Introduction
In the ever-evolving landscape of the modern world, being online has become an integral part of our daily lives. The invention of the internet has transformed the way we communicate, access information, and do business. It has given rise to an interconnected global community, breaking barriers of distance and time, and offering us opportunities to explore, learn, and grow.
In this digital age, being online go beyond than simply connecting to the World Wide Web. It is about navigating a huge online world, filled with different cultures, perspectives, and experiences. From social media platforms that bring friends and family closer despite being oceans apart to e-commerce websites that open a window to a variety of products and services, the online world is an ever-expanding universe of possibilities.
In order to access this virtual world and transact our business online, people, like you and me, have no choice but to surrender some of our information, and sometimes even our identity. Our surrender is a double-edged sword. On one hand, the submission of information ensures, in some level, that only real person will be able to access the platform to which we conduct business. If these platforms are successful to gatekeep only real individuals to their platform, it will assure us, their users, that we transact only with real persons. On the other hand, the surrender of our information is vulnerable to the unauthorized access, unauthorized processing, malicious disclosure, and unauthorized disclosure, only to name a few. Because of these vulnerabilities, the Philippine government saw it fit to protect us from these pitfalls, and enacted the Data Privacy Act of 2012, which seeks to protect our fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
Who are protected under Republic Act No. 10173 or the Data Privacy Act of 2012?
Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA) protects data subjects. According to the DPA, data subjects are individuals whose personal information is processed. Corollarily, personal information is defined by law as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. By the same definition, personal information of individual, includes, but not limited to, the name of a person, place of birth, and date of birth.
In addition, the DPA protects the sensitive personal information of data subjects which refers to personal information:
(1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
What is the scope of the Data Privacy Act?
According to the DPA, the act shall apply to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.
However, the scope of DPA do not stop there as the Act provides for extraterritorial application. Meaning, the DPA's application, in the perspective of the Philippine law, goes beyond the Philippine borders. The DPA, according to Section 6, provides that it shall apply to an act done or practice engaged in and outside of the Philippines by an entity if:
(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and (2) The personal information was collected or held by an entity in the Philippines.
Hence, should a person in the Philippines engages a foreign service provider (FSP), the fact that the FSP is located outside of the Philippines will not prevent the law from protecting Filipinos against violations of FSPs of their right under the DPA as long as the local link mentioned above is there.
What are the rights of data subjects?
Right to be informed. Data subjects shall be informed whether their personal information have been processed, or being processed. Under the DPA, it deemed unlawful the processing of data without knowledge and express consent of the data subject. In other words, personal information controllers (PIC) and personal information processors (PIP) must inform data subjects of the fact of processing of their personal information. Most importantly, however, is that PICs and PIPs obtain the consent of the data subjects should they will process the data subjects' information.
Right to access. You, as a data subject, have the right of reasonable access to the following upon demand:
(1) Contents of your personal information that were processed;
(2) Sources from which your personal information were obtained;
(3) Names and addresses of recipients of personal information;
(4) The manner by which your data were processed;
(5) The reasons for the disclosure of the personal information to the receivers;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller.
Right to object. You, as a data subject, have the right to object to the processing of your data. Subject to exceptions under the the DPA, PICs and PIPs shall inform you should there be any significant change or amendment to the information supplied or declaration made to you. Should you have already given prior consent for the processing of your personal data, the PIC or PIP should inform you and give you an opportunity to object and/or withdraw your consent.
Right to rectify. According to the DPA, you, as data subject, can ask the PIC to immediately and accordingly correct any inaccuracy or error in your personal information.
Right to erasure or blocking. This right gives you, the data subject, the right to suspend, withdraw, or order the blocking, removal or destruction of your personal information from the PIC's system on grounds and proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected.
Right to file a complaint. Should your personal information has been processed, misused, accessed without your authority, improperly disposed, and/or your data privacy rights have been violated; then, you can file a complaint before the National Privacy Commission.
Right to damages. You, as a data subject, has the right to monetary damages should you sustained injury due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal information.
Right to data portability. When the data is processed electronically and in a structured and commonly used format, you, as data subject, have the right to obtain from the PIC a copy of the said data.
It must be emphasized that the rights of data subject may be transmitted to the data subject's lawful heirs and assigns when the data subject is already dead or when he or she is incapacitated or incapable of exercising the rights.
Sources
Republic Act 10173
https://privacy.gov.ph/data-subject-rights/, accessed 28 July 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
