Data Privacy in the Philippines, the European Union, and the United States

In 2016, the personal information of millions of Facebook users was taken without authorization. The incident alarmed regulators and exposed how Cambridge Analytica, a political data analytics company, worked on the 2016 political campaign.

Cambridge Analytica used the information it gathered to build personality profiles that were sold to clients and could then be used for "psychographic targeting" of advertisements.

As a result, data privacy has grown into a significant concern, and many consumers want to prevent organizations from selling their data. Compliance with data privacy and protection rules is now regarded as a competitive advantage for business operations, especially following the National Privacy Commission's mandate to oversee and implement the Data Privacy Act (DPA) of 2012. The act governs the proper collection, management, storage, and sharing of data with third parties, together with compliance with related privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Data Privacy Act of 2012 (DPA)

Republic Act No. 10173, also known as the Data Privacy Act, aims to protect all types of information, whether private, sensitive, or personal. It applies to all persons, natural and legal, involved in processing personal information.

California Consumer Privacy Act (CCPA)

The CCPA protects the right of California residents to the privacy of their personal information. As a result, it may affect any company that has customers in California.

The CCPA requires businesses to tell customers how their personal information is collected, used, and shared. It also lets customers stop their data from being sold to third parties, access it, and have it deleted.

General Data Protection Regulation (GDPR)

The GDPR is a legal framework that sets out rules for collecting and using personal information from residents outside the European Union (EU). It applies regardless of where the business is located, so every entity that attracts users from Europe must comply with it.

Comparison of the DPA, CCPA, and GDPR

Definition of Personal Information

DPA: All forms of personal information that clearly or substantially determine the identity of an individual.

CCPA: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

GDPR: Any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.

Penalty

DPA: Depending on the offense committed, fines range from ₱500,000.00 to ₱4,000,000.00, with imprisonment ranging from one (1) to six (6) years.

CCPA: Up to $2,500 per violation and $7,500 per intentional violation. The fines are imposed by the California state courts.

GDPR: EU supervisory authorities oversee businesses regardless of the size of the entity. Penalties can reach €20,000,000 or 4% of annual global revenue, and EU Member States may impose their own sanctions.

Applies to which users

DPA: Any natural person or legal entity, in the public or private sector, that processes personal data, within or outside the Philippines. Special cases may apply.

CCPA: All for-profit businesses that collect personal information about Californians for marketing purposes or to sell them goods or services and have annual gross revenue of at least $25,000,000.

GDPR: Organizations that collect the personal data of individuals within the European Union (EU) and European Economic Area (EEA), even if they do not specifically market their goods and services to EU residents.

Data Protection Officer (DPO) requirements

DPA: The DPO monitors the PIC's or PIP's compliance with the DPA, its IRR, NPC regulations, and other relevant laws.

CCPA: The CCPA does not require a data protection officer (DPO).

GDPR: The DPO should be knowledgeable about the necessary privacy or data protection policies and procedures, particularly those related to information systems, data security, and/or data protection.

Rights of users

DPA:

  • Right to be informed

  • Right to access

  • Right to object

  • Right to erasure or blocking

  • Right to damages

  • Right to file a complaint with the National Privacy Commission

  • Right to data portability

CCPA:

  • Right to know

  • Right to delete

  • Right to opt out of the sale of personal information

  • Right to non-discrimination

GDPR:

  • Right to access personal data

  • Right to correct personal data

  • Right to delete personal data

  • Right to restrict personal data processing

  • Right to transfer data to another controller

  • Right to object to personal data processing

  • Right to object to automated data processing for decision-making and profiling

Here are examples of personal information that can determine the identity of an individual:

  • Basic identity information (Race, ethnic origin, marital status, age, color, education, and religion)

  • Web data (IP Address, cookie data, etc.)

  • Political affiliations 

  • Biometric Data (health, genetic or sexual orientation)

  • Court proceedings or offenses committed.

 

Here is additional sensitive information or material that is usually disclosed to a third party and is common during employment:

  • Trade secrets

  • Proprietary information

  • Personal information of those involved with the disclosing party

  • Data, information, campaign materials, or strategies not yet available to the public

  • Social security numbers, previous or current health records, licenses or suspension, and tax returns

 

Common across DPA, CCPA, and GDPR

Despite the fact that the definitions may be different, these regulations focus on data that relates to an identifiable natural person. Businesses outside the jurisdiction must take both into account since they may have extraterritorial implications.

 

Data Controller vs. Data Processor 

Data controller is the primary entity in charge of obtaining consent and controlling access–deciding why and how to process personal data, in which they are accountable for preserving the privacy and rights of the data.

 

A data processor is an entity that handles data processing on the controller's behalf. Law offices, medical facilities, and accounting organizations are examples of common data processors–Organizations on the processing side may also store or trash data.

 

Data Protection Officer (DPO)

A DPO manages and supervises the data protection approach of personal information controllers (PIC) and processors (PIP). They also ensure compliance with the DPA's Implementing Rules and Regulations and other relevant data privacy and security laws and regulations.

Businesses are responsible for upholding and respecting their stakeholders' data privacy rights whenever they handle personal information. These laws and regulations establish a framework for data privacy accountability and compliance that covers topics such as governance and data security.


If your business needs to comply with the DPA's implementing rules and regulations, you can contact our legal experts or read more about Data Privacy.