By: Atty. Edsel F. Tupaz & Atty. Gabriel G. Tabeta
May 16, 2025
Summary
The Philippines National Privacy Commission’s Advisory on Child-Oriented Transparency addresses the vulnerabilities of children in digital environments, emphasizing the importance of transparency in data processing. It mandates age-appropriate privacy notices and Child Privacy Impact Assessments for products or services likely accessed by children, ensuring their protection and rights as data subjects. The Advisory also prohibits deceptive design patterns and stresses the involvement of parents or guardians in data processing activities. Overall, it aims to safeguard children’s data privacy while acknowledging their evolving capacities and the benefits of digitalization.
The Joint Advisory outlines guidelines for adopting Privacy Enhancing Technologies in the Philippine insurance industry.
The Philippine National Privacy Commission (NPC) and the Insurance Commission (IC), pursuant to their respective mandates to ensure compliance with data protection laws and to regulate and supervise insurance, pre-need, and health maintenance organization industries, released a Joint Advisory on Considerations on the Use of Privacy Enhancing Technologies (PETs) in the Insurance Industry (the Joint Advisory) on March 11, 2025. The Joint Advisory is a result of the NPC and IC’s Memorandum of Agreement to collaborate on the development of joint guidelines on the use of PETs in the insurance industry. Prior to the Memorandum of Agreement, the NPC called for public input on use cases for PETs.
In this Insight article, Anthony Edsel F. Tupaz and Gabriel G. Tabeta, from Gorriceta Africa Cauton & Saavedra, delve into the Joint Advisory and implications of different types of PETs.
The Joint Advisory consists of guidelines for the adoption of PETs by IC- regulated companies, which include insurance providers, insurance and pre- need companies, health maintenance organizations, mutual benefit associations, their respective agents, brokers, adjusters, intermediaries, all other entities under the regulatory control and supervision of the IC, and their personal information processors (collectively referred to as Covered Entities).
The Joint Advisory discusses the concept of PETs, the different classes of PETs, and the regulatory compliance implications of adopting PETs. The Joint Advisory defines PETs as a collection of digital technologies, approaches, and tools that permit data processing and analysis while protecting the confidentiality, integrity, and availability of personal data. This definition is taken from the Organisation for Economic Co-operation and Development (OECD) report titled ‘Emerging Privacy-Enhancing Technologies: Current Regulatory and Policy Approaches’ (the OECD Report), which the Joint Advisory directly references.
Further borrowing from the OECD Report, the Joint Advisory adopts the OECD Report’s taxonomy of PETs, which divides PETs into four categories:
- data obfuscation tools;
- encrypted data processing tools;
- federated and distributed analytics; and
- data accountability tools.
Data obfuscation
Data obfuscation tools protect personal data by altering its content and form, allowing such data to be anonymized or pseudonymized to conceal the identity of data subjects when unnecessary for the purposes of processing. Examples of data obfuscation tools include anonymization and pseudonymization tools, synthetic data, differential privacy, and zero- knowledge proofs. Data obfuscation tools obscure unique identifiers in personal data through various means. Anonymization and pseudonymization tools remove identifiers from personal data to disallow the re-identification of data subjects. On the other hand, synthetic data is the use of artificially generated data, resembling ‘real’ personal data, generated from population models. Differential privacy protects personal data incorporated in large datasets from re-identification by making small changes to raw data to mask details of individual inputs. Zero-knowledge proofs obscure data by allowing data subjects to selectively disclose personal data to personal information controllers (PICs) or verify queries without revealing additional information.
Encrypted data
Encrypted data processing tools allow PICs to process encrypted data without decryption prior to processing, which is useful when decryption poses significant risks to the confidentiality or integrity of personal data. Examples of encrypted data processing tools include homomorphic encryption, multi- party computation, and trusted execution environments. Homomorphic encryption is a method of processing data wherein personal data is encrypted in a manner that allows computations to be performed on it to extract a result without decrypting the data. In one case, a technology company aimed to demonstrate use cases of homomorphic encryption in processing the financial information of one of Brazil’s largest banks. Multi- party computation is an encrypted data processing tool that secures personal data from attacks by allowing parties to jointly compute a function over the input data without disclosing the input data each party holds. This is especially promising for PICs and data subjects involved in multi-party personal data processing activities where a single malicious party may compromise the confidentiality of data.
Trusted execution environments (TEEs), on the other hand, are a class of hardware-based encrypted data processing tools that allow the processing of personal data on a computer processor in an environment that is separated and secure from the operating system. In another use case, a different technology company reported that it recently integrated TEEs in user devices in a feature that protects sensitive user data in the event the application processor is compromised.
Federated and distributed analytics
Federated and distributed analytics are data processing tools that analyze personal data without granting PICs visibility or access to the personal data being analyzed. Federated and distributed analytics tools provide the benefit of giving PICs summary statistics and results without disclosing identifiers found in personal data. This is done by either pre-processing data from the source by running local computations on user devices in a process called federated analytics, or by allowing software and statistical analysis programs to ‘travel’ to where data is stored to perform analytics without the transfer of data.
Data accountability
Unlike the former three classes of PETs, data accountability tools, while not intended to primarily protect the confidentiality of personal data, offer new mechanisms for PICs to enhance data subject control over their personal data. Examples of data accountability tools include accountable systems, threshold secret-sharing, and personal information management systems. Accountable systems are software systems that manage the use and sharing of personal data and track compliance by integrating personal data processing rules and policies into systems. Threshold secret-sharing is a data accountability tool that requires a predetermined number of keys to unlock encrypted data. Personal information management systems, on the other hand, provide data subjects direct control over their personal data incorporated in large datasets by giving them the ability to choose where and how they want their personal data to be processed.
The Joint Advisory emphasizes that ‘Covered Entities may adopt PETs to analyze data and develop insights from such data while upholding privacy and maintaining an appropriate level of security.’ Even though the Joint Advisory promotes the use of PETs, it is important to note that Covered Entities continue to be accountable for the processing of personal data, including that processed by third-party providers of PETs. Covered Entities are also advised to conduct Privacy Impact Assessments (PIAs) prior to the adoption of PETs and thereafter, as may be necessary. This is to ensure Covered Entities adopt the most suitable PET for their processing activities and assess risks that may result from personal data processing activities of PETs. In connection with this, the Joint Advisory advises Covered Entities to consider industry standards and best practices when adopting PETs. Technical compatibility, costs, and efficiency may be considered, among other factors, when assessing which PETs to adopt and what other PETs may be utilized with the PET to be adopted to further enhance privacy compliance and protect personal data.
The Joint Advisory is a significant issuance that integrates PETs into the Philippine privacy regulatory regime. By outlining a framework for the adoption of PETs, the Joint Advisory provides Covered Entities with basic tools and guidance needed to analyze data and develop insights from data while upholding privacy and maintaining an appropriate level of security. As Covered Entities explore the use of PETs, conducting PIAs and aligning with industry best practices will be essential to ensure that these technologies are applied thoughtfully and effectively. Ultimately, the Joint Advisory demonstrates the NPC’s initiative to collaborate with other industry regulators to strengthen measures to protect personal information.
Edsel F. Tupaz is a Senior Partner, Head of Data Privacy, Cybersecurity and AI Initiatives Practice Group & Head of Special Projects and Infrastructure Group. Edsel is a Dual-qualified under the Philippine and New York Bars, with over 20 years of expertise across data privacy & protection, technology, cybersecurity, AI, infrastructure, government procurement, corporate law, and banking and financial services. Master of Laws from Harvard Law School, holds economics and law degrees from Ateneo (both with honors), served as Managing Technical Editor of the Harvard Human Rights Journal, and listed under the Experts Directory for Philippine privacy law on OneTrust DataGuidance. Certified Information Privacy Professional – Europe (CIPP/E) and Certified Information Privacy Manager (CIPP) under IAPP. Challenger at the Alan Turing Institute’s Data Challenge – Policy Priorities and AI for Sustainable Development Goals (2023-2024). Awarded “Data Privacy & Protection Lawyer of the Year” at the 2023 Philippine Law Awards and is recognized among the Top 100 Lawyers in the Philippines by Asia Business Law Journal.
Gabriel G. Tabeta is a Junior Associate and currently a member of the Data Privacy, Cybersecurity & AI, Tax, and Technology Media & Telecommunications Departments of the Firm. Gabriel is involved in the various data privacy and AI initiatives of the Firm, working with foreign and domestic clients to ensure their projects and operations comply with the country’s data privacy regulations. Gabriel also assists in processing reportorial requirements for businesses looking to make their entry into the Philippine market.
This article was originally published on OneTrust Data Guidance. You may find the full article here: https://www.dataguidance.com/opinion/philippines-privacy-enhancing-technologies-and
