Philippines Privacy Office Readying to Flex Enforcement Muscles

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The Philippines privacy office should become fully operational by mid-2018 and will step in to protect the privacy rights of Filipino data subjects wherever in the world violations occur, the country’s privacy chief told Bloomberg BNA in an interview.

Companies doing business in the Philippines, including those that handle customer service and data processing functions for companies outside the country, may face more focused privacy and data security enforcement as a result.

The Philippines sees effective data protection as fundamental to underpin the expansion of its vital business processing operations sector (BPO), which provides call centers, data transcription, and similar services carried out on behalf of foreign corporations, Privacy Commissioner Raymond Liboro said on the sidelines of the 39th International Data Protection and Privacy Commissioners’ Conference in Hong Kong.

The BPO sector in the Philippines is “handling personal data on an industrial scale,” Liboro said. Among the companies with BPO arms in the Philippines are Accenture Inc., JPMorgan Chase & Co., and IBM Business Services Inc.

The privacy office, the National Privacy Commission, was established in March 2016. It has filled approximately half of the 120 staff positions needed to bring it to full operational status, Liboro said. Recruitment has been held back by competition for lawyers and other specialists with the private sector, where privacy professionals are often better paid, he said.

Embedding Privacy

Under the Philippines Data Privacy Act, which was adopted in 2012, data processors operating in the Philippines with more than 250 employees are must register with the National Privacy Commission and provide information on their processing operations and contracts, data protection officers, data transfers outside the Philippines, cybersecurity measures, and privacy certifications.

The office plans to establish, in early 2018, a national privacy council that would bring together regulators and representatives of various economic sectors to discuss ways to embed the framework privacy law, Liboro said. “We will encourage the creation and development of sectoral codes of practice,” he said. The council would help lead to “more assured buy-in” from companies on privacy issues, and help the Philippines move toward being seen by other countries as having adequate privacy protections, Liboro said.

The privacy office will also promote, through the council, the uptake of the Asia-Pacific Economic Cooperation Cross Border Privacy Rules, Liboro said. The APEC CBPR system requires a participating country to adopt national data transfer procedures, including an independent public or private sector accountability agent and an enforcement agency. Participating companies also must implement data privacy policies consistent with the APEC Privacy Framework.

The Philippines could within a year join Canada, Japan, Mexico, South Korea, and the U.S. in formally recognizing the CBPRs framework, Liboro said.

Global Reach

Awareness of privacy rights in the Philippines is growing, and in its first 18 months, the privacy office received about 140 complaints, including complaints on unauthorized processing, collection and deletion of data, identity theft, and malicious disclosure of personal information, Liboro said.

Some countries have adopted rules requiring that companies store personal data collected there to be stored on servers withing the country, but “we do not have data localization policies and we don’t see that happening in the near future,” Liboro said.

However, Liboro said the commission was obliged to pursue complaints against companies globally if Filipino data subjects are harmed by data violations. In a recent case, the privacy office pursued a complaint from a Philippines resident whose photographs were picked up from Facebook Inc.'s website and used without consent on the Dallas-based classified advertising website backpage.com.

The company rapidly complied with the Philippines privacy office’s request that it take down the pictures, Liboro said. If it hadn’t complied, the office would have coordinated with the U.S. Federal Trade Commission on the complaint, he said.

“It’s significant that we were able to test the long-arm provision of our law. The mere fact that the website responded positively to our message is a welcome development,” he said.

To contact the reporter on this story: Stephen Gardner in Hong Kong at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Information on the Philippines Data Privacy Act, and the National Privacy Commission's implementing rules, is available at https://privacy.gov.ph/data-privacy-act-primer/.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security