Last review date: 7 January 2025
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
The NPC shall perform all acts as may be necessary to effectively implement the DPA, its IRR, and its other issuances and to enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties. This includes:
- Issuing compliance or enforcement orders
- Awarding indemnity on matters affecting any personal data, or rights of data subjects
- Issuing cease and desist orders or imposing a temporary or permanent ban on the processing of personal data upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects
- Recommending to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties specified in the Act
- Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action on a matter affecting data privacy
- Imposing administrative fines for violations of the DPA, its IRR, and other issuances of the NPC
Additionally, the NPC recently issued Circular No. 2022-01 on the imposition of administrative fines. In light of said circular, the NPC may now impose administrative fines ranging from 0.5% to 3% of the annual gross income of the PIC or PIP in case of grave infractions and 0.25% to 2% of the annual gross income of the PIC or PIP in case of major infractions.
A grave infraction is committed when:
- There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects is 1,001 or more.
- There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is 1,001 or more.
- There is a repetition of the same infraction penalized under the circular, regardless of whether the first infraction was classified as a major or other infraction.
A major infraction is committed when:
- There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects is 1,000 or below (1-1,000).
- There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is 1,000 or below (1-1,000).
- There is a failure on the part of the PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA.
- There is a failure on the part of the PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA.
- There is a failure on the part of the PIC to notify the NPC and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA.
In both cases, the computation shall be based on the PIC's or PIP's annual gross income of the immediately preceding year when the infraction occurred. Note that for purposes of said computation, the NPC may require the PIC or PIP to submit its audited financial statement filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, its last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as the NPC may deem relevant and appropriate. However, where the PIC or PIP has not been operating for more than one year, the basis for the NPC's computation will be its gross income at the time the infraction was committed.
The NPC is also empowered to impose administrative fines for other infractions, including the failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making which can reach up to either PHP 200,000 (approximately USD 4,000) or PHP 50,000 (approximately USD 1,000), depending on the violation committed.
Notwithstanding the foregoing, please note that the total imposable administrative fine for a single act or omission of a PIC or PIP, whether resulting in a single or multiple infractions, shall not exceed PHP 5 million (approximately USD 100,000).
☒ criminal penalties from regulators and law enforcement
The following are the criminal penalties:
Unauthorized Processing of Personal Information and Sensitive Personal Information
- The unauthorized processing of personal information shall be penalized by imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under the DPA or any existing law.
- The unauthorized processing of sensitive personal information shall be penalized by imprisonment ranging from three to six years and a fine of PHP 500,000 to PHP 4,000,000 shall be imposed on persons who process sensitive personal information without the consent of the data subject, or without being authorized under the DPA or any existing law.
Accessing Personal Information and Sensitive Personal Information Due to Negligence
- Accessing personal information due to negligence shall be penalized by imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under the DPA or any existing law.
- Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three to six years and a fine of PHP 500,000 to PHP 4,000,000 shall be imposed on persons who, due to negligence, provided access to sensitive personal information without being authorized under the DPA or any existing law.
Improper Disposal of Personal Information and Sensitive Personal Information
- The improper disposal of personal information shall be penalized by imprisonment ranging from six months to two years and a fine of PHP 100,000 to PHP 500,000 shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
- The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one to three years and a fine of PHP 100,000 to PHP 1,000,000 shall be imposed on persons who knowingly or negligently dispose, discard or abandon the sensitive personal information of an individual in an area accessible to the public or has otherwise placed the sensitive personal information of an individual in its container for trash collection.
Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes
- The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000 shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under the DPA or under existing laws.
- The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two to seven years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under the DPA or under existing laws.
Unauthorized Access or Intentional Breach
- The penalty of imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who knowingly and unlawfully, or in violation of data confidentiality and security data systems, break in any way into any system where personal and sensitive personal information is stored.
Concealment of Security Breaches Involving Sensitive Personal Information
- The penalty of imprisonment of one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000 shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the NPC, intentionally or by omission conceals the fact of such security breach.
Malicious Disclosure
- Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her, shall be subject to imprisonment ranging from one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000.
Unauthorized Disclosure
- Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 1,000,000.
- Any PIC or PIP or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three to five years and a fine of PHP 500,000 to PHP 2,000,000.
Combination or Series of Acts
- Any combination or series of acts as defined in Sections 25 to 32 will subject the person to imprisonment ranging from three to six years and a fine of PHP 1,000,000 to PHP 5,000,000.
☒ private remedies
The NPC, sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the DPA. The person who is the subject of the privacy violation or personal data breach, or their duly authorized representative, may file the complaint, provided that the representative's authority is established.
Any person who is not personally affected by the privacy violation or personal data breach may: (a) request an advisory opinion on matters affecting the protection of personal data; or (b) inform the NPC of the data protection concern, and the NPC may, in its discretion, conduct monitoring activities on the organization or take such further action as may be necessary.