The Data Privacy Act of 2012 (“Act” or “DPA”) or Republic Act No. 10173, which took effect on 8 September 2012, is the governing law on data privacy matters in the Philippines.
In 2022, two bills (House Bill No. 892 and House Bill No. 898) were filed in the House of Representatives of the Philippines, seeking to amend the DPA. The proposed amendments under House Bill No. 892 broadly include:
- Increasing the penalties (both the period of imprisonment and monetary fines) for violations of the DPA; and
- Providing for perpetual absolute disqualification as a penalty for a public official or employee who violates provisions of the DPA.
On the other hand, the proposed amendments under House Bill No. 898 broadly include:
- Defining biometric and genetic data.
- Expanding the exclusions on the applicability of the DPA.
- Redefining “sensitive personal information” to include biometric and genetic data, and labor affiliation.
- Clarifying the extraterritorial application of the DPA by specifying clear instances when the processing of personal data of Philippine citizens and/or residents is concerned.
- Defining the digital age of consent to process personal information as more than fifteen (15) years, applicable where information society services are provided and offered directly to a child.
- Including the performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information.
- Allowing Personal Information Controllers (“PIC”) outside of the Philippines to authorize Personal Information Processors (“PIP”) or any other third party in the country, in writing, to report data breaches to the National Privacy Commission (“NPC”) on behalf of the PIC.
- Modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or a fine upon their sound judgment.
The said bill remains pending before the Philippine House of Representatives.
A further bill was filed in 2022 and is pending before the Philippine Senate (Senate No. 1367) likewise seeking to amend the DPA. Specifically, the bill seeks to exclude the applicability of the DPA to personal information and sensitive personal information that are necessary to address a health crisis during a period of a declared national emergency or pandemic.
Given the rigorous process of passing a law in the Philippines, there are no indications that any of these pending bills will be passed into law within the next 12 months.