PH firms warned of EU data privacy rules

Published March 4, 2018, 12:00 AM

by manilabulletin_admin

By Bernie Cahiles-Magkilat

Companies, especially those in the business process outsourcing sector, are warned to be compliant with EU’s stringent General Data Protection Regulation (GDPR), which will take effect on May 25 this year.

George Yang, founder and CEO of Silicon Valley-based AI Pros, raised the issue of data privacy protection during a panel discussion at The Chamber Connects with Silicon Valley Forum, an open discourse on “Artificial Intelligence: Opportunities and Challenges for Philippine Business”.

Yang noted that the Philippines, the world’s leader in voice outsourcing, is not yet accredited in the EU’s data privacy protection, thus, any calls from the EU to the Philippines can be stopped.

“The good thing though is that India, the Philippine competitor in the BPO space, is also not accredited by EU,” Yang said. He also noted China has passed its own data privacy protection law.

According to Yang, data privacy protection should not be an after thought, but rather a part of the entire AI (artificial intelligence) architecture.

This calls for the Philippines to be granted “adequacy status” by EU to enable free flow of information between the Philippines and the 28 member countries of EU.

Data adequacy is a status granted by the European Commission to non-EEA (European Economic Area) countries who provide a level of personal data protection that is “essentially equivalent” to that provided in European law. It can also be awarded to specified sectors of an economy or international organizations.

Once a country is granted “adequacy status”, personal data can be transferred freely between EEA member states, which include all EU countries. But personal data is allowed to leave the EEA only if the Commission judges there to be sufficient protection for this data in the destination country. When a country has been awarded the status, information can pass freely between it and the EEA.

This regulation has been enshrined under EU’s 2016 GDPR, which provides some additional safeguards around how individuals’ data is used. It harmonizes data protection laws across the EEA, as well as updating and expanding the scope of existing data protection regulation, much of which is two decades old.

Currently, the Commission has recognized 12 countries or territories, including Argentina, Israel and New Zealand as providing fully adequate data protection. The USA and Canada have been deemed to provide only partially adequate protection. In Canada, only private organizations that use the data for commercial activities have free access to EU data.

The National Data Privacy Commission, however, said that Philippine companies engaged in the processing of personal data of EU citizens, goods and services are complying with the stringent EU regulations.

Raymund Liboro, chairman of the National Privacy Commission, said the Philippines data privacy law is pretty much aligned with that of the EU, making local companies processing personal data of EU citizens easily compliant with its GDPR even without the “status adequacy”.

EU GDPR will take effect on May 25 this year, which means that the 28 countries of EU will fully implement the bloc’s data privacy protection regulations.

Despite the sufficiency in data privacy protection, Liboro said the Commission will work on filing an application for an “adequacy status” within the year.

According to Liboro, there are ways to comply with the EU GDPR. One is through adequacy status, and binding corporate rules, among others.

Liboro is confident of the Philippine compliance with GDPR, stressing the good relationship with the EU committee on personal data process. The Philippines was even granted an observer status in this committee.