Developments in the Philippine Privacy Framework: Regulator’s Perspective

In this article, Deputy Privacy Commissioner Leandro Angelo Y. Aguirre and Celine Melanie A. Dee from the Philippine National Privacy Commission (NPC) examine the regulatory developments in the Philippines, specifically on the Data Privacy Act (2012) to provide key insights to strengthen the nation’s existing privacy regulatory framework.

Disclaimer: The content published on this website is the original work of the writer(s) and has not been edited or altered in any way. It is presented here exactly as written by the author(s). It is presented in its entirety as authored by the writer(s).

By Leandro Angelo Y. Aguirre and Celine Melanie A. Dee, National Privacy Commission (NPC), Philippines

In the coming months, the National Privacy Commission (NPC) will release several issuances to supplement the Data Privacy Act of 2012 (DPA) and provide guidance on certain aspects of data privacy. These endeavours, which are rooted in law and policy, draw from legal insights discussed in the Commissioners’ Decisions and Resolutions, and result from consultations and engagements with industry experts.

We took the initiative to engage with data privacy practitioners through Calls for Public Input and focus groups with recognised industry experts. Through these efforts, we identified the operational challenges and pressing issues in data privacy practice. As we developed these issuances, we remained cognisant of the importance of formulating future-proofed, technology-neutral, and practical issuances. This led us to develop issuances that address prevalent data privacy matters and strengthen the existing privacy regulatory framework of the Philippines.

Several notable issuances include:

1. Guidelines on Consent

The Guidelines on Consent elaborates on consent as a lawful criterion for the processing of personal and sensitive personal information. It provides an in-depth discussion on each of the different requisites of consent to guide Personal Information Controllers (PIC) on how to secure valid and meaningful consent from their data subjects. It also sets out how consent is understood in relation to the general principles of privacy, including Transparency and Fairness, and discusses how a PIC should demonstrate its compliance with these principles.

On the principle of Transparency, the Guidelines emphasises that a PIC should eschew weasel-worded privacy notices and policies when it provides information to its data subjects. It may adopt a layered privacy notice to prevent consent fatigue among its data subjects. A PIC is encouraged to develop a privacy notice that embodies the minimum specific information, which then directs the data subjects to additional and detailed information necessary for a specific type of processing at the relevant point in time. To fulfil its obligations on Transparency, a PIC should ensure specificity, clarity, and timeliness in the manner in which it provides information to its data subjects. These ideas stem from the Commissioners’ Decisions that the information a PIC provides to its data subjects should be concrete and definitive, understood by an average member of its target audience, and presented in a simple manner using clear and plain language but not necessarily replacing technical words with layman’s terms.

On the principle of Fairness, the Guidelines underscores that a PIC should process personal data in a way that is neither manipulative nor unduly oppressive to its data subjects. Thus, a PIC should process personal data in a manner that its data subjects would reasonably expect and not by other means that would result in unjustified adverse effects. Whether data subjects may reasonably expect additional processing is determined by examining if such further processing is compatible with the original purpose that the PIC initially communicated, as elucidated in the NPC 17-047 JV v. JR Decision.

2. Guidelines on Deceptive Design Patterns

The Guidelines on Deceptive Design Patterns builds on the directive in the Guidelines on Consent that a PIC shall not use deceptive methods, such as dark patterns, when obtaining the consent of data subjects in digital and analogue interfaces.

The Guidelines recognises that an increasing number of data subjects fall prey to manipulative interfaces because they do not realise that privacy risks often result from a PIC’s use of deceptive design patterns. In such cases, manipulative techniques and the promise of convenience mislead data subjects to their detriment. Thus, this issuance emphasises a PIC’s obligation to uphold the principle of Fairness, under which it should process personal data in a manner that is neither manipulative nor unduly oppressive to data subjects.

This is not to say, however, that all instances of incentivising consent where the PIC offers benefits to its data subjects in exchange for their consent are immediately construed as deceptive methods, coercion, or compulsion. The Commission will determine such cases based on the specific circumstances of a case.

3. Guidelines on Legitimate Interest

The Guidelines on Legitimate Interest responds to the industry’s shift to legitimate interest as a lawful basis for processing personal information. Legitimate interest, under the DPA, is a lawful criterion solely for the processing of personal information. A PIC cannot rely on legitimate interest as its basis for lawful processing of sensitive personal information. The Guidelines elaborates on the requisites of legitimate interest that a PIC or PIP should comply with. First discussed in the NPC 21-167 MAF v. Shopee Philippines, Inc. Decision, these requisites are: (1) the legitimate interest is established; (2) the processing is necessary to fulfil the legitimate interest that is established; and (3) the interest is legitimate or lawful and it does not override fundamental rights and freedoms of data subjects.

More PICs are relying on legitimate interest as their lawful basis for processing personal information. As a result of this growing reliance on legitimate interest, there is value in highlighting a PIC’s obligation to uphold the principle of Accountability in the processing of personal information. It is the PIC’s obligation to ensure that its purpose and manner of processing are a valid use of its legitimate interest.

These issuances underscore a PIC’s obligations in processing the personal data of its data subjects. They recognise that a PIC is in a better position to ensure the protection of personal data of its data subjects. Thus, a PIC is responsible and remains accountable for ensuring that any personal data processed is protected and that the manner of processing is in accordance with the general privacy principles and the rights of the data subjects.

Data Privacy Competency Program

At the same time, the NPC recognises the value of educating those who process personal data and those whose personal data are processed on the fundamental concepts and principles of the DPA. Through the new Data Privacy Competency Program (Program), we will democratise and enhance the access and quality of data privacy education throughout the Philippines. The Program focuses on the fundamental and operational aspects of the DPA necessary for anyone who seeks to have a better understanding of the DPA and its application to actual situations. The guidelines on the Program will also be the subject of a formal issuance.

These initiatives provide PICs with guidance to properly fulfil their obligations under the law and equip data subjects to make more meaningful choices concerning their personal data. By addressing the prevalent data privacy issues through these initiatives, the NPC continues to strengthen data privacy protection in the Philippines and deepen the appreciation for the robust field of data privacy.

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.

About the writers

Leandro Angelo Y. Aguirre
Deputy Privacy Commissioner, National Privacy Commission (NPC), Philippines

Leandro Angelo Y. Aguirre is the Deputy Privacy Commissioner of the Philippine National Privacy Commission and has served in that role since February 2018.

He received his Juris Doctor degree from the University of the Philippines College of Law and his Master of Laws from Harvard Law School. He is a member of both the Philippine Bar and the New York State Bar.

He is also a member of the academe having taught various subjects at the UP College of Law since 2013. He served as an advisor on the bill that eventually became the Data Privacy Act of 2012.

Celine Melanie A. Dee
Chief of Staff to the Deputy Privacy Commissioner, National Privacy Commission (NPC), Philippines

Celine Melanie A. Dee, Chief of Staff to Deputy Privacy Commissioner Leandro Angelo Y. Aguirre, is a licensed lawyer in the Philippines with several locally and internationally published works in technology and intellectual property laws.

Her work and research centres on innovation policy and development. Her insights from private practice and involvement in the academe provide her with a grounded approach to the legal controversies of emerging technologies.

She received her Juris Doctor degree from the Ateneo de Manila University School of Law, Philippines. She holds an LL.M. (Distinction) in Technology and Intellectual Property Law from the University of Hong Kong.

The writers have also published a book “Privacy and Data Protection Law in the Philippines” which examines the right to informational privacy in relation to the general privacy principles, lawful criteria for processing, and other concepts as embodied in the Philippine privacy regulatory framework.

The book is available in the Wolters Kluwer eStore or through Amazon eStore.
