Data Protection Enforcement in the Philippines

Administrative Remedies

None (please see general comments).

Civil Remedies

As specifically provided for by the Data Privacy Act of 2012, individuals or “any aggrieved party” may file civil actions for restitution in court based on the general provisions of the Civil Code (in particular, parties may invoke “abuse of rights” provisions, meddling in privacy and/or quasi-delicts provisions).

Criminal Remedies

The Data Privacy Act provides for criminal sanctions for violations of its provisions composed of fines ranging from PhP100,000 to PhP5,000,000 (about USD$2,400 to USD$123,450) and/or imprisonment ranging from 6 months up to 7 years.

Other Remedies

If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under the Data Privacy Act. If the offender is an alien, he or she shall, in addition to the criminal and civil penalties prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and he or she is found guilty of (i) accessing personal information and sensitive personal information due to negligence and/or (ii) processing personal information and sensitive personal information for unauthorized purposes, he or she shall, in addition to the penalties prescribed, suffer perpetual or temporary absolute disqualification from office.

Selected Enforcement Actions / General Comments

There are currently no published guidance issued or enforcement actions taken for the provisions of the Data Privacy Act. As of this date, the governmental authority or regulator mandated by the Act to be created – The Data Privacy Commission – has not yet been formed. Neither have the Rules and Regulations of the Act been promulgated, even though the Act itself requires the promulgation of the Rules within ninety (90) day of the Act’s effectivity (September 2012) – meaning the rules should have been promulgated as early as January 2013. We expect the Data Privacy Commission to be convened and the Rules and Regulations governing the Act to be issued soon as these are long overdue.