About EITSC: The European Innovation, Technology, and Science Center Foundation (EITSC) is an initiative of several European
and Philippine development-oriented organizations. Creating European-Philippine partnerships, the EITSC is the bridge for
Philippine companies into the European market and for European firms to build strategic partnerships with Philippine business in
innovation/technology/science, and to set up beachheads in the country. As part of its commitment to increasing
understanding in Philippine-European relations, EITSC commissioned Mr. Mapa to author this paper.
About the author: Damian “Dondi” Mapa is an expert in information and communications technology and public policy. In 2004,
he was appointed to the Commission on ICT (CICT) by President Gloria Macapagal-Arroyo. In 2016, he was appointed to the
National Privacy Commission (NPC) by President Benigno S. Aquino III. He is a co-author and signatory of the Implementing Rules
and Regulations of the Data Privacy Act of 2012 as well as various NPC circulars and advisories. He is a Certified Information
Privacy Manager (CIPM) and a past member of EITSC’s Board of Trustees.
During my term as CICT Commissioner, I was tasked by President Arroyo in 2004 to grow the Philippine
BPO industry and make it more competitive. One of the strategies we pursued was “data protection as a
competitive differentiator for business process outsourcing”. To this end, we invited several EU
consultants in 2005-2006 to give their comments on DTI Administrative Order No. 8-2006, Guidelines for
the Protection of Personal Data, which eventually evolved into Republic Act 10173, the Data Privacy Act
of 2012. Our leader in this undertaking was the late Senator Edgardo J. Angara, then the Chairman of the
Congressional Commission on Science Technology and Engineering (COMSTE).
Thus, it should not come as a surprise to anyone that the Data Privacy Act (DPA) is closely patterned after
the European Union’s General Data Protection Regulation (GDPR). In fact, I would assert that any
Philippine company that is fully compliant with the DPA and related issuances is already 90% compliant
with the GDPR. A corollary to this would be that Filipino Data Protection Officers (DPOs) would naturally
be highly proficient in performing GDPR-compliance roles.
To prove this assertion, I have compiled a point-by-point comparison in the sections below. Please note
that my thesis is not that the DPA is the Philippine version of the GDPR, but rather that the DPA may be
viewed as a Philippine implementation of the GDPR – in alignment with Recital 8 of the GDPR: “States
may, as far as necessary for coherence and for making the national provisions comprehensible to the
persons to whom they apply, incorporate elements of this Regulation into their national law.”
In reading my comments below, please note that when I refer to the “DPA”, I also include the related
issuances of the National Privacy Commission (NPC): namely, the Act’s Implementing Rules and
Regulations (IRR) as well as related circulars and advisories.
The GDPR aspires to cover all data subjects, regardless of nationality or place of residence. The DPA, on
the other hand, covers Philippine citizens primarily, whether they are in the Philippines or travelling abroad. One
way of simplifying this scope is to state: “If you are in the EU, expect to be covered by the GDPR, and if
you are in the Philippines, expect to be covered by the DPA.” Given the 100% alignment seen in paragraph
2 above, this is tantamount to saying that all 8 rights mentioned above are expected to be upheld in
both the Philippines, as well as in the Union.
There is one substantial difference under the DPA: the addition of “transmissibility of rights”, which gives
the lawful heirs and assigns of a data subject the ability to invoke the rights of a data subject who has
passed away or been incapacitated. This means that data controllers and processors must be prepared to
uphold these rights, even in the absence of the data subject.
There is also a substantial difference under the GDPR: for those outside the Union, if you are processing
data of subjects who are in the Union for the purpose of offering goods/services, or for monitoring their
behavior within the Union, then you must also comply with GDPR.
There is very close alignment in this area, with personal information referring to information that will
allow one to be identified, and sensitive (or “special”) data referring to information that falls under
specifically enumerated categories. Under the DPA, this enumeration includes government-issued
identification numbers, as well as privileged information.
Another distinction to be aware of is that, under the IRR and related issuances, “personal data” is used as
a catch-all phrase that includes personal information, sensitive personal information, and privileged
information.
6. What are the conditions under which personal information may be processed?
7. What are the conditions under which sensitive personal information (or special categories of personal data) may be processed?
The DPA is slightly more restrictive when it comes to processing of sensitive personal information, as it
does not explicitly allow for processing of “data which are manifestly made public by the data subject”.
In addition, data processed for scientific and statistical research shall be held under strict confidentiality
and shall be used only for the declared purpose (IRR Section 37).
8. What are the privacy principles that must be observed when processing personal information/data?
There is very close alignment in this area, with DPA adding the principle of “proportionality”, which is
somewhat similar to the “data minimization” principle under the GDPR.
While there is close alignment in this area, there are some slight differences. The GDPR has introduced
the concept of “granularity” in Article 7.2, whereas the DPA has introduced the concept of “time-bound”
consent in Section 19.a.1 of the IRR.
Also, while the GDPR allows parents to provide consent for children aged 16 years and even down to 13
years old, the DPA is silent with regard to the age of the data subject, though it should be noted that in
the Philippines, the age of majority is defined as 18 years old by Republic Act 6809.
10. What are the obligations around appointing a Data Protection Officer (DPO)?
There is close alignment in this area. Whereas the GDPR lists down the 3 situations where a DPO is needed,
the DPA requires all controllers and processors to designate a DPO, and this is most likely the case as well
in EU countries that have passed local laws to implement the GDPR.
However, one notable difference in the GDPR is the requirement to designate “data protection
representatives” for controllers and processors who do not have an established presence in the Union,
but who process data of subjects who are in the Union for the purpose of offering goods/services, or for
monitoring their behavior within the Union.
One notable difference in the DPA is that the DPO must be an employee of the company, or if employed
by contract, the contracted period should be a minimum of two years. In addition, while the functions of
a DPO may be outsourced, the DPO should always have the role of being contact person for the NPC.
11. What are the obligations around the conduct of a privacy impact assessment?
Other than the title of the document (DPIA or Data Protection Impact Assessment in GDPR, PIA or Privacy
Impact Assessment in DPA), there is very close alignment in this area.
In addition, NPC Advisory 17-03 specifically mentions ISO/IEC 29134 as an acceptable methodology for
the conduct of a privacy impact assessment. Under this methodology, there is the possibility of conducting
a “pre-assessment”, otherwise known as a threshold analysis.
12. What are the obligations around reporting breaches of personal data?
The DPA defines security incident as “an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality of personal data”, and under
GDPR, there is a similar definition: “a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed.”
Both the GDPR and the DPA lay down clear criteria on when notification is required; these are spelled out
in the sections referred to above. There is very close alignment in this area, with the DPA adding the
“affected data subjects” to those who must be notified within 72 hours. Nevertheless, the NPC allows
delay in notification under the conditions listed in Section 40 of the IRR.
13. What other obligations are aligned between GDPR and DPA?
GDPR obligation: Comply with arrangement for joint controllers (Article 26)
DPA obligation: Comply with the principles for data sharing (IRR Section 20, Circular 16-02)
14. Are there any obligations with regard to transferring personal data across borders?
With regard to certification, GDPR lays down the conditions for having one such common certification,
the European Data Protection Seal, in Articles 42 and 43.
While the DPA and related issuances do not place any restrictions on data residency, there may be sectoral
regulations in place, such as those imposed by the Philippine Central Bank (BSP) on banks and other
financial institutions.
15. What are the consequences of not complying with these laws/regulations?
The GDPR famously lays down fines up to 20 million EUR (or up to 4% of the previous year’s turnover). In
addition, further civil, administrative, and criminal penalties may still be defined by the EU Member States.
In the Philippines, violations of the DPA and related issuances can result in the serving of a compliance
order, cease and desist order (ban on processing), payment of damages, and criminal prosecution which
could result in jail terms (up to 7 years) and fines (up to 5 million PHP). The maximum penalties are
imposed when at least 100 data subjects have been affected. If the offense is committed by a public
officer, there is an accessory penalty of disqualification from public office for double the term of the
criminal penalty.
Other than breach notifications, the GDPR does not spell out any other reporting or registration
requirements, but rather leaves this up to the EU Member States to specify.
In the Philippines, the requirements include annual registration, and an annual Security Incident Report
(IRR Sections 46 to 48, Circular 16-03, and Circular 17-01).
The GDPR lists down several situations where data protection obligations may be relaxed, namely: data
relating to criminal convictions and offences (Article 10), de-identified data (Article 11), restrictions to the
rights and obligations (Article 23) and journalistic, academic, artistic, or literary purposes (Article 85).
The DPA has similar provisions, namely: matters of public concern or “FOI” (IRR Section 5.a), journalistic,
artistic, or literary purposes (IRR Section 5.b), research intended for a public benefit (IRR Section 5.c), and
information collected from residents of foreign jurisdictions (IRR Section 5.f). There is also a limitation on
the rights of data subjects for reasons enumerated in IRR Section 37.
Please note, however, that these exemptions are not “blanket” exemptions, and care must therefore be
exercised to ascertain which of the obligations are being waived, if at all.