Professor Abu Bakar Munir
In June 2011, the Philippines House of Representatives passed the Data Privacy Bill. Subsequently, the proposed law was considered by the Senate in its second regular session and some changes were adopted. Understandably, the proposed law seeks to protect personal information. Like the data protection laws around the world, the suggested Act, in both versions, specify the privacy or data protection principles, rights of the data subjects, and penalties for the breach of the law.
Under the General Data Privacy Principles, the processing of personal information must be based on the principles of transparency, legitimate purpose and proportionality. Specifically, personal information must be collected for specified and legitimate purpose. The personal information must be relevant, accurate, adequate and not excessive for the purposes that it is collected. Personal information can be retained as long as necessary for the fulfilment of the purposes.
The House of Representatives’ draft law requires that personal information must be processed fairly and lawfully. The Senate dropped out the word “fairly”. So, the Senate’s version only requires the data controller to ensure that the processing is lawful. The Senate added the Principle of Accountability, which is non-existence under the House of Representatives’ version. Under this Principle, every data controller is accountable to comply with the proposed Act and also be accountable for the action or inaction of the data processor. Each data controller is required to designate an individual that will be responsible to ensure compliance.
Both versions of the proposed law provide for several rights to the individual. They are the right to be informed whether an individual’s data is being processed, to have access to personal data and to correct. Remarkably, the proposed law gives a right to the data subject to suspend, block, remove or destruct personal information from the data controller’s filing system if the information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or direct marketing. Another interesting point is that the proposed law gives a right to the data subject to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
The proposed Act distinguishes personal information and sensitive personal information. The latter, is defined, in a very broad manner by the House of Representatives to include an individual’s race, ethnic origin, marital status, age, genetic or sexual life and education. The Senate, however, does not regard factors such as age, marital status and education as sensitive information.
The major difference relates to the enforcement body. The House of Representatives desires to use the existing organisation, the Commission on Information and Communications Technology (CICT), to enforce the Act. In contrast, the Senate prefers a new entity called the National Privacy Commission to be established to do the job.