By Archelle Marie G. Azuro, Kariza Louise S. Celis, and Donna Lerma Janica A. Paco, JD1

Image by Progress Software

INTRODUCTION

Background of the Study 

The 21st century ushered in a digital era, where almost all of the world’s population rely on online transactions and communications. The free flow of information has made the world borderless, since data is shared and communicated not only within the country of origin, but throughout the world, where internet could be accessed. The era presented ease in sharing, transacting, and communicating, and with comes the different issues and crimes of data breach. 

In order to regulate and protect personal data and information of online users, different states have passed Privacy Acts, and most notable of all is the European Union’s General Data Protection Regulation, which has become the standard for other country’s Data Privacy Act. 

The Philippines passed in 2012 its very own law to regulate and protect the use of information and data by its citizen, including the juridical entities operating within it. Republic Act No. 10173 “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purpose” or known as the Data Privacy Act of 2012.  

This study aims to know the similarities and differences between the global standard for Data Privacy law EU’s General Data Protection Regulation (GDPR) and our very own Data Privacy Act (DPA) and how these differences change or affect our own social climate as well as the legal implication it leads to.  

The researchers will analyze and come up with recommendations and solutions, to help individuals manage their data security and know their options in cases of breach, as well as the different local businesses that aims to enter the global market in order to keep up and comply with international privacy laws to compete in the global standard of privacy.

Objectives of the Study 

This study specifically aims to: 

  • Distinguish the key similarities and differences between the Philippine Data Privacy Act (hereafter referred to as ‘DPA’) and European Union’s General Data Protection Regulation (hereafter referred to as ‘GDPR’); and
  • Identify legal provisions from the GDPR that can be incorporated or adapted to the DPA and further improve its implementation.

Scope and Limitation 

This comparative study covers only provisions of the DPA and GDPR due to limited information on the privacy laws of other countries. These laws are the most similar in terms of general application, GDPR being one of the most widely used and long-running implementations compared to other international privacy laws.  

Additionally, practical application and industry insights on compliance with various provisions of the privacy laws under study do not include those of the GDPR due to limitations in resource persons that could provide reliable knowledge on these matters. On the other hand, insights related to the DPA were obtained from experienced practitioners and consultants using the research instrument and data gathering procedures discussed in Chapter 2 – Methodology.  

Lastly, this study is not intended to provide a comprehensive discussion and serve as a resource material for the fundamental understanding of both subject laws. The purpose of the study is to identify similarities and analyze differences on provisions and implementation of the laws to make a sound conclusion and provide feasible recommendations. Therefore, readers and users of materials produced through this study is expected to have a working knowledge or have read the subject laws in its original full text form, at the minimum.  

Significance of the Study

Understanding the key similarities and differences between the Philippine data privacy and international privacy laws aims to bring about the following: 

  • Increase local and global awareness as to the key similarities and differences between the GDPR and DPA
  • Assist data protection authorities (both private and public) in applying the local privacy law and tackle matters that require alignment with international privacy laws (i.e., cross border data transfers)
  • Provide an avenue or space for local authorities and regulatory bodies to explore areas that the local privacy law can improve on

In a study conducted by the Social Weather Stations (2017), about 94% of Filipino adults are interested to know more about the usage of personal information they provide in their transactions while 85% signified their affirmation in viewing that the rights of data subjects, which includes the right to be informed, the right to object, the right to access, the right to correct, the right to erasure or blocking, and the right to damages are all significant.

On the other hand, research data showed that overall, 69% of the people in the European Union are aware of the GDPR with 95% of respondents from Poland garnering the highest results, and the lowest awareness rate comes from the respondents from Estonia with only 38% (Johnson, 2020).

This drive for awareness allows us to envision the importance of people’s awareness of their rights as individuals, particularly their protection from elements that would violate their right to privacy.

Not only that, but ever since the advent of globalization, people from all parts of the globe have acquired a need for data from all sources available to formulate new information that would benefit them in their day-to-day transactions.

With these, accounting for the comparison of the aspects of both laws will enlighten everyone, Filipinos and members of the European Union alike, on the privacy laws implemented and the strengths and weaknesses implicit in each, with an aim for enhancement.

METHODOLOGY

Operational Framework

Research Design

The researchers employed a qualitative and comparative research design to distinguish the two variables in the study, namely the DPA and GDPR. According to California State University Sacramento (n.d.), qualitative research uses observations and interviews to gather data and describe meaningful circumstances which are not quantifiable. On the other hand, comparative analysis pertains to comparing and contrasting two things under the same group (Walk, 1998). Additionally, Delve (n.d.) states that qualitative comparative analysis aids in understanding and explaining the reason behind differences and similarities discovered in the study. However, missing information in one variable will render the affected case unworkable, or in other words, impossible for evaluation.

The above-mentioned research methods are appropriate for the study because it seeks to point out similarities and differences between the two main subjects through an in-depth review of the legal provisions and, at the same time, identify the possible factors which produced such resemblance or variation. Also, it recognizes areas missing from each of the laws under review.

Research Instrument 

This study utilized interview as a data collection method for qualitative research. Specifically, the type of interview employed is an informal and conversational interview, also known as unstructured interview. This type of interview is described as “conversations held with a purpose in mind”. Researchers do not follow a specific set of guidelines to gain as much information as they can by ethically approaching the participants in a conversational type of interview geared toward answering the questions which will help respond to the objectives of the research study (QuestionPro, n.d.).

Since the consultant is in Metro Manila, the researchers arranged a conference-type interview through Zoom to gather information. Recent studies show that Zoom as a video conferencing platform is an effective research tool that enables the researchers and consultant to conduct qualitative interviews. Specifically, it is convenient, easy to use, secure, and includes advanced and unique features to facilitate a more personal connection between users (Archibald, Ambagtsheer, Casey, & Lawless, 2019). On the other hand, this type of communication also has its disadvantages. In a research conducted by LDA Research in 2020, certain disadvantages in using Zoom for qualitative research include possible violations of privacy, technical difficulties, and working with markets where the application is unavailable. 

The researchers have established security measures to ensure the integrity and highest level of confidentiality during the process.

Data Gathering Procedure

Initially, the researchers contacted the consultant to set an appointment date. Utmost consideration was placed into selecting the preferred schedule of both parties to ensure that the interview process was not interrupted. At the same time, the overall environmental setting during the exchange was considered to secure the efficient flow of the discussion. Technical issues such as the device used, proper functioning of the microphone and camera, and internet connectivity are some of the prior checks performed before the commencement of the online meeting.

The researchers gave an overview of the study and explained the significance of the consultant’s role and participation. His anonymity and data confidentiality was assured to not be used against him in any manner possible. The interview format and duration were also explained.

The interview process commenced with the researchers asking relevant questions that the consultant answered correspondingly. The researchers did not follow a standardized method of giving out questions. Rather, follow-up questions were asked depending on the answers given by the consultant. Similarly, the consultant freely discussed points for clarification during the interview.

Given all the information required for the study has been answered by the consultant, the researchers wrapped up the interview with words of gratitude to thank the consultant for his valuable contribution to the study. The researchers kept open contact with the consultant for other questions that would necessitate his opinion.

Data Analysis Procedure

Both objectives of the study were answered through analysis of the framework of both subject laws and synthesis of data collected during the interview. All data were evaluated to form conclusions, specifically as to similarities and differences, and the formulation of recommendations for improvement of the existing DPA implemented in the country.

The areas of both laws examined were presented in a tabular format to illustrate similar and dissimilar features. A detailed discussion of the observations follows.

Ethical Consideration

The researchers are expected to uphold the values of reliability and credibility during the conduct of the study. Interviewer bias was carefully avoided through the employment of controls such as formulation of questions based on existing facts sourced from the laws under review, specifically Republic Act No. 10173, known as the “Data Privacy Act of 2012” and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council of the European Union.

Furthermore, the questions posed during the interview were carefully curated to secure substantial responses to relevant topics raised about the comparability of the two laws. All possible risks that could violate the integrity of the data gathering procedures were minimized, if not eliminated.

The anonymity of the consultant was also upheld. Consent was obtained regarding the disclosure of the contents of the interview for research appreciation. Before publishing the text, the consultant provided his confirmation.

The researchers took extra steps to ensure that plagiarism is avoided. Proper citations and references were observed throughout the conduct of the research study.

PRESENTATION AND ANALYSIS OF DATA

This section presents a side-by-side analysis of the DPA and GDPR per identified focus area applicable and relevant to both subject laws. Each analysis of the focus areas is concluded with a summary of the corresponding insights as a result of the discussion with the Data Privacy Consultant and supplemental information gathered by the researchers.

CONCLUSION AND RECOMMENDATION

Given the history of how the DPA came to be and how its framers took into consideration other privacy laws existing during its development, it is not a surprise to discover how much similar are its provisions with the GDPR.

Differences in the structure, composition, and function of regulatory bodies established under the DPA and the GDPR may be attributed to their different government structure and is also affected by the difference between the Philippines and the EU composed of several countries geographically.

Other distinctions identified in this study are the punishable acts and penalties imposed to those who are held liable under both laws. This may be due to the nature of both privacy laws, where the DPA includes criminal prosecution of liable persons while the GDPR, though imposes fines and defines acts that are considered violations, reserves the addition of civil, administrative, and criminal penalties to the EU member states.

However, the various initiatives and developments driven by the NPC over the years since the implementation of the DPA should also be noted. A significant number of these initiatives are focused on stricter implementation and bringing the Philippines’ DPA to the global scene through coordination with other countries and bridging the gap towards notable data protection laws and practices.

Additionally, it should be noted that the similarities on some provisions of both laws indicate similarity on how it is being implemented as well. Data privacy principles and data subject rights might have been defined the same way by both laws, but the difference lies on how the various sectors have taken these provisions and translate to compliance of their actual operations. Discrepancy with what is practical to implement as against the compliance required by the law may push organizations to design compliance management programs that merely submits to the requirement of the law and defeat the purpose of collective accountability over data privacy rights of the Filipino people.

As a result of the observations noted through this study, the researchers recommend the following:

  • Explore the cost effectiveness and benefits of establishing localized arms or offices of the NPC to bring data privacy awareness and allow the exercise of data subject rights be more accessible to provinces and islands outside of Metro Manila.
  • Consider the creation of a compliance framework that focuses on industry-specific application of the data privacy principles and cross-border data transfer guidelines to tackle feasible and practical compliance by various private and public sectors.

Bibliography

Data Privacy Act of 2012 (RA 10173)
European Union’s General Data Protection Regulation (GDPR)

Research Methodology
https://www.privacy.gov.ph/2017/08/npc-survey-filipinos-value-data-privacy/
https://csus.libguides.com/res-meth/qual-res
https://www.ldaresearch.com/the-pros-and-cons-of-using-zoom-for-qualitative-research/
https://www.questionpro.com/blog/types-of-interviews/
• Johnson 2020, https://www.statista.com/statistics/1175252/awareness-of-gdpr-by-country-europe/
• Archibald, Ambagtsheer, Casey, & Lawless, 2019, https://journals.sagepub.com/doi/10.1177/1609406919874596

Presentation and Analysis of Data
https://www.privacy.gov.ph/about-us/#orgchart
https://www.privacy.gov.ph/about-us/#comms
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en#national-data-protection-authorities
https://www.unapcict.org/sites/default/files/2021-01/Resource%20Materials%20on%20Data%20Privacy%20Laws%20in%20Asia%20and%20the%20Pacific.pdf
https://www.apec.org/about-us/about-apec/fact-sheets/what-is-the-cross-border-privacy-rules-system
https://www.privacy.gov.ph/2021/10/privacy-commission-launches-open-call-for-accountability-agent-applicants-for-apec-cross-border-privacy-rules-system/
https://www.privacy.gov.ph/2022/03/npc-presents-the-revised-draft-circular-on-administrative-fines-for-data-privacy-violators/.

Unknown's avatar

Published by dljpaco

Leave a comment