Defending data privacy: a conversation with DPO Atty. Francis Euston Acero

Understanding the growing significance of data privacy in the Philippines


At a glance

  • The role of a Data Protection Officer (DPO) has become increasingly crucial in the Philippines as businesses embrace digitization. The DPO is responsible for enforcing data protection within an organization, ensuring compliance with the Data Privacy Act (DPA), and serving as the point of contact between the company and supervisory authorities.

  • The Data Privacy Act (DPA) was enacted in the Philippines in 2012 to ensure the secure and fair processing of personal data. It mandates that every organization processing personal data must designate a DPO. Non-compliance with the DPA can result in severe penalties, including fines and reputational damage.

  • Data breaches and security concerns have heightened consumers' focus on data privacy. By appointing a DPO and demonstrating a commitment to data protection, businesses can earn customers' trust and enhance their reputation.

  • Atty. Francis Euston Acero shares his experience working in the field of data privacy since 2014. He highlights the need for a compliance culture and a shift from ad hoc solutions to institutional know-how to anticipate data privacy challenges. He also discusses the importance of top executive buy-in and aligning business needs with compliance requirements.


In the digital age, the significance of data protection cannot be overstated. As data becomes the new currency, businesses worldwide are redefining their strategies to accommodate this shift. As businesses embrace digitization in the Philippines, the role of a Data Protection Officer (DPO) has become increasingly crucial.

With the advent of the internet and digital technologies, businesses have access to unprecedented amounts of data. While this data offers invaluable insights that can shape business strategies and drive growth, it also presents a new set of data privacy and security challenges.

The Philippines has recognized these challenges and taken proactive measures to protect individuals' data rights. In 2012, the country enacted the Data Privacy Act (DPA), a comprehensive law designed to ensure the secure and fair processing of personal data in the Philippines. The DPA mandates that every organization processing personal data must designate a Data Protection Officer (DPO).

The DPO plays a vital role in enforcing data protection within an organization. They oversee data protection strategy and implementation to ensure compliance with DPA requirements. They also serve as the point of contact between the company and any supervisory authorities who govern data-related activities.

The DPO's responsibilities include educating the company and employees on necessary compliance requirements, conducting audits to ensure compliance, and serving as the point of contact between the company and the National Privacy Commission (NPC).

The Philippines is one of the fastest-growing digital markets in Southeast Asia, with businesses increasingly leveraging data to drive growth. As such, the role of the DPO has become more critical than ever.

Having a DPO is a legal requirement under the DPA for organizations that process personal data. Non-compliance can result in severe penalties, including substantial fines and reputational damage. A DPO helps ensure businesses remain compliant with the law, thereby avoiding these penalties.

As data breaches become increasingly commonplace, consumers are more concerned about their data's security. Businesses that demonstrate their commitment to data protection by appointing a DPO can earn their customers' trust and enhance their reputation.

A DPO helps identify and manage data-related risks, preventing breaches that could result in substantial financial and reputational losses. They can also help create response plans to mitigate the impact of any potential data breaches.

A DPO can provide valuable insights into how data is used and processed within the organization, helping to inform business decisions. They can also ensure that any data processing activities align with the business's overall objectives.

In the digital era, data protection is a business imperative. In the context of the Philippines, the role of a DPO is integral to ensuring that businesses adhere to data protection laws, manage risks effectively, and use their data responsibly. By appointing a DPO, businesses in the Philippines can ensure compliance with the DPA and gain a competitive advantage in the increasingly data-driven business landscape.


Atty. Francis Euston Acero, Data Privacy Officer of the Manila Electric Company and its subsidiaries. (photo from the FB page of Atty. Acero)

To help us fully understand the role of a DPO in the Philippines, I reached out to Atty. Francis Euston Acero, the Data Privacy Officer of the Manila Electric Company and its subsidiaries. In this position, he oversees compliance with Philippine data privacy laws at one of the nation's largest conglomerates. Atty. Acero is also the founding director and a member of the Board of Trustees of Democracy.Net.PH, a non-profit organization dedicated to supporting the public sector at the intersection of technology and law. This organization focuses primarily on internet freedom, online rights, development, and security.

Here's our conversation:

As a leading figure in the data privacy field, can you share how the landscape of data privacy has changed since you started in 2014?

When I started doing work in data privacy in the middle of 2014, the entire field was more focused on advocacy work: calling on the administration to take data privacy more seriously, and for government to comply with its mandate to appoint the first set of officers to the National Privacy Commission.

It did not take that long for disaster to strike. It only took just over one year.

I remember having to make the rounds on television to remind people to take care of their data now that they were all exposed.

Back then, people thought that data privacy compliance was something you achieved at the snap of a finger. Now, we’re supposed to know better. Privacy compliance depends on the existence of a compliance culture, a culture of good governance. It requires a maturity that moves from ad hoc solutions that put out fires to institutional know-how that anticipates fires before they happen.

Imagine, if you will, what may happen should a breach of the scale of Comeleak happen, what pitchforks are going to come out. I believe people are not going to take that kind of negligence sitting down, especially after all these phishing-based scams of late. People are far more active in asserting their rights and demanding that they be informed of how their data is going to be processed. Look at how our digital platforms are crucified for mistakes that are on a far smaller scale than what happened to Comelec all those years ago.

In addition, you now have a regulator that’s more focused on cohesive policy and consistent enforcement. These are very important because data privacy rules act as guideposts for people who wish to comply. Then you need consistent enforcement, because people start skirting rules when they know some people get away with it, when fines and other penalties get seen as the cost of doing business. In addition to government regulation, you also have market regulation - that is, the market really responds when they understand that you have some form of malasakit toward them. This applies to all manner of customer touchpoints, data privacy included. Data privacy is much more than having a privacy notice or privacy policy in place. Data privacy is about having discipline over your data processing. The privacy notice and privacy policies that need to be in place are just reflections of the discipline you should have had anyway.

The question is, what remains the same? There are several common reactions that we’re seeing out there: (a) data privacy is this strange new thing, so I’ll let the junior guy on the totem pole handle it; (b) let’s hand it off to this big consulting platform so I don’t have to learn it; or (c) I don’t know what it is, and I can’t understand anything, so it doesn’t exist. In all three common reactions, the decision-makers panic once they understand liability falls upon them. Then the costs escalate from there. It’s a vicious cycle. That hasn’t changed.

In your experience drafting the Implementing Rules and Regulations of the Data Privacy Act of 2012, what were some of your biggest challenges?

1. Providing sufficient insight. We had to make sure that there was enough insight in the more detailed provisions in the Implementing Rules to provide a guide to how we should look at data privacy. We made the IRR in the light of the then looming passage of the GDPR (European General Data Protection Regulation). Just how much of these innovations in the GDPR could we adopt without stretching the law?

2. Not reinventing the wheel. If you look at the Data Privacy Act, Section 11 requires that personal information controllers abide by transparency, legitimate purpose, and proportionality. The definitions of those terms aren’t in the law itself, because those definitions in a data privacy law context are already terms of art - they are derived from legal texts analyzing the 1980 OECD Guidelines on Data Protection and the 1995 European Union Data Protection Directive.

3. Getting the word out. The Privacy Commission had roadshows for Cebu and Davao aside from at least two that we had in Manila; I was part of the Cebu roadshow and of the one in UP Diliman. We really wanted it to be inclusive; we fielded a lot of questions from the research sector and from the cybersecurity space. The business community caught up a lot later.

As a former Complaints and Investigations Division Chief of the National Privacy Commission, could you share a case or situation that significantly shaped your understanding of data privacy?

A lot has already been made public, so let’s go from there. Let’s start with what I call the Korean Church Case (MNLC v. PXXX Corporation, NPC Case No. 19-528). That case was still going through the machine when I left.

Where a building manager created a rule that required MNLC worshippers to submit to building security their Philippine-government issued identification cards, valid IDs showing a Philippine address, and photographs for identification cards to be used in managing building access, all for security purposes, and on the grounds that church elders gave their consent, the National Privacy Commission ruled that the building management violated Philippine data privacy laws. The building management then submitted the names of the worshippers to the Bureau of Immigration to check if any of the worshippers were overstaying aliens.

This is a landmark case for several reasons.

Off the bat, this is truly horrible behavior on the part of the building management. Often, building management and security consider themselves to be above the law (unless chastised elsewhere by some authority, but I digress). Security is not an altar before which you lie prostrate and let all manner of offense slide. Data subjects always have to evaluate whether processing is proportional to the purposes for which the data is to be processed. That purpose has to be some legitimate concern, which does not include discrimination based on race, religion, or nationality. Here, the collection was excessive in relation to their stated purpose of security for the building: this is more than standard behavior for the purpose. This puts paid to the lie that these measures were for security; these measures are meant to target church members.

Next, the Privacy Commission took the opportunity to elaborate what is being contemplated when the law says “those who, by their actions, participated in the offense.” In determining who is liable, the Privacy Commission looked at those who sent letters to MNLC, those who set the policy, and those who should have acted as part of their fiduciary duties but did not. Thus, the Privacy Commission ruled that the building administrator (as administrative head of the building management company), the head of legal and compliance, and the members of the Board of Directors of the building management company were directly liable for the nominate crime of Unauthorized Processing.

The crime of Unauthorized Processing, as defined in the Data Privacy Act of 2012, and considering the circumstances of this case, carries with it a penalty of imprisonment of four years and a fine of two million pesos for each respondent. This is because the maximum penalties are supposed to be imposed here, considering the scale of the processing.

Further, this case examines the concept of consent. Consent, according to this decision, is always contextual. I would go further to say that consent has to be made on an individual basis if the processing is going to be this intrusive.

Finally, this was the first case elevated to the Court of Appeals that reached a decision as to a finding on what constitutes nominal damages for violations of the Data Privacy Act. Here, the Court of Appeals ruled, on appeal, that not only were the damages warranted, but nominal damages in this case should have been set at twenty thousand pesos per data subject. The Court of Appeals, in a fashion, said that the decision was in fact too kind to the building management.

How the mighty are laid low!

What does this mean, then? It means that data privacy extends to more aspects and areas of daily life than what we care to acknowledge. Every time we fill up a form or ask people for information, data privacy is involved. Once we come into control of that data, no matter how we come into control of that data, we become responsible for protecting that data against all forms of abuse, even if we are somehow the abuser.

As the Data Privacy Officer of the Manila Electric Company and its subsidiaries, how do you handle the potential conflicts of interest that might arise between business needs and compliance requirements?

I don’t see any conflict between business needs and compliance requirements because our business needs are rooted in, among others, our core values: excellence, customer centricity, sustainability, integrity, innovation, malasakit, and bayanihan.

All of these values reflect who we are, and what we do as integral to data privacy work. If anything, it’s my job to explain to all our stakeholders how Meralco’s core values align with data privacy compliance. My job is to ensure that we do embody our values, especially integrity and malasakit, in the way we handle our data.

Our approach is based on ethical compliance, guided by our shared values and principles: what is the right thing to do, even when nobody is watching? When you are building a compliance landscape, no matter the stage or phase of development, you stay afloat and ahead of changing regulation by working on making data privacy as part of the culture so it becomes just the way we do things, that it becomes part of who we are.

While there may be times that there is a difference in opinion as to how to achieve our own corporate objectives, as data protection professionals, it is our duty to help our process owners come up with solutions that allow us to get things done while maintaining data privacy compliance. Data privacy compliance is never a zero-sum game; it never is. At the very heart of things, we are solutions people. For that reason, we never say yes or no outright in the manner of some high and mighty gatekeeper.

We never go wrong when we go back to our core values: excellence, customer centricity, sustainability, integrity, innovation, malasakit, and bayanihan.

Could you share more about the work of Democracy.Net.PH, mainly its focus on internet freedom and online rights, and how it intersects with data privacy?

At Democracy.Net.PH, we were there at the very beginning of the country’s data privacy journey, calling for caution and action after the Comelec data breach and the appointment of the first officials of the National Privacy Commission at the end of the term of then-President Aquino. Today, our members individually preach how important it is to have data privacy compliance in the public and private spheres. Jun Macarambon, who used to work for and with me in the Privacy Commission, and who now heads Democracy.Net.PH as its President, often talks about data privacy in his talks, most recently at the First Ranao ICT Summit. Pierre Tito Galla, who was also with me at the start, calling for action and caution following the Comelec data breach, works with the BEACON project of USAID and is no stranger to the privacy community.

We all preach that compliance doesn’t just involve making sure you have all your documents; compliance also requires that your data subjects are fully able to exercise their data subject rights. One of the main points of fighting for internet freedom and online rights is that your rights online should be the same as your rights offline. In no other sphere is this more evident than in data privacy – which covers both digital and paper-based data processing.

One other area that we also emphasize at Democracy.Net.PH is that while the damage from data breaches is not immediately apparent, it allows malefactors and miscreants to bash data with other, more recent data breaches or skimming attacks in order to create a fuller, more complex database. If there’s anything we’ve learned over the past ten years, it’s that the damage is cumulative, the attacks are more targeted. It’s irresponsible to say that data breaches don’t have any damage. For example, in the Comelec data breach, every single data breach that occurs just enriches those exposed databases.

In your opinion, what are the biggest challenges and opportunities in data privacy in the Philippines today?

There’s a lack of top executive buy-in for a majority of the businesses who do not understand the implications of non-compliance. According to Eugene Acevedo, CEO of RCBC, speaking at this year’s Privacy Awareness Week, DPOs need to cause panic in upper management (particularly at the CEO and BoD level) to make them understand the importance of prioritizing data privacy. Data privacy maturity is really evident in dealing with other companies, especially if the data privacy maturity of both parties is not at the same level. There’s a need to have business leaders understand that data privacy compliance is synonymous with good business governance and proper execution. There is also a need to make our business leaders understand that this compliance mindset comes through culture change – which in itself takes time. These things do not happen overnight.

Data privacy is still in its infancy in the Philippines. Even though we’re at least several years in when it comes to data privacy regulations, we’re still learning how to be better at data privacy. This means that the maturity levels of most companies still leave much to be desired. This is an opportunity for people to get into the field and become really proficient with data privacy – especially when companies require turnarounds on their data privacy stances. Sheepish excuses don’t really work when getting out of trouble in data privacy.

What are the new challenges that you expect to face because of the wide adoption of AI in companies and industries in the country?

What wide adoption of AI? There’s this rush to adopt generative AI, without understanding what AI really does and how it can help. That’s not the entirety of AI, and that’s not how far AI can go to help out with things. We have very basic AI implementation here, but that’s generally the case for most. As far as data privacy goes, the wider, global community has been looking at AI since 2017, so we’re seeing the fruits of that labor.

The gap between what AI currently does and can do and what these so-called futurists claim AI can do is still wide. AI can do a lot of things well, but there are things that it still cannot do, just because of the nature of how AI understands what it is that it needs to learn.

A greater level of understanding of how neural networks learn should help our company decision-makers understand where AI can play a bigger role in their own systems, instead of treating AI as some magic panacea that cures all forms of programming and processing ills. It’s easy to be seduced by large words and use cases that have no parallel application to the problems that businesses here face. We shouldn’t be jumping in bed with technology just because it is new, without understanding how the technology is to get used.

A better understanding of AI limitations allows those DPOs involved in evaluating the use of AI and other processing technology to make an evaluation in the light of: (a) the data to be used in training the AI – not only will this training data affect the way the AI makes decisions in specific use cases, it also ensures that the personal data uploaded into the training data remains online long after its sunset date; and (b) catching false positives – it’s a limitation of the way neural networks learn and make decisions. As early as 2017, data protection enforcement authorities have insisted that data processing that relies on AI still have some form of human intervention. I have not seen any implementation where this policy should change.

When the adoption of large language models or other forms of AI goes unchecked and blindly adopted, people can get hurt. Recently, a lawyer in the United States got into hot water when the legal precedent he cited was found by the magistrate to be completely fabricated. The lawyer later admitted that he used an implementation of ChatGPT to craft his entire pleading, including all references to case law. Worse, the lawyer insisted that he did not review the work product from ChatGPT. This nonsensical answer betrayed the negligence that the lawyer displayed in relying solely on technology that is still in its infancy.

In other words, rushing to implement AI in data processing just to have AI in your processing as a competitive advantage without understanding what it is and what it is not makes AI implementations vulnerable to snake oil salespersons and all other forms of fraudsters.

How can ordinary internet users help in protecting data privacy and security?

Exercise your data subject rights, especially following a data breach. Hold personal information controllers accountable for the information that they collect and process. Inasmuch as personal information controllers have the obligation to produce a safe computing environment for their data subjects, data subjects can help by scrutinizing the data privacy stances of the businesses they patronize.

Even with all that, we should be vigilant with the data that we ask controllers to process and to be knowledgeable about the levels of sharing and processing.

We shouldn’t make it easy for identity thieves and other bad actors to get access to our data. Using complex passwords, using multi-factor authentication, updating your applications, installing anti-malware software, and other acts of good digital hygiene are steps we can take to make sure our digital data processing environments are secure.

As regards physical data, data subjects can insist that steps be taken so as not to expose data unnecessarily. Data subjects can also require from the persons collecting information the reasons for the processing of the data fields being collected from them. Should the purposes for that processing be more than what is necessary for your relationship with the personal information controller, then you can refuse to answer those questions.

Please advise aspiring professionals in the data privacy field based on your experience and achievements.

The late, great professor Ruben Balane once said, “do not take yourselves seriously, take your work seriously.” Data privacy requires lifelong learning, and there’s always something to learn. Read, write, and read again. Always be willing to accept that you may be wrong. Just because they’re not a lawyer doesn’t mean they don’t know anything. Conversely, and because there are lawyers that you encounter, just because they are a lawyer, it doesn’t mean they know everything there is to know about data privacy.

Data privacy compliance requires people in leadership roles to actually lead, not just bark orders and preen. This leadership often means finding solutions, forging pathways, and balancing interests. You are able to achieve this if you are able to find common ground – what unites you? What is the bigger picture? How do you present yourself as someone who understands the larger picture while driving home compliance culture? Take from your previous experiences and bring them into your current privacy practice.