Published 07 September 2018, The Daily Tribune

Compliance with the Data Privacy Act can be very expensive. Full compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act, entails considerable costs such as the hiring and compensation of the Data Protection Officer, acquisition of applications or systems to strengthen technical security, and expenditures related to capacity building, orientation or training programs for employees. Non-compliance, however, is more costly and should not even be considered as an option.

The Data Privacy Act applies to all natural and juridical persons processing personal data. Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3 [g] of the Data Privacy Act). Processing, on the other hand, refers to any operation performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (Section 3 [j] of the Data Privacy Act).

Aside from reputational damage which is difficult to quantify, non-compliance with the Data Privacy Act can expose covered individuals and companies to imprisonment and/or a fine. It is noteworthy that the penalties are imposable upon the responsible officers of the companies who participated in, or by their gross negligence, allowed the commission of the crime. The penalties for noncompliance are summarized as follows:

| Punishable Act | Jail Term | Fine (Pesos) |
|---|---|---|
| Unauthorized processing | 1y to 3y – 3y to 6y | 500k to 4m |
| Access due to negligence | 1y to 3y – 3y to 6y | 500k to 4m |
| Improper disposal | 6m to 2y – 3y to 6y | 100k to 1m |
| Unauthorized purposes | 18m to 5y – 2y to 7y | 500k to 2m |
| Intentional breach | 1y to 3y | 500k to 2m |
| Concealment of breach | 18m to 5y | 500k to 1m |
| Malicious disclosure | 18m to 5y | 500k to 1m |
| Unauthorized disclosure | 1y to 3y – 3y to 5y | 500k to 2m |
| Combination of acts | 3y to 6y | 1m to 2m |

Misguided compliance is equally costly. Some companies may have the tendency to “over-secure” the personal data. Consequently, unnecessary trade-offs are made and the full functionality of the organization is sacrificed. In determining the level of security appropriate for a covered individual or entity, the National Privacy Commission (“NPC”) will take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation (Section 29, Implementing Rules and Regulations of the Data Privacy Act).

Other companies also incur a lot of expenses for the sole purpose of securing the consent of their data subjects. There may be a need to pause and evaluate whether their current processing activities are allowable under the data privacy law even without the consent of the data subjects. Pursuant to Section 22 of the Implementing Rules, processing of personal information is lawful even without the consent of the data subject if it is necessary:

  1. To fulfill the contractual obligations with the data subject or to take steps at the request of the data subject prior to entering the said agreement;
  2. To comply with a legal obligation;
  3. To protect vitally important interests of the data subject, including his or her life and health;
  4. To respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;
  5. To fulfill a constitutional or statutory mandate of a public authority; or
  6. To pursue the legitimate interests of the personal information controller, or by a third party to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.

For instance, schools may lawfully post in their bulletin boards the names of accepted first year students on the basis of legitimate interest. Legitimate interest is most likely to be an appropriate basis where data are used in ways that people would reasonably expect and that have a minimal impact on privacy (Advisory Opinion No. 2018-020 issued by the NPC dated 18 April 2018). Furthermore, condominium corporations may lawfully disclose the unit numbers of the members of the association based on its legal obligation under Section 74 of the Corporation Code relative to the provision for access to and inspection of corporate records (Advisory Opinion No. 2018-011 issued by the NPC dated 22 March 2018).

Another common error in data privacy compliance is confusion with respect to the nature of the personal data being collected. There are entities which justify their processing activities based on the parameters enumerated in Section 22 of the Implementing Rules, but the data actually collected are sensitive personal information and not merely personal information. For example, a picture is considered personal information if the identity of the individual is apparent. However, it will be considered sensitive personal information if the individual’s race or religious affiliation can be ascertained merely by looking at the same picture.

Organizational adjustments may be necessary and costs may be incurred, but at the end of the day, as aptly put by US Supreme Court Justice Louis Brandeis, the right to privacy is the most comprehensive of rights and the right most valued by civilized men.

For comments and questions, please send email to cabdo@divinalaw.com