By Shaira Mae Jamolor, JD1 and Archelle Marie Azuro, JD1


We live in an era enabled by extraordinary technological innovation that affects the way people live, work, and interact with each other. The Fourth Industrial Revolution is a technology-driven change that blurs the boundaries between the physical, digital, and biological worlds. It is an opportunity to harness emerging technologies to create an inclusive, human-centered future and to positively impact people’s lives.

This shift, however, cannot be achieved smoothly. One of the risks brought about by this development is the democratization of the information space. The internet and social media are gaining significance: as access to the internet increases, so does the speed at which personal data is transmitted. Massive amounts of personal information, including photos of daily activities, circulate freely on the internet. The Data Privacy Act (DPA) of 2012 addresses 21st-century crimes and concerns. It protects the privacy of individuals while ensuring the free flow of information to promote innovation and growth.

The Philippines passed Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), in accordance with the country’s commitments under ASEAN Vision 2020. The DPA aims to protect the fundamental human right to privacy of communication, and it recognizes the State’s inherent obligation to ensure that personal information in information and communications systems in government and the private sector is secured and protected.

The DPA was also passed in accordance with the people’s constitutional rights under Sections 2 and 3 of Article III of the 1987 Constitution, which guarantee the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches, and the privacy of communication and correspondence.

It is an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission (NPC), and for other purposes. The NPC administers and implements the provisions of the DPA and monitors and ensures the country’s compliance with international standards for data protection. Pursuant to the NPC’s mandate, the Implementing Rules and Regulations (IRR) were released on August 24, 2016.

The DPA of 2012 at a closer look

The law focuses on three general privacy principles, namely: (1) transparency, that is, the data subject’s awareness of the details relevant to the processing[1] of their personal data; (2) legitimate purpose, that is, the declared and specified purpose for processing personal data, which must not be contrary to law, morals, or public policy; and (3) proportionality, that is, the adequacy, relevance, suitability, necessity, and non-excessiveness of the processing in relation to a declared and specified purpose. Only upon adherence to these principles and compliance with other applicable laws shall processing of personal data be allowed. One of the most important concepts in data privacy, and particularly in privacy laws, is the concept of personal data. The law defines personal data as a collective term referring to all types of personal information (PI)[2], including sensitive personal information (SPI)[3]. Persons to whom these personal data pertain are called data subjects, and natural or juridical persons in the private and public sectors that control, or are instructed to carry out, the processing of these personal data are called personal information controllers (PICs)[4] and personal information processors (PIPs)[5], respectively.

Under the law, data subjects are entitled to rights[6] that can be invoked to protect their privacy, and to remedies in case that privacy is breached. However, these rights also have limitations in their applicability and transmissibility. The NPC provides accessible avenues for data subjects to lodge queries and complaints related to data privacy and the exercise of data subject rights.

Rights of a Data Subject

On the other hand, responsibilities and legal obligations of PICs and PIPs are also outlined in the law, the IRR, and succeeding advisory opinions released by the NPC. The NPC has provided guidance to comply with these obligations in an accountability and compliance framework anchored in its Five Pillars of Compliance[7].

NPC’s Five Pillars of Compliance

The goal is to get the government and private sectors to implement organizational, technical, and physical security measures[8] that protect personal data appropriately and adequately. PICs and PIPs may be criminally liable for personal data breaches[9], as the law imposes penalties of fines and imprisonment depending on the gravity of the offense.

Table 1: Penalties based on Chapter VIII of the Data Privacy Act of 2012 and Rule XIII of its IRR


Countless frauds, violent crimes against persons and property, and acts of discrimination have begun with simple disclosures of personal data by unsuspecting Filipinos. With the speed of innovation and growth, and with data becoming the new currency of the economy as we move into the new era of the industrial revolution, it has become harder and harder to ensure that the rights of the people are continuously protected.

The Data Privacy Act has caused a ripple effect across industries, giving rise to awareness of a long-unappreciated field in regulatory compliance. Businesses, from small enterprises to blue-chip corporations, scrambled to fast-track their compliance initiatives and escape the scrutiny of the public and of regulatory bodies.

The government and its instrumentalities are not exempt from these obligations. In fact, the first administrative case heard by the NPC, one of the biggest personal data breaches in the country in recent years and one that sadly did not receive as much attention, was the #ComeLeak of 2016, which exposed more than 75 million records of registered voters’ personal data stored on several COMELEC-run websites. Since then, the NPC has implemented stricter monitoring and emphasized the compliance of government agencies. In its most recent Road to Compliance Report, published on September 22, 2020[10], out of 324 national government agencies, 44% (144 out of 324) had registered in accordance with the requirements of the IRR, while 49% (159) had not yet registered, and 7% (21) had incomplete registrations.

Technology and innovation are powerful tools we can leverage as a nation towards globalization, but they should not come at the expense of the rights and freedom of our people. Senator Edgardo Angara, in his sponsorship speech for the Data Privacy Act, said that “In this digital era, information is the currency of power – valuable, coveted, but at a very high risk”.



[1] RA 10173 IRR Sec 3.J – Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

[2] RA 10173 IRR Sec 3.L – Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

[3] RA 10173 IRR Sec 3.T – Sensitive Personal Information refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.

[4] RA 10173 IRR Sec 3.M – Personal information controller refers to a natural or juridical person, or any other body who controls the processing of personal data or instructs another to process personal data on its behalf. The term excludes:

  1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  2. A natural person who processes personal data in connection with his or her personal, family, or household affairs.
  3. There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.

[5] RA 10173 Sec 3.N – Personal information processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

[6] RA 10173 Chapter IV Section 16 – Rights of the Data Subject, and can also be found in the Rule VII Sec 34 of the IRR

[7] NPC DPO 12 – Compliance Framework Presentation

[8] RA 10173 IRR Sec 25-29 – Security Measures for the Protection of Personal Data

[9] RA 10173 Sec 3.K – Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

[10] NPC’s Road to DPA Compliance Report (September 22, 2020)
