This bulletin is on recent Philippine legal developments in data privacy, fintech and digital banks.
Caring about Sharing: New Rules on Data Sharing Agreements
On December 23, 2020, the Philippine data privacy regulator, the National Privacy Commission (NPC) issued NPC Circular No. 2020-03 on data sharing agreements (2020 DSA Circular).1 The circular supersedes NPC Circular No. 16-02 which specifically applied to data sharing agreements (DSAs) among government agencies, although the NPC had pointed to 16-02 as a source of guidance for personal information controllers (PICs) in the private sector. The 2020 DSA Circular applies to PICs in all sectors.
The Data Privacy Act of 2012 or the DPA (the Philippines' principal data privacy statute) and its implementing rules (IRR) generally categorize transfers of personal data subject to the DPA into outsourcing agreements and DSAs. Outsourcing agreements are those where data is transferred from a PIC to its personal information processor (PIP) and may only be processed by the PIP pursuant to the purposes and instructions of the PIC, while DSAs cover transfers from a PIC to another PIC that may process the data for its own purposes.
The 2020 DSA Circular tracks the somewhat sparse provisions of the DPA and IRR on data sharing, but clarifies some aspects, as well as provides more guidance on the contents of a DSA. Thus, while the IRR states that data sharing in the private sector requires the consent of the data subject, the 2020 DSA Circular makes it clear that data sharing may be based on any criteria for lawful processing of personal data as set out in the DPA. Thus, consent of the data subject may not always be necessary, and the circular specifically states that in those cases, a privacy notice is sufficient.
In this regard, the IRR advises what information needs to be provided to a data subject for any type of collection of data, but where data sharing will also be pursued, the PIC must provide or have provided the data subject with the following information:
- categories of recipients of the personal data; provided that a PIC must provide a data subject with the identity of the recipients upon request;
- purpose and objective of the data sharing;
- categories of data to be shared;
- existence of data subject rights; and,
- other information that would inform the data subject of the nature and extent of the data sharing and the manner of processing involved.2
The IRR only requires the execution of a DSA when the data sharing is for commercial purposes, such as the use of personal data to enable marketing. The 2020 DSA Circular, however, does push for the execution of DSAs as a sound recourse, which demonstrates accountable personal data processing and good faith in complying with the requirements of the DPA and its related issuances.3 The circular also hints that having a DSA will allow a PIC to score "brownie points,"4 and that the NPC will look with disfavor at parties' failure to execute one. The issuance states that the NPC "shall take [the DSA having been put into place] into account in case a complaint if filed pertaining to such data sharing and/or in the course of any investigation relating thereto, as well as in the conduct of compliance checks."5
A PIC that engages in data sharing must establish and maintain a record of its DSAs. Subject to the terms of the DSA, each party to the agreement will be responsible for any personal data under its control or custody. Covered by a DSA or not, any data sharing arrangement may be reviewed by the NPC and may, on its own, terminate the arrangement if it determines that a party has violated the DPA or any NPC issuance.
What's up, WhatsApp?
- Gathering of information about the user through third parties
- Having authority to delete the user's account without prior notice or reason
- Keeping user logs for an undefined period of time
- Lack of warranty regarding uninterrupted, timely, secure or error-free service
- Possibility of using tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users8
In order to address these matters, the NPC advised that it is closely monitoring developments and will coordinate with WhatsApp to ensure the transparent and easily understandable consent processes.9 In the meantime, the regulator suggests that those using the application back up their data in case the user determines that it is more prudent to move to a different platform.10
New National Privacy Commission Rules of Procedure Hint at Stricter Enforcement
On January 28, 2021, the NPC issued NPC Circular No. 2021-01, or the 2021 Rules of Procedure of the National Privacy Commission (2021 NPC Rules of Procedure),11 which supersedes NPC Circular No. 16-04,12 NPC Circular No. 18-03.13
The rules set out the procedure for the NPC's exercise of its quasi-judicial and enforcement powers14 in relation to complaints filed with and investigations initiated by the NPC.15
Data subjects filing complaints under the rules must be able to show that: (i) he or she had sent a written notice to the PIC, PIP, or concerned entity of the privacy violation or personal data breach, and (ii) there has been no timely or appropriate response. The rules appear to consider that response within 15 calendar days from receipt of notice is timely.
Complaints will go through pre-investigation, investigation, and decision phases. PICs, PIPs, or entities, as respondents, are given opportunities to be heard by way of comments to be filed during the pre-investigation phase;16 and, by way of memoranda during the investigation phase.17
Further, during the pre-investigation and investigation phases, the NPC may order a temporary ban on the processing of personal information on certain grounds18 only after due notice and summary hearing.19
The rules likewise include a procedure for the discovery of electronically-stored information. During the preliminary conference, either party may file motions or stipulations on issues pertaining to production, access to, and preservation and protection of electronically-stored information.20 Failure of either party to appear during the preliminary conference constitutes a waiver of rights pertaining to mediation, discovery, stipulation of acts, and such other matters which may be discussed during preliminary conference.21
The NPC's decision on complaints may include enforcement orders, such as:
- an award of indemnity;
- permanent ban on the processing of personal data;
- a recommendation to the Department of Justice for the prosecution and imposition of penalties specified in the DPA;
- compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
- impose fines for violations of the DPA or issuances of the NPC; or,
- any other order to enforce compliance with the DPA.
The 2021 NPC Rules of Procedure provides a more rigid framework of enforcement of the DPA, with particular interest in the filing, investigation, and resolution of complaints for alleged data breach and/or other violations of the law.
Even prior to the issuance, however, the NPC has been investigating complaints of alleged violations of the DPA. For example, it recently ordered Familyhan Credit Corporation (Familyhan) to immediately take down its online master database containing sensitive information of its borrowers.22 After the NPC received numerous complaints about online lenders using the personal data of their clients to compel payment causing damage to their reputation and violating their rights as data subjects,23 the NPC issued NPC Circular No. 20-01, or the Guidelines on the Processing of Personal Data for Loan-Related Transactions.24
BSP to Conduct Baseline Study on Governance and Use of Clients' Digital Data
In a February 2021 press briefing, the Bangko Sentral ng Pilipinas (BSP) or the Philippine Central Bank said that it will conduct a baselining exercise to gather data from the banking and finance industry, specifically looking into processes on data governance and its ethical use for financial institutions vis-à-vis the global standards set under the Basel Committee on Banking Supervision's Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS Principles).25 The baseline study will inform the development of a policy on data governance for and the ethical use of data by supervised entities.26 The BSP is expected to come out with a discussion paper on the proposed policy within the first half of 2021.27
This is in further implementation of the BSP's Digital Payments Transformation Roadmap 2020-2023,28 which seeks: (i) to ensure that all data and information obtained and passing through different digital channels will be handled ethically and that all participants will be bound by key data governance principles; and, (ii) to incorporate into policy the BCBS Principles to support decision making for enterprise-wide risk management.29
This policy thrust is geared towards creating an efficient, inclusive, safe, and secure digital payments ecosystem.30
1. National Privacy Commission, Data Sharing Agreements, NPC Circular No. 2020-03 (Dec. 23, 2020).
2. NPC Circular No. 2020-03, §5, ¶1.
3. Id. §8.
4. Id. The provision states, in part, "The execution of a DSA is a sound recourse and demonstrates accountable personal data processing, as well as good faith in complying with the requirements of the DPA, its IRR, and issuances of the NPC."
5. Id. §8.
11. National Privacy Commission, 2021 Rules of Procedure of the National Privacy Commission [2021 NPC Rules of Procedure], NPC Circular No. 2021-01 (Jan. 28, 2021).
12. National Privacy Commission, Rules of Procedure of the National Privacy Commission, NPC Circular No. 16-04 (Dec. 15, 2016).
13. National Privacy Commission, Rules on Mediation Before the National Privacy Commission, NPC Circular No. 18-03 (Dec. 18, 2018).
14. 2021 NPC Rules of Procedure, pmbl. See also An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173, §7(b) (2012).
15. Id. rule I, §3. The 2021 NPC Rules of Procedure applies to the receipt, investigation, alternative dispute resolution, preliminary conference, adjudication, and all other proceedings before the NPC.
16. Id. rule IV, §§ 3,4, & 6.
17. Id. rule VII, §2.
18. Id. rule IX, §3(1).
19. Id. rule IX, §§4 & 5.
20. 2021 NPC Rules of Procedure, rule V, §4.
21. Id. rule V, §3.
22. National Privacy Commission, Privacy Commission orders lender Familyhan to take down list online of 6,000 borrowers, available at https://www.privacy.gov.ph/2021/01/privacy-commission-orders-lender-familyhan-to-take-down-list-online-of-6000-borrowers/ (last accessed Feb. 10, 2021).
23. National Privacy Commission, Online lenders barred from harvesting borrowers' phone and social- media contact list, says Privacy Commission, National Privacy Commission, available at https://www.privacy.gov.ph/2020/10/online-lenders-barred-from-harvesting-borrowers-phone-and-social-media-contact-list-says-privacy-commission/ (last accessed Feb. 10, 2021).
24. National Privacy Commission, Guidelines on the Processing of Personal Data for Loan-Related Transactions, NPC Circular No. 20-01 (Sep. 14, 2020).
25. Daxim L. Lucas, BSP eyes unified standard for handling, use of bank clients' digital data, Feb. 18, 2021, PHIL. DAILY INQ., available at https://business.inquirer.net/317992/bsp-eyes-unified-standard-for-handling-use-of-bank-clients-digital-data#ixzz6nAILjCNt (last accessed Feb. 22, 2021) (citing Basel Committee on Banking Supervision, Principles for Effective Risk Data Aggregation and Risk Reporting, Jan. 9, 2013, available at https://www.bis.org/publ/bcbs239.pdf (last accessed Feb. 22, 2021)).
26. Bangko Sentral ng Pilipinas, Digital Payments Transformation Roadmap 2020-2023, Oct. 11, 2020, at 30, available at https://https://www.bsp.gov.ph/Media_And_Research/Primers%20Faqs/Digital%20Payments%20Transformation%20Roadmap%20Report.pdf (last accessed Feb. 22, 2021).
27. Lucas, supra note 25.
28. Digital Payments Transformation Roadmap 2020-2023, supra note 26.
29. Id. at 30.
30. Id. at 1.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.