Stronger data privacy law sought


The National Privacy Commission (NPC) has sought for amendments that will give the existing data privacy law more teeth in the enforcement function amid rapid digital transformation in the country.

During the 55th Asia Pacific Privacy Authorities (APPA) Forum, Privacy Commissioner Raymund Enriquez Liboro said that the House of Representatives – Committee on Information and Communications Technology, has approved the substitute bill to amend the Data Privacy Act (DPA) or Republic Act No. 10173.

The substitute bill grants additional powers to the National Privacy Commission (NPC). It gives the authority to issue summons, subpoenas, contempt powers, and to impose administrative penalties.

“In the last five years, the National Privacy Commission has laid down data privacy in the Philippines with a clear roadmap. In our drive to become a data privacy resilient country, we have adopted a responsive regulatory approach characterized by raising awareness, strict compliance, and enforcing the law. To do this, we find a need to amend the current DPA to keep up with the changing times,” Liboro said in his speech at the virtual APPA 55, hosted by the Personal Information Protection Commission of Korea.

One provision of the substitute bill includes redefining “sensitive personal information” to include biometric and genetic data, and political affiliation, considering the innate sensitivity of these classes of personal data.

It also clarifies extraterritorial application of the DPA by specifying clear instances when
processing personal data of Philippine citizens and/or residents is concerned. This ensures the end-to-end protection of data subjects’ information (i.e., offering of goods or services, or monitoring of behavior within the Philippines or when the entity has a link with the country), to which they are entitled under the DPA.

The amendment also seeks to define the digital age of consent to process personal information to more than fifteen (15) years, applicable where information society services are provided and offered directly to a child (as children more than 15 years old under Philippine laws may already act with discernment).

Other amendments are the inclusion of performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information; allowing Personal Information Controllers (PICs) outside of the Philippines to authorize Personal Information Processors (PIPs) in the country to report data breaches to the Commission on behalf of the controller; and modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or fine upon its sound judgment.


Aside from the proposed amendments to the DPA, the NPC is set to introduce administrative fines to strengthen data privacy accountability and build data privacy resilience among PICs and PIPs.


The NPC presented in the Forum the Digital Identity, e-Commerce, and e-Governance in the Philippines and ASEAN, highlighting the Commission’s efforts in assisting the development of the law and its IRR to ensure the people’s right to privacy.


The NPC also presented its efforts to curb harmful handling of citizens’ personal data such as the Commission’s issuances and guidance to the public as part of the COVID-19 response and the Kabataang Digital, the NPC’s advocacy campaign promoting a safe online environment for the youth. Also discussed are the guidelines expressly prohibiting the harvesting of contact lists of borrowers for debt collection through harassment; guidelines promoting the use of videoconferencing technology or e-hearing to hear cases; and the amended Rules of Procedure to streamline the Commission’s complaints process.

“The NPC, despite the pandemic, has shifted gears and embraced the new normal of resolving data privacy complaints. We commenced Project Decongestion 2.0, refining our strategy in handling our case dockets clogged with thousands of individual complaints,” Liboro said.