Understanding how the Data Protection Authority in Philippines works | MediaNama
Summary
TLDR: Matthew Ich Bruce, a journalist from the Philippines, discusses the National Privacy Commission (NPC), established under the 2012 Data Privacy Act. The NPC, with its commissioner and deputies, has broad powers including rule-making and quasi-judicial functions but has been criticized for its lack of transparency and enforcement. Despite having the authority to impose fines, the NPC has been lenient, focusing on compliance over punishment. The biggest data leak occurred shortly after the NPC's inception, with no accountability. The NPC's effectiveness is questioned, with suggestions for increased transparency and stricter enforcement to improve data protection.
Takeaways
- 🇵🇭 The Philippines has had a data protection law since 2012, overseen by the National Privacy Commission (NPC).
- 🛡️ The NPC is endowed with broad powers under the Data Privacy Act of 2012, including rulemaking and quasi-judicial functions.
- 👤 The current commissioner is the first and only one since the law's implementation in 2016, following the establishment of the NPC.
- ⚖️ The NPC can impose administrative fines and conduct investigations but refers criminal prosecutions to the Department of Justice.
- 🔍 Despite the NPC's powers, there has been limited transparency regarding the enforcement of data privacy regulations.
- 📊 A significant data leak involving 55 million voters' information occurred shortly after the NPC's establishment, with no accountability.
- 🚫 The NPC has been criticized for not being stringent enough in its enforcement, leading to a lack of fear or pressure among companies.
- 🔑 Companies are required to disclose data breaches to the NPC within 72 hours, but the NPC's follow-up actions are not well-publicized.
- 💡 Transparency in the NPC's actions and compliance enforcement could help build trust and ensure companies adhere to data privacy laws.
- 📈 The NPC could benefit from increased use of its power to impose fines to demonstrate its commitment to enforcing data privacy regulations.
- 👩‍💼 There is a shortage of Data Protection Officers (DPOs) in the Philippines, which is a challenge that needs to be addressed.
Q & A
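When did the Philippines' data protection law take effect?
- The Philippines' data protection law, the Data Privacy Act of 2012 (Republic Act No. 10173), has been enforceable law since September 8, 2012, but its Implementing Rules and Regulations (IRR) did not take effect until September 9, 2016.
What are the main functions of the Philippine National Privacy Commission (NPC)?
- The National Privacy Commission (NPC) is the independent body responsible for administering and enforcing the Data Privacy Act and for ensuring that the country complies with international data protection standards. The NPC issues guidelines and notices on procedures for processing personal data, handles personal data breach incidents, and provides advice and consultation on data privacy issues.
Which principles for processing personal data does the Philippine data protection law set out?
- The law sets out the general data processing principles of transparency, legitimate purpose and proportionality. It also sets out specific principles for collecting, processing and retaining personal data: collection must be for declared, specified and legitimate purposes; personal data should be processed fairly and lawfully; processing should ensure data quality; and personal data should not be retained longer than necessary.
What are the notification requirements after a personal data breach in the Philippines?
- After a personal data breach, the personal information controller (PIC) must notify the National Privacy Commission (NPC) and the affected data subjects within 72 hours of becoming aware of a personal data breach that requires notification. The notification must describe the nature of the breach, the personal data that may be involved, and the measures the entity has taken to address the breach.
How is the Philippine National Privacy Commission structured?
- The National Privacy Commission consists of one commissioner and two deputy commissioners. The current commissioner is the first the commission has had since it was established. Although the law was passed in 2012, the commission only really began to function after the implementing rules and regulations were passed in 2016.
How does the Philippine National Privacy Commission handle violations of the Data Privacy Act?
- The National Privacy Commission can investigate violations of the Data Privacy Act, receive formal complaints, and initiate fact-finding proceedings. It can also impose administrative fines for violations on its own, but criminal prosecution must be referred to the Department of Justice.
Does the Philippine National Privacy Commission have the power to fine companies?
- Yes, the National Privacy Commission has the power to fine companies that violate the Data Privacy Act. It can also require companies to follow the compliance orders it issues in order to improve their internal processes.
Does the Philippine National Privacy Commission face any challenges or limitations?
- Yes, the commission's powers are limited by the law. For example, although the commission recommended the prosecution of the chairman of the Commission on Elections, the Department of Justice did not act, so no one responsible for the data leak was held accountable. The commission also faces challenges in enforcing compliance and in transparency.
Should the Philippine National Privacy Commission be restructured or given more powers?
- Some argue that, to be more effective, the National Privacy Commission should be more transparent and may need to use its power to impose fines more often to show its determination to enforce the Data Privacy Act. It has also been suggested that more Data Protection Officers are needed to meet companies' demand, which is a current problem.
Does the Philippines' data protection law meet international standards?
- Yes, the Philippines' data protection law is intended to ensure that the country complies with international data protection standards, with the National Privacy Commission overseeing its implementation.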
Outlines
📜 Introduction to the Philippine Data Protection Authority
Matthew Ich Bruce, a journalist from the Philippines, discusses the National Privacy Commission (NPC), established under the Data Privacy Act of 2012. The NPC, comprised of a commissioner and two deputy commissioners, has broad powers, including rulemaking and quasi-judicial functions. Despite being established in 2012, the law's implementing rules and regulations were only passed in 2016. The NPC can issue compliance orders, conduct investigations, and impose administrative fines but refers criminal cases to the Department of Justice. The effectiveness of the NPC has been questioned, with a significant data leak occurring shortly after its establishment, leading to no prosecutions. The NPC's transparency and enforcement actions post-disclosure have been criticized, and there is a debate over whether it should be given more powers or restructured.
🔍 Enhancing Transparency and Enforcement in Data Protection
The discussion highlights the need for greater transparency in the NPC's operations to build trust in companies' compliance with data protection regulations. It suggests that the NPC could be more proactive in imposing fines to demonstrate its commitment to enforcement. The narrative points out a shortage of Data Protection Officers (DPOs) in the country, which is a challenge for companies to meet the legal requirement of having a DPO. The interview concludes with a call for increased focus on training DPOs and enhancing the NPC's capacity to ensure effective data protection in the Philippines.
Keywords
💡Data Protection Authority
💡National Privacy Commission (NPC)
💡Data Privacy Act of 2012
💡Quasi-judicial function
💡Administrative fines
💡Data breach
💡Transparency
💡Data Protection Officer (DPO)
💡Cross-border data transfer
Highlights
The Philippines has had a data protection law since 2012 and established a Data Protection Authority.
The National Privacy Commission (NPC) is the authority overseeing data privacy in the Philippines.
The NPC is composed of a commissioner and two deputy commissioners.
The current commissioner is the first and only one since the law's inception.
The Data Privacy Act of 2012 started to take effect in 2016 with the implementation of rules and regulations.
The NPC has rulemaking power and can issue circulars to compel companies to comply with data privacy regulations.
The NPC has a quasi-judicial function, allowing it to prosecute violators of the data privacy act.
The NPC can impose administrative fines for violations but refers criminal prosecution to the Department of Justice.
The NPC's effectiveness has been questioned, with critics arguing it hasn't done as much as it could.
A major data leak involving 55 million voters' data occurred shortly after the NPC became operational.
The NPC recommended prosecution of the Commission on Elections' chairman, but the Department of Justice did not act on it.
There have been several data breaches involving private companies, which are required to disclose them to the NPC.
The NPC is generally good at making breach disclosures public but lacks transparency in enforcement actions.
The NPC's main goal is to get companies to comply with orders and improve internal processes rather than prosecute or fine them.
There is a concern that companies are not scared of the commission and do not feel pressured to comply with data privacy mandates.
Transparency could help alleviate concerns about companies' compliance with data privacy regulations.
The NPC should consider using its power to impose fines more often to show its seriousness in enforcing data privacy.
There is a shortage of Data Protection Officers (DPOs) to meet the demand from companies required to have one.
Transcripts
so hi I'm Matthew ich Bruce I'm from the
Philippines and I'm a journalist with
the Philippine Daily Inquirer so the
Matthew Philippines has had a data
protection law since 2012 and you have a
Data Protection Authority can you tell
us about the Data Protection Authority
and what kind of posit has what is the
structure who's on the yeah okay so the
National Privacy Commission or NPC is
what it's called in the Philippines and
essentially it has a very broad range of
powers under the Data Privacy Act of
2012
it's made up of a commissioner and two
deputy commissioners the current
commissioner is the very first
Commissioner that it's had and so the
law was passed under the previous
administration and the commissioners
been a holdover from then so first and
only commissioner but actually even
though the law was passed in 2012 it only
really started to take effect in 2016
when the implementing rules and
regulations were passed so what four
years after the initial passing of the
law essentially the powers that it has
it's a rulemaking body so it has the
power to build on the Data Privacy Act
essentially by issuing circulars that
could compel companies so to comply or
in terms of coming up with additional
regulations for companies to comply with
it also has a quasi-judicial function so
it can actually prosecute people for
violating that but it has the power to
conduct investigations to receive formal
complaints to initiate the fact-finding
body in terms of those complaints and
then on its own it can actually impose
administrative fines but in terms of
criminal prosecution it would then refer
that to the Department of Justice so
what's been the experience so far in
terms of like how many complaints have
been filed as any transparency that how
many companies have been prosecuted how
many have been fined how many been have
there been criminal prosecutions against
has that has it improved things to have
a Data Protection Authority so that
that's an interesting question I think
that a lot of people would argue that
it hasn't really done as much as it
could although of course its powers are
also limited by the law in that sense
because the biggest data leak that
happened in the Philippines actually
happened less than a month after the
National Privacy Commission started to
really take effect and so this was a
breach on the Commission on Elections so
55 million voters Riyad data was leaked
on a searchable website so you could
search for anything their full names
their addresses their birthdays all of
that so this was really seen as a big
test for how effective the NPC could
actually be and it ended up being that
it recommended the prosecution of the
chairman at the time of the Commission
on Elections
but then the Department of Justice never
acted on that recommendation so
essentially no one has really been held
accountable for that leak and now it's
been three years since then people have
largely forgotten about it there have
been several data breaches it happens
actually on a fairly regular basis with
private companies and so under the law
they're required to disclose those
breaches to the NPC within 72 hours and
the NPC is generally good about making
those disclosures public but then after
it's made those disclosures public it
it's not very good about being
transparent in terms of what actions
it's then taken to enforce compliance or
what what mandates that it issued if
ever to those companies in order to
comply so all of those are a little bit
murky they have said that their main
goal is to get these companies to comply
with with the orders that they issue in
terms of sort of cleaning up their
internal processes rather than
prosecuting them or issuing
the fines I think that they're afraid
that that will have a deterring effect
on companies in terms of them not
wanting to comply or have a Data
Protection Officer but I think that of
course a counterpoint could be made that
it essentially made that companies
aren't really scared of this commission
aren't really feeling the pressure to
comply with the the mandates under the
Data Privacy Act so if you think that
the authority had to be reconstituted or
it had to be given additional powers
what do you think should change now now
that you have experience behind you as a
country what would make it better
that's a good question um I think that
well for one I think that it is still a
relatively young body so I think that
even as journalists even civil society
are still sort of together with the
Commission trying to figure out what the
best way for it is what its place is in
terms of how strict it should be how
lenient it should be in terms of
regulation I think that for one just
general transparency would go a long way
to allaying some of the concerns in
regards to just how compliant these
companies actually are because I like I
said it doesn't you know it it's public
releases have been that companies that
issues compliance orders with have been
compliant with those orders but we don't
know what exactly those orders were or
what actually changes were actually made
in those companies and so I think that
it goes back to just that having that
trust that that is actually that the
companies are complying because
obviously there is that mistrust
especially now when it comes to how
private corporations handle data so I
think that that one I'm not sure if that
you know how exactly to operationalize
more transparency but I'm sure that that
would be something that would help it
more I don't know if it should be given
more powers in terms of liability
criminal liability holding people liable
because I do think that it does have the
power to impose fines and I think that
maybe it should be using that
more often because there actually hasn't
been a company that's been fined under
the act so essentially it's all just
been you know the companies when they
have a breach for example in their issue
the compliance order and then that's the
end of it so I think that you know
having that fine would serve to sort of
show other companies that the NPC is
serious about enforcing enforcing these
powers I think that another major
problem right now is that since the Act
requires every corporation to have a
Data Protection Officer DPO and one of
the big problems that we're having now
is that there aren't enough data
protection officers to fill the demand
in terms of the number of companies so I
think that's another thing that we
really need to be focusing on moving
forward okay
thanks for your time think you'll be
appreciated thank you so much