The Philippine National Privacy Commission (NPC), which administers the country’s Data Privacy Act (DPA), has recently made available to the public copies of its advisory opinions. These opinions had been issued in response to various queries regarding the proper application and interpretation of the provisions of the DPA and its implementing rules and regulations.
Issue of consent
Advisory Opinion No. 2017-42 (issued 14 August 2017) sets out the NPC’s view on what constitutes sufficient consent for the collection and processing of personal information.
Under the DPA, collection and processing of personal data must have a lawful basis. Consent is one of the acceptable criteria for lawful processing. Consent is defined as “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive or privileged information.”
The opinion responded to the question of whether sufficient consent could be acquired through the following arrangements:
- the notice states that the continued use of the products and services of the company will be deemed as consent to collect, process, and share personal data, including processing for purposes of direct marketing, data analytics, and automated processing
The NPC opined that this was a form of implied or inferred consent and that this is not sufficient for purposes of the DPA.
Finally, the NPC referred to Recital 32 of the REGULATION (EU) 2016/679 or the General Data Protection Regulation (GDPR) of the European Union for additional guidance on consent. The recital states:
xxx xxx. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. xxx xxx
Based on the advisory opinion, controllers with websites or other platforms that collect and process personal data should have on their sites/platforms:
3) a separate mechanism for data subjects to agree to data sharing and to processing involving automated decisionmaking.
Controllers and processors will need to continue to monitor how the NPC administers the DPA and its implementing rules. They should also take note that the NPC will tend to be guided by the GDPR and how this is being applied.