By Leandro Angelo Y. Aguirre and Celine Melanie A. Dee, National Privacy Commission (NPC), Philippines
In the coming months, the National Privacy Commission (NPC) will release several issuances to supplement the Data Privacy Act of 2012 (DPA) and provide guidance on certain aspects of data privacy. These endeavours, which are rooted in law and policy, draw from legal insights discussed in the Commissioners’ Decisions and Resolutions, and result from consultations and engagements with industry experts.
We took the initiative to engage with data privacy practitioners through Calls for Public Input and focus groups with recognised industry experts. Through these efforts, we identified the operational challenges and pressing issues in data privacy practice. As we developed these issuances, we remained cognisant of the importance of formulating future-proofed, technology neutral, and practical issuances. This led us to develop issuances that address prevalent data privacy matters and strengthen the existing privacy regulatory framework of the Philippines.
Several notable issuances include:
1. Guidelines on Consent
The Guidelines on Consent elaborates on consent as a lawful criterion for the processing of personal and sensitive personal information. It provides an in-depth discussion on each of the different requisites of consent to guide Personal Information Controllers (PIC) on how to secure valid and meaningful consent from their data subjects. It also sets out how consent is understood in relation to the general principles of privacy, including Transparency and Fairness, and discusses how a PIC should demonstrate its compliance with these principles.
On the principle of Transparency, the Guidelines emphasises that a PIC should eschew from weasel-worded privacy notices and policies when it provides information to its data subjects. It may adopt a layered privacy notice to prevent consent fatigue among its data subjects. A PIC is encouraged to develop a privacy notice that embodies the minimum specific information, which then directs the data subjects to additional and detailed information necessary for a specific type of processing at the relevant point of time. To fulfill its obligations on Transparency, a PIC should ensure specificity, clarity, and timeliness of the manner it provides information to its data subjects. These ideas stem from the Commissioners’ Decisions that the information a PIC provides to its data subjects should be concrete and definitive, understood by an average member of its target audience, and presented in a simple manner using clear and plain language but not necessarily replacing technical words with layman’s terms.
On the principle of Fairness, the Guidelines underscores that a PIC should process personal data in a way that is neither manipulative nor unduly oppressive to its data subjects. Thus, a PIC should process personal data in a manner that its data subjects would reasonably expect and not in other means that would result in unjustified adverse effects. Data subjects may reasonably expect additional processing by examining if such further processing is compatible with the original purpose that the PIC initially communicated, as elucidated in the NPC 17-047 JV v. JR Decision.
2. Guidelines on Deceptive Design Patterns
The Guidelines on Deceptive Design Patterns builds on the directive in the Guidelines on Consent that a PIC shall not use deceptive methods, such as dark patterns, when obtaining the consent of data subjects in digital and analogue interfaces.
The Guidelines recognises that an increasing number of data subjects fall prey to manipulative interfaces because they do not realise that privacy risks often result from a PIC’s use of deceptive design patterns. In such cases, manipulative techniques and the promise of convenience misleads data subjects to their detriment. Thus, this issuance emphasises a PIC’s obligation to uphold the principle of Fairness where it should process personal data in a manner that is neither manipulative not unduly oppressive to data subjects.
This is not to say, however, that all instances of incentivising consent where the PIC offers benefits to its data subjects in exchange for their consent are immediately construed as deceptive methods, coercion, or compulsion. The Commission will determine such cases based on the specific circumstances of a case.
3. Guidelines on Legitimate Interest
The Guidelines on Legitimate Interest responds to the industry’s shift to legitimate interest as a lawful basis for processing personal information. Legitimate interest, under the DPA, is a lawful criterion solely for the processing of personal information. A PIC cannot rely on legitimate interest as its basis for lawful processing of sensitive personal information. It elaborates on the requisites of legitimate interest that a PIC or PIP should comply with. First discussed in the NPC 21-167 MAF v. Shopee Philippines, Inc. Decision, these requisites are: (1) the legitimate interest is established; (2) the processing is necessary to fulfil the legitimate interest that is established; and (3) the interest is legitimate or lawful and it does not override fundamental rights and freedoms of data subjects.
More PICs are relying on legitimate interest as their lawful basis for processing personal information. As a result of this growing reliance on legitimate interest, there is value in highlighting a PIC’s obligation to uphold the principle of Accountability in the processing of personal information. It is the PIC’s obligation to ensure that their purpose and manner of processing is a valid use of its legitimate interest.
These issuances underscore a PIC’s obligations in processing the personal data of its data subjects. It recognises that a PIC is in a better position to ensure the protection of personal data of its data subjects. Thus, a PIC is responsible and remains accountable that any personal data processed is protected and the manner of processing is in accordance with the general privacy principles and the rights of the data subjects.
Data Privacy Competency Program
At the same time, the NPC recognises the value of educating those who process personal data and those whose personal data are processed on the fundamental concepts and principles of the DPA. Through the new Data Privacy Competency Program (Program), we will democratise and enhance the access and quality of data privacy education throughout the Philippines. The Program focuses on the fundamental and operational aspects of the DPA necessary for anyone who seeks to have a better understanding of the DPA and its application to actual situations. The guidelines on the Program will also be the subject of a formal issuance.
These initiatives provide PICs with guidance to properly fulfil their obligations under the law and equip data subjects to make more meaningful choices concerning their personal data. By addressing the prevalent data privacy issues through these initiatives, the NPC continues to strengthen data privacy protection in the Philippines and deepen the appreciation for the robust field of data privacy.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
About the writers
Leandro Angelo Y. Aguirre
Deputy Privacy Commissioner, National Privacy Commission (NPC), Philippines
Leandro Angelo Y. Aguirre is the Deputy Privacy Commissioner of the Philippine National Privacy Commission and has served in that role since February 2018.
He received his Juris Doctor degree from the University of the Philippines College of Law and his Master of Laws from Harvard Law School. He is a member of both the Philippine Bar and the New York State Bar.
He is also a member of the academe having taught various subjects at the UP College of Law since 2013. He served as an advisor on the bill that eventually became the Data Privacy Act of 2012.
Celine Melanie A. Dee
Chief of Staff to the Deputy Privacy Commissioner, National Privacy Commission (NPC), Philippines
Celine Melanie A. Dee, Chief of Staff to Deputy Privacy Commissioner Leandro Angelo Y. Aguirre, is a licensed lawyer in the Philippines with several locally and internationally published works in technology and intellectual property laws.
Her work and research centres on innovation policy and development. Her insights from private practice and involvement in the academe provide her with a grounded approach to the legal controversies of emerging technologies.
She received her Juris Doctor degree from the Ateneo de Manila University School of Law, Philippines. She holds an LL.M. (Distinction) in Technology and Intellectual Property Law from the University of Hong Kong.
The writers have also published a book “Privacy and Data Protection Law in the Philippines” which examines the right to informational privacy in relation to the general privacy principles, lawful criteria for processing, and other concepts as embodied in the Philippine privacy regulatory framework.