Cyber Security in the Philippines

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority? Accessing third party data without authorisation may be unlawful under several laws in the Philippines. If the data is accessed and stored by a third party without authorisation from the owner of the data, the access and storage may be considered to be an offence punishable under the Cybercrime Prevention Act of 2012 (Republic Act No. 10175; “Cybercrime Act”) for being an offense against the confidentiality, integrity and availability of computer data and systems. Depending on the nature and scope of the act perpetrated, the unauthorised access may be classified as any of the following offences: Illegal Access – The access to the whole or any part of a computer system without right. Illegal Interception – The interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data. Data Interference — The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses. System Interference — The intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses. Misuse of Devices:

  • The use, production, sale, procurement, importation, distribution, or otherwise making available, without right, of:
    • A device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences under the Cybercrime Act; or
    • A computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences under this Act.
  • The possession of an item referred to in subparagraphs (a)(i) and (a)(ii) above with intent to use said devices for the purpose of committing any of the offences above.

When the information accessed involves personal data, the Data Privacy Act of 2012 (Republic Act No. 10173, “DPA”) penalises the unauthorised access or intentional breach by persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored. Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you find out information about who may have accessed your data without authority and/or how it was used? The Cybercrime Act has provisions that mandate a service provider to preserve computer data (integrity of traffic data and subscriber information). Content data shall be preserved upon receipt of a request from law enforcement authorities requiring their preservation. The preserved data will then be accessed or disclosed after securing a court warrant (search warrant) to disclose or submit subscriber’s information, traffic data or relevant data in the service provider’s possession or control. In turn, the disclosed information may reveal information as to what data has been accessed, who accessed the information and how the information was subsequently used. If the illegally accessed, retrieved or copied data involves personal information, the DPA mandates (among other responsibilities of a personal information controller/service provided) that the personal information controller/service provider notify the affected data subject. The notification shall at least describe the nature of the breach, the personal information possibly involved, and the measures taken to address the breach. Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process? We are not aware of any law or regulation which specifically restricts the use of information or documentation obtained regarding a data breach incident. Anton Piller orders1 are not recognized in the Philippines. However, as discussed in the first paragraph in the previous question, the Cybercrime Act mandates a service provider to preserve the integrity of traffic data and subscriber information relating to communication services (law requires preservation for a minimum period of six months). Upon request of a law enforcement authority, content data may similarly be preserved. Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information? The Cybercrime Act requires service providers to preserve traffic data (any computer data other than the content of the communication including, but not limited to, the communication’s origin, destination, route, time, date, size, duration, or type of underlying service) for a period six months from the date of the data transaction. Law enforcement authorities may order a one-time extension for another six months subject to the conditions set out in the law. In this procedure, the service provider (which was ordered to preserve computer data) is mandated by law to keep the order, and its compliance, confidential. If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle? It may be argued that legal proceedings in another jurisdiction should not affect the remedies available to persons subject to the jurisdiction of Philippine law. In this context, any proceedings initiated in another jurisdiction should, strictly speaking, not affect the jurisdiction (nor the proceedings, if already initiated) in the Philippines. In the same line of reasoning, the legal concepts of res judicata or double jeopardy, should not apply. Is there an obligation in your jurisdiction to hold personal information securely? Yes. The DPA requires that personal information controllers must implement reasonable and appropriate organisational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Further, personal information controllers must implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions? The DPA states that each personal information controller is responsible for information that has been transferred to a third party for processing internationally. The personal information controller is accountable for complying with the requirements of the DPA and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party in a foreign jurisdiction. Further, Presidential Decree 1718 (PD 1718), in general, regulates the transfer of information to locations outside of the Philippines in limited circumstances, particularly when the information deals with information considered as “vital to the national interest”. Is there a generally applicable obligation to notify data subjects of a data breach in your Jurisdiction? The DPA imposes an obligation for the personal information controller to notify data subjects (and the National Privacy Commission) of a data breach in one instance: when sensitive personal information that may, under the circumstances, be used to enable identity fraud is reasonably believed to have been acquired by an unauthorised person, and the personal information controller or the National Privacy Commission believes that such unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject. Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction? Please see our response above. Are there sector specific mandatory data breach notification obligations in your jurisdiction? For banking and banking related services, the Bangko Sentral ng Pilipinas (Central Bank of the Philippines; “BSP”) issued Circular No. 808 (Series of 2013) which covers Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institution. Part of the guidelines include an obligation to “report any breach in information security, especially incidents involving the use of electronic channels” to the BSP.


1 is a court order that provides the right to search premises and seize evidence without prior warning. This prevents destruction of relevant evidence, particularly in cases of alleged trademark, copyright or patent infringements. Note that Section 19 of the Cybercrime Act would have created an Anton Piller type power for the Department of Justice upon prima facie information that a computer data is found to violate provisions of the Act. However, Section 19 was declared unconstitutional by the Philippine Supreme Court.