New Report on Limits of “Consent” in the Philippines’ Data Protection Law
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the sixth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in the Philippines, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations,
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
The Philippines’ Data Protection Landscape
The main personal data protection legislation in the Philippines is Republic Act No. 10173, better known as the Data Privacy Act of 2012 (DPA), which was passed in 2012 but only fully took effect in September 2017.
The DPA applies broadly to individuals and organizations that process the personal information of Philippine citizens, even if the individual or organization does not have a legal presence in the Philippines. For purposes of the DPA, “processing” refers to any operation(s) performed upon personal information and includes collection, use, and disclosure of personal information, among others. The DPA also provides a number of exceptions for the processing of personal information by public authorities for various purposes.
The stated policy aim of the DPA is to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.
To that end, the DPA provides data subjects with a number of rights over their data, including rights to information about how their personal information is processed, correct personal information about them, and order the blocking, removal, or destruction of their personal information. Notably, the DPA was also the first data protection law in APAC to provide data subjects with an express right to data portability, which applies where personal information is processed by electronic means and in a structured and commonly used format.
The DPA also establishes the National Privacy Commission (NPC), an independent body that is responsible for administering and implementing the DPA. The NPC’s role as defined by the DPA is multifaceted and includes responsibilities to, among others: (1) advise the Government and the public and private sectors on personal data protection-related matters; (2) ensure that regulated entities comply with the DPA’s requirements, using enforcement measures if necessary; and (3) align the Philippine data protection framework with international standards and cooperate with peer regulators in other jurisdictions.
Since its establishment, NPC has been active in issuing guidance on the DPA. One of the NPC’s first acts was to issue the Implementing Rules and Regulations to the DPA, which took effect in September 2016 and provided clarification as to how the DPA’s requirements apply in practice. Since then, NPC has also provided further guidance in the form of circulars, advisories, and notably, 307 “advisory opinions” published on the NPC’s website, in which the Commissioner provides guidance on how the NPC would interpret and apply the DPA’s requirements in a wide range of situations, often in response to questions from businesses and members of the public.
Role and Status of Consent as a Basis for Processing Personal Data in the Philippines
Consent is one of several, equivalent legal bases for processing personal information and sensitive personal information under the DPA. Alternative legal bases are similar to those under the GDPR and cover a range of situations where the processing of personal information is necessary for:
- preparatory steps for, or fulfillment of, a contract;
- vital interests of the data subject;
- compliance with a legal obligation;
- response to a national emergency; or
- pursuit of the “legitimate interests” of the data controller or a third party, subject to a balancing test.
Alternative legal bases for processing sensitive personal information are also premised on necessity but are much stricter and generally only apply in narrow circumstances where either the data subject is incapable of giving consent (e.g., medical treatment or a threat to life and health), or where specific provisions of law stipulate that consent is not required but provide other safeguards for the sensitive personal information.
For purposes of the DPA, consent must be freely given, specific, and informed and must indicate that the data subject agrees to collection or processing of his/her personal information. The NPC has also clarified through an Advisory Opinion that it would not recognize implied, implicit, or negative forms of consent.
If an individual or organization wishes to rely on consent to process personal information, it must obtain consent from the data subject (or the data subject’s lawful representative) prior to collecting the personal information or for non-sensitive personal information, either before or as soon as reasonably practicable after collection. Once obtained, the consent must also be recorded, whether by written, electronic, or other means.
Consent can also be withdrawn at any time, in which case processing of the personal information must cease unless the individual or organization can rely on an alternative legal basis for processing.
Read the previous reports in the series here.