Fine time

By Jamael Jacob

Last January, I wrote here a list of items I felt deserved the attention of the National Privacy Commission (NPC), particularly in light of its new(ish) leadership. At the top of that heap was the release of the schedule of fines it would enforce against violators of the country’s data protection law—the Data Privacy Act of 2012 (DPA)—and related regulations.

I noted then that many stakeholders have been eagerly awaiting the policy’s formal issuance. Whether they were for the policy or against it, they were essentially on the same page when it came to the view that it was long overdue.

Well, last August 12, the long wait finally came to an end because on that day the NPC formally announced the issuance of its guidelines on administrative fines, courtesy of NPC Circular No. 2022-01.

Some key features of the policy are as follows:

  • Scope. It applies to all personal information controllers (PICs) and personal information processors (PIPs), as defined under the DPA.
  • Types of offenses. It classifies violations into three types:

A “grave infraction” can be: (1) an infringement of any of the general privacy principles in the processing of personal data where more than 1,000 people are affected; (2) an infringement of any of the rights of data subjects where more than 1,000 people are affected; or (3) a repetition of any act classified as either a “major infraction” or “other infraction”.

A “major infraction” can be an act similar to the first and second type of grave infraction, except that the number of affected individuals does not exceed 1,000. It can also be a failure on the part of a PIC to either implement appropriate data protection measures, or ensure that its PIPs also do the same. Finally, a PIC’s failure to notify the NPC and affected individuals of a personal data breach (i.e., subject to mandatory notification) also counts as a major infraction.

“Other infractions” include a PIC’s failure to register with the NPC or to notify it of any automated decision-making activity the PIC is engaged in. Also covered are a PIC’s failure to: (1) update its registration information, and (2) comply with any NPC Order, Resolution, or Decision.

  • Imposable fines. For grave infractions, a fine between 0.5% to 3% of an erring entity’s annual gross income during the immediately preceding year awaits. Major infractions, on the other hand, could earn the entity a fine between 0.25% to 2%. It is different with “other infractions” where the imposable fine can only be between P50,000 and P200,000. That said, the maximum imposable penalty for failing to comply with NPC Orders, Resolutions, and Decisions is P50,000.

The NPC also notes that the maximum imposable fine for a single act is five million pesos.

  • Basis for computing the imposable fine. To determine an entity’s “annual gross income”, the NPC may evaluate audited financial statements, balance sheets, annual statements of income and expenses, as well as other relevant and appropriate financial documents.
  • Factors considered when determining the amount of fine to impose. The NPC may consider a number of factors when figuring out how much fine an erring entity deserves: (1) whether an infraction was intentional or due to negligence; (2) whether an infraction resulted in damage (i.e., harm) to the affected individuals—including the degree of such damage; (3) nature or duration of the infraction, in relation to the nature, scope, and purpose of the data processing involved; (4) data protection measures taken by the erring entity prior to the infraction; (5) prior infractions committed by the erring entity (and the fines imposed on it, if any), and the length of time that has elapsed since those prior infractions; (6) categories of personal data affected by the infraction; (7) manner by which the erring entity discovered the infraction, and (if applicable) whether it reported the incident to the NPC; (8) any mitigating action adopted by the erring entity to reduce the harm it has inflicted on the affected individuals; and (9) any other aggravating or mitigating circumstances appreciated by the Commission.

Based on these, it is evident that the NPC has finally addressed the long-standing question regarding its ability to enforce the DPA via the imposition of regulatory fines. Apparently, it believes it can. What it has not done, however, is quell all potential problem points its newest policy can give rise to. This is because scattered across its text are provisions that people are bound to question or at least seek guidance on.

Take, for instance, the fact that when the Circular talks about rights of data subjects, it specifically refers to Section 16 only of the DPA. This would mean that the right to data portability, which is in Section 18 of the law is out of the picture. So is the right to object, which is only found in the implementing rules. If these are intended omissions on the part of the NPC, it isn’t clear why.

Also requiring clarification is the Circular’s reference to the so-called “general privacy principles in the processing of personal data” supposedly found in Section 11 of the DPA. Anyone familiar with this provision knows that it is not an easy one to decipher. Although it talks about (personal) data processing needing to comply with the principles of transparency, legitimate purpose, and proportionality, it goes on to describe how data processing must also meet other requirements (i.e., principles)—among them are items that overlap with the three already identified. Which ones exactly are the “general privacy principles in the processing of personal data”?

There are also practical questions that need answers. For example, how would the NPC determine the amount of imposable fine when the erring entity is a government agency? Will it be taking a look at the latter’s Congress-approved budget? More importantly, where would such an agency get the funds to pay for fines? It obviously cannot just repurpose funds allocated for budgeted expenses without getting into trouble.

The NPC should meet head on these questions and many more that are sure to surface after the public has been given time to read and digest Circular 2022-01. It may have to release guidance documents and even hold public-facing events where various stakeholders can field their questions directly to the Commission. This approach could ward off potential legal challenges, while eliciting crucial popular support.

Meanwhile, PICs and PIPs out there must take this development seriously and consider their current approach to data protection. Those well on their way towards having a sound privacy program in place may only have to reassess their current system and decide if major changes are necessary. But for those who have been stalling or who have refused to invest in anything that remotely resembles a compliance effort, this is likely going to be a moment of reckoning. They either invest now to comply, or fail to comply and end up paying for it later on.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.