Understanding how the Data Protection Authority in Philippines works | MediaNama

MediaNama
17 Oct 2019 · 07:04

Summary

TL;DR: Matthew Ich Bruce, a journalist from the Philippines, discusses the National Privacy Commission (NPC), established under the 2012 Data Privacy Act. The NPC, with its commissioner and deputies, has broad powers including rule-making and quasi-judicial functions but has been criticized for its lack of transparency and enforcement. Despite having the authority to impose fines, the NPC has been lenient, focusing on compliance over punishment. The biggest data leak occurred shortly after the NPC's inception, with no accountability. The NPC's effectiveness is questioned, with suggestions for increased transparency and stricter enforcement to improve data protection.

Takeaways

  • 🇵🇭 The Philippines has had a data protection law since 2012, overseen by the National Privacy Commission (NPC).
  • 🛡️ The NPC is endowed with broad powers under the Data Privacy Act of 2012, including rulemaking and quasi-judicial functions.
  • 👤 The current commissioner is the first and only one since the law's implementation in 2016, following the establishment of the NPC.
  • ⚖️ The NPC can impose administrative fines and conduct investigations but refers criminal prosecutions to the Department of Justice.
  • 🔍 Despite the NPC's powers, there has been limited transparency regarding the enforcement of data privacy regulations.
  • 📊 A significant data leak involving 55 million voters' information occurred shortly after the NPC's establishment, with no accountability.
  • 🚫 The NPC has been criticized for not being stringent enough in its enforcement, leading to a lack of fear or pressure among companies.
  • 🔑 Companies are required to disclose data breaches to the NPC within 72 hours, but the NPC's follow-up actions are not well-publicized.
  • 💡 Transparency in the NPC's actions and compliance enforcement could help build trust and ensure companies adhere to data privacy laws.
  • 📈 The NPC could benefit from increased use of its power to impose fines to demonstrate its commitment to enforcing data privacy regulations.
  • 👩‍💼 There is a shortage of Data Protection Officers (DPOs) in the Philippines, which is a challenge that needs to be addressed.

Q & A

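  • When did the Philippines' data protection law take effect?

    - The Philippines' data protection law, the Data Privacy Act of 2012 (Republic Act No. 10173), became enforceable law on 8 September 2012, but its Implementing Rules and Regulations (IRR) did not take effect until 9 September 2016.

  • What are the main functions of the Philippine National Privacy Commission (NPC)?

    - The National Privacy Commission (NPC) is the independent body responsible for administering and enforcing the Data Privacy Act and for ensuring that the country complies with international standards for data protection. The NPC issues guidelines and notices on procedures for processing personal data, handles personal data breach incidents, and provides advice and consultation on data privacy matters.

  • What principles for processing personal data does the Philippine data protection law lay down?

    - The law sets out the general data processing principles of transparency, legitimate purpose and proportionality. It also sets out specific principles for collecting, processing and retaining personal data: collection must be for a declared, specified and legitimate purpose; personal data must be processed fairly and lawfully; processing must ensure data quality; and personal data must not be retained longer than necessary.

  • What are the notification requirements after a personal data breach in the Philippines?

    - After a personal data breach, the personal information controller (PIC) must notify the National Privacy Commission (NPC) and the affected data subjects within 72 hours of learning that a breach requiring notification has occurred. The notification must describe the nature of the breach, the personal data possibly involved, and the measures the entity has taken to address the breach.

  • How is the Philippine National Privacy Commission structured?

    - The National Privacy Commission consists of one commissioner and two deputy commissioners. The current commissioner is the first the commission has had since it was established. Although the law was passed in 2012, the commission only really began to function after the implementing rules and regulations were passed in 2016.

  • How does the Philippine National Privacy Commission handle violations of the data privacy law?

    - The National Privacy Commission can investigate violations of the data privacy law, receive formal complaints, and initiate fact-finding proceedings. It can also impose administrative fines for violations on its own, but criminal prosecution must be referred to the Department of Justice.

  • Does the Philippine National Privacy Commission have the power to fine companies?

    - Yes, the National Privacy Commission has the power to fine companies that violate the data privacy law. It can also require companies to follow the compliance orders it issues in order to improve their internal processes.

  • Does the Philippine National Privacy Commission face any challenges or limitations?

    - Yes, the commission's powers are limited by the law. For example, although the commission recommended prosecuting the chairman of the Commission on Elections, the Department of Justice took no action, so no one responsible for the data leak was held accountable. The commission also faces challenges in enforcing compliance and in transparency.

  • Should the Philippine National Privacy Commission be restructured or given more powers?

    - Some argue that, to be more effective, the National Privacy Commission should be more transparent and may need to use its power to impose fines more often to show its determination to enforce the data privacy law. It has also been pointed out that more Data Protection Officers are needed to meet companies' demand, which is a current problem.

  • Does the Philippines' data protection law meet international standards?

    - Yes, the Philippines' data protection law is intended to ensure that the country complies with international standards for data protection, with the National Privacy Commission overseeing its implementation.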

Outlines

00:00

📜 Introduction to the Philippine Data Protection Authority

Matthew Ich Bruce, a journalist from the Philippines, discusses the National Privacy Commission (NPC), established under the Data Privacy Act of 2012. The NPC, comprised of a commissioner and two deputy commissioners, has broad powers, including rulemaking and quasi-judicial functions. Although the law was passed in 2012, its implementing rules and regulations were only passed in 2016. The NPC can issue compliance orders, conduct investigations, and impose administrative fines but refers criminal cases to the Department of Justice. The effectiveness of the NPC has been questioned: a significant data leak occurred shortly after it became operational and led to no prosecutions. The NPC's transparency and enforcement actions post-disclosure have been criticized, and there is a debate over whether it should be given more powers or restructured.

05:00

🔍 Enhancing Transparency and Enforcement in Data Protection

The discussion highlights the need for greater transparency in the NPC's operations to build trust in companies' compliance with data protection regulations. It suggests that the NPC could be more proactive in imposing fines to demonstrate its commitment to enforcement. The narrative points out a shortage of Data Protection Officers (DPOs) in the country, which makes it hard for companies to meet the legal requirement of having a DPO. The interview concludes with a call for increased focus on training DPOs and enhancing the NPC's capacity to ensure effective data protection in the Philippines.

Keywords

💡Data Protection Authority

A Data Protection Authority (DPA) is an independent public authority that supervises the application of data protection laws. In the context of the Philippines, the DPA is known as the National Privacy Commission (NPC), which was established to implement and enforce the Data Privacy Act of 2012 [^7^]. The NPC is responsible for protecting the personal information of individuals and ensuring compliance with data privacy laws, as well as promoting public awareness about data protection rights and obligations [^1^].

💡National Privacy Commission (NPC)

The National Privacy Commission is the Philippine government agency tasked with the administration and implementation of the country's data privacy laws. It was created under the Data Privacy Act of 2012 and started to take effect in 2016 with the passage of the implementing rules and regulations [^8^]. The NPC has broad powers, including rule-making, conducting investigations, receiving complaints, and imposing administrative fines for violations of data privacy [^1^].

💡Data Privacy Act of 2012

The Data Privacy Act of 2012 is a comprehensive law in the Philippines that aims to protect the privacy of individuals in relation to personal information. It establishes a framework for the collection, processing, and storage of personal data and gives individuals certain rights regarding their personal information [^12^]. The Act also led to the creation of the National Privacy Commission to oversee compliance and enforcement of data protection regulations [^8^].

💡Quasi-judicial function

The term 'quasi-judicial function' refers to the authority of an administrative agency, like the NPC, to adjudicate disputes and enforce compliance with regulations. In the context of the NPC, this means it has the power to investigate data privacy violations, receive complaints, and impose administrative fines or penalties [^1^]. However, for criminal prosecution, the NPC would refer cases to the Department of Justice [^1^].

💡Administrative fines

Administrative fines are penalties imposed by regulatory agencies, such as the NPC, for non-compliance with the rules and regulations set forth in the Data Privacy Act. These fines serve as a corrective measure to enforce compliance with data protection laws [^1^]. The NPC has the authority to impose such fines on companies that violate data privacy regulations [^1^].

💡Data breach

A data breach occurs when unauthorized individuals gain access to, or acquire, sensitive information such as personal data. In the Philippines, the NPC is responsible for investigating data breaches and ensuring that companies report such incidents within 72 hours as per the law [^1^]. The NPC also works to ensure that companies take appropriate measures to prevent future breaches and protect personal data [^8^].

💡Transparency

Transparency in the context of the NPC refers to the openness and clarity with which the commission operates, especially in its enforcement actions and decisions regarding data privacy. It is suggested that increasing transparency could help alleviate concerns about how companies are held accountable for their compliance with data privacy regulations [^1^]. Transparency also involves making public the actions taken by the NPC in response to data breaches or other violations [^1^].

💡Data Protection Officer (DPO)

A Data Protection Officer is a role designated within an organization to ensure compliance with data protection regulations, including the Data Privacy Act of 2012. The DPO is responsible for overseeing the internal processes that handle personal data and ensuring that the organization follows proper data protection procedures [^11^]. The NPC requires certain organizations to register their DPOs and data processing systems [^11^].

💡Cross-border data transfer

Cross-border data transfer involves the movement of personal data from one country to another. The Data Privacy Act of 2012 and the NPC regulate how personal data can be transferred internationally, ensuring that appropriate safeguards are in place to protect the data [^12^]. The NPC is responsible for overseeing these transfers and ensuring that they comply with the law [^12^].

Highlights

The Philippines has had a data protection law since 2012 and established a Data Protection Authority.

The National Privacy Commission (NPC) is the authority overseeing data privacy in the Philippines.

The NPC is composed of a commissioner and two deputy commissioners.

The current commissioner is the first and only one since the law's inception.

The Data Privacy Act of 2012 started to take effect in 2016 with the implementation of rules and regulations.

The NPC has rulemaking power and can issue circulars to compel companies to comply with data privacy regulations.

The NPC has a quasi-judicial function, allowing it to prosecute violators of the data privacy act.

The NPC can impose administrative fines for violations but refers criminal prosecution to the Department of Justice.

The NPC's effectiveness has been questioned, with critics arguing it hasn't done as much as it could.

A major data leak involving 55 million voters' data occurred shortly after the NPC became operational.

The NPC recommended prosecution of the Commission on Elections' chairman, but the Department of Justice did not act on it.

There have been several data breaches involving private companies, which are required to disclose them to the NPC.

The NPC is generally good at making breach disclosures public but lacks transparency in enforcement actions.

The NPC's main goal is to get companies to comply with orders and improve internal processes rather than prosecute or fine them.

There is a concern that companies are not scared of the commission and do not feel pressured to comply with data privacy mandates.

Transparency could help alleviate concerns about companies' compliance with data privacy regulations.

The NPC should consider using its power to impose fines more often to show its seriousness in enforcing data privacy.

There is a shortage of Data Protection Officers (DPOs) to meet the demand from companies required to have one.

Transcripts

[00:00] So hi, I'm Matthew ich Bruce, I'm from the Philippines and I'm a journalist with the Philippine Daily Inquirer.

[00:05] So the, Matthew, Philippines has had a data protection law since 2012 and you have a Data Protection Authority. Can you tell us about the Data Protection Authority and what kind of posit has, what is the structure, who's on the

[00:19] Yeah, okay, so the National Privacy Commission, or NPC, is what it's called in the Philippines, and essentially it has a very broad range of powers under the Data Privacy Act of 2012. It's made up of a commissioner and two deputy commissioners. The current commissioner is the very first commissioner that it's had, and so the law was passed under the previous administration and the commissioner's been a holdover from then, so first and only commissioner. But actually, even though the law was passed in 2012, it only really started to take effect in 2016 when the implementing rules and regulations were passed, so what, four years after the initial passing of the law.

[01:01] Essentially the powers that it has: it's a rulemaking body, so it has the power to build on the Data Privacy Act essentially by issuing circulars that could compel companies so to comply, or in terms of coming up with additional regulations for companies to comply with. It also has a quasi-judicial function, so it can actually prosecute people for violating that, but it has the power to conduct investigations, to receive formal complaints, to initiate the fact-finding body in terms of those complaints, and then on its own it can actually impose administrative fines, but in terms of criminal prosecution it would then refer that to the Department of Justice.

[01:43] So what's been the experience so far in terms of, like, how many complaints have been filed, as any transparency that how many companies have been prosecuted, how many have been fined, how many been, have there been criminal prosecutions against, has that, has it improved things to have a Data Protection Authority?

[02:02] So that, that's an interesting question. I think that a lot of people would argue that it hasn't really done as much as it could, although of course its powers are also limited by the law in that sense, because the biggest data leak that happened in the Philippines actually happened less than a month after the National Privacy Commission started to really take effect. And so this was a breach on the Commission on Elections, so 55 million voters Riyad data was leaked on a searchable website, so you could search for anything: their full names, their addresses, their birthdays, all of that. So this was really seen as a big test for how effective the NPC could actually be, and it ended up being that it recommended the prosecution of the chairman at the time of the Commission on Elections, but then the Department of Justice never acted on that recommendation, so essentially no one has really been held accountable for that leak. And now it's been three years since then, people have largely forgotten about it.

[03:04] There have been several data breaches, it happens actually on a fairly regular basis with private companies, and so under the law they're required to disclose those breaches to the NPC within 72 hours, and the NPC is generally good about making those disclosures public. But then after it's made those disclosures public, it, it's not very good about being transparent in terms of what actions it's then taken to enforce compliance or what, what mandates that it issued, if ever, to those companies in order to comply, so all of those are a little bit murky.

[03:44] They have said that their main goal is to get these companies to comply with, with the orders that they issue in terms of sort of cleaning up their internal processes rather than prosecuting them or issue the fines. I think that they're afraid that that will have a deterring effect on companies in terms of them not wanting to comply or have a Data Protection Officer, but I think that of course a counterpoint could be made that it essentially made that companies aren't really scared of this commission, aren't really feeling the pressure to comply with the, the mandates under the Data Privacy Act.

[04:23] So if you think that the authority had to be reconstituted or it had to be given additional powers, what do you think should change now, now that you have experience behind you as a country? What would make it better?

[04:39] That's a good question. Um, I think that, well, for one, I think that it is still a relatively young body, so I think that even as journalists, even civil society are still sort of, together with the Commission, trying to figure out what the best way for it is, what its place is in terms of how strict it should be, how lenient it should be in terms of regulation.

[05:00] I think that for one, just general transparency would go a long way to allaying some of the concerns in regards to just how compliant these companies actually are, because I, like I said, it doesn't, you know, it, its public releases have been that companies that issues compliance orders with have been compliant with those orders, but we don't know what exactly those orders were or what actually changes were actually made in those companies. And so I think that it goes back to just that, having that trust that that is actually, that the companies are complying, because obviously there is that mistrust, especially now when it comes to how private corporations handle data. So I think that that one, I'm not sure if that, you know, how exactly to operationalize more transparency, but I'm sure that that would be something that would help it more.

[05:52] I don't know if it should be given more powers in terms of liability, criminal liability, holding people liable, because I do think that it does have the power to impose fines and I think that maybe it should be using that more often, because there actually hasn't been a company that's been fined under the Act. So essentially it's all just been, you know, the companies, when they have a breach for example, in their issue the compliance order and then that's the end of it. So I think that, you know, having that fine would serve to sort of show other companies that the NPC is serious about enforcing, enforcing these powers.

[06:33] I think that another major problem right now is that since the Act requires every corporation to have a Data Protection Officer, DPO, and one of the big problems that we're having now is that there aren't enough Data Protection Officers to fill the demand in terms of the number of companies, so I think that's another thing that we really need to be focusing on moving forward.

[06:57] Okay, thanks for your time, think you'll be appreciated. Thank you so much.
