The National Privacy Commission recently issued Circular No. 2022-01, which outlines the administrative fines to be imposed for infractions committed by personal information controllers or personal information processors.

In brief

The National Privacy Commission (NPC) issued Circular No. 2022-01 on 12 August 2022, entitled “Guidelines on Administrative Fines” (“Circular”). The Circular fixes the administrative fines to be imposed upon personal information controllers (PICs) or personal information processors (PIPs) for infractions of the Data Privacy Act of 2012 (DPA), its implementing rules and regulations, and the issuances of the NPC.

The Circular takes effect on 27 August 2022 and will apply prospectively. Thus, complaints that have already been filed with the NPC prior to the effectivity date are not covered by the Circular.


What the Circular provides

The Circular follows a tiered system: the amount of the administrative fine that the NPC can impose on an erring PIC or PIP depends on the type of infraction committed, namely:

  1. For grave infractions, the NPC can impose an administrative fine ranging from 0.5% to 3% of the PIC’s or PIP’s annual gross income. 
    A grave infraction is committed when:
    • There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects exceeds 1,000.
    • There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects exceeds 1,000.
    • There is a repetition of the same infraction penalized under the Circular, regardless of whether the first infraction was classified as a major or other infraction.
  2. For major infractions, the NPC can impose an administrative fine ranging from 0.25% to 2% of the PIC’s or PIP’s annual gross income. 
    A major infraction is committed when:
    • There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, and where the total number of affected data subjects is 1,000 or below.
    • There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is 1,000 or below.
    • There is failure on the part of the PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA.
    • There is failure on the part of the PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA.
    • There is failure on the part of the PIC to notify the NPC and affected data subjects of a personal data breach pursuant to Section 20(f) of the DPA, unless otherwise punishable by Section 30 of the DPA.

In both cases, the computation shall be based on the PIC’s or PIP’s annual gross income of the immediately preceding year when the infraction occurred. Note that for purposes of said computation, the NPC may require the PIC or PIP to submit its audited financial statement filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, its last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as the NPC may deem relevant and appropriate. However, where the PIC or PIP has not been operating for more than one year, the basis for the NPC’s computation will be its gross income at the time the infraction was committed.

The NPC is also empowered to impose administrative fines for other infractions, including the failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making, which can reach up to either PHP 200,000[1] (approximately USD 4,000) or PHP 50,000[2] (approximately USD 1,000), depending on the violation committed.

Notwithstanding the foregoing, please note that the total imposable administrative fine for a single act or omission of a PIC or PIP, whether resulting in a single or multiple infractions, shall not exceed PHP 5 million (approximately USD 100,000).

The Circular further sets out the factors that the NPC should consider, including the categories of data affected and any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject, when determining the amount to be imposed, which must nevertheless be within the ranges mentioned in the Circular.[3] Moreover, the Circular provides that no administrative fine shall be imposed by the NPC unless the PIC or PIP is afforded due process (i.e., notice and hearing) in accordance with its Rules of Procedure.

Finally, the Circular provides that PICs or PIPs who refuse to pay the imposed administrative fine may be subject to a cease and desist order, other processes or reliefs that the NPC may be authorized to initiate under the DPA, and appropriate contempt proceedings under the Rules of Court.
 

Recommended actions

Clients are advised to take the necessary steps to ensure compliance with the DPA, its implementing rules and regulations, and the issuances of the NPC, and to avoid committing any of the infractions mentioned in the Circular, which are subject to potential administrative fines imposed by the NPC.


[1] The NPC can impose an administrative fine ranging from PHP 50,000 (approximately USD 1,000) to PHP 200,000 (approximately USD 4,000) for the following infractions:

(a) The failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances; or

(b) The failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances.

[2] The NPC can impose an administrative fine up to PHP 50,000 (approximately USD 1,000) for the following infractions: The failure to comply with any Order, Resolution or Decision of the NPC, or of any of its duly authorized officers, pursuant to Section 7 of the DPA and its corresponding issuances.

Note that this administrative fine shall be in addition to the fine imposed for the original infraction subject of the NPC’s Order, Resolution or Decision, if any.

[3] The NPC shall consider the following factors in determining the amount of administrative fine to be imposed, which must be within the ranges provided under the Circular:

(a) Whether the infraction occurred due to negligence or through intentional infraction on the part of the PIC or PIP
(b) Whether the infraction resulted in damage to the data subject, taking into account the degree of damage to the data subject, if any
(c) The nature or duration of the infraction, in relation to the nature, scope, and purpose of the processing
(d) The action or measure taken prior to the infraction to protect the personal data being processed, as well as the rights of the data subject under Section 16 of the DPA
(e) Any previous infractions determined by the NPC as contained in its Orders, Resolutions or Decisions, whether these infractions have led to the imposition of fines, and the length of time that has passed since those infractions
(f) The categories of personal data affected
(g) The manner in which the PIC or PIP discovered the infraction, and whether it informed the NPC
(h) Any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject
(i) Any other aggravating or mitigating circumstances as appreciated by the NPC, including financial benefits incurred or losses avoided by the PIC or PIP

* * * * *

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

Author

Bienvenido Marquez III is a partner in Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). He has been appointed as member of the INTA Asia Global Advisory Council (GAC) for 2022 to 2023, making him the only Philippine representative on the council.

Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sectors to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair of the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as a leading lawyer for Intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.