Slow Philippines Privacy Law Uptake Raises Concerns

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Yu-Tzu Chiu

Dec. 21 — The Philippines government's failure to implement the country's framework data protection statute is prompting business leaders to push for change and legal analysts to call for companies to at least align their privacy practices with the general principles of the law.

The Data Privacy Act was enacted in 2012. It mandated the creation of a National Privacy Commission to administer and implement the law and to monitor and ensure compliance with international standards for data protection. However, three years later, the commission hasn't been established.

Edward Chatterton, a partner at DLA Piper in Hong Kong, told Bloomberg BNA that the delay in implementing the acts is a result of President Benigno Aquino not forming the commission and appointing its commissioners.

(Click image to enlarge.)

philippines story image 01062016

According to Chatterton, the commission's role was to draw up the Act's Implementing Rules and Regulations (IRR) within 90 days from the passage of the law or by December 2012, and its main task was to monitor the implementation of the Act.

“One of the impacts of the non-implementation of the IRR is that there are now no clear guidelines on handling data breaches, establishing data breach policies and response protocols and crafting safety standards,” he said.

Without the commission and the IRR, Chatterton said, “the Data Privacy Act is just words on a page.”

Business Groups Push for Change 

In late August, the Joint Foreign Chamber of the Philippines urged the government to immediately establish the commission in order for the act to take effect.

The business group stressed that the law would help protect data and boost the country's information technology, business process management and knowledge process management industry, which they said is expected to contribute $21.3 billion to the national economy and employ 1.2 million Filipinos by the end of 2015.

“So far we do not have a clear idea of when the Commission will be appointed,” John Forbes, who chairs the Legislative Committee of American Chamber of Commerce of the Philippines, told Bloomberg BNA.

“The Joint Foreign Chambers and other Philippine business groups continue to call the attention of the Philippine Government to the importance of moving forward to establish the Commission, so that the IRRs can be drafted and enforcement of the new law can also move forward,” Forbes said.

The chamber is composed of local arms of overseas business chambers of America, Australia-New Zealand, Canada, Europe, Japan, South Korea, as well as the Philippine Association of Multinational Companies Regional Headquarters. The group represents 3,000 member companies trading more than $230 billion with the Philippines and investing some $30 billion in the local market.

New Opportunity for Action?

The National Privacy Commission was intended to become a unit of the Department of Information and Communications Technology (DICT), Chatterton said. The Philippine Senate passed its third and final reading of a DICT bill in June, and the Congress approved the bill in October.

But President Aquino opposes the bill “deeming the establishment of a DICT redundant since the Philippines already has a Department of Transportation and Communications and the Information and Communications Technology Office,” Chatterton said.

The Philippine Business Groups and Joint Foreign Chambers said it would like to see the president sign the bill and work to fund it through a supplementary budget in the 2016 “so the department can move ahead as soon as possible.”

Be Prepared 

Despite the delay in implementation of the framework law, legal analysts urge that covered companies be prepared to comply.

“While waiting for the Philippine government's definitive action, data controllers and processors should now be keen on aligning their privacy practices and policies with the general principles of the act, at a minimum,” Bienvenido Marquez, a partner at Quisumbing Torres, Manila, which is a member firm of Baker & McKenzie International.

“Although the organization of the Act's implementing agency and the promulgation of its rules and regulations are uncertain at present, they are, however, imminent, given the pressure that foreign and local business groups have been placing on the Philippine government to finally establish the commission,” Marquez told Bloomberg BNA.

“After all, any additional expenditure on human and financial resources that may be required by the Act's IRR in the future will surely be negligible compared to the harsh criminal and administrative penalties facing violators of the Act,” he said.

Persons and entities covered by the act should start complying with the law by establishing and implementing a privacy policy, including information security policies, for its organization and customers, ensuring that contractual commitments both with its clients and service providers ensure adherence with the Act, and securing the consent of individuals whose personal information are being processed, Marquez said.

To contact the reporter on this story: Yu-Tzu Chiu in Taipei at

To contact the editor responsible for this story: Donald G. Aplin at