ISSUES in data privacy are more pronounced in the information-technology and business-process management (IT-BPM) industry.
The Philippines’s IT-BPM industry is currently the second-largest contributor to the country’s GDP t after the overseas remittances of migrant workers, according to the Information Technology and Business Process Association of the Philippines (Ibpap). The sector processes personal data on an industrial scale from English-speaking countries all over the world.
“Ibpap has consistently been at the forefront of industry efforts to protect the integrity of data being processed here in the country,” Ibpap President and CEO Rey Untal said, citing that the group has been actively involved in the legislative process for Republic Act (RA) 10173, or the Data Privacy Act; RA 10175, or the Cybercrime Prevention Act; and the Department of Information and Communications Technology law.
Untal added the Ibpap is now active in the implementation of said laws “by ensuring a high level of awareness and compliance among industry players.”
Untal said Ibpap members believe that the effective implementation of the Data Privacy Act will boost the competitiveness of the Philippines as a location for IT-BPM work “while helping sustain and enhance investors’ confidence in the country’s capability to protect the integrity of data, specifically personal information and sensitive personal information that are being processed here.”
THE IT-BPM industry is one of the data-privacy stakeholders that helped craft and pushed for the passage of the Data Privacy Act in August 2012.
“The signing into law of RA 10173 increased investors’ and clients’ confidence in the country’s IT-BPM industry,” Ibpap said.
Untal noted the importance of particular provisions in the law “stipulating the protection of personal information and sensitive personal information being transmitted to and processed in the Philippines.”
“This is significantly influenced by Directive 95/46/EC of the European Union and the Asia Pacific Economic Cooperation Information Privacy Framework [Apec-PF], thereby ensuring its consistency with global standards, the Act accomplishes both state policies of protecting data privacy and ensuring the free flow of information,” Untal added.
Directive 95/46/EC, a policy adopted in October 1995 by the European Union, regulates the processing of personal data within the EU. The directive takes into account about 74 considerations and principles including the cross-border flows of personal data that the EU believes “are necessary to the expansion of international trade.”
On the other hand, the Apec-PF was endorsed by Apec Ministers in 2004. The Apec said the group did so because it recognizes that cooperation to balance and promote effective information-privacy protection, and the free flow of information in the Asia-Pacific region is key to improving consumer confidence and ensuring the growth of electronic commerce.
The Apec-PF on information-privacy protection “was developed in recognition of the importance of developing appropriate privacy protections for personal information, particularly from the harmful consequences of unwanted intrusions and the misuse of personal information.”
ACCORDING to Ibpap, the Data Privacy Act is one of the toughest data-privacy legislations in the region in terms of sanctions imposed on offenders, since it criminalizes noncompliance, with fines and prison sentences being imposed even for first-time offenders.
Noncompliance with the Act can result in serious ramifications, since it offers no second chances and breaches of the Act are automatic offences, the Ibpap explains. Depending on the nature of the breach, controllers may be penalized by imprisonment for between three and six years and fines of between P500,000 and P4 million for individual breaches.
However, Ibpap noted there is also some ambiguity in the way Section 4 (f) of the Act, which talks about foreign laws and regulations that already apply to personal data collected from foreign jurisdictions, is interpreted in Section 5 (g) of the “Implementing Guidelines.”
In accordance with Section 5 (g) of the implementing rules and regulations (IRR) of RA 10173, particularly in light of Section 4 (f) of the Data Privacy Act, it needs to be clarified if business-processing companies that are processing data from foreign jurisdictions are exempt from the requirements of RA 10173, provided that such processing is done in accordance with foreign privacy laws.
To note, Section 5 (g) of RA 10173 defines “personal information originally collected from residents of foreign jurisdiction, including any applicable data-privacy laws, which is being processed in the Philippines.
“The burden of proving the law of the foreign jurisdiction falls on the person or body seeking exemption,” the section said. “In the absence of proof, the applicable law shall be presumed to be the Act and these [IRR].”
ACCORDING to Untal, Ibpap has been taking steps to meet the Data Privacy Act’s compliance requirements since the start of the year.
“We’ve conducted thorough reviews of the RR [registration requirements] that, among other things, necessitated the appointment of a data-protection officer [DPO], the registration of a data-processing system, as well as other organizational, physical and technical requirements,” Untal said. “ We’ve also worked closely with the National Privacy Commission [NPC] and participated in their public consultation concerning the Registration Requirements. And based on the IRR, we prepared illustrative baseline drafts of compliance documentation for guidance of members.”
He clarified that Ibpap members are also free to consult their own counsel in drafting their own documentation.
The NPC is a regulatory and quasi-judicial agency constituted in March 2016 by virtue of RA 10173. The agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.
ACCORDING to Raymund E. Liboro, head of the NPC, companies were able to register their respective DPOs before the September 9 deadline set by the Data Privacy Act.
The NPC has warned in September that companies that failed to beat the deadline for the registration of their data-processing systems starting with the registration of their DPO could face compliance checks.
In case the NPC finds an organization wanting, Liboro said the privacy-compliance check could lead to the issuance of a compliance order, which enforces specific actions to be performed by the company within a time period. In case the organization did not follow through satisfactorily, it will trigger a formal investigation that could possibly result in prosecution, Liboro was quoted in a statement as saying. He, however, admitted the country is “still taking baby steps” in the implementation of the Data Privacy Act.
“Fully grasping its mechanisms would take a little time and will not happen overnight,” he said. “What is important is that our citizens, especially the media, are engaged and that the government remains steadfast in viewing privacy and transparency as important values to every Filipino.”
Image credits: Nonie Reyes