Data Privacy Law Updates – March 2023

March 27, 2023

Data Privacy Law Updates
  1. NPC launches user-friendly Data Breach Notification Management System, an online system for faster and easier data breach notification management and reporting

    On April 20, 2022, the National Privacy Commission (NPC) held its virtual launching of the Data Breach Notification Management System (DBNMS), a user-friendly interface that facilitates easy tracking and faster submission of Personal Data Breach Notifications and Annual Security Incident Reports.

    The DBNMS is a standardized and automated system, making it easier for personal information controllers (PICs) to submit Personal Data Breach Notifications as required by NPC Circular No. 16-03 and Annual Security Incident Reports. The DBNMS addresses the limitations of manual submission and processing, as well as increases public transparency by allowing PICs to access pertinent and real-time information on their data breach notification.

    A PIC, including those with multiple branches or offices, can only have one account in the DBNMS. If the PIC has other related companies or entities, each company or entity must register in the system under separate accounts. The company or entity is responsible for maintaining and submitting its reporting requirements to the NPC.

    With the launch of the DBNMS, the NPC will no longer accept Breach Notification and Annual Security Incident Report (ASIR) submissions except through the DBNMS online platform. Thus, submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission shall not be considered valid.

    For 2022 ASIRs, the DBNMS shall accept submissions from 1 January 2023 to 31 March 2023.

  2. NPC Circular No. 2022-02: “Amending Certain Provisions of NPC Circular No. 20-01 on the Guidelines on the Processing of Personal Data for Loan-Related Transactions”

    Date issued: 01 December 2022 (Effective 15 days after its publication in the Official Gazette or newspaper of general circulation)

    Under NPC Circular No. 2022-02, the following are the additional duties of lending companies (“LCs”) and financing companies (“FCs”):

    1. LCs, FCs, and other persons acting as such shall obtain consent for the processing of personal data at the point where the personal data is necessary;
    2. Just-in-time notices, which give data subjects information on how a particular piece of information he or she is asked to provide will be processed, shall be provided before obtaining consent of the data subjects;
    3. The most appropriate format in providing the details of processing to borrowers should be aligned with the business processes of the LCs, FCs, or other persons acting as such and have utmost consideration to the accessibility of the information and convenience of borrowers.

    LCs, FCs, and other persons acting as such that use online applications used for loan processing activities shall be prohibited from conducting unnecessary processing, including requiring unnecessary permissions that involve personal and sensitive personal information.

    Further, a borrower may be required to provide character references to verify the identity and veracity of the information provided by the borrower for the grant of a loan. It shall be the responsibility of the borrower to inform his/her character references that he/she was included as such in the loan application. On the part of the LCs, FCs, and other persons acting as such, contacting the character references for purposes other than for verification of identity and veracity of information is prohibited.

    The borrower may also provide for a guarantor of his/her loan obligation. The guarantor’s separate consent must be obtained by the LC, FC or other persons acting as such, in accordance with the applicable provisions of the Data Privacy Act.

    With respect to contact lists of borrowers, the unbridled processing of contact lists, in whatever form, is prohibited; however, the processing of contact lists for purposes of identifying and contacting the character references or guarantors provided by the borrowers themselves is allowed.

  3. NPC Circular No. 2022-03: “Guidelines for Private Security Agencies on the Proper Handling of Customer and Visitor Information”

    Date issued: 05 December 2022 (Effective 15 days after its publication in the Official Gazette or newspaper of general circulation)

    NPC Circular No. 2022-03 provides for the guidelines that must be followed by all Personal Information Controllers (“PIC/s”), and Private Security Agency (“PSA”) and Security Guards acting as Personal Information Processors (“PIP/s”) in the processing of personal data of customers, visitors, and other data subjects as part of their security services.

    Under the Circular, PICs engaging the services of PSAs shall have the following obligations:

    1. Develop a privacy notice in clear and plain language which shall explain to all customers, visitors, and other data subjects the purposes of collecting personal data, security measures implemented to safeguard their personal data, retention period of personal data, data subjects’ rights, and the fact that the personal data shall be turned over to the corresponding PIC who engaged the PSA/security guard.
    2. Observe proportionality in all personal data processing activities;
    3. Use contractual or other reasonable means to ensure that proper safeguards are in place to guarantee confidentiality, integrity, availability of personal data processed, and to prevent its use for unauthorized purposes; and
    4. Ensure that reasonable and appropriate safeguards are in place for the processing of personal data by PSAs and security guards.

    PSAs acting as PICs shall register with the NPC in accordance with the applicable rules on the Registration of Data Processing Systems and Notifications regarding Automated Decision-making. They shall also provide training on the data privacy laws to all their security guards prior to deployment and ensure that these security guards comply with the requirements of the DPA.


  4. NPC Circular No. 2022-04: “Registration of Personal Data Processing System, Notification Regarding Automated Decision-Making or Profiling, Designation of Data Protection Officer, and the National Privacy Commission Seal Of Registration”

    Date of Effectivity: 11 January 2023

    Under NPC Circular No. 2022-04, the list of entities required to register their Data Processing Systems (DPS) with the NPC was amended to include Personal Information Controllers (PICs) and Personal Information Processors (PIPs) who:

    1. Employ two hundred fifty (250) or more persons;
    2. Process sensitive personal information of one thousand (1000) or more individuals;
    3. Process data that will likely pose a risk to the rights and freedoms of the data subjects;
    4. Are Individual Professionals, as defined under the Circular; or
    5. Are government agencies.

    Entities not included in the enumeration above may voluntarily register their DPS with the NPC.

    On February 3, 2023, the NPC released a new official registration platform pursuant to the Circular, where PICs and PIPs register their Data Protection Officer (DPO) and DPS.

    The following steps shall be followed in the registration of DPO and DPS:

    1. PIC/PIP shall create an account in NPC’s official registration platform;
    2. In the application form, PIC/PIP shall input basic information, such as the name and contact details of the DPO, email address of the DPO, and contact details of the Head of the Organization/Agency;
    3. Upload the application form together with supporting documents (for a comprehensive list of documentary requirements, please contact us);
    4. The details of all the DPS operated by the PIC or PIP shall be encoded into the platform;
    5. Input and register all publicly facing online mobile or web-based applications;
    6. Review and validation by the NPC;
    7. In case of deficiency, the PIC/PIP will be given five (5) days to submit the necessary requirements; and
    8. Once the submission is validated, release of the Certificate of Registration (COR) and Seal of Registration for download.

    The COR and Seal of Registration shall be valid for one (1) year from the date of their issuance.

    With the launch of the National Privacy Commission Registration System (“NPCRS”) and the effectivity of NPC Circular No. 2022-04 on 11 January 2023, the Commission will no longer accept new registration, amendments, and renewal of registration except through the NPCRS portal.

    Personal Information Controllers (PICs), Personal Information Processors (PIPs), and Individual Professionals processing personal data who are covered by mandatory registration (Sec. 5 NPC Cir. 22-04) have 180 days or until 10 July 2023 to comply.

    All Certificates of Registration with effectivity dates until the 8th of March 2023 are EXTENDED to 10 July 2023.

    PICs, PIPs, and Individual Professionals holding OLD Certificates of Registration bearing a different effectivity date shall be considered not-registered.


NATIONAL PRIVACY COMMISSION ADVISORIES

  1. NPC Privacy Policy Office Advisory Opinion No. 2022-017: “Re: Disclosure of Personal Information for Cybersecurity Investigations”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/09/Advisory-Opinion-No.-2022-017-for-publication_Redacted.pdf)
    Date issued: 20 September 2022

    The establishment of legal claims requiring the processing of sensitive personal information is permitted under Section 13(f) of the Data Privacy Act (DPA). The term establishment may include activities to obtain evidence by lawful means for prospective court proceedings. As such, the DPA does not require the establishment of actual or ongoing court proceedings.

  2. NPC Privacy Policy Office Advisory Opinion No. 2022-018: “Re: Data Subject Rights in the Philippine Identification System”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/09/Advisory-Opinion-No.-2022-018-for-publication-redacted.pdf)
    Date issued: 20 September 2022

    The DPA sets the limits of personal data processing, including the lawful bases of processing and the rights of the data subjects. Data subject’s rights include, among others, the right to object or withdraw consent and the right to erasure or blocking.

    When it is the law and not consent that is the basis for processing, as in the Philippine Identification System (PhilSys), the data subject’s right to withdraw consent does not apply. There is no consent to speak of, since registration is a legal obligation imposed on every citizen or resident alien.

    Republic Act 11055, the law governing PhilSys, does not provide grounds for deletion or erasure of the registered person’s personal data. Instead, it provides grounds for deactivation. Thus, in the absence of express provisions in the law allowing for deletion in the system, the right to erasure, or to demand absolute deletion from the PhilSys, is not applicable to registered persons in the PhilSys.

  3. NPC Privacy Policy Office Advisory Opinion No. 2022-019: “Re: Use of Body-worn Camera by Security Personnel”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/10/Advisory-Opinion-No.-2022-019_Redacted.pdf)
    Date issued: 21 September 2022

    The images of identifiable individuals captured in a photograph or audiovisual recording are considered personal information about the individual. Thus, their processing should comply with the provisions of the DPA.

    The Corporation must assess whether the use of Body-Worn Cameras within its premises will pass the three-part test of legitimate interest, namely the purpose test, necessity test, and balancing test, and it must adhere to the general data privacy principles of transparency, legitimate purpose and proportionality.

  4. NPC Privacy Policy Office Advisory Opinion No. 2022-020: “Re: Civil Registry Request By a Person Other Than The Owner”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/10/Advisory-Opinion-No.-2022-020_Redacted.pdf)
    Date issued: 21 September 2022

    The grant by the Philippine Statistics Authority (PSA) of access to personal data does not necessarily mean that the entire form or record requested will be disclosed. An issuance from the PSA either confirming or denying the marriage or death of the person subject of the record requested may be sufficient and aligned with the data privacy principle of proportionality.

  5. NPC Privacy Policy Office Advisory Opinion No. 2022-021: “Re: Publication of Information of List of Wholesale Electricity Spot Market (WESM) Members And Retail Customer Information Under Retail Competition and Open Access (RCOA) And Green Energy Option Program (GEOP).”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/10/Advisory-Opinion-No.-2022-021_Redacted.pdf)
  6. NPC Privacy Policy Office Advisory Opinion No. 2022-022: “Re: Disclosure of Covid-19 Swab Test Results In Group Chat”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/10/Advisory-Opinion-No.-2022-022-DCHD-for-publication.pdf)
    Date issued: 19 October 2022

    The disclosure of personal data in cases of contact tracing “shall be limited to public health authorities, such as the DOH and its authorized partner agencies, LGUs, or other lawfully authorized entities, officers, or personnel, and must only be for the purpose of responding to the public health emergency.” Thus, the NPC does not suggest posting in a group chat the names of employees who are COVID-19 positive.

    Consent is not the appropriate basis for disclosure of COVID-19 swab test results. Instead, the appropriate lawful basis for processing relative to contact tracing purposes is provided and limited by law and regulation, that is, DOH Department Memorandum No. 2020-0189.

  7. NPC Privacy Policy Office Advisory Opinion No. 2022-023: “Re: Disclosure of Students’ Personal Data for Case Build-Up Purposes”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/12/Advisory-Opinion-No.-2022-023_Redacted.pdf)
    Date issued: 11 November 2022

    The University should evaluate whether the personal data requested is relevant and not excessive in relation to the purpose. While the law may allow processing when there is a lawful basis for it, the processing of personal data remains subject to the proportionality principle, which requires that the processing be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

  8. NPC Privacy Policy Office Advisory Opinion No. 2022-024: “Re: Free Flow of Data”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/11/Advisory-Opinion-No.-2022-024-sgd_Redacted.pdf)
    Date issued: 21 November 2022

    The DPA concerns itself with the free flow of data but limited to the specific context of personal data processing only. The law has the twin task of protecting the right to privacy while ensuring the free flow of information.

    This means recognizing the fundamental right of individuals to the protection of the privacy of their personal data, and at the same time, recognizing interests of the government and the private sector in the processing of personal data which is vital in the implementation of constitutional and statutory mandates and in lawful business operations, respectively.

  9. NPC Privacy Policy Office Advisory Opinion No. 2022-025: “Re: 201 Files of Government Employees”
    (https://www.privacy.gov.ph/wp-content/uploads/2022/11/Advisory-Opinion-No.-2022-025_Redacted.pdf)
    Date issued: 22 November 2022

    Under the law, companies are obligated to respond and grant reasonable access to subject requests. Should the request be ignored or denied, a complaint with the NPC may be initiated following the procedure laid down in NPC Circular No. 2016-04, as one of NPC’s functions is to enforce and effectively implement the provisions of the DPA, including those pertaining to the rights of data subjects.

  10. NPC Privacy Policy Office Advisory Opinion No. 2022-026: “Disclosure of Personal Data Through The Database of Individuals Barred from Taking Civil Service Examinations and From Entering Government Service (DIBAR)”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/01/Advisory-Opinion-No.-2022-026_Redacted.pdf)
    Date issued: 23 November 2022

    The NPC recognizes that in order to uphold the principle of merit and fitness in the government service, the CSC has to establish a system for the selection and retention of those who are found to be qualified and the exclusion of those who have been adjudged unfit to hold government office due to having been dismissed for cause from the government service. Hence, it is within the CSC’s mandate to develop and utilize the DIBAR for the purpose of identity verification of dismissed officials/employees for the use of all government agencies, and the same is treated as a special case under Section 5 (d) of the IRR of the DPA.

    The NPC nonetheless underscores that as a PIC, the CSC is still required under the DPA to implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data within its custody.

  11. NPC Privacy Policy Office Advisory Opinion No. 2022-027: “Obtaining a Copy of a Child’s Birth Certificate by a Putative Parent”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/Advisory-Opinion-No.-2022-027.pdf)
    Date issued: 15 December 2022

    A request for Birth Certificate by a putative parent for purposes of succession planning and to preclude preterition or omission of compulsory heirs was denied by the Philippine Statistics Authority (PSA) on the ground that under PSA MC No. 2019-15, there must be a pending case and a duly issued subpoena before the release of the civil registry document.

    The NPC advised that the putative parent is not precluded from obtaining a copy of the birth certificate of his child despite the absence of his name in the birth certificate indicating him as the father. Sec. 13(f) of the DPA provides that processing of personal information is permitted if it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority.

    Here, the request falls under Sec. 13(f) of the DPA since the processing or disclosure of the birth certificate is needed by the putative father for the establishment of his legal claims in relation to succession planning.

  12. NPC Privacy Policy Office Advisory Opinion No. 2022-028: “Request for Copies of Tax Declaration, Certificate of Title, and Tax Clearance of Real Properties”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/Advisory-Opinion-No.-2022-028.pdf)
    Date issued: 29 December 2022

    The disclosure of Land Documents is considered processing of personal information, and therefore must comply with the requirements under the DPA. The Land Documents contain various personal and sensitive personal information of the individual owner or administrator, such as name, address, and taxpayer identification number (TIN).

    However, in the present inquiry, the request to the Assessor for copies of Land Documents is necessary for legal action. As such, the request qualifies as processing or disclosure for the establishment of a legal claim under Section 13 (f) of the DPA.

  13. NPC Privacy Policy Office Advisory Opinion No. 2023-001: “Disclosure of Condominium Unit Owners’ Personal Data and Related Documents”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/Advisory-Opinion-No.-2023-001.pdf)
    Date issued: 17 January 2023

    Documents such as CCTs, purchase agreements and tracebacks of CCTs, by themselves, are not automatically considered personal data. However, such documents may contain personal data such as name, address, marital status, and citizenship, among others. If the registered owner/s are natural persons, then the processing of those documents falls within the scope of the DPA. CCT numbers, although distinct and unique, do not identify the registered owner of the property or any specific individual for that matter. Instead, the CCT number is issued to identify the property, not the individual. Hence, CCT numbers by themselves are not considered personal information. CCT numbers can only be regarded as personal information if the actual certificate of title, in its entirety, is considered. This is the only time that a CCT number can be correlated with the name of the registered owner, a natural person, and therefore indirectly identify such person.

    The lawful processing of personal information shall have basis under Section 12 (f) of the DPA, which is when the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed.

    The disclosure of the requested documents and CCT numbers are necessary in order for TICC to establish its legal claims for unpaid dues and other assessments against the unit owners concerned. Documents such as Deeds of Sale and Reservation Agreements may contain information which may not be relevant to TICC’s claims. The principle of proportionality necessitates that only the information requested and necessary for the purpose indicated should be processed. With this, NPI may opt to conceal or redact such information that are not relevant to TICC’s claims upon the documents’ disclosure to TICC.

    TICC should only disclose such personal data as will help in the achievement of its responsibility as condominium corporation to collect the dues and assessments from the delinquent owners. Further, TICC should consider less intrusive means of identifying and/or notifying the unit owners. Publication/posting of unit numbers in public spaces within the condominium may be too intrusive for the declared purpose and is no guarantee that such posting/publication will lead TICC to the unit owner. The posting/publication must only be considered as a last resort if there is absolutely no way for TICC to get hold of the requested information and documents. In such instance, the processing of personal information must still adhere to the proportionality principle, wherein TICC must only disclose such personal information as is adequate and necessary for the declared purpose, which is the collection of unpaid dues.

  14. NPC Privacy Policy Office Advisory Opinion No. 2023-002: “Disclosure of Tax Declarations of Real Properties and Other Related Documents”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/Advisory-Opinion-No.-2023-001.pdf)
    Date issued: 18 January 2023

    A government agency may process personal data pursuant to its statutory mandate, even without the consent of the data subject, in the exercise of its regulatory function. Hence, in this case, the requested documents may be released to DOST subject to the principles of proportionality or processing only such personal data necessary for the stated purpose, and the concomitant responsibility of the implementation of the appropriate and reasonable physical, organizational, and technical security measures to protect data.

  15. NPC Privacy Policy Office Advisory Opinion No. 2023-003: “Disclosure of Property Information through the Land Registration Authority’s Geo-Spatial Query Service”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/01/Advisory-Opinion-No.-2023-003.pdf)
    Date issued: 18 January 2023

    The Geo-Spatial Query Service (GQS) is a service offered by the Land Registration Authority (LRA) primarily to other government agencies. The GQS provides information on titled properties, particularly when the requesting entity does not know the title number of the property but has an identified point-of-interest and/or alignment of interest where properties to be mapped are generally located. Can the LRA legally provide the above information to a requesting entity, especially to the private sector?

    If the property involved is registered to a natural person and the requesting entity is the government, then the disclosure of personal information (i.e., the name of the individual registered owner) may be allowed under Section 12 (c) [compliance with a legal obligation] and 12 (e) [fulfill functions of public authority] of the DPA.

    If the requesting entity is from the private sector, Section 12 (c) may also be used.

    Key note: Elements that should exist for valid processing based on a legal obligation:

    1. if the legal obligation the PIC cites as lawful criteria exists and applies to the PIC;
    2. if the processing that the PIC performs is necessary to comply with the legal obligation; and,
    3. if all the conditions imposed by the legal obligation for the processing of the personal information have been complied with.

  16. NPC Privacy Policy Office Advisory Opinion No. 2023-004: “Disclosure of Subscribers’ Data pursuant to Revenue Regulation No. 09-2022”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/Advisory-Opinion-No.-2023-004.pdf)
    Date issued: 02 February 2023

    The BIR issued RR 09-2022 to implement the Electronic Invoicing/Receipting and Sales Reporting System (EIS). Under the EIS, the BIR will store and process the sales data of covered taxpayers using BIR’s Sales Data Transmission System and issue the corresponding sales documents through its web-based issuance facility. Pursuant to this, the BIR requested the disclosure of the registered addresses and email addresses of Globe Telecom’s subscribers covered by RR 09-2022.

    Under Section 12 (c) of the DPA, there is lawful processing of personal information when it is necessary for “compliance with a legal obligation to which the personal information controller is subject.” It appears that the BIR’s request for information, including the registered address and email address of Globe’s buyers/subscribers, is necessary to comply with the requirements of RR 09-2022 and, ultimately, the TRAIN Law.

  17. NPC Privacy Policy Office Advisory Opinion No. 2023-009: “Data Sharing Agreement with a Specialized Agency of the United Nations”
    (https://www.privacy.gov.ph/wp-content/uploads/2023/03/Advisory-Opinion-No.-2023-009.pdf)
    Date issued: 27 February 2023

    The NPC previously issued NPC Circular No. 2016-02 which makes it mandatory for government agencies to execute a Data Sharing Agreement when sharing personal data to a third party. This was superseded by NPC Circular No. 2020-03, which provides:

    SECTION 8. Data sharing agreement; key considerations. — Data sharing may be covered by a data sharing agreement (DSA) or a similar document containing the terms and conditions of the sharing arrangement…

    Thus, the execution of a DSA is no longer mandatory but is considered as a best practice and a demonstration of accountability by the PIC in relation to data sharing.


JURISPRUDENCE

  1. G.R. No. 213860: The Philippine Stock Exchange, Inc., et al. v. The Secretary of Finance, et al.
    (https://sc.judiciary.gov.ph/33170/)
    Date issued: 05 July 2022

    The Department of Finance (DOF) issued Revenue Regulation (RR) No. 1-2014, stating that “withholding agents are now required to submit a digital copy of the alphalist of their employees and payees.” The Commissioner of Internal Revenue (CIR) subsequently released Revenue Memorandum Circular (RMC) No. 5-2014 clarifying the provisions of RR 1-2014 on the submission of the alphalist of employees/payees of income payments. It requires submission of the tax identification number (TIN) and the complete name of the payees, together with the corresponding amount of income and withholding tax. The Securities and Exchange Commission (SEC) then issued SEC Memorandum Circular (MC) No. 10-2014, directing the Philippine Depository and Trust Corporation (PDTC) and broker dealers to provide the listed companies or their transfer agents an alphalist of all depository account holders and the total shareholdings in each of the accounts and sub-accounts. Under this, the broker dealer alphalist shall provide the following information:

    1. Name of client/payee
    2. TIN
    3. Address of Payee
    4. Status (Residence/Nationality)
    5. Total Shareholding
    6. Birth date

    The Philippine Stock Exchange (PSE), et al. assailed the pertinent regulations, stating that these policies are violative of the Data Privacy Act (DPA). They insist that by requiring broker dealers to divulge personal information of their clients such as TIN, birthdate, and address, the questioned regulations would expose them to criminal penalties under the DPA.

    The Supreme Court found that the regulations violated the DPA, namely Sections 4 (Scope) and 13 (Sensitive Personal Information and Privileged Information). The collection of information pursuant to the questioned regulations is not necessary for the BIR to carry out its functions. The Secretary of Finance (SOF), et al. failed to show the aspects or operations under the prior rule that would be improved by the collection of the information. Thus, the requirement of necessity under the provision is not met.

    Furthermore, the information, particularly the TINs of the investors, sought to be collected and provided to the listed companies and eventually the BIR, are without a doubt sensitive personal information. The questioned regulations failed to include guarantees to protect the sensitive information to be collected.

  2. NPC 19-142: MLF v. MyTaxi.PH Corporation (Grab Philippines)
    (https://www.privacy.gov.ph/wp-content/uploads/2023/02/NPC-19-142-MLF-v.-Grab-Philippines-2022.03.31.-Decision.pdf)
    Date issued: 31 March 2022

    MLF filed a complaint against Grab Philippines (Grab) stating that when he booked a ride from the Grab app, the driver messaged him through the in-app chat asking him to cancel the ride. When MLF refused, the driver responded “tang inamo.” MLF escalated the matter to Grab, stating that this was a privacy violation under Section 28 of the DPA. He also complained of another instance where a Grab driver asked him to cancel the trip and when MLF refused, the driver refused to cancel the trip and “held MLF hostage from using the service.” MLF argues that Grab, as the Personal Information Controller (PIC), is responsible that his data is used only for authorized purposes. According to MLF, he consented to Grab using his data for the purpose of transacting a ride, not for the purpose of having a chat, call or SMS text with the assigned drivers outside of transacting a ride.

    The NPC found that the complaint should be dismissed as there is no violation of the DPA. The foul statement made by the Grab driver, no matter how offensive, does not constitute a violation of the DPA. Grab had a legitimate purpose in processing MLF’s data, which is to allow the communication between the driver and the passenger to facilitate the transaction of a Grab ride. This purpose was adequately communicated to MLF through Grab’s Privacy Policy and Terms of Use for Philippines GrabCar Passengers. It is clearly enumerated in his contract with Grab that aside from providing services to MLF, Grab may share his personal data to other users to enable the communication between them, for any reason whatsoever. In sum, Grab, as the PIC, did not process MLF’s personal information for a different purpose that is neither covered by the authority given by him nor otherwise authorized by the DPA or existing laws. The processing of MLF’s information remains in accordance with Grab’s legitimate purpose of enabling communications between the driver and the passenger to facilitate the transaction of a Grab ride. Hence, Grab did not violate Section 28 of the DPA.

  3. NPC 21-167: MAF v. Shopee Philippines, Inc.
    (https://www.privacy.gov.ph/wp-content/uploads/2023/01/NPC-21-167-2022.09.22-MAF-v.-Shopee-Decision-Final.pdf)

    Date issued: 22 September 2022

    MAF filed a complaint against Shopee Philippines, Inc. (Shopee) for violation of Sections 28 (Processing for an Unauthorized Purpose) and 32 (Unauthorized Disclosure) of the Data Privacy Act (DPA). MAF alleged that her minor child’s picture was used as proof of delivery, that the courier service took the child’s picture without the consent of either MAF or the child, and that neither was told of the purpose of the same. The child’s photo was then forwarded to the seller. She had requested that Shopee remove the child’s photo from the system, but Shopee refused.

    The NPC found that Shopee did not violate Sections 28 and 32 of the DPA but it did violate the general privacy principle of proportionality. Shopee processed personal information according to a lawful criterion under Section 12 of the DPA. Section 12 of the DPA allows for the processing of personal information when it is necessary for the purposes of the legitimate interests pursued by Shopee, the PIC. Shopee had legitimate interest in processing the photo as proof of delivery. It is necessary for Shopee to secure proof by taking a photo that proves that a package had been delivered to the buyer.

    Unauthorized Disclosure under Section 32 requires that personal information or sensitive personal information is disclosed to a third party without any of the lawful criteria under Sections 12 and 13, as applicable. The seller is not considered a third party to the online shopping transaction. Shopee “acts as an intermediary that brings together the Seller and the Buyer.” The parties to the sale remain the buyer and the seller. Thus, the supposed disclosure of Shopee to the seller of the photo as proof of delivery cannot be considered as Unauthorized Disclosure under Section 32 of the DPA.

    Shopee violated the proportionality principle when the PIP’s rider took the photo as proof of delivery. The general privacy principle of proportionality requires that the processing be adequate, relevant, suitable, and necessary, and not excessive in relation to the declared and specified purpose. Shopee’s act of taking the son’s photo as proof of delivery is disproportional to the declared and specified purpose. The act of taking the son’s photo is not necessary to the declared and specified purpose, and the means used is not the least intrusive means available. Shopee could have fulfilled the declared and specified purpose of securing proof of delivery with less intrusive means, such as by taking a picture of an arm with the package.

    Key note: Processing based on legitimate interest requires the fulfillment of the following conditions: (1) the legitimate interest is established; (2) the processing is necessary to fulfill the legitimate interest that is established; and (3) the interest is legitimate or lawful and it does not override fundamental rights and freedoms of data subjects.

    Processing is deemed proportional when (1) processing is adequate, relevant, and necessary to the declared and specified purpose; and (2) the means by which processing is performed is the least intrusive means available.

  4. NPC SS 22-001 and NPC SS 22-008: In Re: Commission on Elections, Smartmatic Group of Companies, RVA, WS, and Other John Does and Jane Does
    Initiated as a sua sponte NPC Investigation on Possible Data Privacy Violations Committed in Relation to the Alleged Hack and Breach of the Commission on Elections System or Servers
    (https://www.privacy.gov.ph/wp-content/uploads/2023/01/NPC-SS-22-001-and-NPC-SS-22-008-2022.09.22-In-re-Commission-on-Elections-Decision-Final.pdf)

    Date issued: 22 September 2022

    The Complaints and Investigation Division (CID) of the NPC filed a case against COMELEC, the Smartmatic Group of Companies (Smartmatic), RVA, Winston Steward (Steward) and other John Does and Jane Does for violation of Sections 29 (Unauthorized Access or Intentional Breach) and 30 (Concealment of Security Breaches involving Sensitive Personal Information) of the DPA. It asserted that RVA, Steward, and several John Does and Jane Does (RVA, et al.) are liable for Section 29 of the DPA. RVA, an employee at Smartmatic from August 2021 to January 2022, allegedly granted Steward access to Smartmatic’s servers while he was at the COMELEC office. RVA did this by allowing Steward to use his computer through AnyDesk.

    The CID stated that it was through RVA’s actions that Steward and other unknown individuals “were able to breach and consequently access the overseas [absentee] voters list and site survey forms.” COMELEC and Smartmatic should be recommended for prosecution for Concealing the Security Breach involving Sensitive Personal Information.

    The NPC found that RVA, Steward, and other John Does and Jane Does are liable for violating Section 29 of the DPA while COMELEC and Smartmatic are not liable for a violation of Section 30.

    It is not disputed that Smartmatic’s data system stores personal or sensitive personal information. The data system of Smartmatic stores personal data of voters by reason of the election results transmission solutions, management, and services contract (ERTSMS Contract) that it entered into with COMELEC in connection with the 2016, 2019, and 2022 elections. RVA admitted that he gave unauthorized access to Steward and other unknown individuals through the use of the AnyDesk app. RVA, WS, and other unknown individuals knowingly and unlawfully broke into or breached Smartmatic’s servers in a manner that violated the confidentiality and security of its data systems.

    There is no obligation on the part of COMELEC, the Personal Information Controller (PIC), and Smartmatic, the Personal Information Processor (PIP), to report the breach to the Commission because the first and third requisites for mandatory breach notification are not present. The breach does not involve sensitive personal information or information that may be used to enable identity fraud. Furthermore, given that the alleged breach happened in 2022, the personal information taken from the breach may be inaccurate and outdated. Taken together with the fact that the personal information involved is neither sensitive personal information nor information that enables identity fraud, the unauthorized acquisition of personal information in the site survey forms is unlikely to give rise to a real risk of serious harm to the affected data subjects.

    Key note: Unauthorized Access or Intentional Breach is committed when the following requisites concur:

    1. The data system stores personal or sensitive personal information;
    2. The accused breaks into the system; and
    3. The accused knowingly and unlawfully broke into the system in a manner which violates data confidentiality and security of the same.

    The requisites of Concealment of Security Breaches Involving Sensitive Personal Information are:

    1. A personal data breach occurred;
    2. The breach is one that requires notification to the NPC; and,
    3. The person knowingly conceals the facts of such breach from the NPC.
Gorriceta – ALL RIGHTS RESERVED