Administrative fines in the Philippines – and how to avoid them

2022-09-16

It has been a decade since the data privacy law of the Philippines, the Data Privacy Act of 2012, was enacted.

Since then, the National Privacy Commission (NPC), an independent body created under the law (also known as the DPA), was established in 2016 to administer and implement the provisions of the law, and to monitor and ensure compliance.

On 12 August 2022, the NPC took what it called “a significant step towards strengthened data privacy and protection” by issuing a circular on administrative fines for data privacy infractions, in recognition that “it is essential for the public interest to impose administrative fines that are proportionate and dissuasive” of such infractions.

According to the circular, officially known as NPC Circular No. 2022-01 on the Guidelines on Administrative Fines, administrative fines can range up to PHP50,000 (USD872), or PHP200,000 (USD3,489), or as much as 3% of a company's annual gross income, depending on the gravity of the violations by a personal information controller (PIC) or personal information processor (PIP). The total imposable administrative fine shall not exceed PHP5,000,000 (USD87,208).

Factors that affect the amount of the fine include the degree of damage to the data subject, mitigating actions taken prior to the incident to protect the data, mitigating actions taken to reduce harm to the data subject, and the manner by which the company discovered the infraction, among many others.

The NPC later confirmed that the Circular on Administrative Fines was now in effect, as of 27 August. This statement clarifies and reinforces how the NPC will become more active in enforcing the DPA and the rights of data subjects.

With this framework for administrative fines now in place, we asked Edwin Concepcion, Country Manager of data privacy consultancy Straits Interactive in the Philippines, about his thoughts on how this impacts businesses and the data privacy landscape in the country.

Edwin Concepcion

For more information on how to comply with the DPA in the Philippines, please schedule a 20-minute strategy call or contact sales@straitsinteractive.com to get queries answered.

What NPC Circular No. 2022-01 means for Philippine businesses

What is the current data privacy landscape in the Philippines like?

Edwin: A recent survey commissioned by the NPC showed that public awareness and knowledge of the DPA rose from 13% in 2017 to 25% in 2021. The nationwide survey was conducted by the Philippine Survey and Research Center from October to November 2021. The survey measured public awareness, practices, and perception of data protection and privacy issues.

Meanwhile, demand for data protection practitioners in the country has increased. This is evidenced by an increasing frequency and number of LinkedIn job postings for data protection, information security, risk management and data governance roles. From these postings, it is also clear that more companies are seeking candidates who have undergone proper training and certification, and possess experience in these roles.

What is the significance of the Circular on Administrative Fines?

Edwin: In their own words, the NPC is now “demanding” compliance from Philippine businesses and organisations. I believe that this announcement, and other recent announcements by NPC, indicate that the NPC is taking a serious view on enforcing the law and will likely impose fines for infractions of the DPA sooner rather than later. I do not expect there would be any “grace period” for enforcement action.

So businesses should take this news seriously and take some steps to demonstrate compliance to the law. As fines may be assessed as a percentage of annual gross income, the financial implications could have a great impact on an organisation’s income and profitability.

What should businesses do?

Edwin: Businesses should comply with the requirements of the DPA to create a programme to protect personal data, improve their information security postures, train their employees on their obligations for confidentiality of personal information and be able to respond to any incidents or breaches of personal information.

First, they need to understand what is required (by reading the DPA, all its Implementing Rules and Regulations, and the NPC’s Circulars) and then draw up a plan to comply with the law. Then, they need to hire a consultant to help speed up planning and implementation, such as identifying risks in the processing of personal information, then planning to minimise those risks.

Other important items on the agenda include organisations that fit the criteria, as PICs or PIPs, having to register their data processing systems in the stipulated time – within two months of the commencement of such a system. Failure to do so could result in being assessed a “grave infraction” and a fine of as much as 3% of annual gross income.

What else should businesses be aware of?

Edwin: With the release of Circular No. 2022-01, it is clear that the NPC is now stepping up in its efforts and embracing its role of protecting Filipinos from the abuse and misuse of their individual personal information.

Another law that organisations should be aware of is the amended Public Service Act. Congress has now made it clear that all companies belonging to sectors such as telecommunications, domestic shipping, railways and subways, airlines, expressways, tollways, and transport network vehicle services (TNVS) are now mandated to implement information security management systems based on ISO standards.

Visit www.dpexnetwork.com to learn more about ISO certification courses and data protection competency roadmaps.
