By: Atty. Edsel F. Tupaz, & Julia Unarce
November 25, 2024
Summary
The NPC Guidelines on Personal Data Processing clarify Section 13(f) of the Data Privacy Act, allowing Personal Information Controllers to process sensitive personal data for protecting lawful rights and interests in court proceedings or establishing legal claims. The guidelines emphasize the necessity and proportionality of data processing, ensuring transparency and informing data subjects about the nature and purpose of data use. The Advisory distinguishes between legitimate interest and legal claims, highlighting that processing can occur without an existing court case, and stresses the importance of not exploiting data processing provisions. The NPC does not assess evidence admissibility or legal strategies, focusing solely on the necessity of data processing for legal claims.
According to the 2023 Philippine Judiciary Annual Report, there are about 658,101 pending cases before the Supreme Court down to the lower courts. To support litigants, various laws were enacted to aid them in protecting their rights and defending their claims under the law. In the domain of data privacy, the Data Privacy Act of 2012 (the Act), permits the processing of sensitive and privileged personal information if it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, for the establishment, exercise, or defense of legal claims, or when provided to the Government or a public authority.
Pursuant to its rule-making authority, the National Privacy Commission (NPC) issued Advisory No. 2024-02, entitled Guidelines on Personal Data Processing Based on Section 13(f) of the Data Privacy Act (the Advisory). The Advisory clarifies the application of Section 13(f) of the Act to enable Personal Information Controllers (PICs) to properly rely on this basis for the processing of personal data. Notably, according to the Advisory, it is not the Act’s intention to grant a blanket exemption to public authorities, but rather to strike a balance between, on one hand, the need for public authorities to process personal data pursuant to its functions and mandate.
In this Insight article, Edsel F. Tupaz and Julia Antoinette S. Unarce, of Gorriceta Africa Cauton & Saaavedra, discuss the key points under the Guidelines and how to ensure compliance with the provisions regarding lawful bases for processing.es, and the need to safeguard the rights and interests of data subjects on the other.
The Advisory applies to all natural or juridical persons relying on Section 13(f) of the Act as the lawful basis for the processing of personal data. The scenarios for processing on the basis of Section 13(f) of the Act are provided as follows:
- the processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings;
- the processing is necessary for the establishment, exercise, or defense of legal claims;
- or the processing entails providing personal data to the Government or a public authority is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings or the establishment, exercise, or defense of legal claims in relation to its constitutional or statutory mandate. Such instances may include providing information that supports an investigation of a law enforcement or regulatory agency.
Necessity
In determining the proper application of the three scenarios under Section 13(f) of the Act, the PIC must take into consideration the necessity of the specific processing activity undertaken for the legitimate purpose of protecting lawful rights and interests of natural or legal persons in court proceedings, or establishing, exercising, or defending legal claims.
The specific processing activity is necessary when it is adequate, relevant, and not excessive in relation to the legitimate purpose and must be within the limitations of the law. The NPC has consistently held that ‘necessity’ refers to the general privacy principle of proportionality, which is one of the general considerations of the PIC in processing personal information.
Clarifications on the protection of lawful rights and interests and the establishment, exercise, or defense of legal claims
The Advisory also elaborates on the proper appreciation of the rule under Section 13(f) of the Act. As such, the processing of personal data on the basis of Section 13(f) of the Act may be conducted during stages preparatory to a case. It does not require that there be an existing proceeding before the appropriate court, body, or tribunal. In line with this, the NPC held that to require a court proceeding for the application of Section 13(f) of the Act would disregard the clear letter of the law; after all, the establishment of legal claims presupposes that there is still no pending case since a case will only be filed once the required claims have already been established. In one advisory, it was discussed that a condominium corporation may compel the proper PICs to disclose information of delinquent condominium unit owners without a court order, in order to initiate enforcement action against the latter. In a similar vein, the processing of personal data on the basis of Section 13(f) of the Act need not result in the filing of an actual case.
Furthermore, ‘natural or legal persons’ under Section 13(f) of the Act refers to persons whose lawful rights and interests are protected in court proceedings, including the parties and their witnesses. Finally, legal claims that were established, exercised, or defended may belong to persons other than those who processed the personal data.
Transparency and the right to be informed
Should the data processing lead to the initiation of the appropriate action or proceedings against the data subject, the service of pleadings to the parties of a case is understood to be the next practical opportunity to inform the data subjects of the processing of their personal information pursuant to the requirements of the Act. The data subject must be informed of the nature, purpose, and extent of the processing of their personal data for the protection of lawful rights and interests or the establishment, exercise, or defense of legal claims.
Legal claims vis-à-vis legitimate interest
The Advisory also discusses the relationship between Sections 12(f) and 13(f) of the Act. Data processing based on the instances under Section 13(f) of the Act may be considered as a legitimate interest of the PIC if what is involved is merely personal information (and not sensitive personal information). In one case, the NPC held that the protection of the lawful rights and interests of the complainant in a potential fraud case is considered a legitimate interest, which would allow the processing of personal information.
If the processing shall be treated under the criteria under Section 12(f) of the Act, the PIC must fulfill the requisites for processing based on legitimate interest under the Guidelines on Legitimate Interest.
Determination of merits and admissibility of evidence
As a final note, the NPC only determines whether the processing of personal data is necessary in relation to the lawful rights and interests sought to be protected or the legal claims that are sought to be established, exercised, or defended. The NPC does not rule on the admissibility of evidence, its materiality, relevance, or probative value to a particular case outside of its jurisdiction. The NPC also does not rule on the propriety of the legal strategy employed by the parties in legal proceedings. The establishment, exercise, or defense of a legal claim under Section 13(f) of the Act as a lawful basis for the processing of personal data is independent of the existence of a cause of action.
Key takeaways
The Act aims to safeguard personal data under the control of PICs. It is important to recognize that this protection is subject to limitations, particularly in relation to the rights of other individuals. In cases where a legal claim against a data subject is imminent, the law permits the aggrieved party to access and utilize another’s personal information for the purpose of pursuing legal action. Nonetheless, this provision must not be exploited by PICs or any other relevant party, as certain conditions and requirements must still be met in accordance with the law.
Edsel F. Tupaz is a Senior Partner, Head of Data Privacy, Cybersecurity and AI Initiatives Practice Group & Head of Special Projects and Infrastructure Group. Edsel is a Dual-qualified under the Philippine and New York Bars, with over 20 years of expertise across data privacy & protection, technology, cybersecurity, AI, infrastructure, government procurement, corporate law, and banking and financial services. Master of Laws from Harvard Law School, holds economics and law degrees from Ateneo (both with honors), served as Managing Technical Editor of the Harvard Human Rights Journal, and listed under the Experts Directory for Philippine privacy law on OneTrust DataGuidance. Certified Information Privacy Professional – Europe (CIPP/E) and Certified Information Privacy Manager (CIPP) under IAPP. Challenger at the Alan Turing Institute’s Data Challenge – Policy Priorities and AI for Sustainable Development Goals (2023-2024). Awarded “Data Privacy & Protection Lawyer of the Year” at the 2023 Philippine Law Awards and is recognized among the Top 100 Lawyers in the Philippines by Asia Business Law Journal.
Julia Antoinette S. Unarce is a Junior Associate at the Firm and a member of its Litigation, Data Privacy, Anti-Money Laundering, and Environmental, Social, and Governance (ESG) Departments. Her practice spans a broad range of legal matters, including civil, criminal, and administrative cases. She actively represents clients before courts and administrative agencies, and is involved in the negotiation, settlement, and pre-litigation resolution of disputes. In addition to litigation, she provides advisory services on evolving regulatory frameworks, assisting clients with business formation, compliance with reportorial obligations, policy development, and other corporate and regulatory matters.
This article was originally published on OneTrust Data Guidance. You may find the full article here: https://www.dataguidance.com/opinion/philippines-protecting-rights-and-establishing
