Data Protection Philippines: A Global Comparative Analysis
In an Asia-Pacific region where citizens spend the most hours online, data protection is a critical concern for both businesses and individuals. The Philippines has a robust digital community but faces the challenge of safeguarding personal data amidst rapid technological advancements.
While strides have been made in acknowledging the importance of adequate data privacy practices, existing regulations often struggle to keep pace. This article is a comparative analysis of the Philippines’ Data Privacy Act (DPA) and the European Commission’s General Data Protection Regulation (GDPR) and its implications for businesses and citizens.
Overview of the Data Protection Landscape in the Philippines
This section offers a thorough look at the Philippines’ data protection ecosystem, exploring central statistics and trends that highlight the current state of data privacy in the country.
1. Prevalence of data breaches
The prevalence of data breaches in the Philippines is a pressing concern. Online privacy provider Surfshark has a running tally of breached email accounts per country. In 2023, the Philippines recorded 705,470 cases, adding to a lifetime total of 124 million breaches since 2004.
In the same year, several high-profile government breaches leaked thousands of gigabytes of sensitive data. These incidents underscore the urgent need for stronger data protection measures to prevent sensitive information from misuse and unauthorized access.
2. State of cybersecurity
The state of cybersecurity in the Philippines may explain the high prevalence of data breaches. Key sectors such as healthcare, finance, business process outsourcing (BPO), and utilities are increasingly vulnerable due to a concerning shortage of cybersecurity professionals.
Experts estimate that 180,000 cybersecurity professionals are needed to adequately cover just 10% of these vital sectors. Despite this demand, the Philippines lags behind its BPO competitors in terms of Certified Information Systems Security Professional (CISSP) certifications, the gold standard for cybersecurity professionals.
There’s a crucial gap in the nation’s cyber defense capabilities in terms of both quality and quantity. Urgent measures are necessary to bolster cybersecurity resources against evolving threats.
3. Trust in existing data protection measures
The constant attacks and the inability to prevent them make trust in the current data protection measures precarious. The National Privacy Commission (NPC) is the agency responsible for ensuring the protection of personal data and enforcing the DPA. In a recent NPC survey, satisfaction and trust ratings were alarmingly low, at 41% and 36%, respectively.
A separate survey unveils a sobering statistic revealing the mindset Filipinos have towards their data. Most respondents (64%) believe that it is likely their data will be leaked in the country. The lack of trust is sadly not unfounded, so initiatives are urgently needed to bolster confidence.
Global Comparative Analysis: Similarities and Differences
The Philippines based its Data Privacy Act of 2012 on the General Data Protection Regulation of the European Union, recognizing the need for robust data protection standards in the digital age. Both frameworks share common principles while exhibiting notable differences in scope, enforcement mechanisms, and specific provisions.
The DPA’s text and its implementing rules and regulations (IRR), which the NPC created, are the sources of this comparison.
Data privacy principles
These are the grounding principles that define their respective frameworks.
| DPA | GDPR | Comparison |
|---|---|---|
| Transparency: The DPA’s first principle mandates transparency, ensuring organizations provide clear information to data subjects about data collection, use, and processing. | Transparency: Both laws emphasize transparency, requiring organizations to provide clear, concise, and easily accessible information about personal data processing. | The transparency principle in both laws is similar, with differences primarily found in other principles. |
| Legitimate purpose: The DPA mandates that organizations process personal data only for legitimate and specified purposes, safeguarding individuals’ rights and privacy. | Lawfulness: While not identical, the GDPR principle of lawfulness also requires data processing to be based on specified lawful reasons. | The DPA’s legitimate purpose principle emphasizes specific justifications for data collection and processing, while the GDPR’s lawfulness principle outlines legal bases for processing personal data, including consent, contract performance, and legal obligations. |
| Proportionality: The DPA’s proportionality principle requires data collection and processing to be reasonable and proportionate, promoting responsible data handling and minimizing privacy risks. | Fairness: The GDPR fairness principle requires that personal data processing be fair, transparent, and respectful of data subjects’ rights. | Both principles aim for fair treatment of data subjects, with the DPA balancing processing benefits with privacy risks, while the GDPR emphasizes equitable treatment and transparency. |
See DPA Section 11, IRR Section 18, GDPR Articles 5–12
Rights of data subjects
As the primary party, both laws protect data subjects and allow them to enjoy several rights and protections to support their fundamental right to privacy.
DPA rights
Under the DPA, individuals have the:
1. Right to be informed about the extent of the collection, processing, and purpose of their personal data.
2. Right to object to the processing of their personal data, including for direct marketing purposes.
3. Right to access personal data held by organizations and to obtain information about how it is being processed.
4. Right to correct inaccuracies in the personal data held by organizations.
5. Right to rectification, erasure, or blocking of inaccurate, unlawfully processed, or unnecessary personal data.
GDPR rights
The GDPR allows data subjects to have the:
1. Right to be informed about the processing of their personal data, including its purpose and the identity of the data controller.
2. Right to access confirmation from organizations regarding the processing of their personal data and access to that data.
3. Right to rectification or to request the correction of inaccurate or incomplete personal data held by organizations.
4. Right to object to processing done to their personal data, including for direct marketing purposes.
5. Rights in relation to automated decision-making and profiling, including the option to opt out of automated decisions and seek human intervention.
6. Right to be forgotten through the deletion or removal of their personal data under certain circumstances.
7. Right to data portability by obtaining and reusing their personal data across different services easily.
8. Right to restrict processing in case of inaccurate data, unlawful processing, or objection.
See DPA Chapter IV, IRR Rule VIII, GDPR Articles 15–21
Both data protection laws ensure the rights of data subjects to protect their personal data, emphasizing transparency, access, rectification, erasure, and objection. While both frameworks grant similar rights, the GDPR has a few extra protections that make it more future-proof.
The GDPR protects individuals from the potential adverse effects or discrimination resulting from decisions made solely through automated means, including profiling. This right is particularly relevant considering the increasing dependence on AI tools.
The DPA, on the other hand, defined automated processing and profiling only with the publication of its IRR. These rights were subsumed under the data subject’s right to object to decisions made solely on the basis of automated processing.
The right to data portability is another right unique to the GDPR. It facilitates the direct transmission of personal data between controllers, enhancing data subjects’ control over their data.
Controllers and processors
The controllers and processors are the parties that handle personal data.
| | DPA | GDPR |
|---|---|---|
| Controllers | Personal information controllers (PICs) are entities or individuals who determine and control the processing of personal data under the DPA. | Data controllers are entities or individuals who determine and oversee the processing of personal data, bearing primary responsibility for GDPR compliance. |
| Processors | Personal information processors (PIPs) are entities or individuals who assist PICs by processing data according to their instructions and guidelines. However, they do not control the purposes or methods of processing. | GDPR data processors are entities or individuals who handle personal data on behalf of a data controller, strictly following their instructions and GDPR guidelines. |
See DPA Sections 3(h) and 3(i), IRR Rule I, GDPR Section 1-10 and 1-13
The definitions of controllers and processors in the EU’s GDPR and the Philippines’ DPA are generally similar. Both define controllers as entities determining personal data processing purposes and means, while processors handle data on behalf of their respective controllers.
The primary distinctions are in their enforcement mechanisms and requirements. The GDPR sets stricter standards for processors, including contractual obligations and legal liability for non-compliance. Meanwhile, issues with compliance generally fall on the controller under the DPA.
Implication of Data Protection on Businesses
How exactly are businesses in the Philippines affected by the DPA and IRR? The law adds specific considerations that all companies must make to remain compliant.
1. Data processing principles and consent mechanisms
Businesses in the Philippines are obligated to process personal data according to the data privacy principles listed above, as elaborated by the IRR.
This includes implementing clear consent mechanisms, where individuals are fully informed about the purpose and scope of data processing and provide explicit consent. Companies generally fulfill their responsibility through terms of service agreements.
2. Cross-border data transfers
For businesses operating in the Philippines or serving Filipino citizens abroad, the same stringent consent and data protection requirements apply as in local data interactions. Navigating international laws adds complexity to compliance, as businesses must ensure adherence to diverse legal frameworks.
3. Legal compliance and potential penalties
Failure to comply with DPA requirements can result in penalties, making legal compliance a priority. Penalties range from fines of Php 500,000 to Php 2,000,000 to imprisonment, depending on the type and severity of the violation.
Impact on Individuals: Data Rights and Protections
Through the DPA, individuals are empowered to exercise greater control over their personal information.
1. Reinforced privacy rights
Data protection regulations strengthen and uphold people’s fundamental privacy rights, ensuring they have a meaningful say over their personal data. These regulations support the broader principle of autonomy over personal data.
2. Strengthened data subject rights
The DPA specifically focuses on enhancing the rights of people as data subjects, improving their control over their personal information in the context of data processing. These rights oblige businesses to respect and uphold them, fostering transparency, accountability, and fairness.
3. Added individual responsibilities
While the DPA exists to protect individuals, it also imparts corresponding responsibilities regarding their personal data. Individuals must educate themselves about their DPA rights to actively assert them when organizations handle their personal information.
A Deep Dive into Philippine Data Protection
The Data Privacy Act of 2012 reflects a growing emphasis on privacy rights, accountability, and transparency. While strides have been made, ongoing efforts are needed to ensure widespread compliance and address evolving data privacy needs effectively.
That is the only way to build a culture of responsible data handling and protect everyone’s information.
If you need customer data services that you can rely on to be secure, consider partnering with Inquiro. We are a customer data platform specializing in comprehensive data management solutions tailored to suit your organization’s unique needs.
Request a demo today to see us in action!