Legal Developments in the Philippines: Focus on Data Privacy, Digital Banks and FinTech
This bulletin is on recent Philippine legal developments in data privacy, fintech and digital banks.
PRIVACY UPDATE
Caring about Sharing: New Rules on Data Sharing Agreements
On December 23, 2020, the Philippine data privacy regulator, the National Privacy Commission (NPC), issued NPC Circular No. 2020-03 on data sharing agreements (2020 DSA Circular).1 The circular supersedes NPC Circular No. 16-02, which specifically applied to data sharing agreements (DSAs) among government agencies, although the NPC had pointed to 16-02 as a source of guidance for personal information controllers (PICs) in the private sector. The 2020 DSA Circular applies to PICs in all sectors.
The Data Privacy Act of 2012 or the DPA (the Philippines’ principal data privacy statute) and its implementing rules (IRR) generally categorize transfers of personal data subject to the DPA into outsourcing agreements and DSAs. Outsourcing agreements are those where data is transferred from a PIC to its personal information processor (PIP) and may only be processed by the PIP pursuant to the purposes and instructions of the PIC, while DSAs cover transfers from a PIC to another PIC that may process the data for its own purposes.
The 2020 DSA Circular tracks the somewhat sparse provisions of the DPA and IRR on data sharing, but clarifies some aspects and provides more guidance on the contents of a DSA.
Thus, while the IRR states that data sharing in the private sector requires the consent of the data subject, the 2020 DSA Circular makes it clear that data sharing may be based on any criteria for lawful processing of personal data as set out in the DPA. Consent of the data subject may therefore not always be necessary, and the circular specifically states that in those cases, a privacy notice is sufficient.
In this regard, the IRR advises what information needs to be provided to a data subject for any type of collection of data, but where data sharing will also be pursued, the PIC must provide or have provided the data subject with the following information:
- categories of recipients of the personal data; provided that a PIC must provide a data subject with the identity of the recipients upon request;
- purpose and objective of the data sharing;
- categories of data to be shared;
- existence of data subject rights; and,
- other information that would inform the data subject of the nature and extent of the data sharing and the manner of processing involved.2
The IRR only requires the execution of a DSA when the data sharing is for commercial purposes, such as the use of personal data to enable marketing. The 2020 DSA Circular, however, does push for the execution of DSAs as a sound recourse, which demonstrates accountable personal data processing and good faith in complying with the requirements of the DPA and its related issuances.3 The circular also hints that having a DSA will allow a PIC to score “brownie points,”4 and that the NPC will look with disfavor at parties’ failure to execute one. The issuance states that the NPC “shall take [the DSA having been put into place] into account in case a complaint is filed pertaining to such data sharing and/or in the course of any investigation relating thereto, as well as in the conduct of compliance checks.”5
A PIC that engages in data sharing must establish and maintain a record of its DSAs. Subject to the terms of the DSA, each party to the agreement will be responsible for any personal data under its control or custody. Whether or not it is covered by a DSA, any data sharing arrangement may be reviewed by the NPC, which may, on its own initiative, terminate the arrangement if it determines that a party has violated the DPA or any NPC issuance.
What’s up, WhatsApp?
The NPC has issued a statement raising concerns on the impending change in the privacy policy of the mobile application WhatsApp.6 According to the NPC, the new privacy policy would expand the data processing authority of the mobile application and would allow the sharing of data with third-party companies hosted by its parent firm, the social media and IT giant Facebook.7
Footnotes: 1 National Privacy Commission, Data Sharing Agreements, NPC Circular No. 2020-03 (Dec. 23, 2020).