NPC sets admin fines vs  data privacy infractions

Published August 12, 2022, 5:53 PM

by Bernie Cahiles-Magkilat

The National Privacy Commission (NPC) will impose administrative fines ranging from a low of 0.25 percent to three percent of the annual gross income of the personal information controllers (PICs) and personal information processors (PIPS) that committed data privacy infractions.

This is contained in NPC Circular No. 2022-01 on the Guidelines on Administrative Fines recognizes that it is essential for the public interest to impose administrative fines that are proportionate and dissuasive of data privacy infractions.

NPC said that the administrative fines range from 0.5% to 3% and 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP will depend on whether the violation is grace or major.

As for other violations, the PIC or PIP shall be subject to an administrative fine of not less than P50,000.00, but not exceeding P 200,000.00 for either of the following: (1) failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or (2) failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.

The failure to comply with any Order, Resolution, or Decision of the Commission, or of any of its duly authorized officers, will result to an administrative fine not exceeding P50,000.00 on top of the fine imposed for the original infraction.

The Circular also enumerated the circumstances that will be taken into consideration in computing the fine.

To determine the annual gross income of the PIC or PIP that committed the infraction, the NPC may evaluate and require submission of the PIC’s or PIP’s audited financial statements filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents deemed relevant and appropriate.

If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed. PICs or PIPs that refuse to pay the administrative fine under the circular may be subject to a Cease and Desist Order, other processes or reliefs as the Commission may be authorized to initiate pursuant to Section 7 of the Data Privacy Act, and appropriate contempt proceedings under the Rules of Court.

The Guidelines on Administrative Fines will apply prospectively. Complaints already filed to the NPC are not affected by the issuance.

Privacy Commissioner John Henry D. Naga said that through the Circular, the NPC encourages organizational accountability among PICs and PIPs by initiating measures to enhance their compliance with the Data Privacy Act of 2012 as stewards of personal data.

“The National Privacy Commission is intensifying its efforts in order for personal information controllers and processors to adopt optimal levels of data protection and security. The Circular on Administrative Fines is vital to NPC in effectively executing its mandate to administer and implement the data privacy law. We hope that PICs and PIPs would not view the administrative fines as adversarial, but as a motivation to protect and safeguard the personal data they collect and process,” the privacy chief said.