info@goldenblatt.co.uk
49 Russell Square, London, UK

Follow us:

ArticlesData Privacy Updates | October 2022

November 14, 20220
  1. NPC’s Statement on the SIM Card Registration Bill

    Date: October 10, 2022The National Privacy Commission (NPC) supports the intention of the SIM Card Registration Bill to prevent the proliferation of various and evolving electronic communication aided criminal activities.

    The NPC is fully aware that implementing a SIM card registration system will entail a massive collection of personal data. Hence, there is a strong need to develop a technology-neutral approach and to future-proof the proposed legislation to achieve its intended purpose, in a manner that respects the rights and freedoms of the data subjects.

    The NPC advocated to the House of Representatives and the Senate of the Philippines to consider the proportionality principle and data minimization mechanisms concerning the provisions on social media providers and authorized resellers. Mechanisms must be developed and implemented to prevent security risks and data breaches that may arise from overcollection and improper or inadequate monitoring practices.

    The NPC recommended that the burden to determine the SIM card buyer’s identity should not fall on retailers who may not have the necessary know-how or resources to properly verify the identity of data subjects and the authenticity of the identification cards that will be presented. Delegating it to these retailers may result in overcollection and improper or inadequate monitoring and security practices. This was adopted in Section 5 of the Bill.

    The NPC also discouraged the use of a centralized server or database as it carries greater risks if a security breach occurs. This recommendation was adopted in Section 6 of the Bill, which requires that the designated government agencies or public telecommunications entities (PTEs) maintain their own databases. The PTE must strictly use the database to process, activate, or deactivate a SIM or subscription, and not for any other purpose.

    In fulfillment of its duty to uphold the rights of data subjects, the NPC will closely coordinate with other agencies to develop the necessary guidelines to properly implement the Bill.

    Republic Act No. 11934, or the SIM Card Registration Act
    Date: October 10, 2022

    A SIM card registration form must ask subscribers to disclose their full name, date of birth, and address on top of providing a copy of a valid government-issued ID or other similar documents.

    Mobile phone subscribers with prepaid SIM cards have 180 days from the time the law takes effect to register and verify their phone numbers with their respective public telecommunications entities (PTE).

    Under the Sim Card Registration Act, every public telecommunication entity or direct seller shall be required to demand end users of SIM cards present a valid identification document to validate their identities.

    Among the information required from end users are:
    • Full name
    • Complete address
    • Date of birth
    • Sex
    • Cellphone number of the SIM card and serial number

    Some of the valid documents they can present are:
    • Driver’s License
    • Philippine National ID
    • SSS/GSIS Card
    • UMID Card
    • Passport
    • Senior Citizen’s Card
    • NBI Clearance
    • Police Clearance
    • Firearms License
    • Voter’s ID
    • TIN ID
    • PRC ID
    • IBP ID
    • OWWA ID
    • Government Office ID
    • PWD Card
    • School ID (for minors)

    The law requires public telecommunications entities (PTEs) to maintain a SIM Card Register of their subscribers, containing the required information. They must also submit a verified list of their authorized dealers and agents nationwide to the National Telecommunications Commission (NTC), with updates every quarter of the year.

    Juridical entities like companies and businesses must provide a copy of their certificate of registration and either a resolution adopting an authorized representatives or a special power of attorney.

    A minor’s SIM card registration will be named under the consenting parent or guardian.

    Tourists staying for less than a month must register with their passport and address while in the Philippines and their SIM registration form must contain their full name, passport number, and address.

    Foreign nationals in the country either to work or study should register their full name, passport number, and address in the provided form and present their passport, their address in the Philippines, Alien Certificate of Registration Identification Card or ACRI-Card from the Bureau of Immigration and an Alien Employment Permit from the Department of Labor and Employment, if applicable.

  2. National Privacy Commission issues an Order to Telcos to cooperate on investigation of smishing attacks
    Date: September 8, 2022The National Privacy Commission (NPC) orders telecommunication service providers, Globe Telecom Inc., Smart Communications Inc., and DITO Telecommunity, to submit a comprehensive audit report which shall include an examination of their respective distributor frameworks for their Subscriber Identity Modules (SIM cards) used in smishing messages that contain the names of recipients.“

    The Commission is proactively investigating the matter to identify the causes, and implement all possible solutions to mitigate, if not eliminate, the threats and risks brought by targeted smishing messages. This is an ongoing investigation that involves close coordination between telecommunication companies and government authorities such as the National Telecommunications Commission (NTC),“ said Privacy Commissioner John Henry D. Naga.

    “We will relentlessly protect the Filipino against any unscrupulous attempt to take advantage of our personal data. We urge the full cooperation of all stakeholders involved, including the Telcos, our partners in the government, and the public, to bring this matter to a full conclusion”, the Privacy Chief added.

    In addition, the Order directs telecommunication companies to report on all the mobile phone numbers involved in the smishing messages; the distributors and/or entities from where the involved numbers were distributed; the individuals and/or entities where the mobile phone numbers were disclosed by the Distributors; and other information that may aid the NPC in its ongoing investigation.

    The Telcos have been given a period of ten (10) days to comply. The Complaints and Investigation Division of the NPC will also evaluate the Telcos’ submissions and probe further.

    As part of its next steps, the NPC will convene a meeting with representatives from the Telcos, and government agencies which include, the NTC, the Cybercrime Investigation and Coordinating Center, the Philippine National Police, and the National Bureau of Investigation, on September 13, 2022.

  3. NPC Circular No. 2022-01: “Guidelines On Administrative Fines”
    Date of Effectivity: August 27, 2022The NPC demands the full cooperation and compliance of personal information controllers (PICs) and personal information processors (PIPs) in the implementation of the Circular.

    The NPC believes that the Circular is a significant step towards strengthened data privacy and protection in the Philippines as it will further invigorate organizational accountability among PICs and PIPs, which are expected to establish measures that will ensure and intensify their compliance with the Data Privacy Act of 2012 (DPA).

    The NPC urges PICs and PIPs to remain its active partners in administering and implementing the DPA and its related issuances. Ultimately, the NPC wants to instill into PICs and PIPs that safeguarding data subjects’ personal data is their paramount obligation, and failure to perform such obligation has its corresponding repercussions.

    The Guidelines on Administrative Fines will apply prospectively, and infractions made prior to the effectivity thereof are not covered. Neither are complaints already filed and pending with the NPC affected by the Circular.

  4. NPC launched a user-friendly online system for faster and easier data breach notification management and reporting

    On April 20, 2022, the National Privacy Commission (NPC) held its virtual launching of the Data Breach Notification Management System (DBNMS), a user-friendly interface that facilitates easy tracking and faster submission of Personal Data Breach Notifications and Annual Security Incident Reports.The DBNMS is a standardized and automated system, making it easier for personal information controllers (PICs) to submit Personal Data Breach Notification as required by NPC Circular No. 16-03 and Annual Security Incident Reports. The DBNMS addresses the limitations of manual submission and processing, as well as increases public transparency by allowing PICs to access pertinent and real-time information on their data breach notification.

    Privacy Commissioner John Henry D. Naga told more than 800 event participants from both the public and private sector that the DBNMS is part of the NPC’s efforts to develop new and digitized ways to better serve the Filipinos.

    “The National Privacy Commission’s vision to further protect and uphold data privacy rights goes hand-in-hand with embracing emerging technologies that will revolutionize data privacy and protection. Hence, the NPC continuously adopts and implements digitization of our processes to efficiently achieve our objectives,” Naga said.

    A PIC, including those with multiple branches or offices, can only have one account in the DBNMS. If the PIC has other related companies or entities, each company or entity must register in the system under separate accounts. The company or entity is responsible for maintaining and submitting its reporting requirements to the NPC.

    With the launch of the DBNMS, the NPC will no longer accept Breach Notification and Annual Security Incident Report (ASIR) submissions except through the DBMNS online platform. Thus, submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission shall not be considered as valid.

    The submission deadline of the NPC for the ASIRs for the years 2018 to 2021 is on 31 October 2022.

  5. R.A. No. 11862: “An Act Strengthening the Policies on Anti-Trafficking in Persons, Providing Penalties for Its Violations, and Appropriating Funds Therefor, Amending for the Purpose Republic Act No. 9208, as Amended, Otherwise Known as the ‘Anti-Trafficking in Persons Act of 2003’” (https://www.officialgazette.gov.ph/downloads/2022/06jun/20220604-RA-11862-RRD.pdf)Date of effectivity: 12 July 2022 (15 days after its publication in the Official Gazette, Gazette, or in a newspaper of general circulation—28 Jun 2022)

    R.A. No. 11862, which amended the Anti-Trafficking in Persons Act of 2003, and other special laws pertaining to Human Trafficking introduced an entirely new section (Section 9) governing the duties and responsibilities of the private section under the said Act.

    Section 9 of the said law emphasized the following private sectors and enumerated their respective duties and responsibilities: (a) Internet Intermediaries; (b) Owners and Operators of Internet Cafes, Hotspots and Kiosks, Money Transfer and Remittance Centers, Transport Services, Tourism Enterprises, Malls, and Other Business Establishments Open and Catering to the Public; (c) Tourism Enterprises; and (d) Financial Intermediaries.

    The above-mentioned entities may be required by law enforcers, prosecutors, and other investigative bodies to provide information, e.g., subscribed information of persons who are suspected of having violated or attempted to violate human-trafficking laws. The law specifically provides that such requests, when made by said authorities through the proper processes and in good faith shall not be construed as a violation of both the Data Privacy Act of 2012 of 2012 (R.A. No. 10173) and the Cybercrime Prevention Act (R.A. No. 10175).

    Key Note:

    Private sector entities may be compelled to disclose personal information by the proper authorities and investigative bodies investigating Human Trafficking violations. Such disclosure, when done through the proper procedures and in good faith by express provision of law, are not violative of the Data Privacy Act of 2012.

  6. R.A. No. 11861: “An Act Granting Additional Benefits to Solo Parents, Amending for the Purpose Republic Act No. 8972, Entitled ‘An Act Providing for Benefits and Privileges to Solo Parents and Their Children, Appropriating Funds Therefor and for Other Purposes’” (https://www.officialgazette.gov.ph/downloads/2022/06jun/20220604-RA-11861-RRD.pdf)Date of effectivity: 12 July 2022 (15 days after its publication in the Official Gazette, or in a newspaper of general circulation—28 Jun 2022)

    Section 19 of R.A. No. 8972, as amended by R.A. No. 11861, provides that custodians of the documents, records, data, or information shall ensure the utmost confidentiality of the same, in compliance with Data Privacy Act of 2012 (R.A. No. 10173).

Leave a Reply

Your email address will not be published. Required fields are marked *

https://gorricetalaw.com/wp-content/uploads/2022/04/logo_white_04.png
15/F Strata 2000, F. Ortigas Jr. Road Ortigas Center, Pasig City, 1605 Philippines
+632 8696-0687 | +632 8696-0988 | +632 8658-3472 | +632 8715-5785
counselors@gorricetalaw.com

Follow us:

OFFICES

Yusarn Audrey LLC
Singapore: 4 Shenton Way, #14-03, SGX Centre 2 Singapore 068807

Yusarn Audrey IP Services (Thailand) Co. Ltd
Thailand: 163 Thai Samut Building, 14th Floor, Unit 14H Surawangse Road, Suriyawongse, Bangkrak Bangkok 10500 Thailand

Yusarn Audrey IP Services Sdn Bhd
Malaysia: Unit 33-08, Tower A, Menara UOA Bangsar No. 5 Jin Bangsar Utama 1, Taman Bangsar, 59000 Kuala Lumpur, Malaysia

Gorriceta – ALL RIGHTS RESERVED