The National Privacy Commission recently issued Circular No. 2022-01, which outlines the administrative fines to be imposed for infractions committed by personal information controllers or personal information processors.
In brief
The National Privacy Commission (NPC) issued Circular No. 2022-01 on 12 August 2022, entitled “Guidelines on Administrative Fines” (“Circular“). The Circular fixes the administrative fines to be imposed upon personal information controllers (PICs) or personal information processors (PIPs) for infractions of the Data Privacy Act of 2012 (DPA), its implementing rules and regulations, and the issuances of the NPC.
The Circular takes effect on 27 August 2022 and will apply prospectively. Thus, complaints that have already been filed with the NPC prior to the effectivity date are not covered by the Circular.
What the Circular provides
The Circular follows a tiered system, such that the amount of the administrative fine that the NPC can impose on an erring PIC or PIP depends on the type of infraction committed, namely:
- For grave infractions, the NPC can impose an administrative fine ranging from 0.5% to 3% of the PIC’s or PIP’s annual gross income.
  A grave infraction is committed when:
  - There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects exceeds 1,000.
  - There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects exceeds 1,000.
  - There is a repetition of the same infraction penalized under the Circular, regardless of whether the first infraction was classified as a major or other infraction.
- For major infractions, the NPC can impose an administrative fine ranging from 0.25% to 2% of the PIC’s or PIP’s annual gross income.
  A major infraction is committed when:
  - There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects is 1,000 or below.
  - There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is 1,000 or below.
  - There is failure on the part of the PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA.
  - There is failure on the part of the PIC to ensure that third parties processing personal information on its behalf implement security measures pursuant to Section 20 (c) or (d) of the DPA.
  - There is failure on the part of the PIC to notify the NPC and affected data subjects of a personal data breach pursuant to Section 20(f) of the DPA, unless otherwise punishable by Section 30 of the DPA.
In both cases, the computation shall be based on the PIC’s or PIP’s annual gross income of the immediately preceding year when the infraction occurred. Note that for purposes of said computation, the NPC may require the PIC or PIP to submit its audited financial statement filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, its last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as the NPC may deem relevant and appropriate. However, where the PIC or PIP has not been operating for more than one year, the basis for the NPC’s computation will be its gross income at the time the infraction was committed.
The NPC is also empowered to impose administrative fines for other infractions, including the failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making, which can reach up to either PHP 200,000¹ (approximately USD 4,000) or PHP 50,000² (approximately USD 1,000), depending on the violation committed.
Notwithstanding the foregoing, please note that the total imposable administrative fine for a single act or omission of a PIC or PIP, whether resulting in a single or multiple infractions, shall not exceed PHP 5 million (approximately USD 100,000).
The Circular further sets out the factors that the NPC should consider, including the categories of data affected and any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject, when determining the amount to be imposed, which must nevertheless be within the ranges mentioned in the Circular.³ Moreover, the Circular provides that no administrative fine shall be imposed by the NPC unless the PIC or PIP is afforded due process (i.e., notice and hearing) in accordance with its Rules of Procedure.
Finally, the Circular provides that PICs or PIPs who refuse to pay the imposed administrative fine may be subject to a cease and desist order, other processes or reliefs that the NPC may be authorized to initiate under the DPA, and appropriate contempt proceedings under the Rules of Court.
Recommended actions
Clients are advised to take the necessary steps to ensure compliance with the DPA, its implementing rules and regulations, and the issuances of the NPC, and to avoid committing any of the infractions mentioned in the Circular, which are subject to potential administrative fines imposed by the NPC.
¹ The NPC can impose an administrative fine ranging from PHP 50,000 (approximately USD 1,000) to PHP 200,000 (approximately USD 4,000) for the following infractions:
(a) The failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances; or
(b) The failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances.
² The NPC can impose an administrative fine of up to PHP 50,000 (approximately USD 1,000) for the following infraction: the failure to comply with any Order, Resolution or Decision of the NPC, or of any of its duly authorized officers, pursuant to Section 7 of the DPA and its corresponding issuances.
Note that this administrative fine shall be in addition to the fine imposed for the original infraction subject of the NPC’s Order, Resolution or Decision, if any.
³ The NPC shall consider the following factors in determining the amount of the administrative fine to be imposed, which must be within the ranges provided under the Circular:
(a) Whether the infraction occurred due to negligence or through intentional infraction on the part of the PIC or PIP
(b) Whether the infraction resulted in damage to the data subject, taking into account the degree of damage to the data subject, if any
(c) The nature or duration of the infraction, in relation to the nature, scope, and purpose of the processing
(d) The action or measure taken prior to the infraction to protect the personal data being processed, as well as the rights of the data subject under Section 16 of the DPA
(e) Any previous infractions determined by the NPC as contained in its Orders, Resolutions or Decisions, whether these infractions have led to the imposition of fines, and the length of time that has passed since those infractions
(f) The categories of personal data affected
(g) The manner in which the PIC or PIP discovered the infraction, and whether it informed the NPC
(h) Any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject
(i) Any other aggravating or mitigating circumstances as appreciated by the NPC, including financial benefits incurred or losses avoided by the PIC or PIP
* * * * *
Please contact QTInfoDesk@quisumbingtorres.com for inquiries.