The Philippines Data Privacy Law: What Businesses Must Know to Comply

Jul 23, 2024 Blog Article

The Philippines Data Privacy Law, officially known as the Data Privacy Act (DPA) or Republic Act No. 10173, is designed to safeguard individuals’ personal data. This legislation impacts various entities, including enterprises, data centers, ITADs, and mobile processing centers, all of which are responsible for ensuring compliance by managing and disposing of the data of Philippine citizens responsibly. Here’s what you need to know about this crucial law. 

Shraddha Sharma serves as Senior Legal Counsel at Blancco Technology Group in Pune, India. Her areas of expertise include data privacy compliance, risk management, contract negotiation, and statutory advisory across various jurisdictions. She leverages her deep understanding of global privacy regulations to steer data protection initiatives at Blancco and beyond.

Key provisions of the Philippines data privacy law

The Philippines Data Privacy Law provides a comprehensive legal framework for safeguarding personal data within the country. Key provisions of the law include: 

By incorporating these provisions, the Philippines Data Privacy Law aims to establish a framework for data protection, ensuring that individuals’ personal information is collected appropriately and handled with care. 

How does the Data Privacy Act address data ownership? 

The Philippines Data Privacy Act of 2012 establishes principles and guidelines for processing personal information, including ownership provisions. It affirms individuals’ ownership of their personal information when collected by businesses or organizations. Consequently, these entities must obtain consent from data subjects before collecting, processing, or disclosing their personal data. The law mandates implementing security measures to ensure confidentiality and security, permitting processing only for lawful purposes. 

Under this act, data subjects possess rights, such as accessing, correcting, and erasing their information held by businesses or organizations. This underscores individuals’ control over their information, even when handled by third parties. Additionally, businesses or organizations, as data controllers, bear obligations to protect data subjects’ rights and adhere to data protection principles. This entails implementing security measures to prevent unauthorized access, disclosure, alteration, or destruction of personal information. 

Overall, the Data Privacy Act of the Philippines upholds ownership and safeguards individuals’ rights over their personal information. It also imposes responsibilities on businesses and organizations to ensure compliance with data protection principles and respect data subjects’ rights. 

How does the DPA affect data scraping? 

Data scraping refers to the automated process of extracting data from websites or databases using software tools or scripts. This technique allows users to gather large amounts of data quickly and efficiently for various purposes such as research, analysis, or aggregation. While useful for reaching business goals, it also increases liabilities under data protection laws.  

Currently, the NPC is considering guidelines for data scraping or research. While the DPA does not explicitly address these activities, it indirectly impacts them by requiring organizations to obtain consent from data subjects and adhere to data protection principles. 

The guidelines being developed by the NPC will likely provide best practices for data scraping and research, focusing on obtaining consent, anonymizing data, and maintaining data security throughout the process. In the meantime, the guide below provides some recommendations under several sections of the law.  

| Section of the DPA | Recommendation | Reasoning |
| --- | --- | --- |
| Legal basis and consent | Clarify the legal basis for data scraping under the Data Privacy Act. | Consent or another lawful basis is crucial for lawful processing under data protection laws. This includes obtaining explicit consent, ensuring transparency, and safeguarding privacy rights. Clear procedures for obtaining and documenting consent ensure transparency and accountability. |
| Purpose and scope | Define permissible purposes for data scraping and the scope of data that can be collected. | Purpose limitation, a core principle of data protection laws, ensures responsible data use. Scraping activities must adhere to specific, legitimate purposes to avoid misuse of personal data. Clear guidelines on permissible purposes and data collection scope promote ethical and responsible data scraping. |
| Transparency | Inform data subjects about data scraping activities and their purposes. | Transparency fosters trust and compliance with data protection principles. Organizations should disclose data scraping activities, collection purposes, and data usage. This empowers data subjects to make informed decisions and enhances accountability. |
| Data security | Establish standards for securing scraped data to prevent unauthorized access or breaches. | Organizations must implement technical and organizational measures to secure scraped data, meeting Data Privacy Act obligations. This minimizes data breach risks and strengthens overall data protection. Continuous protection requires securing data throughout the scraping and research process. |
| Ethical considerations | Encourage ethical practices in data scraping. | Ethical data scraping promotes responsible behavior and minimizes negative impacts on website operations. Respecting robots.txt files and minimizing server load maintain good relations between scrapers and website owners. Anonymizing or de-identifying personal data safeguards privacy during research, preventing individual identity disclosure. |

While the DPA primarily addresses the protection and processing of personal data, activities such as data scraping often intersect with copyright law. Data scraping can involve extracting information from websites, which may include copyrighted content, raising legal issues related to intellectual property rights. A key case that highlights this interaction is Ryanair Ltd. v. PR Aviation BV.  

PR Aviation scraped flight data from Ryanair’s website, which was protected by terms of service prohibiting scraping. Ryanair sued PR Aviation for both copyright infringement and breach of terms of service. The European Court of Justice ruled that databases not protected by the EU Database Directive’s copyright provisions could still be protected by contract law. The court concluded that PR Aviation’s scraping activities violated Ryanair’s terms of service, constituting a breach of contract. 

Under the DPA, organizations must ensure that their data processing activities, including data scraping, comply with lawful practices. This includes respecting the terms of service of websites, which can legally prohibit scraping. Organizations must be aware that violating these terms can lead to legal actions based on breach of contract and potentially copyright infringement.  

What are the penalties for violating Republic Act No. 10173? 

Failure to comply with the DPA can result in stiff penalties, including fines and imprisonment.  

Organizations found to be in violation of the law may be subject to penalties of up to PHP 5 million (≈$85k USD), as well as civil and criminal liabilities. This is unlike the GDPR, where only penalties are levied.  

The Philippines Data Privacy Act has led to a growing awareness of the importance of protecting personal data. By setting clear guidelines and standards, the law helps to create a secure and trustworthy environment for both businesses and consumers. However, with the increasing volume of data being generated and stored by organizations, there is a need for more advanced solutions to help ensure data privacy and security. 

How your organization can meet DPA requirements with data erasure 

Most organizations use a combination of encryption, access management, and firewalls to protect information in compliance with the DPA. However, data erasure stands out in the data protection toolkit for its definitive approach to securing information.  

Unlike encryption, which scrambles data to prevent unauthorized access but leaves the data intact, data erasure permanently removes the information, ensuring it cannot be reconstructed or retrieved. Likewise, access management systems control who can reach the data, but do not remove it, while firewalls act as barriers to protect data from external threats but again, do not delete the data.  

Data erasure is unique in that it is not just about protecting data from unauthorized access—it is about completely eliminating the data once it is no longer needed, thereby ensuring compliance with data protection regulations like the DPA. Such laws often require the secure disposal of personal data to prevent potential breaches. This makes data erasure an essential tool for organizations looking to not only comply with legal standards but also to maintain strong data hygiene practices.  
