[REPUBLIC ACT NO. 10173]

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER
PURPOSES

Be it enacted, by the Senate and House of Representatives of the Philippines in
Congress assembled:

CHAPTER I
GENERAL PROVISIONS

SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.

SEC. 2. Declaration of Policy. – It is the policy of the State to protect the
fundamental human right of privacy, of communication while ensuring free flow of
information to promote innovation and growth. The State recognizes the vital role
of information and communications technology in nation-building and its inherent
obligation to ensure that personal information in information and communications
systems in the government and in the private sector are secured and protected.

SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall
have the respective meanings hereafter set forth:

(a) Commission shall refer to the National Privacy Commission created by virtue of
this Act.

(b) Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her. Consent
shall be evidenced by written, electronic or recorded means. It may also be given
on behalf of the data subject by an agent specifically authorized by the data
subject to do so.

(c) Data subject refers to an individual whose personal information is processed.

(d) Direct marketing refers to communication by whatever means of any
advertising or marketing material which is directed to particular individuals.

(e) Filing system refers to any act of information relating to natural or juridical
persons to the extent that, although the information is not processed by equipment
operating automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular person is
readily accessible.

(f) Information and Communications System refers to a system for generating,
sending, receiving, storing or otherwise processing electronic data messages or
electronic documents and includes the computer system or other similar device by
or which data is recorded, transmitted or stored and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or
electronic document.

(g) Personal information refers to any information whether recorded in a material
form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual.

(h) Personal information controller refers to a person or organization who controls
the collection, holding, processing or use of personal information, including a
person or organization who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information on his or her behalf. The
term excludes:

(1) A person or organization who performs such functions as instructed by another
person or organization; and

(2) An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified
to act as such under this Act to whom a personal information controller may
outsource the processing of personal data pertaining to a data subject.

(j) Processing refers to any operation or any set of operations performed upon
personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.

(k) Privileged information refers to any and all forms of data which under the Rules
of Court and other pertinent laws constitute privileged communication.

(l) Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed
by such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records, licenses
or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept
classified.

SEC. 4. Scope. – This Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal
information processing including those personal information controllers and
processors who, although not found or established in the Philippines, use
equipment that are located in the Philippines, or those who maintain an office,
branch or agency in the Philippines subject to the immediately succeeding
paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the individual,
including:

(1) The fact that the individual is or was an officer or employee of the government
institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the
individual; and

(4) The name of the individual on a document prepared by the individual in the
course of employment with the government;

(b) Information about an individual who is or was performing service under
contract for a government institution that relates to the services performed,
including the terms of the contract, and the name of the individual given in the
course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as
the granting of a license or permit given by the government to an individual,
including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research
purposes;

(e) Information necessary in order to carry out the functions of public authority
which includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. Nothing in
this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426,
otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines.

SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act
shall be construed as to have amended or repealed the provisions of Republic Act
No. 53, which affords the publishers, editors or duly accredited reporters of any
newspaper, magazine or periodical of general circulation protection from being
compelled to reveal the source of any news report or information appearing in
said publication which was related in any confidence to such publisher, editor, or
reporter.

SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice
engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a
Philippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal
information in the Philippines or even if the processing is outside the Philippines as
long as it is about Philippine citizens or residents such as, but not limited to, the
following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management
and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal information;
and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

CHAPTER II
THE NATIONAL PRIVACY COMMISSION

SEC. 7. Functions of the National Privacy Commission. – To administer and
implement the provisions of this Act, and to monitor and ensure compliance of the
country with international standards set for data protection, there is hereby
created an independent body to be known as the National Privacy Commission,
which shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of this
Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of
complaints through the use of alternative dispute resolution processes, adjudicate,
award indemnity on matters affecting any personal information, prepare reports
on disposition of complaints and resolution of any investigation it initiates, and, in
cases it deems appropriate, publicize any such report: Provided, That in resolving
any complaint or investigation (except where amicable settlement is reached by
the parties), the Commission shall act as a collegial body. For this purpose, the
Commission may be given access to personal information that is subject of any
complaint and to collect the information necessary to perform its functions under
this Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the
processing of personal information, upon finding that the processing will be
detrimental to national security and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide
by its orders or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on
their security and technical measures and recommend the necessary action in
order to meet minimum standards for protection of personal information pursuant
to this Act;

(f) Coordinate with other government agencies and the private sector on efforts to
formulate and implement plans and policies to strengthen the protection of
personal information in the country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index
and other finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition
of penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily
adhered to by personal information controllers: Provided, That the privacy codes
shall adhere to the underlying data privacy principles embodied in this
Act: Provided, further, That such privacy codes may include private dispute
resolution mechanisms for complaints against any participating personal
information controller. For this purpose, the Commission shall consult with relevant
regulatory agencies in the formulation and administration of privacy codes
applying the standards set out in this Act, with respect to the persons, entities,
business activities and business sectors that said regulatory bodies are authorized
to principally regulate pursuant to the law: Provided, finally, That the Commission
may review such privacy codes and require changes thereto for purposes of
complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the
request of a national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local
statutes, regulations or procedures, issue advisory opinions and interpret the
provisions of this Act and other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on privacy
or data protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other
countries and private accountability agents, participate in international and
regional initiatives for data privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries
for cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign
privacy or data protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border
enforcement of data privacy protection.

SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality
of any personal information that comes to its knowledge and possession.

SEC. 9. Organizational Structure of the Commission. – The Commission shall be
attached to the Department of Information and Communications Technology
(DICT) and shall be headed by a Privacy Commissioner, who shall also act as
Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2)
Deputy Privacy Commissioners, one to be responsible for Data Processing Systems
and one to be responsible for Policies and Planning. The Privacy Commissioner and
the two (2) Deputy Privacy Commissioners shall be appointed by the President of
the Philippines for a term of three (3) years, and may be reappointed for another
term of three (3) years. Vacancies in the Commission shall be filled in the same
manner in which the original appointment was made.

The Privacy Commissioner must be at least thirty-five (35) years of age and of good
moral character, unquestionable integrity and known probity, and a recognized
expert in the field of information technology and data privacy. The Privacy
Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the
rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of
information and communications technology and data privacy. They shall enjoy
the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

The Privacy Commissioner, the Deputy Commissioners, or any person acting on
their behalf or under their direction, shall not be civilly liable for acts done in good
faith in the performance of their duties. However, he or she shall be liable for willful
or negligent acts done by him or her which are contrary to law, morals, public
policy and good customs even if he or she acted under orders or instructions of
superiors: Provided, That in case a lawsuit is filed against such official on the subject
of the performance of his or her duties, where such performance is lawful, he or
she shall be reimbursed by the Commission for reasonable costs of litigation.

SEC. 10. The Secretariat. – The Commission is hereby authorized to establish a
Secretariat. Majority of the members of the Secretariat must have served for at
least five (5) years in any agency of the government that is involved in the
processing of personal information including, but not limited to, the following
offices: Social Security System (SSS), Government Service Insurance System (GSIS),
Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine
Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine
Postal Corporation (Philpost).

CHAPTER III
PROCESSING OF PERSONAL INFORMATION

SEC. 11. General Data Privacy Principles. – The processing of personal information
shall be allowed, subject to compliance with the requirements of this Act and
other laws allowing disclosure of information to the public and adherence to the
principles of transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared
before, or as soon as reasonably practicable after collection, and later processed
in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used
the processing of personal information, kept up to date; inaccurate or incomplete
data must be rectified, supplemented, destroyed or their further processing
restricted;

(d) Adequate and not excessive in relation to the purposes for which they are
collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for
which the data was obtained or for the establishment, exercise or defense of legal
claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected and
processed: Provided, That personal information collected for other purposes may
be processed for historical, statistical or scientific purposes, and in cases laid down
in law may be stored for longer periods: Provided, further, That adequate
safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal
information processing principles set out herein.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of
personal information shall be permitted only if not otherwise prohibited by law, and
when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the
fulfillment of a contract with the data subject or in order to take steps at the
request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data
subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to
comply with the requirements of public order and safety, or to fulfill functions of
public authority which necessarily includes the processing of personal data for the
fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued
by the personal information controller or by a third party or parties to whom the
data is disclosed, except where such interests are overridden by fundamental
rights and freedoms of the data subject which require protection under the
Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing
of sensitive personal information and privileged information shall be prohibited,
except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to
the processing, or in the case of privileged information, all parties to the exchange
have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee the protection
of the sensitive personal information and the privileged information: Provided,
further, That the consent of the data subjects are not required by law or regulation
permitting the processing of the sensitive personal information or the privileged
information;

(c) The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his
or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations: Provided, That such
processing is only confined and related to the bona fide members of these
organizations or their associations: Provided, further, That the sensitive personal
information are not transferred to third parties: Provided, finally, That consent of the
data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by
a medical practitioner or a medical treatment institution, and an adequate level
of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or when
provided to government or public authority.

SEC. 14. Subcontract of Personal Information. – A personal information controller
may subcontract the processing of personal information: Provided, That the
personal information controller shall be responsible for ensuring that proper
safeguards are in place to ensure the confidentiality of the personal information
processed, prevent its use for unauthorized purposes, and generally, comply with
the requirements of this Act and other laws for processing of personal information.
The personal information processor shall comply with all the requirements of this
Act and other applicable laws.

SEC. 15. Extension of Privileged Communication. – Personal information controllers
may invoke the principle of privileged communication over privileged information
that they lawfully control or process. Subject to existing laws and regulations, any
evidence gathered on privileged information is inadmissible.

CHAPTER IV
RIGHTS OF THE DATA SUBJECT

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her shall be, are
being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her
personal information into the processing system of the personal information
controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its
representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data
subject: Provided, That the notification under subsection (b) shall not apply should
the personal information be needed pursuant to a subpoena or when the
collection and processing are for obvious purposes, including when it is necessary
for the performance of or in relation to a contract or service or when necessary or
desirable in the context of an employer-employee relationship, between the
collector and the data subject, or when the information is being collected and
processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made
as the sole basis for any decision significantly affecting or will affect the data
subject;

(7) Date when his or her personal information concerning the data subject were
last accessed and modified; and

(8) The designation, or name or identity and address of the personal information
controller;

(d) Dispute the inaccuracy or error in the personal information and have the
personal information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable. If the personal information have
been corrected, the personal information controller shall ensure the accessibility of
both the new and the retracted information and the simultaneous receipt of the
new and the retracted information by recipients thereof: Provided, That the third
parties who have previously received such processed personal information shall be
informed of its inaccuracy and its rectification upon reasonable request of the
data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her
personal information from the personal information controller’s filing system upon
discovery and substantial proof that the personal information are incomplete,
outdated, false, unlawfully obtained, used for unauthorized purposes or are no
longer necessary for the purposes for which they were collected. In this case, the
personal information controller may notify third parties who have previously
received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal information.

SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns
of the data subject may invoke the rights of the data subject for, which he or she is
an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated
in the immediately preceding section.

SEC. 18. Right to Data Portability. – The data subject shall have the right, where
personal information is processed by electronic means and in a structured and
commonly used format, to obtain from the personal information controller a copy
of data undergoing processing in an electronic or structured format, which is
commonly used and allows for further use by the data subject. The Commission
may specify the electronic format referred to above, as well as the technical
standards, modalities and procedures for their transfer.

SEC. 19. Non-Applicability. – The immediately preceding sections are not
applicable if the processed personal information are used only for the needs of
scientific and statistical research and, on the basis of such, no activities are carried
out and no decisions are taken regarding the data subject: Provided, That the
personal information shall be held under strict confidentiality and shall be used
only for the declared purpose. Likewise, the immediately preceding sections are
not applicable to processing of personal information gathered for the purpose of
investigations in relation to any criminal, administrative or tax liabilities of a data
subject.

CHAPTER V
SECURITY OF PERSONAL INFORMATION

SEC. 20. Security of Personal Information. – (a) The personal information controller
must implement reasonable and appropriate organizational, physical and
technical measures intended for the protection of personal information against
any accidental or unlawful destruction, alteration and disclosure, as well as against
any other unlawful processing.

(b) The personal information controller shall implement reasonable and
appropriate measures to protect personal information against natural dangers
such as accidental loss or destruction, and human dangers such as unlawful
access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the risks
represented by the processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of security
implementation. Subject to guidelines as the Commission may issue from time to
time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in
its computer networks, and for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.

(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security measures
required by this provision.

(e) The employees, agents or representatives of a personal information controller
who are involved in the processing of personal information shall operate and hold
personal information under strict confidentiality if the personal information are not
intended for public disclosure. This obligation shall continue even after leaving the
public service, transfer to another position or upon termination of employment or
contractual relations.

(f) The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such unauthorized
acquisition is likely to give rise to a real risk of serious harm to any affected data
subject. The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures taken by the
entity to address the breach. Notification may be delayed only to the extent
necessary to determine the scope of the breach, to prevent further disclosures, or
to restore reasonable integrity to the information and communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section and
existence of good faith in the acquisition of personal information.

(2) The Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public
interest or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may
hinder the progress of a criminal investigation related to a serious breach.

CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

SEC. 21. Principle of Accountability. – Each personal information controller is
responsible for personal information under its control or custody, including
information that have been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and
cooperation.

(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to
provide a comparable level of protection while the information are being
processed by a third party.

(b) The personal information controller shall designate an individual or individuals
who are accountable for the organization’s compliance with this Act. The identity
of the individual(s) so designated shall be made known to any data subject upon
request.

CHAPTER VII
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT

SEC. 22. Responsibility of Heads of Agencies. – All sensitive personal information
maintained by the government, its agencies and instrumentalities shall be secured,
as far as practicable, with the use of the most appropriate standard recognized by
the information and communications technology industry, and as recommended
by the Commission. The head of each government agency or instrumentality shall
be responsible for complying with the security requirements mentioned herein
while the Commission shall monitor the compliance and may recommend the
necessary action in order to satisfy the minimum standards.

SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive
Personal Information. – (a) On-site and Online Access – Except as may be allowed
through guidelines to be issued by the Commission, no employee of the
government shall have access to sensitive personal information on government
property or through online facilities unless the employee has received a security
clearance from the head of the source agency.

(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the
Commission, sensitive personal information maintained by an agency may not be
transported or accessed from a location off government property unless a request
for such transportation or access is submitted and approved by the head of the
agency in accordance with the following guidelines:

(1) Deadline for Approval or Disapproval – In the case of any request submitted to
the head of an agency, such head of the agency shall approve or disapprove the
request within two (2) business days after the date of submission of the request. In
case there is no action by the head of the agency, then such request is
considered disapproved;

(2) Limitation to One thousand (1,000) Records – If a request is approved, the head
of the agency shall limit the access to not more than one thousand (1,000) records
at a time; and

(3) Encryption – Any technology used to store, transport or access sensitive
personal information for purposes of off-site access approved under this subsection
shall be secured by the use of the most secure encryption standard recognized by
the Commission.

The requirements of this subsection shall be implemented not later than six (6)
months after the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. – In entering into any contract
that may involve accessing or requiring sensitive personal information from one
thousand (1,000) or more individuals, an agency shall require a contractor and its
employees to register their personal information processing system with the
Commission in accordance with this Act and to comply with the other provisions of
this Act including the immediately preceding section, in the same manner as
agencies and government employees comply with such requirements.

CHAPTER VIII
PENALTIES
SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal
Information. – (a) The unauthorized processing of personal information shall be
penalized by imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without being
authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be
penalized by imprisonment ranging from three (3) years to six (6) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Four million pesos (Php4,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without being
authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to
Negligence. – (a) Accessing personal information due to negligence shall be
penalized by imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized
under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized
by imprisonment ranging from three (3) years to six (6) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Four million
pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence,
provided access to personal information without being authorized under this Act or
any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal
Information. – (a) The improper disposal of personal information shall be penalized
by imprisonment ranging from six (6) months to two (2) years and a fine of not less
than One hundred thousand pesos (Php100,000.00) but not more than Five
hundred thousand pesos (Php500,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the
personal information of an individual in its container for trash collection.

(b) The improper disposal of sensitive personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less
than One hundred thousand pesos (Php100,000.00) but not more than One million
pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently
dispose, discard or abandon the personal information of an individual in an area
accessible to the public or has otherwise placed the personal information of an
individual in its container for trash collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes. – The processing of personal information for unauthorized
purposes shall be penalized by imprisonment ranging from one (1) year and six (6)
months to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons processing personal information for purposes not authorized
by the data subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be
penalized by imprisonment ranging from two (2) years to seven (7) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons processing
sensitive personal information for purposes not authorized by the data subject, or
otherwise authorized under this Act or under existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment
ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or
violating data confidentiality and security data systems, breaks in any way into any
system where personal and sensitive personal information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal
Information. – The penalty of imprisonment of one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons who, after having knowledge of a security breach and of the
obligation to notify the Commission pursuant to Section 20(f), intentionally or by
omission conceals the fact of such security breach.

SEC. 31. Malicious Disclosure. – Any personal information controller or personal
information processor or any of its officials, employees or agents, who, with malice
or in bad faith, discloses unwarranted or false information relative to any personal
information or personal sensitive information obtained by him or her, shall be
subject to imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than One million pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or
personal information processor or any of its officials, employees or agents, who
discloses to a third party personal information not covered by the immediately
preceding section without the consent of the data subject, shall be subject to
imprisonment ranging from one (1) year to three (3) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than One million
pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of
its officials, employees or agents, who discloses to a third party sensitive personal
information not covered by the immediately preceding section without the
consent of the data subject, shall be subject to imprisonment ranging from three
(3) years to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as
defined in Sections 25 to 32 shall make the person subject to imprisonment ranging
from three (3) years to six (6) years and a fine of not less than One million pesos
(Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any
juridical person, the penalty shall be imposed upon the responsible officers, as the
case may be, who participated in, or by their gross negligence, allowed the
commission of the crime. If the offender is a juridical person, the court may
suspend or revoke any of its rights under this Act. If the offender is an alien, he or
she shall, in addition to the penalties herein prescribed, be deported without
further proceedings after serving the penalties prescribed. If the offender is a
public official or employee and he or she is found guilty of acts penalized under
Sections 27 and 28 of this Act, he or she shall, in addition to the penalties
prescribed herein, suffer perpetual or temporary absolute disqualification from
office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively
provided for the preceding offenses shall be imposed when the personal
information of at least one hundred (100) persons is harmed, affected or involved
as the result of the above mentioned actions.

SEC. 36. Offense Committed by Public Officer. – When the offender or the person
responsible for the offense is a public officer as defined in the Administrative Code
of the Philippines in the exercise of his or her duties, an accessory penalty
consisting in the disqualification to occupy public office for a term double the term
of criminal penalty imposed shall be applied.

SEC. 37. Restitution. – Restitution for any aggrieved party shall be governed by the
provisions of the New Civil Code.

CHAPTER IX
MISCELLANEOUS PROVISIONS

SEC. 38. Interpretation. – Any doubt in the interpretation of any provision of this Act
shall be liberally interpreted in a manner mindful of the rights and interests of the
individual about whom personal information is processed.

SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from
the effectivity of this Act, the Commission shall promulgate the rules and
regulations to effectively implement the provisions of this Act.

SEC. 40. Reports and Information. – The Commission shall annually report to the
President and Congress on its activities in carrying out the provisions of this Act. The
Commission shall undertake whatever efforts it may determine to be necessary or
appropriate to inform and educate the public of data privacy, data protection
and fair information rights and responsibilities.

SEC. 41. Appropriations Clause. – The Commission shall be provided with an initial
appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the
national government. Appropriations for the succeeding years shall be included in
the General Appropriations Act. It shall likewise receive Ten million pesos
(Php10,000,000.00) per year for five (5) years upon implementation of this Act
drawn from the national government.

SEC. 42. Transitory Provision. – Existing industries, businesses and offices affected by
the implementation of this Act shall be given one (1) year transitory period from
the effectivity of the IRR or such other period as may be determined by the
Commission, to comply with the requirements of this Act.

In case that the DICT has not yet been created by the time the law takes full force
and effect, the National Privacy Commission shall be attached to the Office of the
President.

SEC. 43. Separability Clause. – If any provision or part hereof is held invalid or
unconstitutional, the remainder of the law or the provision not otherwise affected
shall remain valid and subsisting.

SEC. 44. Repealing Clause. – The provision of Section 7 of Republic Act No. 9372,
otherwise known as the “Human Security Act of 2007”, is hereby amended. Except
as otherwise expressly provided in this Act, all other laws, decrees, executive
orders, proclamations and administrative regulations or parts thereof inconsistent
herewith are hereby repealed or modified accordingly.

SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15) days after its
publication in at least two (2) national newspapers of general circulation.

Implementing Rules and Regulations of Republic Act No. 10173, known as the
“Data Privacy Act of 2012”

Pursuant to the mandate of the National Privacy Commission to administer and
implement the provisions of the Data Privacy Act of 2012, and to monitor and
ensure compliance of the country with international standards set for data
protection, the following rules and regulations are hereby promulgated to
effectively implement the provisions of the Act:

Rule I. Preliminary Provisions

1. Title
2. Policy
3. Definitions

Rule II. Scope of Application

4. Scope
5. Special Cases
6. Protection afforded to data subjects
7. Protection afforded to journalists and their sources

Rule III. National Privacy Commission

8. Mandate
9. Functions
10. Administrative Issuances
11. Reports and Public Information
12. Confidentiality of Personal Data
13. Organizational Structure
14. Secretariat
15. Effect of Lawful Performance of Duty
16. Magna Carta for Science and Technology Personnel

Rule IV. Data Privacy Principles

17. General Principles
18. Principles of Transparency, Legitimate Purpose and Proportionality
19. Principles in Collection, Processing and Retention
a. Collection must be for a specified and legitimate purpose
b. Personal Data shall be processed fairly and lawfully
c. Processing should ensure data quality
d. Personal data shall not be retained longer than necessary
e. Any authorized further processing shall have adequate safeguards
20. Principles for Data Sharing

Rule V. Lawful Processing of Personal Data

21. Lawful Processing of Personal Information
22. Lawful Processing of Sensitive Personal Information and Privileged
Information
23. Extension of Privileged Communication
24. Surveillance of Subjects and Interception of Recording of Communications

Rule VI. Security Measures for Protection of Personal Data

25. Data Privacy and Security
26. Organizational Security
27. Physical Security
28. Technical Security
29. Appropriate Level of Security

Rule VII. Security of Sensitive Personal Information in Government

30. Responsibility of Heads of Agencies
31. Requirements Relating to Access by Agency Personnel to Sensitive Personal
Information
32. Implementation of Security Requirements
33. Applicability to Government Contractors

Rule VIII. Rights of Data Subject

34. Rights of the Data Subject
a. Right to be informed
b. Right to object
c. Right to access
d. Right to correct
e. Right to rectification, erasure or blocking
35. Transmissibility of Rights of the Data Subject
36. Right to Data Portability
37. Limitation on Rights

Rule IX. Data Breach Notification.

38. Data Breach Notification
39. Contents of Notification
40. Delay of Notification
41. Breach Report
42. Procedure for Notification

Rule X. Outsourcing and Subcontracting Agreements.

43. Subcontract of Personal Data
44. Agreements for Outsourcing
45. Duty of Personal Information Processor

Rule XI. Registration and Compliance Requirements

46. Enforcement of the Data Privacy Act
47. Registration of Data Processing Systems
48. Notification for Automated Processing Operations
49. Review by the Commission

Rule XII. Rules on Accountability

50. Accountability for Transfer of Personal Information
51. Accountability for Violation of the Act, these Rules and other issuances

Rule XIII. Penalties

52. Unauthorized Processing of Personal Information and Sensitive Personal
Information
53. Accessing Personal Information and Sensitive Personal Information Due to
Negligence
54. Improper Disposal of Personal Information and Sensitive Personal Information
55. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes
56. Unauthorized Access or Intentional Breach
57. Concealment of Security Breaches Involving Sensitive Personal Information
58. Malicious Disclosure
59. Unauthorized Disclosure
60. Combination or Series of Acts
61. Extent of Liability
62. Large-Scale
63. Offense Committed by Public Officer
64. Restitution
65. Fines and Penalties

Rule XIV. Miscellaneous Provisions

66. Appeal
67. Period for Compliance
68. Appropriations Clause
69. Interpretation
70. Separability Clause
71. Repealing Clause
72. Effectivity Clause

Rule I. Preliminary Provisions

Section 1. Title. These rules and regulations shall be known as the “Implementing
Rules and Regulations of the Data Privacy Act of 2012”, or the “Rules”.

Section 2. Policy. These Rules further enforce the Data Privacy Act and adopt generally
accepted international principles and standards for personal data protection.
They safeguard the fundamental human right of every individual to privacy while
ensuring free flow of information for innovation, growth, and national
development. These Rules also recognize the vital role of information and
communications technology in nation-building and enforce the State’s inherent
obligation to ensure that personal data in information and communications
systems in the government and in the private sector are secured and protected.

Section 3. Definitions. Whenever used in these Rules, the following terms shall have
the respective meanings hereafter set forth:

a. “Act” refers to Republic Act No. 10173, also known as the Data Privacy Act
of 2012;

b. “Commission” refers to the National Privacy Commission;


c. “Consent of the data subject” refers to any freely given, specific,
informed indication of will, whereby the data subject agrees to the collection and
processing of his or her personal, sensitive personal, or privileged information.
Consent shall be evidenced by written, electronic or recorded means. It may also
be given on behalf of a data subject by a lawful representative or an agent
specifically authorized by the data subject to do so;

d. “Data subject” refers to an individual whose personal, sensitive personal, or
privileged information is processed;

e. “Data processing systems” refers to the structure and procedure by which
personal data is collected and further processed in an information and
communications system or relevant filing system, including the purpose and
intended output of the processing;

f. “Data sharing” is the disclosure or transfer to a third party of personal data
under the custody of a personal information controller or personal information
processor. In the case of the latter, such disclosure or transfer must have been
upon the instructions of the personal information controller concerned. The term
excludes outsourcing, or the disclosure or transfer of personal data by a personal
information controller to a personal information processor;

g. “Direct marketing” refers to communication by whatever means of any
advertising or marketing material which is directed to particular individuals;

h. “Filing system” refers to any set of information relating to natural or juridical
persons to the extent that, although the information is not processed by equipment
operating automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular
individual is readily accessible;

i. “Information and communications system” refers to a system for
generating, sending, receiving, storing, or otherwise processing electronic data
messages or electronic documents, and includes the computer system or other
similar device by which data is recorded, transmitted, or stored, and any
procedure related to the recording, transmission, or storage of electronic data,
electronic message, or electronic document;

j. “Personal data” refers to all types of personal information;

k. “Personal data breach” refers to a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored, or otherwise processed;

l. “Personal information” refers to any information, whether recorded in a
material form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual;

m. “Personal information controller” refers to a natural or juridical person, or any
other body who controls the processing of personal data, or instructs another to
process personal data on its behalf. The term excludes:

1. A natural or juridical person, or any other body, who performs such
functions as instructed by another person or organization; or

2. A natural person who processes personal data in connection with his or her
personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

n. “Personal information processor” refers to any natural or juridical person or
any other body to whom a personal information controller may outsource or
instruct the processing of personal data pertaining to a data subject;

o. “Processing” refers to any operation or any set of operations performed
upon personal data including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data. Processing may be
performed through automated means, or manual processing, if the personal data
are contained or are intended to be contained in a filing system;

p. “Profiling” refers to any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal aspects relating
to a natural person, in particular to analyze or predict aspects concerning that
natural person’s performance at work, economic situation, health, personal
preferences, interests, reliability, behavior, location or movements;

q. “Privileged information” refers to any and all forms of data, which, under
the Rules of Court and other pertinent laws constitute privileged communication;

r. “Public authority” refers to any government entity created by the
Constitution or law, and vested with law enforcement or regulatory authority and
functions;

s. “Security incident” is an event or occurrence that affects or tends to
affect data protection, or may compromise the availability, integrity and
confidentiality of personal data. It includes incidents that would result to a personal
data breach, if not for safeguards that have been put in place;

t. “Sensitive personal information” refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the sentence
of any court in such proceedings;

3. Issued by government agencies peculiar to an individual which includes,
but is not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and

4. Specifically established by an executive order or an act of Congress to be
kept classified.

Rule II. Scope of Application

Section 4. Scope. The Act and these Rules apply to the processing of personal
data by any natural and juridical person in the government or private sector. They
apply to an act done or practice engaged in and outside of the Philippines if:

a. The natural or juridical person involved in the processing of personal data
is found or established in the Philippines;

b. The act, practice or processing relates to personal data about a Philippine
citizen or Philippine resident;

c. The processing of personal data is being done in the Philippines; or

d. The act, practice or processing of personal data is done or engaged in by
an entity with links to the Philippines, with due consideration to international law
and comity, such as, but not limited to, the following:

1. Use of equipment located in the country, or maintains an office, branch or
agency in the Philippines for processing of personal data;

2. A contract is entered in the Philippines;

3. A juridical entity unincorporated in the Philippines but has central
management and control in the country;

4. An entity that has a branch, agency, office or subsidiary in the Philippines
and the parent or affiliate of the Philippine entity has access to personal data;

5. An entity that carries on business in the Philippines;

6. An entity that collects or holds personal data in the Philippines.

Section 5. Special Cases. The Act and these Rules shall not apply to the following
specified information, only to the minimum extent of collection, access, use,
disclosure or other processing necessary to the purpose, function, or activity
concerned:

a. Information processed for purpose of allowing public access to
information that fall within matters of public concern, pertaining to:

1. Information about any individual who is or was an officer or employee of
government that relates to his or her position or functions, including:

(a) The fact that the individual is or was an officer or employee of the
government;

(b) The title, office address, and office telephone number of the individual;

(c) The classification, salary range, and responsibilities of the position held by
the individual; and

(d) The name of the individual on a document he or she prepared in the course
of his or her employment with the government;

2. Information about an individual who is or was performing a service under
contract for a government institution, but only in so far as it relates to such service,
including the name of the individual and the terms of his or her contract;

3. Information relating to a benefit of a financial nature conferred on an
individual upon the discretion of the government, such as the granting of a license
or permit, including the name of the individual and the exact nature of the
benefit: Provided, that they do not include benefits given in the course of an
ordinary transaction or as a matter of right;

b. Personal information processed for journalistic, artistic or literary purpose, in
order to uphold freedom of speech, of expression, or of the press, subject to
requirements of other applicable law or regulations;

c. Personal information that will be processed for research purpose,
intended for a public benefit, subject to the requirements of applicable laws,
regulations, or ethical standards;

d. Information necessary in order to carry out the functions of public authority,
in accordance with a constitutionally or statutorily mandated function pertaining
to law enforcement or regulatory function, including the performance of the
functions of the independent, central monetary authority, subject to restrictions
provided by law. Nothing in this Act shall be construed as having amended or
repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits
Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act;
and Republic Act No. 9510, otherwise known as the Credit Information System Act
(CISA);

e. Information necessary for banks, other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas, and other bodies authorized by law, to the extent necessary to comply
with Republic Act No. 9510 (CISA), Republic Act No. 9160, as amended, otherwise
known as the Anti-Money Laundering Act, and other applicable laws;

f. Personal information originally collected from residents of foreign
jurisdictions in accordance with the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed in the Philippines. The
burden of proving the law of the foreign jurisdiction falls on the person or body
seeking exemption. In the absence of proof, the applicable law shall be
presumed to be the Act and these Rules:

Provided, that the non-applicability of the Act or these Rules do not extend to
personal information controllers or personal information processors, who remain
subject to the requirements of implementing security measures for personal data
protection: Provided further, that the processing of the information provided in the
preceding paragraphs shall be exempted from the requirements of the Act only to
the minimum extent necessary to achieve the specific purpose, function, or
activity.

Section 6. Protection afforded to Data Subjects.

a. Unless directly incompatible or inconsistent with the preceding sections in
relation to the purpose, function, or activities the non-applicability concerns, the
personal information controller or personal information processor shall uphold the
rights of data subjects, and adhere to general data privacy principles and the
requirements of lawful processing.

b. The burden of proving that the Act and these Rules are not applicable to
a particular information falls on those involved in the processing of personal data
or the party claiming the non-applicability.

c. In all cases, the determination of any exemption shall be liberally


interpreted in favor of the rights and interests of the data subject.

Section 7. Protection Afforded to Journalists and their Sources.


a. Publishers, editors, or duly accredited reporters of any newspaper, magazine
or periodical of general circulation shall not be compelled to reveal the source of
any news report or information appearing in said publication if it was related in any
confidence to such publisher, editor, or reporter.

b. Publishers, editors, or duly accredited reporters who are likewise personal


information controllers or personal information processors within the meaning of
the law are still bound to follow the Data Privacy Act and related issuances with
regard to the processing of personal data, upholding rights of their data subjects
and maintaining compliance with other provisions that are not incompatible with
the protection provided by Republic Act No. 53.

Rule III. National Privacy Commission

Section 8. Mandate. The National Privacy Commission is an independent body
mandated to administer and implement the Act, and to monitor and ensure
compliance of the country with international standards set for personal data
protection.

Section 9. Functions. The National Privacy Commission shall have the
following functions:

a. Rule Making. The Commission shall develop, promulgate, review or amend
rules and regulations for the effective implementation of the Act. This includes:

1. Recommending organizational, physical and technical security measures
for personal data protection, encryption, and access to sensitive personal
information maintained by government agencies, considering the most
appropriate standard recognized by the information and communications
technology industry, as may be necessary;

2. Specifying electronic format and technical standards, modalities and
procedures for data portability, as may be necessary;

3. Issuing guidelines for organizational, physical, and technical security
measures for personal data protection, taking into account the nature of the
personal data to be protected, the risks presented by the processing, the size of
the organization and complexity of its operations, current data privacy best
practices, cost of security implementation, and the most appropriate standard
recognized by the information and communications technology industry, as may
be necessary;

4. Consulting with relevant regulatory agencies in the formulation, review,
amendment, and administration of privacy codes, applying the standards set out
in the Act, with respect to the persons, entities, business activities, and business
sectors that said regulatory bodies are authorized to principally regulate pursuant
to law;

5. Proposing legislation, amendments or modifications to Philippine laws on
privacy or data protection, as may be necessary;

6. Ensuring proper and effective coordination with data privacy regulators in
other countries and private accountability agents;

7. Participating in international and regional initiatives for data privacy
protection.

b. Advisory. The Commission shall be the advisory body on matters affecting
protection of personal data. This includes:

1. Commenting on the implication on data privacy of proposed national or
local statutes, regulations or procedures, issuing advisory opinions, and interpreting
the provisions of the Act and other data privacy laws;

2. Reviewing, approving, rejecting, or requiring modification of privacy codes
voluntarily adhered to by personal information controllers, which may include
private dispute resolution mechanisms for complaints against any participating
personal information controller, and which adhere to the underlying data privacy
principles embodied in the Act and these Rules;

3. Providing assistance on matters relating to privacy or data protection at
the request of a national or local agency, a private entity or any person, including
the enforcement of rights of data subjects;

4. Assisting Philippine companies doing business abroad to respond to data
protection laws and regulations.

c. Public Education. The Commission shall undertake necessary or
appropriate efforts to inform and educate the public of data privacy, data
protection, and fair information rights and responsibilities. This includes:

1. Publishing, on a regular basis, a guide to all laws relating to data
protection;

2. Publishing a compilation of agency system of records and notices,
including index and other finding aids;

3. Coordinating with other government agencies and the private sector on
efforts to formulate and implement plans and policies to strengthen the protection
of personal data in the country;

d. Compliance and Monitoring. The Commission shall perform compliance
and monitoring functions to ensure effective implementation of the Act, these
Rules, and other issuances. This includes:

1. Ensuring compliance by personal information controllers with the provisions
of the Act;

2. Monitoring the compliance of all government agencies or instrumentalities
as regards their security and technical measures, and recommending the
necessary action in order to meet minimum standards for protection of personal
data pursuant to the Act;

3. Negotiating and contracting with other data privacy authorities of other
countries for cross-border application and implementation of respective privacy
laws;

4. Generally performing such acts as may be necessary to facilitate cross-border
enforcement of data privacy protection;

5. Managing the registration of personal data processing systems in the
country, including the personal data processing system of contractors and their
employees entering into contracts with government agencies that involves
accessing or requiring sensitive personal information of at least one thousand
(1,000) individuals.

e. Complaints and Investigations. The Commission shall adjudicate on
complaints and investigations on matters affecting personal data: Provided, that in
resolving any complaint or investigation, except where amicable settlement is
reached by the parties, the Commission shall act as a collegial body. This includes:

1. Receiving complaints and instituting investigations regarding violations of
the Act, these Rules, and other issuances of the Commission, including violations of
the rights of data subjects and other matters affecting personal data;

2. Summoning witnesses, and requiring the production of evidence by a
subpoena duces tecum for the purpose of collecting the information necessary to
perform its functions under the Act: Provided, that the Commission may be given
access to personal data that is subject of any complaint;

3. Facilitating or enabling settlement of complaints through the use of
alternative dispute resolution processes, and adjudicating on matters affecting
any personal data;

4. Preparing reports on the disposition of complaints and the resolution of any
investigation it initiates, and, in cases it deems appropriate, publicizing such
reports;

f. Enforcement. The Commission shall perform all acts as may be necessary
to effectively implement the Act, these Rules, and its other issuances, and to
enforce its Orders, Resolutions or Decisions, including the imposition of
administrative sanctions, fines, or penalties. This includes:

1. Issuing compliance or enforcement orders;

2. Awarding indemnity on matters affecting any personal data, or rights of
data subjects;

3. Issuing cease and desist orders, or imposing a temporary or permanent
ban on the processing of personal data, upon finding that the processing will be
detrimental to national security or public interest, or if it is necessary to preserve
and protect the rights of data subjects;

4. Recommending to the Department of Justice (DOJ) the prosecution of
crimes and imposition of penalties specified in the Act;

5. Compelling or petitioning any entity, government agency, or
instrumentality, to abide by its orders or take action on a matter affecting data
privacy;

6. Imposing administrative fines for violations of the Act, these Rules, and
other issuances of the Commission.

g. Other functions. The Commission shall exercise such other functions as may
be necessary to fulfill its mandate under the Act.

Section 10. Administrative Issuances. The Commission shall publish or issue official
directives and administrative issuances, orders, and circulars, which include:

a. Rules of procedure in the exercise of its quasi-judicial functions, subject to
the suppletory application of the Rules of Court;

b. Schedule of administrative fines and penalties for violations of the Act,
these Rules, and issuances or Orders of the Commission, including the applicable
fees for its administrative services and filing fees;

c. Procedure for registration of data processing systems, and notification;

d. Other administrative issuances consistent with its mandate and other
functions.

Section 11. Reports and Information. The Commission shall report annually to the
President and Congress regarding its activities in carrying out the provisions of the
Act, these Rules, and its other issuances. It shall undertake all efforts it deems
necessary or appropriate to inform and educate the public of data privacy, data
protection, and fair information rights and responsibilities.

Section 12. Confidentiality of Personal Data. Members, employees, and consultants
of the Commission shall ensure at all times the confidentiality of any personal data
that come to their knowledge and possession: Provided, that such duty of
confidentiality shall remain even after their term, employment, or contract has
ended.

Section 13. Organizational Structure. The Commission is attached to the
Department of Information and Communications Technology for policy and
program coordination in accordance with Section 38(3) of Executive Order No.
292, series of 1987, also known as the Administrative Code of 1987. The Commission
shall remain completely independent in the performance of its functions. The
Commission shall be headed by a Privacy Commissioner, who shall act as
Chairman of the Commission. The Privacy Commissioner must be at least thirty-five
(35) years of age and of good moral character, unquestionable integrity and
known probity, and a recognized expert in the field of information technology and
data privacy. The Privacy Commissioner shall enjoy the benefits, privileges, and
emoluments equivalent to the rank of Secretary. The Privacy Commissioner shall be
assisted by two (2) Deputy Privacy Commissioners. One shall be responsible for
Data Processing Systems, while the other shall be responsible for Policies and
Planning. The Deputy Privacy Commissioners must be recognized experts in the
field of information and communications technology and data privacy. They shall
enjoy the benefits, privileges, and emoluments equivalent to the rank of
Undersecretary.

Section 14. Secretariat. The Commission is authorized to establish a
Secretariat, which shall assist in the performance of its functions. The Secretariat
shall be headed by an Executive Director and shall be organized according to the
following offices:

a. Data Security and Compliance Office;

b. Legal and Enforcement Office;

c. Finance and Administrative Office;

d. Privacy Policy Office;

e. Public Information and Assistance Office.

Majority of the members of the Secretariat, in so far as practicable, must have
served for at least five (5) years in any agency of the government that is involved
in the processing of personal data including, but not limited to, the following
offices: Social Security System (SSS), Government Service Insurance System (GSIS),
Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine
Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine
Postal Corporation (Philpost). The organizational structure shall be subject to review
and modification by the Commission, including the creation of new divisions and
units it may deem necessary, and shall appoint officers and employees of the
Commission in accordance with civil service law, rules, and regulations.

Section 15. Effect of Lawful Performance of Duty. The Privacy Commissioner, the
Deputy Commissioners, or any person acting on their behalf or under their direction,
shall not be civilly liable for acts done in good faith in the performance of their duties:
Provided, that they shall be liable for willful or negligent acts, which are contrary to
law, morals, public policy, and good customs, even if they acted under orders or
instructions of superiors: Provided further, that in case a lawsuit is filed against them
in relation to the performance of their duties, where such performance is lawful, he
or she shall be reimbursed by the Commission for reasonable costs of litigation.

Section 16. Magna Carta for Science and Technology Personnel. Qualified
employees of the Commission shall be covered by Republic Act No. 8349, which
provides a magna carta for scientists, engineers, researchers, and other science
and technology personnel in the government.

Rule IV. Data Privacy Principles

Section 17. General Data Privacy Principles. The processing of personal data shall
be allowed, subject to compliance with the requirements of the Act and other
laws allowing disclosure of information to the public, and adherence to the
principles of transparency, legitimate purpose, and proportionality.

Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The
processing of personal data shall be allowed subject to adherence to the
principles of transparency, legitimate purpose, and proportionality.

a. Transparency. The data subject must be aware of the nature, purpose,
and extent of the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller, his or her rights
as a data subject, and how these can be exercised. Any information and
communication relating to the processing of personal data should be easy to
access and understand, using clear and plain language.

b. Legitimate purpose. The processing of information shall be compatible
with a declared and specified purpose which must not be contrary to law, morals,
or public policy.

c. Proportionality. The processing of information shall be adequate, relevant,
suitable, necessary, and not excessive in relation to a declared and specified
purpose. Personal data shall be processed only if the purpose of the processing
could not reasonably be fulfilled by other means.

Section 19. General principles in collection, processing and retention. The
processing of personal data shall adhere to the following general principles in the
collection, processing, and retention of personal data:

a. Collection must be for a declared, specified, and legitimate purpose.

1. Consent is required prior to the collection and processing of personal data,
subject to exemptions provided by the Act and other applicable laws and
regulations. When consent is required, it must be time-bound in relation to the
declared, specified and legitimate purpose. Consent given may be withdrawn.

2. The data subject must be provided specific information regarding the
purpose and extent of processing, including, where applicable, the automated
processing of his or her personal data for profiling, or processing for direct
marketing, and data sharing.

3. Purpose should be determined and declared before, or as soon as
reasonably practicable, after collection.

4. Only personal data that is necessary and compatible with declared,
specified, and legitimate purpose shall be collected.

b. Personal data shall be processed fairly and lawfully.

1. Processing shall uphold the rights of the data subject, including the right to
refuse, withdraw consent, or object. It shall likewise be transparent, and allow the
data subject sufficient information to know the nature and extent of processing.

2. Information provided to a data subject must always be in clear and plain
language to ensure that they are easy to understand and access.

3. Processing must be in a manner compatible with declared, specified, and
legitimate purpose.

4. Processed personal data should be adequate, relevant, and limited to
what is necessary in relation to the purposes for which they are processed.

5. Processing shall be undertaken in a manner that ensures appropriate
privacy and security safeguards.

c. Processing should ensure data quality.

1. Personal data should be accurate and where necessary for declared,
specified and legitimate purpose, kept up to date.

2. Inaccurate or incomplete data must be rectified, supplemented,
destroyed or their further processing restricted.

d. Personal Data shall not be retained longer than necessary.

1. Retention of personal data shall only be for as long as necessary:

(a) for the fulfillment of the declared, specified, and legitimate purpose, or
when the processing relevant to the purpose has been terminated;

(b) for the establishment, exercise or defense of legal claims; or

(c) for legitimate business purposes, which must be consistent with standards
followed by the applicable industry or approved by appropriate government
agency.

2. Retention of personal data shall be allowed in cases provided by law.

3. Personal data shall be disposed or discarded in a secure manner that
would prevent further processing, unauthorized access, or disclosure to any other
party or the public, or prejudice the interests of the data subjects.

e. Any authorized further processing shall have adequate safeguards.

1. Personal data originally collected for a declared, specified, or legitimate
purpose may be processed further for historical, statistical, or scientific purposes,
and, in cases laid down in law, may be stored for longer periods, subject to
implementation of the appropriate organizational, physical, and technical security
measures required by the Act in order to safeguard the rights and freedoms of the
data subject.

2. Personal data which is aggregated or kept in a form which does not
permit identification of data subjects may be kept longer than necessary for the
declared, specified, and legitimate purpose.

3. Personal data shall not be retained in perpetuity in contemplation of a
possible future use yet to be determined.

Section 20. General Principles for Data Sharing. Further Processing of Personal Data
collected from a party other than the Data Subject shall be allowed under any of
the following conditions:
a. Data sharing shall be allowed when it is expressly authorized by
law: Provided, that there are adequate safeguards for data privacy and security,
and processing adheres to principle of transparency, legitimate purpose and
proportionality.

b. Data Sharing shall be allowed in the private sector if the data subject
consents to data sharing, and the following conditions are complied with:

1. Consent for data sharing shall be required even when the data is to be
shared with an affiliate or mother company, or similar relationships;

2. Data sharing for commercial purposes, including direct marketing, shall be
covered by a data sharing agreement.

(a) The data sharing agreement shall establish adequate safeguards for data
privacy and security, and uphold rights of data subjects.

(b) The data sharing agreement shall be subject to review by the Commission,
on its own initiative or upon complaint of data subject;

3. The data subject shall be provided with the following information prior to
collection or before data is shared:

(a) Identity of the personal information controllers or personal information
processors that will be given access to the personal data;

(b) Purpose of data sharing;

(c) Categories of personal data concerned;

(d) Intended recipients or categories of recipients of the personal data;

(e) Existence of the rights of data subjects, including the right to access and
correction, and the right to object;

(f) Other information that would sufficiently notify the data subject of the
nature and extent of data sharing and the manner of processing.

4. Further processing of shared data shall adhere to the data privacy
principles laid down in the Act, these Rules, and other issuances of the
Commission.

c. Data collected from parties other than the data subject for purpose of
research shall be allowed when the personal data is publicly available, or has the
consent of the data subject for purpose of research: Provided, that adequate
safeguards are in place, and no decision directly affecting the data subject shall
be made on the basis of the data collected or processed. The rights of the data
subject shall be upheld without compromising research integrity.

d. Data sharing between government agencies for the purpose of a public
function or provision of a public service shall be covered by a data sharing
agreement.

1. Any or all government agencies party to the agreement shall comply with
the Act, these Rules, and all other issuances of the Commission, including putting in
place adequate safeguards for data privacy and security.

2. The data sharing agreement shall be subject to review of the Commission,
on its own initiative or upon complaint of data subject.

Rule V. Lawful Processing of Personal Data

Section 21. Criteria for Lawful Processing of Personal Information. Processing of
personal information is allowed, unless prohibited by law. For processing to be
lawful, any of the following conditions must be complied with:

a. The data subject must have given his or her consent prior to the collection,
or as soon as practicable and reasonable;

b. The processing involves the personal information of a data subject who is a
party to a contractual agreement, in order to fulfill obligations under the contract
or to take steps at the request of the data subject prior to entering the said
agreement;

c. The processing is necessary for compliance with a legal obligation to
which the personal information controller is subject;

d. The processing is necessary to protect vitally important interests of the data
subject, including his or her life and health;

e. The processing of personal information is necessary to respond to national
emergency or to comply with the requirements of public order and safety, as
prescribed by law;

f. The processing of personal information is necessary for the fulfillment of
the constitutional or statutory mandate of a public authority; or

g. The processing is necessary to pursue the legitimate interests of the
personal information controller, or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by fundamental rights and
freedoms of the data subject, which require protection under the Philippine
Constitution.

Section 22. Sensitive Personal Information and Privileged Information. The
processing of sensitive personal and privileged information is prohibited, except in
any of the following cases:

a. Consent is given by data subject, or by the parties to the exchange of
privileged information, prior to the processing of the sensitive personal information
or privileged information, which shall be undertaken pursuant to a declared,
specified, and legitimate purpose;

b. The processing of the sensitive personal information or privileged
information is provided for by existing laws and regulations: Provided, that said laws
and regulations do not require the consent of the data subject for the processing,
and guarantee the protection of personal data;

c. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically able to
express his or her consent prior to the processing;

d. The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations provided that:

1. Processing is confined and related to the bona fide members of these
organizations or their associations;

2. The sensitive personal information are not transferred to third parties; and

3. Consent of the data subject was obtained prior to processing;

e. The processing is necessary for the purpose of medical
treatment: Provided, that it is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal data is
ensured; or

f. The processing concerns sensitive personal information or
privileged information necessary for the protection of lawful rights and interests of
natural or legal persons in court proceedings, or the establishment, exercise, or
defense of legal claims, or when provided to government or public authority
pursuant to a constitutional or statutory mandate.

Section 23. Extension of Privileged Communication. Personal information controllers
may invoke the principle of privileged communication over privileged information
that they lawfully control or process. Subject to existing laws and regulations, any
evidence gathered from privileged information is inadmissible. When the
Commission inquires upon communication claimed to be privileged, the personal
information controller concerned shall prove the nature of the communication in
an executive session. Should the communication be determined as privileged, it
shall be excluded from evidence, and the contents thereof shall not form part of
the records of the case: Provided, that where the privileged communication itself is
the subject of a breach, or a privacy concern or investigation, it may be disclosed
to the Commission but only to the extent necessary for the purpose of
investigation, without including the contents thereof in the records.

Section 24. Surveillance of Suspects and Interception of Recording of Communications.
Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of
2007”, is hereby amended to include the condition that the processing of personal
data for the purpose of surveillance, interception, or recording of communications
shall comply with the Data Privacy Act, including adherence to the principles of
transparency, proportionality, and legitimate purpose.

Rule VI. Security Measures for the Protection of Personal Data

Section 25. Data Privacy and Security. Personal information controllers and
personal information processors shall implement reasonable and appropriate
organizational, physical, and technical security measures for the protection of
personal data. The personal information controller and personal information
processor shall take steps to ensure that any natural person acting under their
authority and who has access to personal data, does not process them except
upon their instructions, or as required by law. The security measures shall aim to
maintain the availability, integrity, and confidentiality of personal data and are
intended for the protection of personal data against any accidental or unlawful
destruction, alteration, and disclosure, as well as against any other unlawful
processing. These measures shall be implemented to protect personal data
against natural dangers such as accidental loss or destruction, and human
dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration and contamination.

Section 26. Organizational Security Measures. Where appropriate, personal
information controllers and personal information processors shall comply with the
following guidelines for organizational security:

a. Compliance Officers. Any natural or juridical person or other body
involved in the processing of personal data shall designate an individual or
individuals who shall function as data protection officer, compliance officer or
otherwise be accountable for ensuring compliance with applicable laws and
regulations for the protection of data privacy and security.

b. Data Protection Policies. Any natural or juridical person or other body
involved in the processing of personal data shall implement appropriate data
protection policies that provide for organizational, physical, and technical security
measures, and, for such purpose, take into account the nature, scope, context
and purposes of the processing, as well as the risks posed to the rights and
freedoms of data subjects.

1. The policies shall implement data protection principles both at the time of
the determination of the means for processing and at the time of the processing
itself.

2. The policies shall implement appropriate security measures that, by
default, ensure only personal data which is necessary for the specified purpose of
the processing are processed. They shall determine the amount of personal data
collected, including the extent of processing involved, the period of their storage,
and their accessibility.

3. The policies shall provide for documentation, regular review, evaluation,
and updating of the privacy and security policies and practices.

c. Records of Processing Activities. Any natural or juridical person or other
body involved in the processing of personal data shall maintain records that
sufficiently describe its data processing system, and identify the duties and
responsibilities of those individuals who will have access to personal data. Records
should include:

1. Information about the purpose of the processing of personal data,
including any intended future processing or data sharing;

2. A description of all categories of data subjects, personal data, and
recipients of such personal data that will be involved in the processing;

3. General information about the data flow within the organization, from the
time of collection, processing, and retention, including the time limits for disposal or
erasure of personal data;

4. A general description of the organizational, physical, and technical
security measures in place;

5. The name and contact details of the personal information controller and,
where applicable, the joint controller, its representative, and the compliance
officer or Data Protection Officer, or any other individual or individuals
accountable for ensuring compliance with the applicable laws and regulations for
the protection of data privacy and security.

d. Management of Human Resources. Any natural or juridical person or other


entity involved in the processing of personal data shall be responsible for selecting
and supervising its employees, agents, or representatives, particularly those who
will have access to personal data.

The said employees, agents, or representatives shall operate and hold personal
data under strict confidentiality if the personal data are not intended for public
disclosure. This obligation shall continue even after leaving the public service,
transferring to another position, or upon terminating their employment or
contractual relations. There shall be capacity building, orientation or training
programs for such employees, agents or representatives, regarding privacy or
security policies.

e. Processing of Personal Data. Any natural or juridical person or other body
involved in the processing of personal data shall develop, implement and review:

1. A procedure for the collection of personal data, including procedures for
obtaining consent, when applicable;

2. Procedures that limit the processing of data, to ensure that it is only to the
extent necessary for the declared, specified, and legitimate purpose;

3. Policies for access management, system monitoring, and protocols to
follow during security incidents or technical problems;

4. Policies and procedures for data subjects to exercise their rights under the
Act;

5. Data retention schedule, including timeline or conditions for erasure or
disposal of records.

f. Contracts with Personal Information Processors. The personal information
controller, through appropriate contractual agreements, shall ensure that its
personal information processors, where applicable, shall also implement the
security measures required by the Act and these Rules. It shall only engage those
personal information processors that provide sufficient guarantees to implement
appropriate security measures specified in the Act and these Rules, and ensure the
protection of the rights of the data subject.

Section 27. Physical Security Measures. Where appropriate, personal information
controllers and personal information processors shall comply with the following
guidelines for physical security:

a. Policies and procedures shall be implemented to monitor and limit access to
and activities in the room, workstation or facility, including guidelines that specify
the proper use of and access to electronic media;

b. Design of office space and work stations, including the physical arrangement
of furniture and equipment, shall provide privacy to anyone processing personal
data, taking into consideration the environment and accessibility to the public;

c. The duties, responsibilities and schedule of individuals involved in the
processing of personal data shall be clearly defined to ensure that only the
individuals actually performing official duties shall be in the room or work station, at
any given time;

d. Any natural or juridical person or other body involved in the processing of
personal data shall implement policies and procedures regarding the transfer,
removal, disposal, and re-use of electronic media, to ensure appropriate
protection of personal data;

e. Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the processing
of personal data shall, as far as practicable, be secured against natural disasters,
power disturbances, external access, and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate,
personal information controllers and personal information processors shall adopt
and establish the following technical security measures:

a. A security policy with respect to the processing of personal data;

b. Safeguards to protect their computer network against accidental, unlawful
or unauthorized usage, any interference which will affect data integrity or hinder
the functioning or availability of the system, and unauthorized access through an
electronic network;

c. The ability to ensure and maintain the confidentiality, integrity, availability,
and resilience of their processing systems and services;

d. Regular monitoring for security breaches, and a process both for identifying
and assessing reasonably foreseeable vulnerabilities in their computer networks,
and for taking preventive, corrective, and mitigating action against security
incidents that can lead to a personal data breach;

e. The ability to restore the availability and access to personal data in a
timely manner in the event of a physical or technical incident;

f. A process for regularly testing, assessing, and evaluating the effectiveness
of security measures;

g. Encryption of personal data during storage and while in transit,
authentication process, and other technical security measures that control and
limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the
compliance of natural or juridical person or other body involved in the processing
of personal data, specifically their security measures, with the guidelines provided
in these Rules and subsequent issuances of the Commission. In determining the
level of security appropriate for a particular personal information controller or
personal information processor, the Commission shall take into account the nature
of the personal data that requires protection, the risks posed by the processing, the
size of the organization and complexity of its operations, current data privacy best
practices, and the cost of security implementation. The security measures provided
herein shall be subject to regular review and evaluation, and may be updated as
necessary by the Commission in separate issuances, taking into account the most
appropriate standard recognized by the information and communications
technology industry and data privacy best practices.

Rule VII. Security of Sensitive Personal Information in Government

Section 30. Responsibility of Heads of Agencies. All sensitive personal information
maintained by the government, its agencies, and instrumentalities shall be
secured, as far as practicable, with the use of the most appropriate standard
recognized by the information and communications technology industry, subject
to these Rules and other issuances of the Commission. The head of each
government agency or instrumentality shall be responsible for complying with the
security requirements mentioned herein. The Commission shall monitor government
agency compliance and may recommend the necessary action in order to satisfy
the minimum standards.

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive
Personal Information.

a. On-site and Online Access.

1. No employee of the government shall have access to sensitive personal
information on government property or through online facilities unless he or she
has received a security clearance from the head of the source agency. The
source agency is the government agency that originally collected the personal
data.

2. A source agency shall strictly regulate access to sensitive personal
information under its custody or control, particularly when it allows online access.
An employee of the government shall only be granted a security clearance when
the performance of his or her official functions or the provision of a public service
directly depends on and cannot otherwise be performed unless access to the
personal data is allowed.

3. Where allowed under the next preceding sections, online access to
sensitive personal information shall be subject to the following conditions:

(a) An information technology governance framework has been designed and
implemented;

(b) Sufficient organizational, physical and technical security measures have
been established;

(c) The agency is capable of protecting sensitive personal information in
accordance with data privacy practices and standards recognized by the
information and communication technology industry;

(d) The employee of the government is only given online access to sensitive
personal information necessary for the performance of official functions or the
provision of a public service.

b. Off-site access.

1. Sensitive personal information maintained by an agency may not be
transported or accessed from a location off or outside of government property,
whether by its agent or employee, unless the head of agency has ensured the
implementation of privacy policies and appropriate security measures. A request
for such transportation or access shall be submitted to and approved by the head
of agency. The request must include proper accountability mechanisms in the
processing of data.

2. The head of agency shall approve requests for off-site access in
accordance with the following guidelines:

(a) Deadline for Approval or Disapproval. The head of agency shall approve
or disapprove the request within two (2) business days after the date of submission
of the request. Where no action is taken by the head of agency, the request is
considered disapproved;

(b) Limitation to One thousand (1,000) Records. Where a request is approved,
the head of agency shall limit the access to not more than one thousand (1,000)
records at a time, subject to the next succeeding paragraph.

(c) Encryption. Any technology used to store, transport or access sensitive
personal information for purposes of off-site access approved under this subsection
shall be secured by the use of the most secure encryption standard recognized by
the Commission.

Section 32. Implementation of Security Requirements. Notwithstanding the
effective date of these Rules, the requirements in the preceding sections shall be
implemented before any off-site or online access request is approved. Any data
sharing agreement between a source agency and another government agency
shall be subject to review of the Commission on its own initiative or upon complaint
of data subject.

Section 33. Applicability to Government Contractors. In entering into any contract
with a private service provider that may involve accessing or requiring sensitive
personal information from one thousand (1,000) or more individuals, a government
agency shall require such service provider and its employees to register their
personal data processing system with the Commission in accordance with the Act
and these Rules. The service provider, as personal information processor, shall
comply with the other provisions of the Act and these Rules, particularly the
immediately preceding sections, similar to a government agency and its employees.

Rule VIII. Rights of Data Subjects

Section 34. Rights of the Data Subject. The data subject is entitled to the following
rights:
a. Right to be informed.

1. The data subject has a right to be informed whether personal data
pertaining to him or her shall be, are being, or have been processed, including the
existence of automated decision-making and profiling.

2. The data subject shall be notified and furnished with information indicated
hereunder before the entry of his or her personal data into the processing system
of the personal information controller, or at the next practical opportunity:

(a) Description of the personal data to be entered into the system;

(b) Purposes for which they are being or will be processed, including processing
for direct marketing, profiling or historical, statistical or scientific purpose;

(c) Basis of processing, when processing is not based on the consent of the
data subject;

(d) Scope and method of the personal data processing;

(e) The recipients or classes of recipients to whom the personal data are or
may be disclosed;

(f) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized, including meaningful
information about the logic involved, as well as the significance and the
envisaged consequences of such processing for the data subject;

(g) The identity and contact details of the personal data controller or its
representative;

(h) The period for which the information will be stored; and

(i) The existence of their rights as data subjects, including the right to access,
correction, and object to the processing, as well as the right to lodge a complaint
before the Commission.

b. Right to object. The data subject shall have the right to object to the
processing of his or her personal data, including processing for direct marketing,
automated processing or profiling. The data subject shall also be notified and
given an opportunity to withhold consent to the processing in case of changes or
any amendment to the information supplied or declared to the data subject in the
preceding paragraph.

When a data subject objects or withholds consent, the personal information
controller shall no longer process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

2. The collection and processing are for obvious purposes, including, when it
is necessary for the performance of or in relation to a contract or service to which
the data subject is a party, or when necessary or desirable in the context of an
employer-employee relationship between the collector and the data subject; or

3. The information is being collected and processed as a result of a legal
obligation.

c. Right to Access. The data subject has the right to reasonable access to,
upon demand, the following:

1. Contents of his or her personal data that were processed;

2. Sources from which personal data were obtained;

3. Names and addresses of recipients of the personal data;

4. Manner by which such data were processed;

5. Reasons for the disclosure of the personal data to recipients, if any;

6. Information on automated processes where the data will, or is likely to, be
made as the sole basis for any decision that significantly affects or will affect the
data subject;

7. Date when his or her personal data concerning the data subject were last
accessed and modified; and

8. The designation, name or identity, and address of the personal information
controller.

d. Right to rectification. The data subject has the right to dispute the
inaccuracy or error in the personal data and have the personal information
controller correct it immediately and accordingly, unless the request is vexatious or
otherwise unreasonable. If the personal data has been corrected, the personal
information controller shall ensure the accessibility of both the new and the
retracted information and the simultaneous receipt of the new and the retracted
information by the intended recipients thereof: Provided, That recipients or third
parties who have previously received such processed personal data shall be
informed of its inaccuracy and its rectification, upon reasonable request of the
data subject.

e. Right to Erasure or Blocking. The data subject shall have the right to
suspend, withdraw or order the blocking, removal or destruction of his or her
personal data from the personal information controller’s filing system.

1. This right may be exercised upon discovery and substantial proof of any of
the following:

(a) The personal data is incomplete, outdated, false, or unlawfully obtained;

(b) The personal data is being used for purpose not authorized by the data
subject;

(c) The personal data is no longer necessary for the purposes for which they
were collected;

(d) The data subject withdraws consent or objects to the processing, and there
is no other legal ground or overriding legitimate interest for the processing;

(e) The personal data concerns private information that is prejudicial to data
subject, unless justified by freedom of speech, of expression, or of the press or
otherwise authorized;

(f) The processing is unlawful;

(g) The personal information controller or personal information processor
violated the rights of the data subject.

2. The personal information controller may notify third parties who have
previously received such processed personal information.

f. Right to damages. The data subject shall be indemnified for any damages
sustained due to such inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal data, taking into account any violation
of his or her rights and freedoms as data subject.

Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns
of the data subject may invoke the rights of the data subject to which he or she is
an heir or an assignee, at any time after the death of the data subject, or when
the data subject is incapacitated or incapable of exercising the rights as
enumerated in the immediately preceding section.

Section 36. Right to Data Portability. Where his or her personal data is processed by
electronic means and in a structured and commonly used format, the data subject
shall have the right to obtain from the personal information controller a copy of
such data in an electronic or structured format that is commonly used and allows
for further use by the data subject. The exercise of this right shall primarily take into
account the right of data subject to have control over his or her personal data
being processed based on consent or contract, for commercial purpose, or through
automated means. The Commission may specify the electronic format referred to
above, as well as the technical standards, modalities, procedures and other rules for
their transfer.

Section 37. Limitation on Rights. The immediately preceding sections shall not be
applicable if the processed personal data are used only for the needs of scientific
and statistical research and, on the basis of such, no activities are carried out and
no decisions are taken regarding the data subject: Provided, that the personal data
shall be held under strict confidentiality and shall be used only for the declared
purpose. The said sections are also not applicable to the processing of personal
data gathered for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject. Any limitations on the rights of the
data subject shall only be to the minimum extent necessary to achieve the purpose
of said research or investigation.

Rule IX. Data Breach Notification.

Section 38. Data Breach Notification.

a. The Commission and affected data subjects shall be notified by the
personal information controller within seventy-two (72) hours upon knowledge of,
or when there is reasonable belief by the personal information controller or
personal information processor that, a personal data breach requiring notification
has occurred.

b. Notification of personal data breach shall be required when sensitive
personal information or any other information that may, under the circumstances,
be used to enable identity fraud are reasonably believed to have been acquired
by an unauthorized person, and the personal information controller or the
Commission believes that such unauthorized acquisition is likely to give rise to a real
risk of serious harm to any affected data subject.

c. Depending on the nature of the incident, or if there is delay or failure to
notify, the Commission may investigate the circumstances surrounding the
personal data breach. Investigations may include on-site examination of systems
and procedures.

Section 39. Contents of Notification. The notification shall at least describe the
nature of the breach, the personal data possibly involved, and the measures taken
by the entity to address the breach. The notification shall also include measures
taken to reduce the harm or negative consequences of the breach, the
representatives of the personal information controller, including their contact
details, from whom the data subject can obtain additional information about the
breach, and any assistance to be provided to the affected data subjects.

Section 40. Delay of Notification. Notification may be delayed only to the extent
necessary to determine the scope of the breach, to prevent further disclosures, or
to restore reasonable integrity to the information and communications system.

a. In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section and
existence of good faith in the acquisition of personal data.

b. The Commission may exempt a personal information controller from
notification where, in its reasonable judgment, such notification would not be in
the public interest, or in the interest of the affected data subjects.

c. The Commission may authorize postponement of notification where it may
hinder the progress of a criminal investigation related to a serious breach.

Section 41. Breach Report.

a. The personal information controller shall notify the Commission by
submitting a report, whether written or electronic, containing the required contents
of notification. The report shall also include the name of a designated
representative of the personal information controller, and his or her contact details.

b. All security incidents and personal data breaches shall be documented
through written reports, including those not covered by the notification
requirements. In the case of personal data breaches, a report shall include the
facts surrounding an incident, the effects of such incident, and the remedial
actions taken by the personal information controller. In other security incidents not
involving personal data, a report containing aggregated data shall constitute
sufficient documentation. These reports shall be made available when requested
by the Commission. A general summary of the reports shall be submitted to the
Commission annually.

Section 42. Procedure for Notification. The procedure for breach notification shall
be in accordance with the Act, these Rules, and any other issuance of the
Commission.

Rule X. Outsourcing and Subcontracting Agreements.

Section 43. Subcontract of Personal Data. A personal information controller may
subcontract or outsource the processing of personal data: Provided, that the
personal information controller shall use contractual or other reasonable means to
ensure that proper safeguards are in place, to ensure the confidentiality, integrity
and availability of the personal data processed, prevent its use for unauthorized
purposes, and generally, comply with the requirements of the Act, these Rules,
other applicable laws for processing of personal data, and other issuances of the
Commission.

Section 44. Agreements for Outsourcing. Processing by a personal information
processor shall be governed by a contract or other legal act that binds the
personal information processor to the personal information controller.

a. The contract or legal act shall set out the subject-matter and duration of
the processing, the nature and purpose of the processing, the type of personal
data and categories of data subjects, the obligations and rights of the personal
information controller, and the geographic location of the processing under the
subcontracting agreement.

b. The contract or other legal act shall stipulate, in particular, that the
personal information processor shall:
1. Process the personal data only upon the documented instructions of the
personal information controller, including transfers of personal data to another
country or an international organization, unless such transfer is authorized by law;

2. Ensure that an obligation of confidentiality is imposed on persons
authorized to process the personal data;

3. Implement appropriate security measures and comply with the Act, these
Rules, and other issuances of the Commission;

4. Not engage another processor without prior instruction from the personal
information controller: Provided, that any such arrangement shall ensure that the
same obligations for data protection under the contract or legal act are
implemented, taking into account the nature of the processing;

5. Assist the personal information controller, by appropriate technical and
organizational measures and to the extent possible, fulfill the obligation to respond
to requests by data subjects relative to the exercise of their rights;

6. Assist the personal information controller in ensuring compliance with the
Act, these Rules, other relevant laws, and other issuances of the Commission,
taking into account the nature of processing and the information available to the
personal information processor;

7. At the choice of the personal information controller, delete or return all
personal data to the personal information controller after the end of the provision
of services relating to the processing: Provided, that this includes deleting existing
copies unless storage is authorized by the Act or another law;

8. Make available to the personal information controller all information
necessary to demonstrate compliance with the obligations laid down in the Act,
and allow for and contribute to audits, including inspections, conducted by the
personal information controller or another auditor mandated by the latter;

9. Immediately inform the personal information controller if, in its opinion, an
instruction infringes the Act, these Rules, or any other issuance of the Commission.

Section 45. Duty of personal information processor. The personal information
processor shall comply with the requirements of the Act, these Rules, other
applicable laws, and other issuances of the Commission, in addition to obligations
provided in a contract, or other legal act with a personal information controller.

Rule XI. Registration and Compliance Requirements

Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the
Commission to administer and implement the Act, and to ensure the compliance
of personal information controllers with its obligations under the law, the
Commission requires the following:
a. Registration of personal data processing systems operating in the country
that involves accessing or requiring sensitive personal information of at least one
thousand (1,000) individuals, including the personal data processing system of
contractors, and their personnel, entering into contracts with government
agencies;

b. Notification of automated processing operations where the processing
becomes the sole basis of making decisions that would significantly affect the
data subject;

c. Annual report of the summary of documented security incidents and
personal data breaches;

d. Compliance with other requirements that may be provided in other
issuances of the Commission.

Section 47. Registration of Personal Data Processing Systems. The personal
information controller or personal information processor that employs fewer than
two hundred fifty (250) persons shall not be required to register unless the
processing it carries out is likely to pose a risk to the rights and freedoms of data
subjects, the processing is not occasional, or the processing includes sensitive
personal information of at least one thousand (1,000) individuals.

a. The contents of registration shall include:

1. The name and address of the personal information controller or personal
information processor, and of its representative, if any, including their contact
details;

2. The purpose or purposes of the processing, and whether processing is
being done under an outsourcing or subcontracting agreement;

3. A description of the category or categories of data subjects, and of the
data or categories of data relating to them;

4. The recipients or categories of recipients to whom the data might be
disclosed;

5. Proposed transfers of personal data outside the Philippines;

6. A general description of privacy and security measures for data
protection;

7. Brief description of the data processing system;

8. Copy of all policies relating to data governance, data privacy, and
information security;

9. Attestation to all certifications attained that are related to information and
communications processing; and

10. Name and contact details of the compliance or data protection officer,
which shall immediately be updated in case of changes.

b. The procedure for registration shall be in accordance with these Rules and
other issuances of the Commission.

Section 48. Notification of Automated Processing Operations. The personal
information controller carrying out any wholly or partly automated processing
operations or set of such operations intended to serve a single purpose or several
related purposes shall notify the Commission when the automated processing
becomes the sole basis for making decisions about a data subject, and when the
decision would significantly affect the data subject.

a. The notification shall include the following information:

1. Purpose of processing;

2. Categories of personal data to undergo processing;

3. Category or categories of data subject;

4. Consent forms or manner of obtaining consent;

5. The recipients or categories of recipients to whom the data are to be
disclosed;

6. The length of time the data are to be stored;

7. Methods and logic utilized for automated processing;

8. Decisions relating to the data subject that would be made on the basis of
processed data or that would significantly affect the rights and freedoms of data
subject; and

9. Names and contact details of the compliance or data protection officer.

b. No decision with legal effects concerning a data subject shall be made
solely on the basis of automated processing without the consent of the data
subject.

Section 49. Review by the Commission. The following are subject to the review of
the Commission, upon its own initiative or upon the filing of a complaint by a data
subject:
a. Compliance by a personal information controller or personal information
processor with the Act, these Rules, and other issuances of the Commission;

b. Compliance by a personal information controller or personal information
processor with the requirement of establishing adequate safeguards for data
privacy and security;

c. Any data sharing agreement, outsourcing contract, and similar contracts
involving the processing of personal data, and its implementation;

d. Any off-site or online access to sensitive personal data in government
allowed by a head of agency;

e. Processing of personal data for research purposes, public functions, or
commercial activities;

f. Any reported violation of the rights and freedoms of data subjects;

g. Other matters necessary to ensure the effective implementation and
administration of the Act, these Rules, and other issuances of the Commission.

Rule XII. Rules on Accountability

Section 50. Accountability for Transfer of Personal Data. A personal information
controller shall be responsible for any personal data under its control or custody,
including information that have been outsourced or transferred to a personal
information processor or a third party for processing, whether domestically or
internationally, subject to cross-border arrangement and cooperation.

a. A personal information controller shall be accountable for complying with
the requirements of the Act, these Rules, and other issuances of the Commission. It
shall use contractual or other reasonable means to provide a comparable level of
protection to the personal data while it is being processed by a personal
information processor or third party.

b. A personal information controller shall designate an individual or individuals
who are accountable for its compliance with the Act. The identity of the individual
or individuals so designated shall be made known to a data subject upon request.

Section 51. Accountability for Violation of the Act, these Rules and Other Issuances
of the Commission.
a. Any natural or juridical person, or other body involved in the processing of
personal data, who fails to comply with the Act, these Rules, and other issuances
of the Commission, shall be liable for such violation, and shall be subject to its
corresponding sanction, penalty, or fine, without prejudice to any civil or criminal
liability, as may be applicable.

b. In cases where a data subject files a complaint for violation of his or her
rights as data subject, and for any injury suffered as a result of the processing of his
or her personal data, the Commission may award indemnity on the basis of the
applicable provisions of the New Civil Code.

c. In case of criminal acts and their corresponding personal penalties, the
person who committed the unlawful act or omission shall be recommended for
prosecution by the Commission based on substantial evidence. If the offender is a
corporation, partnership, or any juridical person, the responsible officers, as the
case may be, who participated in, or by their gross negligence, allowed the
commission of the crime, shall be recommended for prosecution by the
Commission based on substantial evidence.

Rule XIII. Penalties

Section 52. Unauthorized Processing of Personal Information and Sensitive Personal
Information.
a. A penalty of imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons who
process personal information without the consent of the data subject, or without
being authorized under the Act or any existing law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and
a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Four million pesos (Php4,000,000.00) shall be imposed on persons who process
sensitive personal information without the consent of the data subject, or without
being authorized under the Act or any existing law.

Section 53. Accessing Personal Information and Sensitive Personal Information Due
to Negligence.
a. A penalty of imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons who,
due to negligence, provided access to personal information without being
authorized under the Act or any existing law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and
a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to
negligence, provided access to sensitive personal information without being
authorized under the Act or any existing law.

Section 54. Improper Disposal of Personal Information and Sensitive Personal
Information.
a. A penalty of imprisonment ranging from six (6) months to two (2) years and
a fine of not less than One hundred thousand pesos (Php100,000.00) but not more
than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons
who knowingly or negligently dispose, discard, or abandon the personal
information of an individual in an area accessible to the public or has otherwise
placed the personal information of an individual in its container for trash collection.

b. A penalty of imprisonment ranging from one (1) year to three (3) years and
a fine of not less than One hundred thousand pesos (Php100,000.00) but not more
than One million pesos (Php1,000,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the sensitive personal
information of an individual in an area accessible to the public or has otherwise
placed the sensitive personal information of an individual in its container for trash
collection.

Section 55. Processing of Personal Information and Sensitive Personal Information
for Unauthorized Purposes.
a. A penalty of imprisonment ranging from one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons processing personal information for purposes not authorized
by the data subject, or otherwise authorized under the Act or under existing laws.

b. A penalty of imprisonment ranging from two (2) years to seven (7) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons
processing sensitive personal information for purposes not authorized by the data
subject, or otherwise authorized under the Act or under existing laws.

Section 56. Unauthorized Access or Intentional Breach. A penalty of imprisonment
ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or
violating data confidentiality and security data systems, breaks in any way into any
system where personal and sensitive personal information are stored.

Section 57. Concealment of Security Breaches Involving Sensitive Personal Information. A
penalty of imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than One million pesos (Php1,000,000.00) shall be imposed on persons
who, after having knowledge of a security breach and of the obligation to notify
the Commission pursuant to Section 20(f) of the Act, intentionally or by omission
conceals the fact of such security breach.

Section 58. Malicious Disclosure. Any personal information controller or personal
information processor, or any of its officials, employees or agents, who, with malice
or in bad faith, discloses unwarranted or false information relative to any personal
information or sensitive personal information obtained by him or her, shall be
subject to imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than One million pesos (Php1,000,000.00).

Section 59. Unauthorized Disclosure.
a. Any personal information controller or personal information processor, or
any of its officials, employees, or agents, who discloses to a third party personal
information not covered by the immediately preceding section without the
consent of the data subject, shall be subject to imprisonment ranging from one (1)
year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00).

b. Any personal information controller or personal information processor, or
any of its officials, employees or agents, who discloses to a third party sensitive
personal information not covered by the immediately preceding section without
the consent of the data subject, shall be subject to imprisonment ranging from
three (3) years to five (5) years and a fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
Section 60. Combination or Series of Acts. Any combination or series of acts as
defined in Sections 52 to 59 shall make the person subject to imprisonment ranging
from three (3) years to six (6) years and a fine of not less than One million pesos
(Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

Section 61. Extent of Liability. If the offender is a corporation, partnership or any
juridical person, the penalty shall be imposed upon the responsible officers, as the
case may be, who participated in, or by their gross negligence, allowed the
commission of the crime. Where applicable, the court may also suspend or revoke
any of its rights under this Act. If the offender is an alien, he or she shall, in
addition to the penalties herein prescribed, be deported without further
proceedings after serving the penalties prescribed. If the offender is a public official
or employee and he or she is found guilty of acts penalized under Sections 54 and
55 of these Rules, he or she shall, in addition to the penalties prescribed herein,
suffer perpetual or temporary absolute disqualification from office, as the case
may be.

Section 62. Large-Scale. The maximum penalty in the corresponding scale of
penalties provided for the preceding offenses shall be imposed when the personal
data of at least one hundred (100) persons are harmed, affected, or involved, as the
result of any of the above-mentioned offenses.

Section 63. Offense Committed by Public Officer. When the offender or the person
responsible for the offense is a public officer, as defined in the Administrative Code
of 1987, in the exercise of his or her duties, he or she shall likewise suffer an
accessory penalty consisting of disqualification to occupy public office for a term
double the term of the criminal penalty imposed.

Section 64. Restitution. Pursuant to the exercise of its quasi-judicial functions, the
Commission shall award indemnity to an aggrieved party on the basis of the
provisions of the New Civil Code. Any complaint filed by a data subject shall be
subject to the payment of filing fees, unless the data subject is an indigent.

Section 65. Fines and Penalties. Violations of the Act, these Rules, other issuances
and orders of the Commission, shall, upon notice and hearing, be subject to
compliance and enforcement orders, cease and desist orders, temporary or
permanent ban on the processing of personal data, or payment of fines, in
accordance with a schedule to be published by the Commission.

Rule XIV. Miscellaneous Provisions

Section 66. Appeal. Appeal from final decisions of the Commission shall be made
to the proper courts in accordance with the Rules of Court, or as may be
prescribed by law.

Section 67. Period for Compliance. Any natural or juridical person or other body
involved in the processing of personal data shall comply with the personal data
processing principles and standards of personal data privacy and security already
laid out in the Act. Personal information controllers and personal information
processors shall register with the Commission their data processing systems or
automated processing operations, subject to notification, within one (1) year after
the effectivity of these Rules. Any subsequent issuance of the Commission,
including those that implement specific standards for data portability, encryption,
or other security measures shall provide the period for its compliance. For a period
of one (1) year from the effectivity of these Rules, a personal information controller
or personal information processor may apply for an extension of the period within
which to comply with the issuances of the Commission. The Commission may
grant such request for good cause shown.

Section 68. Appropriations Clause. The Commission shall be provided with
appropriations for the performance of its functions which shall be included in the
General Appropriations Act.

Section 69. Interpretation. Any doubt in the interpretation of any provision of this
Act shall be liberally interpreted in a manner that would uphold the rights and
interests of the individual about whom personal data is processed.

Section 70. Separability Clause. If any provision or part hereof is held invalid or
unconstitutional, the remainder of these Rules or the provision not otherwise
affected shall remain valid and subsisting.

Section 71. Repealing Clause. Except as otherwise expressly provided in the Act or
these Rules, all other laws, decrees, executive orders, proclamations and
administrative regulations or parts thereof inconsistent herewith are hereby
repealed or modified accordingly.

Section 72. Effectivity Clause. These Rules shall take effect fifteen (15) days after
its publication in the Official Gazette.

In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known
as the Data Privacy Act (DPA) of 2012. Four years later, the DPA's Implementing
Rules and Regulations took effect on September 9, 2016, making compliance
mandatory for all covered companies.

The act is a necessary and important precaution in a world economy that's swiftly
going digital. In 2014, it was estimated that 2.5 quintillion — or 2.5 billion billion —
bytes of data were created every day. This includes unprecedented knowledge
about what real individuals are doing, watching, thinking, and feeling.

Companies must be held accountable not only for what they do with customer
data — but how they protect that data from third parties. The past few years of
security breaches, system errors, and ethical scandals within some of the country’s
major banks have reminded us that there is much work to be done.

So, where to begin for institutions who want to comply with RA 10173 and be
proactive about their consumers’ digital privacy?

What is RA 10173?

RA 10173, or the Data Privacy Act, protects individuals from unauthorized
processing of personal information that is (1) private, not publicly available; and (2)
identifiable, where the identity of the individual is apparent either through direct
attribution or when put together with other available information.

What does this entail?


First, all personal information must be collected for reasons that are specified,
legitimate, and reasonable. In other words, customers must opt in for their data to
be used for specific reasons that are transparent and legal.

Second, personal information must be handled properly. Information must be kept
accurate and relevant, used only for the stated purposes, and retained only for as
long as reasonably needed. Companies must be active in ensuring that
unauthorized parties do not have access to their customers' information.

Third, personal information must be discarded in a way that does not make it
visible and accessible to unauthorized third parties.

Unauthorized processing, negligent handling, or improper disposal of personal
information is punishable with up to six (6) years' imprisonment and a fine of up to
five million pesos (PHP 5,000,000), depending on the nature and degree of the
violation.

Who needs to register?

Companies with at least 250 employees or access to the personal and identifiable
information of at least 1,000 people are required to register with the National
Privacy Commission and comply with the Data Privacy Act of 2012. Some of these
companies are already on their way to compliance — but many more are
unaware that they are even affected by the law.

How do I remain in compliance of the Data Privacy Act?

The National Privacy Commission, which was created to enforce RA 10173, will
check whether companies are compliant based on a company having five
elements:
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy

The Philippines has a growing and important business process management and health
information technology industry. Total IT spending reached $4.4 billion in 2016, and the
sector is expected to more than double by 2020. Filipinos are heavy social media users:
42.1 million are on Facebook, 13 million on Twitter, and 3.5 million on LinkedIn.
The country is also in the process of enabling free public Wi-Fi. In the context of the rapid
growth of the digital economy and increasing international trade of data, the Philippines
has strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict
privacy legislation "to protect the fundamental human right of privacy, of communication
while ensuring free flow of information to promote innovation and growth" (Republic Act
No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National
Privacy Commission that enforces and oversees it and is endowed with rulemaking power.
On September 9, 2016, the final implementing rules and regulations came into force,
adding specificity to the Privacy Act.
Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application: it
applies not only to businesses with offices in the Philippines, but also to any entity that
uses equipment based in the Philippines for processing. The act further applies to the
processing of the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign
jurisdictions — an exception helpful for Philippine companies that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of all personal data. It requires that when obtaining consent, the data subject be informed
about the extent and purpose of processing, and it specifically mentions the “automated
processing of his or her personal data for profiling, or processing for direct marketing, and
data sharing.” Consent is further required for sharing information with affiliates or even
mother companies.

Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However, processing
does not always require consent.

Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a
legal obligation upon the data controller, protection of the vital interests of the data
subject, and response to a national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the legitimate
interests of the data controller, except where overridden by the fundamental rights and
freedoms of the data subject.

Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

• About an individual's race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

• About an individual's health, education, genetic or sexual life, or any proceeding for
any offense committed or alleged to have been committed;

• Issued by government agencies and "peculiar" (unique) to an individual, such as a
social security number;

• Marked as classified by executive order or act of Congress.

All processing of sensitive personal information is prohibited except in certain
circumstances. The exceptions are:

• Consent of the data subject;

• Pursuant to law that does not require consent;

• Necessity to protect the life and health of a person;

• Necessity for medical treatment;

• Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing recourse
to data subjects, and appropriate data retention policies. These requirements necessitate
the creation of a privacy program. Requirements for technical security safeguards in the act
also mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.

The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising this right requires “substantial
proof,” the burden of producing which is placed on the data subject. This right is expressly
limited by the fact that continued publication may be justified by constitutional rights to
freedom of speech, expression and other rights.

Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.

A right to data portability is also provided.


Mandatory personal information breach notification

The law defines "security incident" and "personal data breach" separately, ensuring that
the two are not confused. A "security incident" is an event or occurrence that affects or
tends to affect data protection, or may compromise availability, integrity or
confidentiality. This definition includes incidents that would have resulted in a personal
data breach, if not for safeguards that had been put in place.

A "personal data breach," on the other hand, is the subset of security incidents that
actually leads to "accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data transmitted, stored, or otherwise processed."

Requirement to notify

The law further provides that not all personal data breaches require notification, and the
IRR sets out several bases for not notifying data subjects or the data protection authority.
Section 38 of the IRR provides the requirements for breach notification:

• The breached information must be sensitive personal information, or information that
could be used for identity fraud, and

• There is a reasonable belief that unauthorized acquisition has occurred, and

• The risk to the data subject is real, and

• The potential harm is serious.

The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.

Notification timeline and recipients


The law places a concurrent obligation to notify the National Privacy Commission as well
as affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By
the law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least include:

• The nature of the breach;

• The personal data possibly involved;

• The measures taken by the entity to address the breach;

• The measures taken to reduce the harm or negative consequences of the breach;

• The representatives of the personal information controller, including their contact
details;

• Any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.

Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately $20,000 to $100,000.

Notably, there is also the previously mentioned private right of action for damages, which
would apply.

Penalties for failure to notify

Persons having knowledge of a security breach involving sensitive personal information
and of the obligation to notify the commission of same, and who fail to do so, may be
subject to the penalty for concealment: imprisonment for one and a half to five years,
and a fine of approximately $10,000 to $20,000.

Depending upon the circumstances additional violations might apply.

Author

Alex Wall, CIPP/E, CIPP/US, CIPM, FIP

Data Privacy Act of 2012


By: Raul J. Palabrica- @inquirerdotnet
Philippine Daily Inquirer / 02:01 AM August 31, 2012

With the advances in information technology, privacy in personal data has become
illusory. For the right price or with good connections, private information disclosed in
confidence to companies or government offices can be made available to or accessed by
interested parties.

This is the problem that is sought to be minimized, if not eliminated, by Republic Act
10173, otherwise known as the Data Privacy Act of 2012, which President Aquino
recently signed into law.


In its declaration of policy, the law states that, although the free flow of information
promotes innovation and growth, it is essential that personal information in the
government’s and private sector’s information and communications systems are secured
and protected.

Personal information is defined as "any information whether recorded in material form or
not, from which the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information."

Sensitive personal information, which the law treats even more strictly, includes facts
and figures about a person's race, ethnic origin, marital status, age, color and religious,
philosophical and political affiliations. Or practically his life story.

Requirements

The most significant aspects of the law are: the procedures to be followed in the
collection, processing and handling of personal information; the rights of data subjects;
and the creation of a National Privacy Commission.

The law requires information collectors, holders and processors to follow strict rules on
transparency, legitimacy and proportionality in the conduct of their activities.

Among others, the collection should be conducted for “specific and legitimate purposes
determined and declared before, or as soon as reasonably practicable after collection, and
later processed in a way compatible with such declared, specified and legitimate purposes
only.”

Accuracy, relevance and essentiality of purpose must likewise be observed during the
collection stage.
Inaccurate or incomplete data should be corrected, supplemented, destroyed or their
further processing restricted.

The information can be stored only as long as needed for the purpose for which it was
obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate
business purposes, or as provided by law.”

Once collected, the information can be processed or used only if it is not prohibited by law
and the person who provided the information (or data subject) has given his consent; if no
such consent is given, the processing can still go on provided it meets the “necessity” test.

Necessary

The data subject’s lack of consent will not bar the processing if it is related to the
fulfillment of a contract with him or in order to take the steps he requested prior to
entering into the contract.

It may also be conducted in the following instances: to comply with a legal obligation that
the information collector has to obey; to protect the data subject’s vital interests, such as
life and health; to respond to the exigencies of a national emergency or public order and
security; and to serve the legitimate interests of the entity to which the information has
been disclosed as long as no constitutional rights are violated.

In the latter cases, the processing is allowed to continue even in the face of the data
subject’s opposition due to legal considerations (either on the part of the data subject or
the party that collects the information) or in order to serve the greater interests of the
public.

Such liberality, however, is tempered by the rights that the law gives to data subjects to
protect their privacy.

They have the right to know whether their personal information “shall be, are being or
have been processed.”

Before any such data are included in the collector’s information system, or at the next
practical opportunity, they can demand information about, among others, the purpose for
which it is processed, the scope and methodology of the process, the length of information
storage, and the identity of the people to whom their personal information shall be
disclosed.
Commission

In case the data subject finds that the information stored in the information system is
incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no
longer necessary, he can demand its withdrawal, blocking or removal of the subject
information.

And if the harm caused to him is grave, he can sue the erring parties for whatever damages
he may have sustained as a consequence of the mishandling or misuse of his information.

The law lists nine violations that can give rise to fines and prison terms. In what appears to
be a concession to inflationary times, except for two offenses, the average fine imposable
is a minimum of P500,000 and a maximum of P2,000,000.

The task of administering and implementing this law has been assigned to a still to be
created National Privacy Commission, which shall consist of three members: a Privacy
Commissioner who shall act as its chair and two Deputy Privacy Commissioners.

They shall be appointed by the president for a term of three years and may be reappointed
for another term of three years. The members of the commission have to be experts in
information and communications technology and data privacy.

Although the law is complete in all respects, its implementation will have to await the
promulgation by the commission of its implementing rules and regulations.

"PHILIPPINES' FIRST CONVICTION UNDER THE DATA PRIVACY ACT OF 2012"
BY: ATTY. EPHRAIM GARNET M. SALEM
POSTED BY BSBLAW ON FEBRUARY 23, 2017 WITH 1 COMMENT

Recently, the Benitez Salem Baldonado Law Firm secured the country’s first ever conviction for a crime
involving R.A. No. 10173 otherwise known as the “Data Privacy Act of 2012.” On February 6, 2017, Presiding
Judge Hon. Carlito B. Calpatura of Branch 145 of the Regional Trial Court (RTC) of Makati City handed down
the judgment against the female accused in criminal case no. 16-01376 after the latter pleaded guilty to the charge.

On August 15, 2012, former President Aquino signed into law Republic Act (R.A.) No. 10173 or the "Data
Privacy Act of 2012". The said law was the result of the consolidation of Senate Bill No. 2965 and House Bill No.
4115, which was passed by both houses of Congress on June 6, 2012. Thereafter, on September 12, 2012, former
President Aquino signed into law R.A. No. 10175, otherwise known as the "Cybercrime Prevention Act of
2012". The said law was the result of the consolidation of Senate Bill No. 2796 and House Bill No. 5808, which
were finally passed by the Senate and the House of Representatives on June 5, 2012 and June 4, 2012,
respectively.

According to the Complaint filed by the complainant BPO on June 4, 2015, it was alleged that the accused
accessed several credit card accounts of a client credit card company without a call or actual request from their
real owners. Furthermore, according to the Complaint, the accused also illegally accessed the personal
identification numbers of those accounts and changed them into temporary PINs, and subsequently a consistent
amount of $500.00 was withdrawn as a cash advance from each of the said credit cards.

According to Sec. 28 of the Data Privacy Act, it is prohibited for any person to process personal information and
sensitive personal information for any unauthorized purpose. Furthermore, Sec. 3 of the same law defines
“Personal Information” as “any information whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify an individual.” On the other hand,
“Sensitive Personal Information” was also defined and included any information regarding an individual’s: race,
ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health, education,
genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; any
information issued by the government such as, but not limited to, social security numbers, previous or current
health records, licenses or its denials, suspension or revocation, and tax returns; and any information specifically
established by an executive order or an act of Congress to be kept classified.

Based on the records of the case, on May 30, 2016, the Office of the City Prosecutor (OCP) of Makati found
probable cause against the accused for several counts of violation of Sec. 28 of the Data Privacy Act of 2012 and Sec.
4(b)(3) of the Cybercrime Prevention Act of 2012. The said cases were raffled to fourteen (14) branches of the RTCs of
Makati City.

It was stated in the Information that the accused, “being a customer care professional” of a multinational BPO
company in the Philippines “unlawfully, willfully and feloniously accessed and processed without authority” the
account of one of said company’s American clients “by enrolling it to express cash and issuing a
temporary PIN for the said account, for the unauthorized purpose of withdrawing $500 from the said account,”
which was in violation of Section 28 of Republic Act (R.A.) No. 10173 otherwise known as the “Data Privacy Act
of 2012”.

According to the dispositive portion of the Judgment, the accused was sentenced to suffer imprisonment for one
(1) year and six (6) months as minimum and five (5) years as maximum, and a fine of Five Hundred Thousand
Pesos (PhP 500,000.00) pursuant to Sec. 28 of the R.A. 10173.

According to Atty. Ferdinand S. Benitez, one of the founding partners of Benitez Salem Baldonado Law Firm who
actively handled the prosecution of the case, this is a great development not only for our client but more
importantly the entire local BPO industry. Indeed, the Philippines has become a major hub for international
business process outsourcing companies (BPO). Industry leaders have projected its continuous expansion in the
coming years. Information technology, being the backbone of the industry, is dynamic and fast-paced in all
aspects. Unfortunately, these same characteristics make the industry vulnerable to online fraud, hacking and other
cybercrimes, which greatly affects the trust of multinational corporations in investing in the Philippines.

With the passage of Republic Act 10173, or the Data Privacy Act of 2012, companies may have to
change the way they handle employee data, suppliers’ information, and even customer details. The
law, which was approved on August 15, 2012, is expected to not only create a new breed of human
resource executives or organizations specifically tasked to handle and protect employee information,
but also to compel the adoption of stringent measures to prevent any form of data breach.

In large organizations with thousands of employees, numerous suppliers and a wide customer base,
the careful handling of data may be taken for granted, which may result in unauthorized access, use,
misuse, and even disclosure of information. RA 10173 was enacted precisely “to protect the privacy of
communication while ensuring free flow of information to promote innovation and growth.” It also
seeks to ensure the security and protection of personal information stored in information and
communication systems in the government and in the private sector.
Section 3 of the law defines personal information as any information from which the identity of any
individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information, would directly and certainly identify the
individual. The residential address, place of birth, and amount of salary are examples of personal
information. Meanwhile, sensitive personal information refers to personal information on an
individual’s marital status, age, religious affiliation, health, education, and tax returns. It also
includes information issued by government agencies peculiar to an individual such as tax
identification and social security numbers, and licenses (or their denial, suspension or revocation).
Information that relates to the positions or functions of an incumbent or former government officer or
employee, and information on government contractors or service providers on the performance of
such services, are excluded. RA 10173 likewise does not apply to information used for journalistic
purposes and those necessary to carry out the official functions of monetary authorities and law
enforcement and regulatory agencies in pursuit of their legal mandate.

Personal information is gathered and collated on a regular basis. Under the law, this information may
be “processed” (i.e., collected, recorded, organized, stored, updated, used, consolidated, among
others) provided it is done in a transparent manner and for a legitimate purpose. Suffice it to say
that the gathered information must be accurate, adequate, and relevant for the purpose for which it
was collected.

Information can be exchanged and processed in a number of ways.


In a typical corporate setting, an employee furnishes data to the employer during application and/or
during recruitment. The Human Resources Department (HRD) normally encodes the data in a
database, or keeps the hard copies for future reference. The HRD may then access the data upon the
request of certain institutions, such as credit card companies and other financial institutions,
conducting background investigation; or when the company includes the employee in the group
insurance coverage; or to comply with reportorial requirements of government institutions such as the
submission of the alpha list to the Bureau of Internal Revenue (BIR) or the updated list of Social
Security System members.

A service or utility company also requires its subscribers to provide personal data in the subscription
or service agreement. The submission of lease contracts with supporting valid government-issued
identification cards is also usually required. Credit card applications are not processed without
certificates of employment and copies of the latest withholding tax returns indicating the annual
gross and net taxable compensation.

A supplier – whether participating in an open bid or entering into a negotiated contract – may
likewise be required to provide information on its business to its prospective customer.

While most companies are careful about divulging information to third parties, there are still some
institutions that have not embraced the culture of confidentiality. Thus, the law puts a premium on
the role of the personal information controller (PIC), the one who is tasked to implement appropriate
measures to protect personal information against any accidental or unlawful destruction, alteration,
or disclosure. The PIC shall also determine the appropriate level of security to be adopted, depending
on the nature of the personal information protected. More importantly, the PIC is not only responsible
for personal information under his or her custody, but also for information that has been transferred
to a third party for processing, whether domestically or internationally, including business process
outsourcing (BPO) companies. The PIC must comply with the requirements of RA 10173, including
notifying the affected persons and the soon-to-be-formed National Privacy Commission of any
unauthorized data breach that may pose harm to data subjects. Notification of any data breach is
required to allow for any mitigation strategy and even promote trust and transparency within the
company.

In light of RA 10173, companies may need to secure the permission of employees, customers, and
suppliers to process data gathered in the course of their relationship. For instance, the employee
must be informed whether personal information on him or her will be, is being, or has been
processed. Before the entry into the processing system, the personal information and the purpose for
which these are processed must be described.

In lieu of securing such permission, any of the following conditions must exist:
• The processing is necessary for, or related to, the fulfillment of a contract;
• It is required for compliance with a legal obligation of the PIC;
• It is necessary to protect the life and health of the data subject;
• It is required due to a national emergency or to fulfill public authority functions; and
• Legitimate interests are served, except when such interests are overridden by fundamental
constitutional rights and freedoms.

Unless it falls under consent or any of these five conditions, processing of personal information may not be
permitted and the burden of proving that any of the conditions exist lies on the PIC.

Latest jurisprudence on the right to privacy


In a July 24, 2012 decision, promulgated before the passage of RA 10173, the Supreme Court
reiterated its ruling in the landmark case of Morfe vs. Mutuc that compelling state interest may yield
to the right of privacy. However, the SC declined to specifically rule on whether the sharing of
information during intelligence gathering is illegal pending the enactment of a data protection law. It
nonetheless cautioned investigating entities to observe strict confidentiality in information sharing.
The Supreme Court also discussed the writ of habeas data, which is a remedy designed to protect the
image, privacy, honor, information, and freedom of information of an individual. The writ, the
Supreme Court said, is available to any person whose right to privacy is violated or threatened by an
unlawful act or omission of a public official or employee, or of a private individual or entity engaged
in gathering, collecting or storing of data information on the aggrieved party.

With the Data Privacy Act, aggrieved parties are given the option to seek relief not directly from the
courts but from the National Privacy Commission, which can issue a temporary or permanent ban on
the processing of personal information and compel any entity to abide by its orders.
Next week, we will discuss the implementation of RA 10173 and how companies can comply with the
provisions of the new law.

G.R. No. 202666 September 29, 2014

RHONDA AVE S. VIVARES and SPS. MARGARITA and DAVID SUZARA, Petitioners,
vs.
ST. THERESA'S COLLEGE, MYLENE RHEZA T. ESCUDERO, and JOHN DOES, Respondents.

DECISION

VELASCO, JR., J.:

The individual's desire for privacy is never absolute, since participation in society is an equally powerful
desire. Thus each individual is continually engaged in a personal adjustment process in which he
balances the desire for privacy with the desire for disclosure and communication of himself to others, in
light of the environmental conditions and social norms set by the society in which he lives.

- Alan Westin, Privacy and Freedom (1967)

The Case

Before Us is a Petition for Review on Certiorari under Rule 45 of the Rules of Court, in relation to
Section 19 of A.M. No. 08-1-16-SC,1 otherwise known as the "Rule on the Writ of Habeas Data."
Petitioners herein assail the July 27, 2012 Decision2 of the Regional Trial Court, Branch 14 in Cebu City
(RTC) in SP. Proc. No. 19251-CEB, which dismissed their habeas data petition.

The Facts

Nenita Julia V. Daluz (Julia) and Julienne Vida Suzara (Julienne), both minors, were, during the period
material, graduating high school students at St. Theresa's College (STC), Cebu City. Sometime in
January 2012, while changing into their swimsuits for a beach party they were about to attend, Julia and
Julienne, along with several others, took digital pictures of themselves clad only in their undergarments.
These pictures were then uploaded by Angela Lindsay Tan (Angela) on her Facebook3 profile.

Back at the school, Mylene Rheza T. Escudero (Escudero), a computer teacher at STC’s high school
department, learned from her students that some seniors at STC posted pictures online, depicting
themselves from the waist up, dressed only in brassieres. Escudero then asked her students if they
knew who the girls in the photos are. In turn, they readily identified Julia, Julienne, and Chloe Lourdes
Taboada (Chloe), among others.

Using STC’s computers, Escudero’s students logged in to their respective personal Facebook accounts
and showed her photos of the identified students, which include: (a) Julia and Julienne drinking hard
liquor and smoking cigarettes inside a bar; and (b) Julia and Julienne along the streets of Cebu wearing
articles of clothing that show virtually the entirety of their black brassieres. What is more, Escudero’s
students claimed that there were times when access to or the availability of the identified students’
photos was not confined to the girls’ Facebook friends,4 but were, in fact, viewable by any Facebook
user.5

Upon discovery, Escudero reported the matter and, through one of her student’s Facebook page,
showed the photos to Kristine Rose Tigol (Tigol), STC’s Discipline-in-Charge, for appropriate action.
Thereafter, following an investigation, STC found the identified students to have deported themselves in
a manner proscribed by the school’s Student Handbook, to wit:

1. Possession of alcoholic drinks outside the school campus;

2. Engaging in immoral, indecent, obscene or lewd acts;

3. Smoking and drinking alcoholic beverages in public places;

4. Apparel that exposes the underwear;

5. Clothing that advocates unhealthy behaviour; depicts obscenity; contains sexually suggestive
messages, language or symbols; and

6. Posing and uploading pictures on the Internet that entail ample body exposure.

On March 1, 2012, Julia, Julienne, Angela, and the other students in the pictures in question, reported,
as required, to the office of Sr. Celeste Ma. Purisima Pe (Sr. Purisima), STC’s high school principal and
ICM6 Directress. They claimed that during the meeting, they were castigated and verbally abused by the
STC officials present in the conference, including Assistant Principal Mussolini S. Yap (Yap), Roswinda
Jumiller, and Tigol. What is more, Sr. Purisima informed their parents the following day that, as part of
their penalty, they are barred from joining the commencement exercises scheduled on March 30, 2012.

A week before graduation, or on March 23, 2012, Angela’s mother, Dr. Armenia M. Tan (Tan), filed a
Petition for Injunction and Damages before the RTC of Cebu City against STC, et al., docketed as Civil
Case No. CEB-38594.7 In it, Tan prayed that defendants therein be enjoined from implementing the
sanction that precluded Angela from joining the commencement exercises.

On March 25, 2012, petitioner Rhonda Ave Vivares (Vivares), the mother of Julia, joined the fray as an
intervenor. On March 28, 2012, defendants in Civil Case No. CEB-38594 filed their memorandum,
containing printed copies of the photographs in issue as annexes. That same day, the RTC issued a
temporary restraining order (TRO) allowing the students to attend the graduation ceremony, to which
STC filed a motion for reconsideration.

Despite the issuance of the TRO, STC, nevertheless, barred the sanctioned students from participating
in the graduation rites, arguing that, on the date of the commencement exercises, its adverted motion
for reconsideration on the issuance of the TRO remained unresolved.

Thereafter, petitioners filed before the RTC a Petition for the Issuance of a Writ of Habeas Data,
docketed as SP. Proc. No. 19251-CEB8 on the basis of the following considerations:

1. The photos of their children in their undergarments (e.g., bra) were taken for posterity before
they changed into their swimsuits on the occasion of a birthday beach party;
2. The privacy setting of their children’s Facebook accounts was set at "Friends Only." They,
thus, have a reasonable expectation of privacy which must be respected.

3. Respondents, being involved in the field of education, knew or ought to have known of laws
that safeguard the right to privacy. Corollarily, respondents knew or ought to have known that
the girls, whose privacy has been invaded, are the victims in this case, and not the offenders.
Worse, after viewing the photos, the minors were called "immoral" and were punished outright;

4. The photos accessed belong to the girls and, thus, cannot be used and reproduced without
their consent. Escudero, however, violated their rights by saving digital copies of the photos and
by subsequently showing them to STC’s officials. Thus, the Facebook accounts of petitioners’
children were intruded upon;

5. The intrusion into the Facebook accounts, as well as the copying of information, data, and
digital images happened at STC’s Computer Laboratory; and

6. All the data and digital images that were extracted were boldly broadcasted by respondents
through their memorandum submitted to the RTC in connection with Civil Case No. CEB-38594.
To petitioners, the interplay of the foregoing constitutes an invasion of their children’s privacy
and, thus, prayed that: (a) a writ of habeas data be issued; (b) respondents be ordered to
surrender and deposit with the court all soft and printed copies of the subject data before or at
the preliminary hearing; and (c) after trial, judgment be rendered declaring all information, data,
and digital images accessed, saved or stored, reproduced, spread and used, to have been
illegally obtained in violation of the children’s right to privacy.

Finding the petition sufficient in form and substance, the RTC, through an Order dated July 5, 2012,
issued the writ of habeas data. Through the same Order, herein respondents were directed to file their
verified written return, together with the supporting affidavits, within five (5) working days from service of
the writ.

In time, respondents complied with the RTC’s directive and filed their verified written return, laying down
the following grounds for the denial of the petition, viz: (a) petitioners are not the proper parties to file
the petition; (b) petitioners are engaging in forum shopping; (c) the instant case is not one where a writ
of habeas data may issue;and (d) there can be no violation of their right to privacy as there is no
reasonable expectation of privacy on Facebook.

Ruling of the Regional Trial Court

On July 27, 2012, the RTC rendered a Decision dismissing the petition for habeas data. The dispositive
portion of the Decision pertinently states:

WHEREFORE, in view of the foregoing premises, the Petition is hereby DISMISSED.

The parties and media must observe the aforestated confidentiality.

xxxx

SO ORDERED.9

To the trial court, petitioners failed to prove the existence of an actual or threatened violation of the
minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas data. Moreover,
the court a quo held that the photos, having been uploaded on Facebook without restrictions as to who
may view them, lost their privacy in some way. Besides, the RTC noted, STC gathered the photographs
through legal means and for a legal purpose, that is, the implementation of the school’s policies and
rules on discipline.
Not satisfied with the outcome, petitioners now come before this Court pursuant to Section 19 of the
Rule on Habeas Data.10

The Issues

The main issue to be threshed out in this case is whether or not a writ of habeas data should be issued
given the factual milieu. Crucial in resolving the controversy, however, is the pivotal point of whether or
not there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or
security of the minors involved in this case.

Our Ruling

We find no merit in the petition.

Procedural issues concerning the availability of the Writ of Habeas Data

The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or
security is violated or threatened by an unlawful act or omission of a public official or employee, or of a
private individual or entity engaged in the gathering, collecting or storing of data or information
regarding the person, family, home and correspondence of the aggrieved party.11 It is an independent
and summary remedy designed to protect the image, privacy, honor, information, and freedom of
information of an individual, and to provide a forum to enforce one’s right to the truth and to
informational privacy. It seeks to protect a person’s right to control information regarding oneself,
particularly in instances in which such information is being collected through unlawful means in order to
achieve unlawful ends.12

In developing the writ of habeas data, the Court aimed to protect an individual’s right to informational
privacy, among others. A comparative law scholar has, in fact, defined habeas data as "a procedure
designed to safeguard individual freedom from abuse in the information age."13 The writ, however, will
not issue on the basis merely of an alleged unauthorized access to information about a
person. Availment of the writ requires the existence of a nexus between the right to privacy on the one
hand, and the right to life, liberty or security on the other.14 Thus, the existence of a person’s right to
informational privacy and a showing, at least by substantial evidence, of an actual or threatened
violation of the right to privacy in life, liberty or security of the victim are indispensable before the
privilege of the writ may be extended.15

Without an actionable entitlement in the first place to the right to informational privacy, a habeas
data petition will not prosper. Viewed from the perspective of the case at bar, this requisite begs this
question: given the nature of an online social network (OSN)––(1) that it facilitates and promotes real-
time interaction among millions, if not billions, of users, sans the spatial barriers,16 bridging the gap
created by physical space; and (2) that any information uploaded in OSNs leaves an indelible trace in
the provider’s databases, which are outside the control of the end-users––is there a right to
informational privacy in OSN activities of its users? Before addressing this point, We must first resolve
the procedural issues in this case.

a. The writ of habeas data is not only confined to cases of extralegal killings and enforced
disappearances

Contrary to respondents’ submission, the Writ of Habeas Data was not enacted solely for the purpose of
complementing the Writ of Amparo in cases of extralegal killings and enforced disappearances.

Section 2 of the Rule on the Writ of Habeas Data provides:

Sec. 2. Who May File. – Any aggrieved party may file a petition for the writ of habeas data. However, in
cases of extralegal killings and enforced disappearances, the petition may be filed by:
(a) Any member of the immediate family of the aggrieved party, namely: the spouse, children
and parents; or

(b) Any ascendant, descendant or collateral relative of the aggrieved party within the fourth civil
degree of consanguinity or affinity, in default of those mentioned in the preceding paragraph.
(emphasis supplied)

Had the framers of the Rule intended to narrow the operation of the writ only to cases of extralegal
killings or enforced disappearances, the above underscored portion of Section 2, reflecting a variance
of habeas data situations, would not have been made.

Habeas data, to stress, was designed "to safeguard individual freedom from abuse in the information
age."17 As such, it is erroneous to limit its applicability to extralegal killings and enforced disappearances
only. In fact, the annotations to the Rule prepared by the Committee on the Revision of the Rules of
Court, after explaining that the Writ of Habeas Data complements the Writ of Amparo, pointed out that:

The writ of habeas data, however, can be availed of as an independent remedy to enforce one’s right to
privacy, more specifically the right to informational privacy. The remedies against the violation of such
right can include the updating, rectification, suppression or destruction of the database or information or
files in possession or in control of respondents.18 (emphasis Ours)

Clearly then, the privilege of the Writ of Habeas Data may also be availed of in cases outside of extralegal killings and enforced
disappearances.

b. Meaning of "engaged" in the gathering, collecting or storing of data or information

Respondents’ contention that the habeas data writ may not issue against STC, it not being an entity
engaged in the gathering, collecting or storing of data or information regarding the person, family, home
and correspondence of the aggrieved party, while valid to a point, is, nonetheless, erroneous.

To be sure, nothing in the Rule would suggest that the habeas data protection shall be available only
against abuses of a person or entity engaged in the business of gathering, storing, and collecting of
data. As provided under Section 1 of the Rule:

Section 1. Habeas Data. – The writ of habeas data is a remedy available to any person whose right to
privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public
official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of
data or information regarding the person, family, home and correspondence of the aggrieved party.
(emphasis Ours)

The provision, when taken in its proper context, as a whole, irresistibly conveys the idea that habeas
data is a protection against unlawful acts or omissions of public officials and of private individuals or
entities engaged in gathering, collecting, or storing data about the aggrieved party and his or her
correspondences, or about his or her family. Such individual or entity need not be in the business of
collecting or storing data.

To "engage" in something is different from undertaking a business endeavour. To "engage" means "to
do or take part in something."19 It does not necessarily mean that the activity must be done in pursuit of
a business. What matters is that the person or entity must be gathering, collecting or storing said data
or information about the aggrieved party or his or her family. Whether such undertaking carries the
element of regularity, as when one pursues a business, and is in the nature of a personal endeavour,
for any other reason or even for no reason at all, is immaterial and such will not prevent the writ from
getting to said person or entity.

To agree with respondents’ above argument, would mean unduly limiting the reach of the writ to a very
small group, i.e., private persons and entities whose business is data gathering and storage, and in the
process decreasing the effectiveness of the writ asan instrument designed to protect a right which is
easily violated in view of rapid advancements in the information and communications technology––a
right which a great majority of the users of technology themselves are not capable of protecting.

Having resolved the procedural aspect of the case, We now proceed to the core of the controversy.

The right to informational privacy on Facebook

a. The Right to Informational Privacy

The concept of privacy has, through time, greatly evolved, with technological advancements having an
influential part therein. This evolution was briefly recounted in former Chief Justice Reynato S. Puno’s
speech, The Common Right to Privacy,20 where he explained the three strands of the right to privacy,
viz: (1) locational or situational privacy;21 (2) informational privacy; and (3) decisional privacy.22 Of the
three, what is relevant to the case at bar is the right to informational privacy––usually defined as the
right of individuals to control information about themselves.23

With the availability of numerous avenues for information gathering and data sharing nowadays, not to
mention each system’s inherent vulnerability to attacks and intrusions, there is more reason that every
individual’s right to control said flow of information should be protected and that each individual should
have at least a reasonable expectation of privacy in cyberspace. Several commentators regarding
privacy and social networking sites, however, all agree that given the millions of OSN users, "[i]n this
[Social Networking] environment, privacy is no longer grounded in reasonable expectations, but rather
in some theoretical protocol better known as wishful thinking."24

It is due to this notion that the Court saw the pressing need to provide for judicial remedies that would
allow a summary hearing of the unlawful use of data or information and to remedy possible violations of
the right to privacy.25 In the same vein, the South African High Court, in its Decision in the landmark
case, H v. W,26 promulgated on January 30, 2013, recognized that "[t]he law has to take into account the
changing realities not only technologically but also socially or else it will lose credibility in the eyes of the
people. x x x It is imperative that the courts respond appropriately to changing times, acting cautiously
and with wisdom." Consistent with this, the Court, by developing what may be viewed as the Philippine
model of the writ of habeas data, in effect, recognized that, generally speaking, having an expectation
of informational privacy is not necessarily incompatible with engaging in cyberspace activities, including
those that occur in OSNs.

The question now though is up to what extent is the right to privacy protected in OSNs? Bear in mind
that informational privacy involves personal information. At the same time, the very purpose of OSNs is
socializing––sharing a myriad of information,27 some of which would have otherwise remained personal.

b. Facebook’s Privacy Tools: a response to the clamor for privacy in OSN activities

Briefly, the purpose of an OSN is precisely to give users the ability to interact and to stay connected to
other members of the same or different social media platform through the sharing of statuses, photos,
videos, among others, depending on the services provided by the site. It is akin to having a room filled
with millions of personal bulletin boards or "walls," the contents of which are under the control of each
and every user. In his or her bulletin board, a user/owner can post anything––from text, to pictures, to
music and videos––access to which would depend on whether he or she allows one, some or all of the
other users to see his or her posts. Since gaining popularity, the OSN phenomenon has paved the way
to the creation of various social networking sites, including the one involved in the case at bar,
www.facebook.com (Facebook), which, according to its developers, people use "to stay connected with
friends and family, to discover what’s going on in the world, and to share and express what matters to
them."28

Facebook connections are established through the process of "friending" another user. By sending a
"friend request," the user invites another to connect their accounts so that they can view any and all
"Public" and "Friends Only" posts of the other. Once the request is accepted, the link is established and
both users are permitted to view the other user’s "Public" or "Friends Only" posts, among others.
"Friending," therefore, allows the user to form or maintain one-to-one relationships with other users,
whereby the user gives his or her "Facebook friend" access to his or her profile and shares certain
information to the latter.29

To address concerns about privacy,30 but without defeating its purpose, Facebook was armed with
different privacy tools designed to regulate the accessibility of a user’s profile31 as well as information
uploaded by the user. In H v. W,32 the South Gauteng High Court recognized this ability of the users to
"customize their privacy settings," but did so with this caveat: "Facebook states in its policies that,
although it makes every effort to protect a user’s information, these privacy settings are not foolproof."33

For instance, a Facebook user can regulate the visibility and accessibility of digital images (photos),
posted on his or her personal bulletin or "wall," except for the user’s profile picture and ID, by selecting
his or her desired privacy setting:

(a) Public - the default setting; every Facebook user can view the photo;

(b) Friends of Friends - only the user’s Facebook friends and their friends can view the photo;

(b) Friends - only the user’s Facebook friends can view the photo;

(c) Custom - the photo is made visible only to particular friends and/or networks of the
Facebook user; and

(d) Only Me - the digital image can be viewed only by the user.

The foregoing are privacy tools, available to Facebook users, designed to set up barriers to broaden or
limit the visibility of his or her specific profile content, statuses, and photos, among others, from another
user’s point of view. In other words, Facebook extends its users an avenue to make the availability of
their Facebook activities reflect their choice as to "when and to what extent to disclose facts about
[themselves] – and to put others in the position of receiving such confidences."34 Ideally, the selected
setting will be based on one’s desire to interact with others, coupled with the opposing need to withhold
certain information as well as to regulate the spreading of his or her personal information. Needless to
say, as the privacy setting becomes more limiting, fewer Facebook users can view that user’s particular
post.

STC did not violate petitioners’ daughters’ right to privacy

Without these privacy settings, respondents’ contention that there is no reasonable expectation of
privacy in Facebook would, in context, be correct. However, such is not the case. It is through the
availability of said privacy tools that many OSN users are said to have a subjective expectation that only
those to whom they grant access to their profile will view the information they post or upload thereto.35

This, however, does not mean that any Facebook user automatically has a protected expectation of
privacy in all of his or her Facebook activities.

Before one can have an expectation of privacy in his or her OSN activity, it is first necessary that said
user, in this case the children of petitioners, manifest the intention to keep certain posts private, through
the employment of measures to prevent access thereto or to limit its visibility.36 And this intention can
materialize in cyberspace through the utilization of the OSN’s privacy tools. In other words, utilization of
these privacy tools is the manifestation, in cyber world, of the user’s invocation of his or her right to
informational privacy.37

Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny access to his or her
post or profile detail should not be denied the informational privacy right which necessarily accompanies
said choice.38 Otherwise, using these privacy tools would be a feckless exercise, such that if, for
instance, a user uploads a photo or any personal information to his or her Facebook page and sets its
privacy level at "Only Me" or a custom list so that only the user or a chosen few can view it, said photo
would still be deemed public by the courts as if the user never chose to limit the photo’s visibility and
accessibility. Such position, if adopted, will not only strip these privacy tools of their function but it would
also disregard the very intention of the user to keep said photo or information within the confines of his
or her private space.

We must now determine the extent that the images in question were visible to other Facebook users
and whether the disclosure was confidential in nature. In other words, did the minors limit the disclosure
of the photos such that the images were kept within their zones of privacy? This determination is
necessary in resolving the issue of whether the minors carved out a zone of privacy when the photos
were uploaded to Facebook so that the images will be protected against unauthorized access and
disclosure.

Petitioners, in support of their thesis about their children’s privacy right being violated, insist that
Escudero intruded upon their children’s Facebook accounts, downloaded copies of the pictures and
showed said photos to Tigol. To them, this was a breach of the minors’ privacy since their Facebook
accounts, allegedly, were under "very private" or "Only Friends" setting safeguarded with a
password.39 Ultimately, they posit that their children’s disclosure was only limited since their profiles
were not open to public viewing. Therefore, according to them, people who are not their Facebook
friends, including respondents, are barred from accessing said post without their knowledge and
consent. As petitioner’s children testified, it was Angela who uploaded the subject photos which were only
viewable by the five of them,40 although who these five are do not appear on the records.

Escudero, on the other hand, stated in her affidavit41 that "my students showed me some pictures of
girls clad in brassieres. This student [sic] of mine informed me that these are senior high school
[students] of STC, who are their friends in [F]acebook. x x x They then said [that] there are still many
other photos posted on the Facebook accounts of these girls. At the computer lab, these students then
logged into their Facebook account [sic], and accessed from there the various photographs x x x. They
even told me that there had been times when these photos were ‘public’ i.e., not confined to their
friends in Facebook."

In this regard, We cannot give much weight to the minors’ testimonies for one key reason: failure to
question the students’ act of showing the photos to Tigol disproves their allegation that the photos were
viewable only by the five of them. Without any evidence to corroborate their statement that the images
were visible only to the five of them, and without their challenging Escudero’s claim that the other
students were able to view the photos, their statements are, at best, self-serving, thus deserving scant
consideration.42

It is well to note that not one of petitioners disputed Escudero’s sworn account that her students, who
are the minors’ Facebook "friends," showed her the photos using their own Facebook accounts. This
only goes to show that no special means to be able to view the allegedly private posts were ever
resorted to by Escudero’s students,43 and that it is reasonable to assume, therefore, that the photos
were, in reality, viewable either by (1) their Facebook friends, or (2) by the public at large.

Considering that the default setting for Facebook posts is "Public," it can be surmised that the
photographs in question were viewable to everyone on Facebook, absent any proof that petitioners’
children positively limited the disclosure of the photograph. If such were the case, they cannot invoke the
protection attached to the right to informational privacy. The ensuing pronouncement in US v. Gines-
Perez44 is most instructive:

[A] person who places a photograph on the Internet precisely intends to forsake and renounce all
privacy rights to such imagery, particularly under circumstances such as here, where the Defendant did
not employ protective measures or devices that would have controlled access to the Web page or the
photograph itself.45

Also, United States v. Maxwell46 held that "[t]he more open the method of transmission is, the less
privacy one can reasonably expect. Messages sent to the public at large in the chat room or e-mail that
is forwarded from correspondent to correspondent loses any semblance of privacy."

That the photos are viewable by "friends only" does not necessarily bolster the petitioners’ contention.
In this regard, the cyber community is agreed that the digital images under this setting still remain to be
outside the confines of the zones of privacy in view of the following:

(1) Facebook "allows the world to be more open and connected by giving its users the tools to
interact and share in any conceivable way;"47

(2) A good number of Facebook users "befriend" other users who are total strangers;48

(3) The sheer number of "Friends" one user has, usually by the hundreds; and

(4) A user’s Facebook friend can "share"49 the former’s post, or "tag"50 others who are not
Facebook friends with the former, despite its being visible only to his or her own Facebook
friends.

It is well to emphasize at this point that setting a post’s or profile detail’s privacy to "Friends" is no
assurance that it can no longer be viewed by another user who is not Facebook friends with the source
of the content. The user’s own Facebook friend can share said content or tag his or her own Facebook
friend thereto, regardless of whether the user tagged by the latter is Facebook friends or not with the
former. Also, when the post is shared or when a person is tagged, the respective Facebook friends of
the person who shared the post or who was tagged can view the post, the privacy setting of which was
set at "Friends."

To illustrate, suppose A has 100 Facebook friends and B has 200. A and B are not Facebook friends. If
C, A’s Facebook friend, tags B in A’s post, which is set at "Friends," the initial audience of 100 (A’s own
Facebook friends) is dramatically increased to 300 (A’s 100 friends plus B’s 200 friends or the public,
depending upon B’s privacy setting). As a result, the audience who can view the post is effectively
expanded––and to a very large extent.

This, along with its other features and uses, is confirmation of Facebook’s proclivity towards user
interaction and socialization rather than seclusion or privacy, as it encourages broadcasting of individual
user posts. In fact, it has been said that OSNs have facilitated their users’ self-tribute, thereby resulting
into the "democratization of fame."51 Thus, it is suggested, that a profile, or even a post, with visibility set
at "Friends Only" cannot easily, more so automatically, be said to be "very private," contrary to
petitioners’ argument.

As applied, even assuming that the photos in issue are visible only to the sanctioned students’
Facebook friends, respondent STC can hardly be taken to task for the perceived privacy invasion since
it was the minors’ Facebook friends who showed the pictures to Tigol. Respondents were mere
recipients of what were posted. They did not resort to any unlawful means of gathering the information
as it was voluntarily given to them by persons who had legitimate access to the said posts. Clearly, the
fault, if any, lies with the friends of the minors. Curiously enough, however, neither the minors nor their
parents imputed any violation of privacy against the students who showed the images to Escudero.

Furthermore, petitioners failed to prove their contention that respondents reproduced and broadcasted
the photographs. In fact, what petitioners attributed to respondents as an act of offensive disclosure
was no more than the actuality that respondents appended said photographs in their memorandum
submitted to the trial court in connection with Civil Case No. CEB-38594.52 These are not tantamount to
a violation of the minor’s informational privacy rights, contrary to petitioners’ assertion.

In sum, there can be no quibbling that the images in question, or to be more precise, the photos of
minor students scantily clad, are personal in nature, likely to affect, if indiscriminately circulated, the
reputation of the minors enrolled in a conservative institution. However, the records are bereft of any
evidence, other than bare assertions that they utilized Facebook’s privacy settings to make the photos
visible only to them or to a select few. Without proof that they placed the photographs subject of this
case within the ambit of their protected zone of privacy, they cannot now insist that they have an
expectation of privacy with respect to the photographs in question.

Had it been proved that the access to the pictures posted were limited to the original uploader, through
the "Me Only" privacy setting, or that the user’s contact list has been screened to limit access to a
select few, through the "Custom" setting, the result may have been different, for in such instances, the
intention to limit access to the particular post, instead of being broadcasted to the public at large or all
the user’s friends en masse, becomes more manifest and palpable.

On Cyber Responsibility

It has been said that "the best filter is the one between your children’s ears."53 This means that self-
regulation on the part of OSN users and internet consumers in general is the best means of avoiding
privacy rights violations.54 As a cyberspace community member, one has to be proactive in protecting his
or her own privacy.55 It is in this regard that many OSN users, especially minors, fail. Responsible social
networking or observance of the "netiquettes"56 on the part of teenagers has been the concern of many
due to the widespread notion that teenagers can sometimes go too far since they generally lack the
people skills or general wisdom to conduct themselves sensibly in a public forum.57

Respondent STC is clearly aware of this and incorporating lessons on good cyber citizenship in its
curriculum to educate its students on proper online conduct may be most timely. Too, it is not only STC
but a number of schools and organizations have already deemed it important to include digital literacy
and good cyber citizenship in their respective programs and curricula in view of the risks that the
children are exposed to every time they participate in online activities.58 Furthermore, considering the
complexity of the cyber world and its pervasiveness, as well as the dangers that these children are
wittingly or unwittingly exposed to in view of their unsupervised activities in cyberspace, the participation
of the parents in disciplining and educating their children about being a good digital citizen is
encouraged by these institutions and organizations. In fact, it is believed that "to limit such risks, there’s
no substitute for parental involvement and supervision."59

As such, STC cannot be faulted for being steadfast in its duty of teaching its students to be responsible
in their dealings and activities in cyberspace, particularly in OSNs, when it enforced the disciplinary
actions specified in the Student Handbook, absent a showing that, in the process, it violated the
students’ rights.

OSN users should be aware of the risks that they expose themselves to whenever they engage
in cyberspace activities. Accordingly, they should be cautious enough to control their privacy and to
exercise sound discretion regarding how much information about themselves they are willing to give up.
Internet consumers ought to be aware that, by entering or uploading any kind of data or information
online, they are automatically and inevitably making it permanently available online, the perpetuation of
which is outside the ambit of their control. Furthermore, and more importantly, information, otherwise
private, voluntarily surrendered by them can be opened, read, or copied by third parties who may or
may not be allowed access to such.

It is, thus, incumbent upon internet users to exercise due diligence in their online dealings and activities
and must not be negligent in protecting their rights. Equity serves the vigilant. Demanding relief from the
courts, as here, requires that claimants themselves take utmost care in safeguarding a right which they
allege to have been violated. These are indispensable. We cannot afford protection to persons if they
themselves did nothing to place the matter within the confines of their private zone. OSN users must be
mindful enough to learn the use of privacy tools, to use them if they desire to keep the information
private, and to keep track of changes in the available privacy settings, such as those of Facebook,
especially because Facebook is notorious for changing these settings and the site's layout often.

In finding that respondent STC and its officials did not violate the minors' privacy rights, We find no
cogent reason to disturb the findings and case disposition of the court a quo.

In light of the foregoing, the Court need not belabor the other assigned errors.

WHEREFORE, premises considered, the petition is hereby DENIED. The Decision dated July 27, 2012
of the Regional Trial Court, Branch 14 in Cebu City in SP. Proc. No. 19251-CEB is hereby AFFIRMED.
No pronouncement as to costs.

REPUBLIC ACT NO. 10175

AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION, INVESTIGATION,
SUPPRESSION AND THE IMPOSITION OF PENALTIES THEREFOR AND FOR OTHER PURPOSES

Be it enacted by the Senate and House of Representatives of the Philippines in Congress assembled:

CHAPTER I
PRELIMINARY PROVISIONS

Section 1. Title. — This Act shall be known as the "Cybercrime Prevention Act of 2012".

Section 2. Declaration of Policy. — The State recognizes the vital role of information and
communications industries such as content production, telecommunications, broadcasting electronic
commerce, and data processing, in the nation’s overall social and economic development. The State
also recognizes the importance of providing an environment conducive to the development,
acceleration, and rational application and exploitation of information and communications technology
(ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information; and the
need to protect and safeguard the integrity of computer, computer and communications systems,
networks, and databases, and the confidentiality, integrity, and availability of information and data
stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law
such conduct or conducts. In this light, the State shall adopt sufficient powers to effectively prevent and
combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic
and international levels, and by providing arrangements for fast and reliable international cooperation.

Section 3. Definition of Terms. — For purposes of this Act, the following terms are hereby defined as
follows:

(a) Access refers to the instruction, communication with, storing data in, retrieving data from, or
otherwise making use of any resources of a computer system or communication network.

(b) Alteration refers to the modification or change, in form or substance, of an existing computer
data or program.

(c) Communication refers to the transmission of information through ICT media, including voice,
video and other forms of data.

(d) Computer refers to an electronic, magnetic, optical, electrochemical, or other data
processing or communications device, or grouping of such devices, capable of performing
logical, arithmetic, routing, or storage functions and which includes any storage facility or
equipment or communications facility or equipment directly related to or operating in conjunction
with such device. It covers any type of computer device including devices with data processing
capabilities like mobile phones, smart phones, computer networks and other devices connected
to the internet.

(e) Computer data refers to any representation of facts, information, or concepts in a form
suitable for processing in a computer system including a program suitable to cause a computer
system to perform a function and includes electronic documents and/or electronic data
messages whether stored in local computer systems or online.

(f) Computer program refers to a set of instructions executed by the computer to achieve
intended results.

(g) Computer system refers to any device or group of interconnected or related devices, one or
more of which, pursuant to a program, performs automated processing of data. It covers any
type of device with data processing capabilities including, but not limited to, computers and
mobile phones. The device consisting of hardware and software may include input, output and
storage components which may stand alone or be connected in a network or other similar
devices. It also includes computer data storage devices or media.

(h) Without right refers to either: (i) conduct undertaken without or in excess of authority; or (ii)
conduct not covered by established legal defenses, excuses, court orders, justifications, or
relevant principles under the law.

(i) Cyber refers to a computer or a computer network, the electronic medium in which online
communication takes place.

(j) Critical infrastructure refers to the computer systems, and/or networks, whether physical or
virtual, and/or the computer programs, computer data and/or traffic data so vital to this country
that the incapacity or destruction of or interference with such system and assets would have a
debilitating impact on security, national or economic security, national public health and safety,
or any combination of those matters.

(k) Cybersecurity refers to the collection of tools, policies, risk management approaches,
actions, training, best practices, assurance and technologies that can be used to protect the
cyber environment and organization and user’s assets.

(l) Database refers to a representation of information, knowledge, facts, concepts, or
instructions which are being prepared, processed or stored or have been prepared, processed
or stored in a formalized manner and which are intended for use in a computer system.

(m) Interception refers to listening to, recording, monitoring or surveillance of the content of
communications, including procuring of the content of data, either directly, through access and
use of a computer system or indirectly, through the use of electronic eavesdropping or tapping
devices, at the same time that the communication is occurring.

(n) Service provider refers to:

(1) Any public or private entity that provides to users of its service the ability to
communicate by means of a computer system; and

(2) Any other entity that processes or stores computer data on behalf of such
communication service or users of such service.

(o) Subscriber’s information refers to any information contained in the form of computer data or
any other form that is held by a service provider, relating to subscribers of its services other
than traffic or content data and by which identity can be established:

(1) The type of communication service used, the technical provisions taken thereto and
the period of service;

(2) The subscriber’s identity, postal or geographic address, telephone and other access
numbers, any assigned network address, billing and payment information, available on
the basis of the service agreement or arrangement; and

(3) Any other available information on the site of the installation of communication
equipment, available on the basis of the service agreement or arrangement.

(p) Traffic data or non-content data refers to any computer data other than the content of the
communication including, but not limited to, the communication’s origin, destination, route, time,
date, size, duration, or type of underlying service.

CHAPTER II
PUNISHABLE ACTS

Section 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable
under this Act:

(a) Offenses against the confidentiality, integrity and availability of computer data and systems:

(1) Illegal Access. – The access to the whole or any part of a computer system without
right.

(2) Illegal Interception. – The interception made by technical means without right of any
non-public transmission of computer data to, from, or within a computer system
including electromagnetic emissions from a computer system carrying such computer
data.

(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document, or electronic data message,
without right, including the introduction or transmission of viruses.

(4) System Interference. — The intentional alteration or reckless hindering or
interference with the functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or
program, electronic document, or electronic data message, without right or authority,
including the introduction or transmission of viruses.

(5) Misuse of Devices.

(i) The use, production, sale, procurement, importation, distribution, or otherwise
making available, without right, of:

(aa) A device, including a computer program, designed or adapted
primarily for the purpose of committing any of the offenses under this
Act; or

(bb) A computer password, access code, or similar data by which the
whole or any part of a computer system is capable of being accessed
with intent that it be used for the purpose of committing any of the
offenses under this Act.

(ii) The possession of an item referred to in paragraphs 5(i)(aa) or (bb) above
with intent to use said devices for the purpose of committing any of the offenses
under this section.

(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to
profit, mislead, destroy reputation, and deprive others from registering the same, if such
a domain name is:

(i) Similar, identical, or confusingly similar to an existing trademark registered
with the appropriate government agency at the time of the domain name
registration:

(ii) Identical or in any way similar with the name of a person other than the
registrant, in case of a personal name; and

(iii) Acquired without right or with intellectual property interests in it.


(b) Computer-related Offenses:

(1) Computer-related Forgery. —

(i) The input, alteration, or deletion of any computer data without right resulting
in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic, regardless whether or not the data is directly
readable and intelligible; or

(ii) The act of knowingly using computer data which is the product of computer-
related forgery as defined herein, for the purpose of perpetuating a fraudulent or
dishonest design.

(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion of
computer data or program or interference in the functioning of a computer system,
causing damage thereby with fraudulent intent: Provided, That if no
damage has yet been caused, the penalty imposable shall be one (1) degree lower.

(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another,
whether natural or juridical, without right: Provided, That if no damage has yet been
caused, the penalty imposable shall be one (1) degree lower.

(c) Content-related Offenses:

(1) Cybersex. — The willful engagement, maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of
a computer system, for favor or consideration.

(2) Child Pornography. — The unlawful or prohibited acts defined and punishable
by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through
a computer system: Provided, That the penalty to be imposed shall be (1) one degree
higher than that provided for in Republic Act No. 9775.

(3) Unsolicited Commercial Communications. — The transmission of commercial
electronic communication with the use of computer system which seek to advertise, sell,
or offer for sale products and services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or administrative
announcements from the sender to its existing users, subscribers or customers;
or

(iii) The following conditions are present:

(aa) The commercial electronic communication contains a simple, valid,
and reliable way for the recipient to reject receipt of further commercial
electronic messages (opt-out) from the same source;

(bb) The commercial electronic communication does not purposely
disguise the source of the electronic message; and

(cc) The commercial electronic communication does not purposely
include misleading information in any part of the message in order to
induce the recipients to read the message.

(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the
Revised Penal Code, as amended, committed through a computer system or any other
similar means which may be devised in the future.

Section 5. Other Offenses. — The following acts shall also constitute an offense:

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids
in the commission of any of the offenses enumerated in this Act shall be held liable.

(b) Attempt in the Commission of Cybercrime. — Any person who willfully attempts to commit
any of the offenses enumerated in this Act shall be held liable.

Section 6. All crimes defined and penalized by the Revised Penal Code, as amended, and special
laws, if committed by, through and with the use of information and communications technologies shall
be covered by the relevant provisions of this Act: Provided, That the penalty to be imposed shall be one
(1) degree higher than that provided for by the Revised Penal Code, as amended, and special laws, as
the case may be.

Section 7. Liability under Other Laws. — A prosecution under this Act shall be without prejudice to any
liability for violation of any provision of the Revised Penal Code, as amended, or special laws.

CHAPTER III
PENALTIES

Section 8. Penalties. — Any person found guilty of any of the punishable acts enumerated in Sections
4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two
hundred thousand pesos (PhP200,000.00) up to a maximum amount commensurate to the damage
incurred or both.

Any person found guilty of the punishable act under Section 4(a)(5) shall be punished with
imprisonment of prision mayor or a fine of not more than Five hundred thousand pesos
(PhP500,000.00) or both.

If punishable acts in Section 4(a) are committed against critical infrastructure, the penalty of reclusion
temporal or a fine of at least Five hundred thousand pesos (PhP500,000.00) up to maximum amount
commensurate to the damage incurred or both, shall be imposed.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(1) of this Act shall be
punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos
(PhP200,000.00) but not exceeding One million pesos (PhP1,000,000.00) or both.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(2) of this Act shall be
punished with the penalties as enumerated in Republic Act No. 9775 or the "Anti-Child Pornography Act
of 2009": Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for
in Republic Act No. 9775, if committed through a computer system.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(3) shall be punished
with imprisonment of arresto mayor or a fine of at least Fifty thousand pesos (PhP50,000.00) but not
exceeding Two hundred fifty thousand pesos (PhP250,000.00) or both.

Any person found guilty of any of the punishable acts enumerated in Section 5 shall be punished with
imprisonment one (1) degree lower than that of the prescribed penalty for the offense or a fine of at
least One hundred thousand pesos (PhP100,000.00) but not exceeding Five hundred thousand pesos
(PhP500,000.00) or both.

Section 9. Corporate Liability. — When any of the punishable acts herein defined are knowingly
committed on behalf of or for the benefit of a juridical person, by a natural person acting either
individually or as part of an organ of the juridical person, who has a leading position within, based on:
(a) a power of representation of the juridical person provided the act committed falls within the scope of
such authority; (b) an authority to take decisions on behalf of the juridical person: Provided, That the act
committed falls within the scope of such authority; or (c) an authority to exercise control within the
juridical person, the juridical person shall be held liable for a fine equivalent to at least double the fines
imposable in Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the lack of
supervision or control by a natural person referred to and described in the preceding paragraph, for the
benefit of that juridical person by a natural person acting under its authority, the juridical person shall be
held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of
Five million pesos (PhP5,000,000.00).

The liability imposed on the juridical person shall be without prejudice to the criminal liability of the
natural person who has committed the offense.

CHAPTER IV
ENFORCEMENT AND IMPLEMENTATION

Section 10. Law Enforcement Authorities. — The National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) shall be responsible for the efficient and effective law enforcement of
the provisions of this Act. The NBI and the PNP shall organize a cybercrime unit or center manned by
special investigators to exclusively handle cases involving violations of this Act.

Section 11. Duties of Law Enforcement Authorities. — To ensure that the technical nature of
cybercrime and its prevention is given focus and considering the procedures involved for international
cooperation, law enforcement authorities specifically the computer or technology crime divisions or units
responsible for the investigation of cybercrimes are required to submit timely and regular reports
including pre-operation, post-operation and investigation results and such other documents as may be
required to the Department of Justice (DOJ) for review and monitoring.

Section 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall
be authorized to collect or record by technical or electronic means traffic data in real-time associated
with specified communications transmitted by means of a computer system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or
type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the collection or
recording of the above-stated information.

The court warrant required under this section shall only be issued or granted upon written application
and the examination under oath or affirmation of the applicant and the witnesses he may produce and
the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated
hereinabove has been committed, or is being committed, or is about to be committed; (2) that there are
reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any
person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other
means readily available for obtaining such evidence.

Section 13. Preservation of Computer Data. — The integrity of traffic data and subscriber information
relating to communication services provided by a service provider shall be preserved for a minimum
period of six (6) months from the date of the transaction. Content data shall be similarly preserved for
six (6) months from the date of receipt of the order from law enforcement authorities requiring its
preservation.
Law enforcement authorities may order a one-time extension for another six (6) months: Provided, That
once computer data preserved, transmitted or stored by a service provider is used as evidence in a
case, the mere furnishing to such service provider of the transmittal document to the Office of the
Prosecutor shall be deemed a notification to preserve the computer data until the termination of the
case.

The service provider ordered to preserve computer data shall keep confidential the order and its
compliance.

Section 14. Disclosure of Computer Data. — Law enforcement authorities, upon securing a court
warrant, shall issue an order requiring any person or service provider to disclose or submit subscriber’s
information, traffic data or relevant data in his/its possession or control within seventy-two (72) hours
from receipt of the order in relation to a valid complaint officially docketed and assigned for investigation
and the disclosure is necessary and relevant for the purpose of investigation.

Section 15. Search, Seizure and Examination of Computer Data. — Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have the following powers and
duties.

Within the time period specified in the warrant, to conduct interception, as defined in this Act, and:

(a) To secure a computer system or a computer data storage medium;

(b) To make and retain a copy of those computer data secured;

(c) To maintain the integrity of the relevant stored computer data;

(d) To conduct forensic analysis or examination of the computer data storage medium; and

(e) To render inaccessible or remove those computer data in the accessed computer or
computer and communications network.

Pursuant thereof, the law enforcement authorities may order any person who has knowledge about the
functioning of the computer system and the measures to protect and preserve the computer data
therein to provide, as is reasonable, the necessary information, to enable the undertaking of the search,
seizure and examination.

Law enforcement authorities may request for an extension of time to complete the examination of the
computer data storage medium and to make a return thereon but in no case for a period longer than
thirty (30) days from date of approval by the court.

Section 16. Custody of Computer Data. — All computer data, including content and traffic data,
examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the period
fixed therein, be deposited with the court in a sealed package, and shall be accompanied by an affidavit
of the law enforcement authority executing it stating the dates and times covered by the examination,
and the law enforcement authority who may access the deposit, among other relevant data. The law
enforcement authority shall also certify that no duplicates or copies of the whole or any part thereof
have been made, or if made, that all such duplicates or copies are included in the package deposited
with the court. The package so deposited shall not be opened, or the recordings replayed, or used in
evidence, or their contents revealed, except upon order of the court, which shall not be granted except
upon motion, with due notice and opportunity to be heard to the person or persons whose conversation
or communications have been recorded.

Section 17. Destruction of Computer Data. — Upon expiration of the periods as provided in Sections
13 and 15, service providers and law enforcement authorities, as the case may be, shall immediately
and completely destroy the computer data subject of a preservation and examination.

Section 18. Exclusionary Rule. — Any evidence procured without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.

Section 19. Restricting or Blocking Access to Computer Data. — When a computer data is prima facie
found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block
access to such computer data.

Section 20. Noncompliance. — Failure to comply with the provisions of Chapter IV hereof specifically
the orders from law enforcement authorities shall be punished as a violation of Presidential Decree No.
1829 with imprisonment of prision correccional in its maximum period or a fine of One hundred thousand
pesos (Php100,000.00) or both, for each and every noncompliance with an order issued by law
enforcement authorities.

CHAPTER V
JURISDICTION

Section 21. Jurisdiction. — The Regional Trial Court shall have jurisdiction over any violation of the
provisions of this Act, including any violation committed by a Filipino national regardless of the place of
commission. Jurisdiction shall lie if any of the elements was committed within the Philippines or
committed with the use of any computer system wholly or partly situated in the country, or when by
such commission any damage is caused to a natural or juridical person who, at the time the offense
was committed, was in the Philippines.

There shall be designated special cybercrime courts manned by specially trained judges to handle
cybercrime cases.

CHAPTER VI
INTERNATIONAL COOPERATION

Section 22. General Principles Relating to International Cooperation. — All relevant international
instruments on international cooperation in criminal matters, arrangements agreed on the basis of
uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of
investigations or proceedings concerning criminal offenses related to computer systems and data, or for
the collection of evidence in electronic form of a criminal offense shall be given full force and effect.

CHAPTER VII
COMPETENT AUTHORITIES

Section 23. Department of Justice (DOJ). — There is hereby created an Office of Cybercrime within the
DOJ designated as the central authority in all matters related to international mutual assistance and
extradition.

Section 24. Cybercrime Investigation and Coordinating Center. — There is hereby created, within thirty
(30) days from the effectivity of this Act, an inter-agency body to be known as the Cybercrime
Investigation and Coordinating Center (CICC), under the administrative supervision of the Office of the
President, for policy coordination among concerned agencies and for the formulation and enforcement
of the national cybersecurity plan.

Section 25. Composition. — The CICC shall be headed by the Executive Director of the Information
and Communications Technology Office under the Department of Science and Technology (ICTO-
DOST) as Chairperson with the Director of the NBI as Vice Chairperson; the Chief of the PNP; Head of
the DOJ Office of Cybercrime; and one (1) representative from the private sector and academe, as
members. The CICC shall be manned by a secretariat of selected existing personnel and
representatives from the different participating agencies.

Section 26. Powers and Functions. — The CICC shall have the following powers and functions:
(a) To formulate a national cybersecurity plan and extend immediate assistance for the
suppression of real-time commission of cybercrime offenses through a computer emergency
response team (CERT);

(b) To coordinate the preparation of appropriate and effective measures to prevent and
suppress cybercrime activities as provided for in this Act;

(c) To monitor cybercrime cases being handled by participating law enforcement and
prosecution agencies;

(d) To facilitate international cooperation on intelligence, investigations, training and capacity
building related to cybercrime prevention, suppression and prosecution;

(e) To coordinate the support and participation of the business sector, local government units
and nongovernment organizations in cybercrime prevention programs and other related
projects;

(f) To recommend the enactment of appropriate laws, issuances, measures and policies;

(g) To call upon any government agency to render assistance in the accomplishment of the
CICC’s mandated tasks and functions; and

(h) To perform all other matters related to cybercrime prevention and suppression, including
capacity building and such other functions and duties as may be necessary for the proper
implementation of this Act.

CHAPTER VIII
FINAL PROVISIONS

Section 27. Appropriations. — The amount of Fifty million pesos (PhP50,000,000.00) shall be
appropriated annually for the implementation of this Act.

Section 28. Implementing Rules and Regulations. — The ICTO-DOST, the DOJ and the Department of
the Interior and Local Government (DILG) shall jointly formulate the necessary rules and regulations
within ninety (90) days from approval of this Act, for its effective implementation.

Section 29. Separability Clause — If any provision of this Act is held invalid, the other provisions not
affected shall remain in full force and effect.

Section 30. Repealing Clause. — All laws, decrees or rules inconsistent with this Act are hereby
repealed or modified accordingly. Section 33(a) of Republic Act No. 8792 or the "Electronic Commerce
Act" is hereby modified accordingly.

Section 31. Effectivity. — This Act shall take effect fifteen (15) days after the completion of its
publication in the Official Gazette or in at least two (2) newspapers of general circulation.

Rules and Regulations Implementing
Republic Act No. 10175, Otherwise Known as the
“Cybercrime Prevention Act of 2012”

Pursuant to the authority of the Department of Justice, Department of Interior and Local
Government, and Department of Science and Technology under Republic Act No. 10175, otherwise
known as the “Cybercrime Prevention Act of 2012”, the following rules and regulations are hereby
promulgated to implement the provisions of said Act:
RULE 1
Preliminary Provisions

Section 1. Title. – These Rules shall be referred to as the Implementing Rules and Regulations of
Republic Act No. 10175, or the “Cybercrime Prevention Act of 2012”.

Section 2. Declaration of Policy. – The State recognizes the vital role of information and
communications industries, such as content production, telecommunications, broadcasting,
electronic commerce and data processing, in the State’s overall social and economic development.

The State also recognizes the importance of providing an environment conducive to the
development, acceleration, and rational application and exploitation of information and
communications technology to attain free, easy, and intelligible access to exchange and/or delivery
of information; and the need to protect and safeguard the integrity of computer, computer and
communications systems, networks and databases, and the confidentiality, integrity, and availability
of information and data stored therein from all forms of misuse, abuse and illegal access by making
punishable under the law such conduct or conducts.

The State shall adopt sufficient powers to effectively prevent and combat such offenses by
facilitating their detection, investigation and prosecution at both the domestic and international
levels, and by providing arrangements for fast and reliable international cooperation.

Section 3. Definition of Terms. – The following terms are defined as follows:

a) Access refers to the instruction, communication with, storing data in, retrieving data from, or
otherwise making use of any resources of a computer system or communication network;

b) Act refers to Republic Act No. 10175 or the “Cybercrime Prevention Act of 2012”;

c) Alteration refers to the modification or change, in form or substance, of an existing computer
data or program;

d) Central Authority refers to the DOJ – Office of Cybercrime;

e) Child Pornography refers to the unlawful or prohibited acts defined and punishable by Republic
Act No. 9775 or the “Anti-Child Pornography Act of 2009”, committed through a computer
system: Provided, that the penalty to be imposed shall be one (1) degree higher than that provided
for in Republic Act No. 9775;

f) Collection refers to gathering and receiving information;

g) Communication refers to the transmission of information through information and
communication technology (ICT) media, including voice, video and other forms of data;

h) Competent Authority refers to either the Cybercrime Investigation and Coordinating Center or
the DOJ – Office of Cybercrime, as the case may be;

i) Computer refers to an electronic, magnetic, optical, electrochemical, or other data processing or
communications device, or grouping of such devices, capable of performing logical, arithmetic,
routing or storage functions, and which includes any storage facility or equipment or
communications facility or equipment directly related to or operating in conjunction with such
device. It covers any type of computer device, including devices with data processing capabilities
like mobile phones, smart phones, computer networks and other devices connected to the internet;

j) Computer data refers to any representation of facts, information, or concepts in a form suitable
for processing in a computer system, including a program suitable to cause a computer system to
perform a function, and includes electronic documents and/or electronic data messages whether
stored in local computer systems or online;

k) Computer program refers to a set of instructions executed by the computer to achieve intended
results;

l) Computer system refers to any device or group of interconnected or related devices, one or more
of which, pursuant to a program, performs automated processing of data. It covers any type of
device with data processing capabilities, including, but not limited to, computers and mobile
phones. The device consisting of hardware and software may include input, output and storage
components, which may stand alone or be connected to a network or other similar devices. It also
includes computer data storage devices or media;

m) Content Data refers to the communication content of the communication, the meaning or
purport of the communication, or the message or information being conveyed by the
communication, other than traffic data.

n) Critical infrastructure refers to the computer systems, and/or networks, whether physical or
virtual, and/or the computer programs, computer data and/or traffic data that are so vital to this
country that the incapacity or destruction of or interference with such system and assets would have
a debilitating impact on security, national or economic security, national public health and safety, or
any combination of those matters;

o) Cybersecurity refers to the collection of tools, policies, risk management approaches, actions,
training, best practices, assurance and technologies that can be used to protect the cyber
environment, and organization and user’s assets;

p) National Cybersecurity Plan refers to a comprehensive plan of actions designed to improve the
security and enhance cyber resilience of infrastructures and services. It is a top-down approach to
cybersecurity that contains broad policy statements and establishes a set of national objectives and
priorities that should be achieved within a specific timeframe;

q) Cybersex refers to the willful engagement, maintenance, control or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a
computer system, for favor or consideration;

r) Cyber refers to a computer or a computer network, the electronic medium in which online
communication takes place;

s) Database refers to a representation of information, knowledge, facts, concepts or instructions
which are being prepared, processed or stored, or have been prepared, processed or stored in a
formalized manner, and which are intended for use in a computer system;

t) Digital evidence refers to digital information that may be used as evidence in a case. The
gathering of the digital information may be carried out by confiscation of the storage media (data
carrier), the tapping or monitoring of network traffic, or the making of digital copies (e.g., forensic
images, file copies, etc.), of the data held;
u) Electronic evidence refers to evidence, the use of which is sanctioned by existing rules of
evidence, in ascertaining in a judicial proceeding, the truth respecting a matter of fact, which
evidence is received, recorded, transmitted, stored, processed, retrieved or produced electronically;

v) Forensics refers to the application of investigative and analytical techniques that conform to
evidentiary standards, and are used in, or appropriate for, a court of law or other legal context;

w) Forensic image, also known as a forensic copy, refers to an exact bit-by-bit copy of a data
carrier, including slack, unallocated space and unused space. There are forensic tools available for
making these images. Most tools produce information, like a hash value, to ensure the integrity of
the image;

x) Hash value refers to the mathematical algorithm produced against digital information (a file, a
physical disk or a logical disk) thereby creating a “digital fingerprint” or “digital DNA” for that
information. It is a one-way algorithm and thus it is not possible to change digital evidence without
changing the corresponding hash values;
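Definitions (w) and (x) describe a forensic practice rather than a rule of law. The following is an added illustration, not part of the Act or its Rules, of what that practice looks like in code: acquire a bit-for-bit image of a constructed sample data carrier (including its unallocated and slack bytes), record its hash values, and later re-verify a copy against that record. The sample carrier bytes, the function names and the choice of MD5 alongside SHA-256 are assumptions made for this example; the one-way property of the hash is what makes an undetected alteration of the image impracticable.

```python
"""Forensic-image integrity check (added example; not from the Act or its Rules)."""
import hashlib
import hmac

# Assumption: imaging tools commonly record both digests; either alone would suffice here.
HASH_ALGOS = ("md5", "sha256")


def digest(data: bytes) -> dict:
    """Hash values for a data carrier or image: the 'digital fingerprint' of definition (x)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def acquire(carrier: bytes) -> tuple[bytes, dict]:
    """Exact bit-by-bit copy of the carrier plus its hash record, as in definition (w).

    A real tool reads the raw device sector by sector and write-blocks the source;
    the copy here is the in-memory equivalent.
    """
    image = bytes(carrier)
    return image, digest(image)


def verify(image: bytes, record: dict) -> bool:
    """Re-hash a copy (e.g. one deposited under Section 16) and compare with the acquisition record."""
    current = digest(image)
    # Constant-time comparison; every recorded algorithm must match.
    return all(hmac.compare_digest(current[a], record[a]) for a in HASH_ALGOS)


def tamper(image: bytes, offset: int) -> bytes:
    """Flip a single bit at the given offset, to show that any change is detectable."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample carrier: allocated file content, a run of unallocated space,
# a remnant of a deleted file, and trailing slack. None of this is real evidence.
SAMPLE_CARRIER = (
    b"FS-HEADER"
    + b"report.docx: quarterly figures"
    + b"\x00" * 512
    + b"deleted-file remnant"
    + b"\xff" * 64
)


def demo() -> tuple[bool, bool]:
    """Return (untouched copy verifies, single-bit-altered copy verifies)."""
    image, record = acquire(SAMPLE_CARRIER)
    # Alter one bit inside the deleted-file remnant, a region a logical copy would miss.
    altered = tamper(image, len(SAMPLE_CARRIER) - 70)
    return verify(image, record), verify(altered, record)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("untouched copy verifies:", ok)
    print("altered copy verifies:", tampered_ok)
```

The acquisition record (`digest` output) is what belongs on the chain-of-custody form; `verify` is the check run when a copy is produced in court or when an examiner receives the image, and it fails on a one-bit change anywhere in the carrier, unallocated space included.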

y) Identifying information refers to any name or number that may be used alone or in conjunction
with any other information to identify any specific individual, including any of the following:

1. Name, date of birth, driver’s license number, passport number or tax identification number;
2. Unique biometric data, such as fingerprint or other unique physical representation;
3. Unique electronic identification number, address or routing code; and
4. Telecommunication identifying information or access device.

z) Information and communication technology system refers to a system intended for, and capable
of, generating, sending, receiving, storing or otherwise processing electronic data messages or
electronic documents, and includes the computer system or other similar device by or in which data
is recorded or stored, and any procedures related to the recording or storage of electronic data
message or electronic document;

aa) Interception refers to listening to, recording, monitoring or surveillance of the content of
communications, including procurement of the content of data, either directly through access and
use of a computer system, or indirectly through the use of electronic eavesdropping or tapping
devices, at the same time that the communication is occurring;

bb) Internet content host refers to a person who hosts or who proposes to host internet content in
the Philippines;

cc) Law enforcement authorities refers to the National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) under Section 10 of the Act;

dd) Original author refers to the person who created or is the origin of the assailed electronic
statement or post using a computer system;

ee) Preservation refers to the keeping of data that already exists in a stored form, protected from
anything that would cause its current quality or condition to change or deteriorate. It is the activity
that keeps that stored data secure and safe;

ff) Service provider refers to:

1. any public or private entity that provides users of its service with the ability to communicate
by means of a computer system; and
2. any other entity that processes or stores computer data on behalf of such communication
service or users of such service.

gg) Subscriber’s information refers to any information contained in the form of computer data or
any other form that is held by a service provider, relating to subscribers of its services, other than
traffic or content data, and by which any of the following can be established:

The type of communication service used, the technical provisions taken thereto and the period of
service;

The subscriber’s identity, postal or geographic address, telephone and other access number, any
assigned network address, billing and payment information that are available on the basis of the
service agreement or arrangement; or

Any other available information on the site of the installation of communication equipment that is
available on the basis of the service agreement or arrangement.

hh) Traffic Data or Non-Content Data refers to any computer data other than the content of the
communication, including, but not limited to the communication’s origin, destination, route, time,
date, size, duration, or type of underlying service; and

ii) Without Right refers to either: (i) conduct undertaken without or in excess of authority; or (ii)
conduct not covered by established legal defenses, excuses, court orders, justifications or relevant
principles under the law.

RULE 2
Punishable Acts and Penalties

Cybercrimes

Section 4. Cybercrime Offenses. – The following acts constitute the offense of core cybercrime
punishable under the Act:

A. Offenses against the confidentiality, integrity and availability of computer data and
systems shall be punished with imprisonment of prision mayor or a fine of at least Two Hundred
Thousand Pesos (P200,000.00) up to a maximum amount commensurate to the damage incurred, or
both, except with respect to number 5 herein:

1. Illegal Access – The access to the whole or any part of a computer system without right.
2. Illegal Interception – The interception made by technical means and without right, of any
non-public transmission of computer data to, from, or within a computer system, including
electromagnetic emissions from a computer system carrying such computer data: Provided,
however, That it shall not be unlawful for an officer, employee, or agent of a service
provider, whose facilities are used in the transmission of communications, to intercept,
disclose or use that communication in the normal course of employment, while engaged in
any activity that is necessary to the rendition of service or to the protection of the rights or
property of the service provider, except that the latter shall not utilize service observing or
random monitoring other than for purposes of mechanical or service control quality checks.
3. Data Interference – The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document or electronic data message, without
right, including the introduction or transmission of viruses.
4. System Interference – The intentional alteration, or reckless hindering or interference with
the functioning of a computer or computer network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing computer data or program, electronic
document or electronic data message, without right or authority, including the introduction
or transmission of viruses.
5. Misuse of Devices, which shall be punished with imprisonment of prision mayor, or a fine
of not more than Five Hundred Thousand Pesos (P500,000.00), or both, is committed
through any of the following acts:

a. The use, production, sale, procurement, importation, distribution or otherwise making available,
intentionally and without right, of any of the following:

i. A device, including a computer program, designed or adapted primarily for the purpose of
committing any of the offenses under these rules; or

ii. A computer password, access code, or similar data by which the whole or any part of a computer
system is capable of being accessed with the intent that it be used for the purpose of committing any
of the offenses under these rules.

b. The possession of an item referred to in subparagraphs 5(a)(i) or (ii) above, with the intent to use
said devices for the purpose of committing any of the offenses under this section.

Provided, That no criminal liability shall attach when the use, production, sale, procurement,
importation, distribution, otherwise making available, or possession of computer devices or data
referred to in this section is for the authorized testing of a computer system.

If any of the punishable acts enumerated in Section 4(A) is committed against critical infrastructure,
the penalty of reclusion temporal, or a fine of at least Five Hundred Thousand Pesos (P500,000.00)
up to maximum amount commensurate to the damage incurred, or both shall be imposed.

B. Computer-related Offenses, which shall be punished with imprisonment of prision mayor, or a
fine of at least Two Hundred Thousand Pesos (P200,000.00) up to a maximum amount
commensurate to the damage incurred, or both, are as follows:

1. Computer-related Forgery –

a. The input, alteration or deletion of any computer data without right, resulting in inauthentic data,
with the intent that it be considered or acted upon for legal purposes as if it were authentic,
regardless whether or not the data is directly readable and intelligible; or

b. The act of knowingly using computer data, which is the product of computer-related forgery as
defined herein, for the purpose of perpetuating a fraudulent or dishonest design.

2. Computer-related Fraud – The unauthorized input, alteration or deletion of computer data or
program, or interference in the functioning of a computer system, causing damage thereby with
fraudulent intent: Provided, That if no damage has yet been caused, the penalty imposable shall be
one (1) degree lower.
3. Computer-related Identity Theft – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether natural or
juridical, without right: Provided, That if no damage has yet been caused, the penalty imposable
shall be one (1) degree lower.

C. Content-related Offenses:

1. Any person found guilty of Child Pornography shall be punished in accordance with the penalties
set forth in Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”: Provided, That
the penalty to be imposed shall be one (1) degree higher than that provided for in Republic Act No.
9775 if committed through a computer system.

Section 5. Other Cybercrimes. – The following constitute other cybercrime offenses punishable
under the Act:

1. Cyber-squatting – The acquisition of a domain name over the internet, in bad faith, in order to
profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain
name is:

a. Similar, identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration;
b. Identical or in any way similar with the name of a person other than the registrant, in case of
a personal name; and
c. Acquired without right or with intellectual property interests in it.

Cyber-squatting shall be punished with imprisonment of prision mayor, or a fine of at least Two
Hundred Thousand Pesos (P200,000.00) up to a maximum amount commensurate to the damage
incurred, or both: Provided, That if it is committed against critical infrastructure, the penalty
of reclusion temporal, or a fine of at least Five Hundred Thousand Pesos (P500,000.00) up to
maximum amount commensurate to the damage incurred, or both shall be imposed.

2. Cybersex – The willful engagement, maintenance, control or operation, directly or indirectly, of
any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for
favor or consideration. Any person found guilty of cybersex shall be punished with imprisonment
of prision mayor, or a fine of at least Two Hundred Thousand Pesos (P200,000.00), but not
exceeding One Million Pesos (P1,000,000.00), or both.

Cybersex involving a child shall be punished in accordance with the provision on child pornography
of the Act.

Where the maintenance, control, or operation of cybersex likewise constitutes an offense punishable
under Republic Act No. 9208, as amended, a prosecution under the Act shall be without prejudice to
any liability for violation of any provision of the Revised Penal Code, as amended, or special laws,
including R.A. No. 9208, consistent with Section 8 hereof.

3. Libel – The unlawful or prohibited acts of libel, as defined in Article 355 of the Revised Penal
Code, as amended, committed through a computer system or any other similar means which may be
devised in the future shall be punished with prision correccional in its maximum period to prision
mayor in its minimum period or a fine ranging from Six Thousand Pesos (P6,000.00) up to the
maximum amount determined by Court, or both, in addition to the civil action which may be
brought by the offended party: Provided, That this provision applies only to the original author of
the post or online libel, and not to others who simply receive the post and react to it.

4. Other offenses – The following acts shall also constitute an offense which shall be punished with
imprisonment of one (1) degree lower than that of the prescribed penalty for the offense, or a fine of
at least One Hundred Thousand Pesos (P100,000.00) but not exceeding Five Hundred Thousand
Pesos (P500,000.00), or both:

A. Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets,
aids, or financially benefits in the commission of any of the offenses enumerated in the Act
shall be held liable, except with respect to Sections 4(c)(2) on Child Pornography and
4(c)(4) on online Libel.
B. Attempt to Commit Cybercrime. – Any person who willfully attempts to commit any of the
offenses enumerated in the Act shall be held liable, except with respect to Sections 4(c)(2)
on Child Pornography and 4(c)(4) on online Libel.

Other Liabilities and Penalties

Section 6. Corporate Liability. – When any of the punishable acts herein defined are knowingly
committed on behalf of or for the benefit of a juridical person, by a natural person acting either
individually or as part of an organ of the juridical person, who has a leading position within, based
on: (a) a power of representation of the juridical person; (b) an authority to take decisions on behalf
of the juridical person; or (c) an authority to exercise control within the juridical person, the
juridical person shall be held liable for a fine equivalent to at least double the fines imposable in
Section 7 up to a maximum of Ten Million Pesos (P10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the lack of
supervision or control by a natural person referred to and described in the preceding paragraph, for
the benefit of that juridical person by a natural person acting under its authority, the juridical person
shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a
maximum of Five Million Pesos (P5,000,000.00).

The liability imposed on the juridical person shall be without prejudice to the criminal liability of
the natural person who has committed the offense.

Section 7. Violation of the Revised Penal Code, as Amended, Through and With the Use of
Information and Communication Technology. – All crimes defined and penalized by the Revised
Penal Code, as amended, and special criminal laws committed by, through and with the use of
information and communications technologies shall be covered by the relevant provisions of the
Act: Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for
by the Revised Penal Code, as amended, and special laws, as the case may be.

Section 8. Liability under Other Laws. – A prosecution under the Act shall be without prejudice to
any liability for violation of any provision of the Revised Penal Code, as amended, or special
laws: Provided, That this provision shall not apply to the prosecution of an offender under (1) both
Section 4(c)(4) of R.A. 10175 and Article 353 of the Revised Penal Code; and (2) both Section
4(c)(2) of R.A. 10175 and R.A. 9775 or the “Anti-Child Pornography Act of 2009”.

RULE 3
Enforcement and Implementation

Section 9. Law Enforcement Authorities. – The National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) shall be responsible for the efficient and effective law
enforcement of the provisions of the Act. The NBI and the PNP shall organize a cybercrime
division or unit to be manned by Special Investigators to exclusively handle cases involving
violations of the Act.

The NBI shall create a cybercrime division to be headed by at least a Head Agent. The PNP shall
create an anti-cybercrime unit headed by at least a Police Director.

The DOJ – Office of Cybercrime (OOC) created under the Act shall coordinate the efforts of the
NBI and the PNP in enforcing the provisions of the Act.

Section 10. Powers and Functions of Law Enforcement Authorities. – The NBI and PNP
cybercrime unit or division shall have the following powers and functions:

a. Investigate all cybercrimes where computer systems are involved;
b. Conduct data recovery and forensic analysis on computer systems and other electronic
evidence seized;
c. Formulate guidelines in investigation, forensic evidence recovery, and forensic data analysis
consistent with industry standard practices;
d. Provide technological support to investigating units within the PNP and NBI including the
search, seizure, evidence preservation and forensic recovery of data from crime scenes and
systems used in crimes, and provide testimonies;
e. Develop public, private sector, and law enforcement agency relations in addressing
cybercrimes;
f. Maintain necessary and relevant databases for statistical and/or monitoring purposes;
g. Develop capacity within their organizations in order to perform such duties necessary for the
enforcement of the Act;
h. Support the formulation and enforcement of the national cybersecurity plan; and
i. Perform other functions as may be required by the Act.

Section 11. Duties of Law Enforcement Authorities. – To ensure that the technical nature of
cybercrime and its prevention is given focus, and considering the procedures involved for
international cooperation, law enforcement authorities, specifically the computer or technology
crime divisions or units responsible for the investigation of cybercrimes, are required to submit
timely and regular reports including pre-operation, post-operation and investigation results, and
such other documents as may be required to the Department of Justice (DOJ) – Office of
Cybercrime for review and monitoring.

Law enforcement authorities shall act in accordance with the guidelines, advisories and procedures
issued and promulgated by the competent authority in all matters related to cybercrime, and utilize
the prescribed forms and templates, including, but not limited to, preservation orders, chain of
custody, consent to search, consent to assume account/online identity and request for computer
forensic examination.

Section 12. Preservation and Retention of Computer Data. – The integrity of traffic data and
subscriber information shall be kept, retained and preserved by a service provider for a minimum
period of six (6) months from the date of the transaction. Content data shall be similarly preserved
for six (6) months from the date of receipt of the order from law enforcement authorities requiring
its preservation.

Law enforcement authorities may order a one-time extension for another six (6) months: Provided,
That once computer data that is preserved, transmitted or stored by a service provider is used as
evidence in a case, the mere act of furnishing such service provider with a copy of the transmittal
document to the Office of the Prosecutor shall be deemed a notification to preserve the computer
data until the final termination of the case and/or as ordered by the Court, as the case may be.

The service provider ordered to preserve computer data shall keep the order and its compliance
therewith confidential.

Section 13. Collection of Computer Data. – Law enforcement authorities, upon the issuance of a
court warrant, shall be authorized to collect or record by technical or electronic means, and the
service providers are required to collect or record by technical or electronic means and/or to
cooperate and assist in the collection or recording of computer data that are associated with
specified communications transmitted by means of a computer system.

The court warrant required under this section shall be issued or granted upon written application,
after the examination under oath or affirmation of the applicant and the witnesses he may produce,
and the showing that: (1) there are reasonable grounds to believe that any of the crimes enumerated
hereinabove has been committed, is being committed or is about to be committed; (2) there are
reasonable grounds to believe that the evidence that will be obtained is essential to the conviction of
any person for, or to the solution of, or to the prevention of any such crimes; and (3) there are no
other means readily available for obtaining such evidence.

Section 14. Disclosure of Computer Data. – Law enforcement authorities, upon securing a court
warrant, shall issue an order requiring any person or service provider to disclose or submit, within
seventy-two (72) hours from receipt of such order, subscriber’s information, traffic data or relevant
data in his/its possession or control, in relation to a valid complaint officially docketed and assigned
for investigation by law enforcement authorities, and the disclosure of which is necessary and
relevant for the purpose of investigation.

Law enforcement authorities shall record all sworn complaints in their official docketing system for
investigation.

Section 15. Search, Seizure and Examination of Computer Data. – Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have the following powers
and duties:

a. Within the time period specified in the warrant, to conduct interception, as defined in these Rules,
and to:

1. Search and seize computer data;
2. Secure a computer system or a computer data storage medium;
3. Make and retain a copy of those computer data secured;
4. Maintain the integrity of the relevant stored computer data;
5. Conduct forensic analysis or examination of the computer data storage medium; and
6. Render inaccessible or remove those computer data in the accessed computer or computer
and communications network.

b. Pursuant thereto, the law enforcement authorities may order any person, who has knowledge
about the functioning of the computer system and the measures to protect and preserve the computer
data therein, to provide, as is reasonable, the necessary information to enable the undertaking of the
search, seizure and examination.
c. Law enforcement authorities may request for an extension of time to complete the examination of
the computer data storage medium and to make a return thereon, but in no case for a period longer
than thirty (30) days from date of approval by the court.

Section 16. Custody of Computer Data. – All computer data, including content and traffic data, that
are examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the
period fixed therein, be deposited with the court in a sealed package, and shall be accompanied by
an affidavit of the law enforcement authority executing it, stating the dates and times covered by the
examination, and the law enforcement authority who may have access to the deposit, among other
relevant data. The law enforcement authority shall also certify that no duplicates or copies of the
whole or any part thereof have been made or, if made, that all such duplicates or copies are included
in the package deposited with the court. The package so deposited shall not be opened, or the
recordings replayed, or used in evidence, or their contents revealed, except upon order of the court,
which shall not be granted except upon motion, with due notice and opportunity to be heard to the
person or persons whose conversation or communications have been recorded.

Section 17. Destruction of Computer Data. – Upon expiration of the periods as provided in
Sections 12 and 15 hereof, or until the final termination of the case and/or as ordered by the Court,
as the case may be, service providers and law enforcement authorities, as the case may be, shall
immediately and completely destroy the computer data that are the subject of a preservation and
examination order or warrant.

Section 18. Exclusionary Rule. – Any evidence obtained without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.

The Rules of Court shall have suppletory application in implementing the Act.

Section 19. Non-compliance. – Failure to comply with the provisions of Chapter IV of the Act, and
Rules 7 and 8 of Chapter VII hereof, specifically the orders from law enforcement authorities, shall
be punished as a violation of Presidential Order No. 1829 (entitled “Penalizing Obstruction Of
Apprehension And Prosecution Of Criminal Offenders”) with imprisonment of prision
correccional in its maximum period, or a fine of One Hundred Thousand Pesos (P100,000.00), or
both for each and every noncompliance with an order issued by law enforcement authorities.

Section 20. Extent of Liability of a Service Provider. – Except as otherwise provided in this
Section, no person or party shall be subject to any civil or criminal liability in respect of a computer
data for which the person or party acting as a service provider merely provides access if such
liability is founded on:

a. The obligations and liabilities of the parties under a computer data;

b. The making, publication, dissemination or distribution of such computer data or any statement
made in such computer data, including possible infringement of any right subsisting in or in relation
to such computer data: Provided, That:

1. The service provider does not have actual knowledge, or is not aware of the facts or
circumstances from which it is apparent, that the making, publication, dissemination or
distribution of such material is unlawful or infringes any rights subsisting in or in relation to
such material;
2. The service provider does not knowingly receive a financial benefit directly attributable to
the unlawful or infringing activity; and
3. The service provider does not directly commit any infringement or other unlawful act, does
not induce or cause another person or party to commit any infringement or other unlawful
act, and/or does not directly benefit financially from the infringing activity or unlawful act
of another person or party: Provided, further, That nothing in this Section shall affect:

i. Any obligation arising from contract;

ii. The obligation of a service provider as such under a licensing or other regulatory regime
established under law;

iii. Any obligation imposed under any law; or

iv. The civil liability of any party to the extent that such liability forms the basis for injunctive relief
issued by a court under any law requiring that the service provider take or refrain from actions
necessary to remove, block or deny access to any computer data, or to preserve evidence of a
violation of law.

RULE 4
Jurisdiction

Section 21. Jurisdiction. – The Regional Trial Court shall have jurisdiction over any violation of
the provisions of the Act, including any violation committed by a Filipino national regardless of the
place of commission. Jurisdiction shall lie if any of the elements was committed within the
Philippines, or committed with the use of any computer system that is wholly or partly situated in
the country, or when by such commission any damage is caused to a natural or juridical person who,
at the time the offense was committed, was in the Philippines.

Section 22. Venue. – Criminal action for violation of the Act may be filed with the RTC of the
province or city where the cybercrime or any of its elements is committed, or where any part of the
computer system used is situated, or where any of the damage caused to a natural or juridical person
took place: Provided, That the court where the criminal action is first filed shall acquire jurisdiction
to the exclusion of other courts.

Section 23. Designation of Cybercrime Courts. – There shall be designated special cybercrime
courts manned by specially trained judges to handle cybercrime cases.

Section 24. Designation of Special Prosecutors and Investigators. – The Secretary of Justice shall
designate prosecutors and investigators who shall comprise the prosecution task force or division
under the DOJ-Office of Cybercrime, which will handle cybercrime cases in violation of the Act.

RULE 5
International Cooperation

Section 25. International Cooperation. – All relevant international instruments on international
cooperation on criminal matters, and arrangements agreed on the basis of uniform or reciprocal
legislation and domestic laws shall be given full force and effect, to the widest extent possible for
the purposes of investigations or proceedings concerning crimes related to computer systems and
data, or for the collection of electronic evidence of crimes.

The DOJ shall cooperate and render assistance to other contracting parties, as well as request
assistance from foreign states, for purposes of detection, investigation and prosecution of offenses
referred to in the Act and in the collection of evidence in electronic form in relation thereto. The
principles contained in Presidential Decree No. 1069 and other pertinent laws, as well as existing
extradition and mutual legal assistance treaties, shall apply. In this regard, the central authority
shall:

a. Provide assistance to a requesting State in the real-time collection of traffic data associated with
specified communications in the country transmitted by means of a computer system, with respect
to criminal offenses defined in the Act for which real-time collection of traffic data would be
available, subject to the provisions of Section 13 hereof;

b. Provide assistance to a requesting State in the real-time collection, recording or interception of
content data of specified communications transmitted by means of a computer system, subject to the
provision of Section 13 hereof;

c. Allow another State to:

1. Access publicly available stored computer data located in the country or elsewhere; or
2. Access or receive, through a computer system located in the country, stored computer data
located in another country, if the other State obtains the lawful and voluntary consent of the
person who has the lawful authority to disclose the data to said other State through that
computer system.

d. Receive a request of another State for it to order or obtain the expeditious preservation of data
stored by means of a computer system located within the country, relative to which the requesting
State shall submit a request for mutual assistance for the search or similar access, seizure or similar
securing, or disclosure of the stored computer data: Provided, That:

1. A request for preservation of data under this section shall specify:

i. The authority seeking the preservation;

ii. The offense that is the subject of a criminal investigation or proceedings and a brief summary of
the related facts;

iii. The stored computer data to be preserved and its relationship to the offense;

iv. The necessity of the preservation; and

v. That the requesting State shall submit a request for mutual assistance for the search or similar
access, seizure or similar securing, or disclosure of the stored computer data.

2. Upon receiving the request from another State, the DOJ and law enforcement agencies shall take
all appropriate measures to expeditiously preserve the specified data, in accordance with the Act
and other pertinent laws. For the purposes of responding to a request for preservation, dual
criminality shall not be required as a condition;

3. A request for preservation may only be refused if:

i. The request concerns an offense that the Philippine Government considers as a political offense or
an offense connected with a political offense; or
ii. The Philippine Government considers the execution of the request to be prejudicial to its
sovereignty, security, public order or other national interest.

4. Where the Philippine Government believes that preservation will not ensure the future
availability of the data, or will threaten the confidentiality of, or otherwise prejudice the requesting
State’s investigation, it shall promptly so inform the requesting State. The requesting State will
determine whether its request should be executed; and

5. Any preservation effected in response to the request referred to in paragraph (d) shall be for a
period not less than sixty (60) days, in order to enable the requesting State to submit a request for
the search or similar access, seizure or similar securing, or disclosure of the data. Following the
receipt of such a request, the data shall continue to be preserved pending a decision on that request.

e. Accommodate a request from another State to search, access, seize, secure, or disclose data stored
by means of a computer system located within the country, including data that has been preserved
under the previous subsection.

The Philippine Government shall respond to the request through the proper application of
international instruments, arrangements and laws, and in accordance with the following rules:

1. The request shall be responded to on an expedited basis where:

i. There are grounds to believe that relevant data is particularly vulnerable to loss or modification;
or

ii. The instruments, arrangements and laws referred to in paragraph (b) of this section otherwise
provide for expedited cooperation.

2. The requesting State must maintain the confidentiality of the fact or the subject of request for
assistance and cooperation. It may only use the requested information subject to the conditions
specified in the grant.

f. Make a request to any foreign state for assistance for purposes of detection, investigation and
prosecution of offenses referred to in the Act;

g. The criminal offenses described under Chapter II of the Act shall be deemed to be included as
extraditable offenses in any extradition treaty where the Philippines is a party: Provided, That the
offense is punishable under the laws of both Parties concerned by deprivation of liberty for a
minimum period of at least one year or by a more severe penalty.

The Secretary of Justice shall designate appropriate State Counsels to handle all matters of
international cooperation as provided in this Rule.

RULE 6
Competent Authorities

Section 26. Cybercrime Investigation and Coordinating Center; Composition. – The inter-agency
body known as the Cybercrime Investigation and Coordinating Center (CICC), under the
administrative supervision of the Office of the President, established for policy coordination among
concerned agencies and for the formulation and enforcement of the national cyber security plan, is
headed by the Executive Director of the Information and Communications Technology Office under
the Department of Science and Technology (ICTO-DOST) as Chairperson; the Director of the NBI
as Vice-Chairperson; and the Chief of the PNP, the Head of the DOJ Office of Cybercrime, and one
(1) representative each from the private sector, non-governmental organizations, and the academe as
members.

The CICC members shall be constituted as an Executive Committee and shall be supported by
Secretariats, specifically for Cybercrime, Administration, and Cybersecurity. The Secretariats shall
be manned from existing personnel or representatives of the participating agencies of the CICC.

The CICC may enlist the assistance of any other agency of the government including government-
owned and -controlled corporations, and the following:

a. Bureau of Immigration;
b. Philippine Drug Enforcement Agency;
c. Bureau of Customs;
d. National Prosecution Service;
e. Anti-Money Laundering Council;
f. Securities and Exchange Commission;
g. National Telecommunications Commission; and
h. Such other offices, agencies and/or units, as may be necessary.

The DOJ Office of Cybercrime shall serve as the Cybercrime Operations Center of the CICC and
shall submit periodic reports to the CICC.

Participation and representation in the Secretariat and/or Operations Center does not require
physical presence, but may be done through electronic modes such as email, audio-visual
conference calls, and the like.

Section 27. Powers and Functions. – The CICC shall have the following powers and functions:

a. Formulate a national cybersecurity plan and extend immediate assistance for the suppression
of real-time commission of cybercrime offenses through a computer emergency response
team (CERT);
b. Coordinate the preparation of appropriate and effective measures to prevent and suppress
cybercrime activities as provided for in the Act;
c. Monitor cybercrime cases being handled by participating law enforcement and prosecution
agencies;
d. Facilitate international cooperation on intelligence, investigations, training and capacity-
building related to cybercrime prevention, suppression and prosecution through the DOJ-
Office of Cybercrime;
e. Coordinate the support and participation of the business sector, local government units and
NGOs in cybercrime prevention programs and other related projects;
f. Recommend the enactment of appropriate laws, issuances, measures and policies;
g. Call upon any government agency to render assistance in the accomplishment of the CICC’s
mandated tasks and functions;
h. Establish and perform community awareness program on cybercrime prevention in
coordination with law enforcement authorities and stakeholders; and
i. Perform all other matters related to cybercrime prevention and suppression, including
capacity-building and such other functions and duties as may be necessary for the proper
implementation of the Act.

Section 28. Department of Justice (DOJ); Functions and Duties. – The DOJ-Office of Cybercrime
(OOC), designated as the central authority in all matters related to international mutual assistance
and extradition, and the Cybercrime Operations Center of the CICC, shall have the following
functions and duties:

a. Act as a competent authority for all requests for assistance for investigation or proceedings
concerning cybercrimes, facilitate the provisions of legal or technical advice, preservation
and production of data, collection of evidence, giving legal information and location of
suspects;
b. Act on complaints/referrals, and cause the investigation and prosecution of cybercrimes and
other violations of the Act;
c. Issue preservation orders addressed to service providers;
d. Administer oaths, issue subpoena and summon witnesses to appear in an investigation or
proceedings for cybercrime;
e. Require the submission of timely and regular reports including pre-operation, post-operation
and investigation results, and such other documents from the PNP and NBI for monitoring
and review;
f. Monitor the compliance of the service providers with the provisions of Chapter IV of the
Act, and Rules 7 and 8 hereof;
g. Facilitate international cooperation with other law enforcement agencies on intelligence,
investigations, training and capacity-building related to cybercrime prevention, suppression
and prosecution;
h. Issue and promulgate guidelines, advisories, and procedures in all matters related to
cybercrime investigation, forensic evidence recovery, and forensic data analysis consistent
with industry standard practices;
i. Prescribe forms and templates, including, but not limited to, those for preservation orders,
chain of custody, consent to search, consent to assume account/online identity, and request
for computer forensic examination;
j. Undertake the specific roles and responsibilities of the DOJ related to cybercrime under the
Implementing Rules and Regulation of Republic Act No. 9775 or the “Anti-Child
Pornography Act of 2009”; and
k. Perform such other acts necessary for the implementation of the Act.

Section 29. Computer Emergency Response Team (CERT). – The DOST-ICT Office shall
establish and operate the Computer Emergency Response Team (CERT) that shall serve as
coordinator for cybersecurity related activities, including but not limited to the following functions
and duties:

a. Extend immediate assistance to the CICC to fulfil its mandate under the Act with respect to
matters related to cybersecurity and the national cybersecurity plan;

b. Issue and promulgate guidelines, advisories, and procedures in all matters related to cybersecurity
and the national cybersecurity plan;

c. Facilitate international cooperation with other security agencies on intelligence, training, and
capacity-building related to cybersecurity; and

d. Serve as the focal point for all instances of cybersecurity incidents by:

1. Providing technical analysis of computer security incidents;
2. Assisting users in escalating abuse reports to relevant parties;
3. Conducting research and development on emerging threats to computer security;
4. Issuing relevant alerts and advisories on emerging threats to computer security;
5. Coordinating cyber security incident responses with trusted third parties at the national and
international levels; and
6. Conducting technical training on cyber security and related topics.

The Philippine National Police and the National Bureau of Investigation shall serve as the field
operations arm of the CERT. The CERT may also enlist other government agencies to perform
CERT functions.

RULE 7
Duties of Service Providers

Section 30. Duties of a Service Provider. – The following are the duties of a service provider:

a. Preserve the integrity of traffic data and subscriber information for a minimum period of six
(6) months from the date of the transaction;
b. Preserve the integrity of content data for six (6) months from the date of receipt of the order
from law enforcement or competent authorities requiring its preservation;
c. Preserve the integrity of computer data for an extended period of six (6) months from the
date of receipt of the order from law enforcement or competent authorities requiring
extension on its preservation;
d. Preserve the integrity of computer data until the final termination of the case and/or as
ordered by the Court, as the case may be, upon receipt of a copy of the transmittal document
to the Office of the Prosecutor;
e. Ensure the confidentiality of the preservation orders and its compliance;
f. Collect or record by technical or electronic means, and/or cooperate and assist law
enforcement or competent authorities in the collection or recording of computer data that are
associated with specified communications transmitted by means of a computer system, in
relation to Section 13 hereof;
g. Disclose or submit subscriber’s information, traffic data or relevant data in his/its possession
or control to law enforcement or competent authorities within seventy-two (72) hours after
receipt of order and/or copy of the court warrant;
h. Report to the DOJ – Office of Cybercrime compliance with the provisions of Chapter IV of
the Act, and Rules 7 and 8 hereof;
i. Immediately and completely destroy the computer data subject of a preservation and
examination after the expiration of the period provided in Sections 13 and 15 of the Act; and
j. Perform such other duties as may be necessary and proper to carry into effect the provisions
of the Act.

Section 31. Duties of a Service Provider in Child Pornography Cases. – In line with RA 9775 or
the “Anti-Child Pornography Act of 2009”, the following are the duties of a service provider in
child pornography cases:

1. An internet service provider (ISP)/internet content host shall install available technology,
program or software, such as, but not limited to, system/technology that produces hash value
or any similar calculation, to ensure that access to or transmittal of any form of child
pornography will be blocked or filtered;
2. Service providers shall immediately notify law enforcement authorities within seven (7)
days of facts and circumstances relating to any form of child pornography that passes through
or is being committed in their system; and
3. A service provider or any person in possession of traffic data or subscriber’s information,
shall, upon the request of law enforcement or competent authorities, furnish the particulars
of users who gained or attempted to gain access to an internet address that contains any form
of child pornography. ISPs shall also preserve customer data records, specifically the time,
origin, and destination of access, for purposes of investigation and prosecution by relevant
authorities under Sections 9 and 11 of R.A. 9775.

RULE 8
Prescribed Forms and Procedures

SEC. 32. Prescribed Forms and Procedures. – The DOJ – Office of Cybercrime shall issue and
promulgate guidelines, advisories, and procedures in all matters related to cybercrime, investigation,
forensic evidence recovery, and forensic data analysis consistent with international best practices, in
accordance with Section 28(h) and (i) hereof.

It shall also prescribe forms and templates such as, but not limited to, preservation orders, chain of
custody, consent to search, consent to assume account/online identity, request for computer forensic
assistance, write-blocking device validation and first responder checklist.

RULE 9
Final Provisions

SEC. 33. Appropriations. – The amount of Fifty Million Pesos (P50,000,000.00) shall be
appropriated annually for the implementation of the Act under the fiscal management of DOJ –
Office of Cybercrime.

Section 34. Separability Clause. – If any provision of these Rules is held invalid, the other
provisions not affected shall remain in full force and effect.

Section 35. Repealing Clause. – All rules and regulations inconsistent with these Rules are hereby
repealed or modified accordingly.

Section 36. Effectivity. – These rules and regulations shall take effect fifteen (15) days after the
completion of its publication in at least two (2) newspapers of general circulation.

Republic Act 10175 – Cybercrime Prevention Act was signed into law last September 12,
2012. This law is already in effect as the Supreme Court upheld its constitutionality
(February 18, 2014), although some provisions, particularly Sections 4(c)(3), 7, 12, and 19,
were deemed unconstitutional (struck down).

It is a law considered to be 11 years in the making as various groups, organizations, and
personalities lobbied for its passage. It took a while for the law to be passed as legislators and
various stakeholders needed to understand the magnitude of cybercrime and whether the penalty
provisions indicated in the E-Commerce Law – Republic Act 8792 were sufficient or not.
At a PTV4 Forum on Anti-Cybercrime Law, Department of Justice Assistant Secretary Geronimo
Sy explained that laws on cybercrime are considered as the 3rd building block of legislation
necessary to protect the people from crimes committed in cyberspace and use of ICT. I always
look at cybercrime as something under the 2nd block or special penal laws (where I think the E-
Commerce Law is in). Although it seems there is now a set of laws in place that are already in
that 3rd block and increasing further (which may already include the E-Commerce Law as it is
the first policy in place against hacking and online piracy). As we use and integrate ICT and
Internet in our lives, perhaps it is possible that new forms of crimes can happen online and where
broader or special legislation will have to be created (that provides mandate for resource
allotment too). Nevertheless, that perspective, whether agreeable or not, brings the importance of
having more organized groups of netizens who can interact with policy makers proactively on
Internet / ICT related policies and do their share of stakeholder consultation.
From my review and understanding, the law:

1. Penalizes (section 8) sixteen types of cybercrime (Section 4). They are:

Types of Cybercrime and Penalty:

1. Illegal access
Unauthorized access (without right) to a computer system or application.
Penalty: Prision mayor (imprisonment of six years and 1 day up to 12 years) or a fine of at least
Two hundred thousand pesos (P200,000) up to a maximum amount commensurate to the damage
incurred or BOTH. If committed against critical infrastructure: Reclusion temporal (imprisonment
for twelve years and one day up to twenty years) or a fine of at least Five hundred thousand pesos
(P500,000) up to a maximum amount commensurate to the damage incurred or BOTH.

2. Illegal interception
Unauthorized interception of any non-public transmission of computer data to, from, or within a
computer system.
Penalty: same as above.

3. Data Interference
Unauthorized alteration, damaging, deletion or deterioration of computer data, electronic document,
or electronic data message, and including the introduction or transmission of viruses. Authorized
action can also be covered by this provision if the action of the person went beyond agreed scope
resulting to damages stated in this provision.
Penalty: same as above.

4. System Interference
Unauthorized hindering or interference with the functioning of a computer or computer network by
inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or
program, electronic document, or electronic data messages, and including the introduction or
transmission of viruses. Authorized action can also be covered by this provision if the action of
the person went beyond agreed scope resulting to damages stated in this provision.
Penalty: same as above.

5. Misuse of devices
The unauthorized use, possession, production, sale, procurement, importation, distribution, or
otherwise making available, of devices, computer program designed or adapted for the purpose of
committing any of the offenses stated in Republic Act 10175. Unauthorized use of computer
password, access code, or similar data by which the whole or any part of a computer system is
capable of being accessed with intent that it be used for the purpose of committing any of the
offenses under Republic Act 10175.
Penalty: same as above except fine should be no more than Five hundred thousand pesos (P500,000).

6. Cyber-squatting
Acquisition of domain name over the Internet in bad faith to profit, mislead, destroy reputation, and
deprive others from registering the same. This includes those existing trademark at the time of
registration; names of persons other than the registrant; and acquired with intellectual property
interests in it. Those who get domain names of prominent brands and individuals which in turn is
used to damage their reputation – can be sued under this provision. Note that freedom of expression
and infringement on trademarks or names of person are usually treated separately. A party can
exercise freedom of expression without necessarily violating the trademarks of a brand or names of
persons.
Penalty: same as above.

7. Computer-related Forgery
Unauthorized input, alteration, or deletion of computer data resulting to inauthentic data with the
intent that it be considered or acted upon for legal purposes as if it were authentic, regardless
whether or not the data is directly readable and intelligible; or the act of knowingly using computer
data which is the product of computer-related forgery as defined here, for the purpose of
perpetuating a fraudulent or dishonest design.
Penalty: Prision mayor (imprisonment of six years and 1 day up to 12 years) or a fine of at least
Two hundred thousand pesos (P200,000) up to a maximum amount commensurate to the damage
incurred or BOTH.

8. Computer-related Fraud
Unauthorized input, alteration, or deletion of computer data or program or interference in the
functioning of a computer system, causing damage thereby with fraudulent intent.
Penalty: same as above. Provided, That if no damage has yet been caused, the penalty imposed shall
be one (1) degree lower.

9. Computer-related Identity Theft
Unauthorized acquisition, use, misuse, transfer, possession, alteration or deletion of identifying
information belonging to another, whether natural or juridical.
Penalty: same as above.

10. Cybersex
Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious
exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or
consideration. There is a discussion on this matter if it involves “couples” or “people in
relationship” who engage in cybersex. For as long as it is not done for favor or consideration, I
don’t think it will be covered. However, if one party (in a couple or relationship) sues claiming to
be forced to do cybersex, then it can be covered.
Penalty: Prision mayor (imprisonment of six years and 1 day up to 12 years) or a fine of at least
Two hundred thousand pesos (P200,000) but not exceeding One million pesos (P1,000,000) or BOTH.

11. Child Pornography
Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child
Pornography Act of 2009, committed through a computer system.
Penalty: Penalty to be imposed shall be one (1) degree higher than that provided for in Republic
Act 9775, if committed through a computer system.

****** Unsolicited Commercial Communications (SPAMMING)
THIS PROVISION WAS STRUCK DOWN BY THE SUPREME COURT AS UNCONSTITUTIONAL.

12. Libel
Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as
amended, committed through a computer system or any other similar means which may be devised in
the future. Revised Penal Code Art. 355 states: Libel by means of writings or similar means. — A
libel committed by means of writing, printing, lithography, engraving, radio, phonograph, painting,
theatrical exhibition, cinematographic exhibition, or any similar means, shall be punished by
prision correccional in its minimum and medium periods or a fine ranging from 200 to 6,000 pesos,
or both, in addition to the civil action which may be brought by the offended party. The Cybercrime
Prevention Act strengthened libel in terms of penalty provisions. The electronic counterpart of
libel has been recognized since the year 2000 when the E-Commerce Law was passed. The E-Commerce
Law empowered all existing laws to recognize its electronic counterpart whether commercial or not
in nature.
Penalty: Penalty to be imposed shall be one (1) degree higher than that provided for by the Revised
Penal Code, as amended, and special laws, as the case may be.

13. Aiding or Abetting in the commission of cybercrime
Any person who willfully abets or aids in the commission of any of the offenses enumerated in this
Act shall be held liable.
Penalty: Imprisonment of one (1) degree lower than that of the prescribed penalty for the offense or
a fine of at least One hundred thousand pesos (P100,000) but not exceeding Five hundred thousand
pesos (P500,000) or both.

14. Attempt in the commission of cybercrime
Any person who willfully attempts to commit any of the offenses enumerated in this Act shall be held
liable.
Penalty: same as above.

15. All crimes defined and penalized by the Revised Penal Code, as amended, and special laws, if
committed by, through and with the use of information and communications technologies shall be
covered by the relevant provisions of this Act.
Penalty: Penalty to be imposed shall be one (1) degree higher than that provided for by the Revised
Penal Code, as amended, and special laws, as the case may be.

Although not exactly a cybercrime, I am including this here as penalties are also imposed by the
law.

16. Corporate Liability. (Section 9)
When any of the punishable acts herein defined are knowingly committed on behalf of or for the
benefit of a juridical person, by a natural person acting either individually or as part of an organ
of the juridical person, who has a leading position within, based on: (a) a power of representation
of the juridical person provided the act committed falls within the scope of such authority; (b) an
authority to take decisions on behalf of the juridical person. Provided, That the act committed
falls within the scope of such authority; or (c) an authority to exercise control within the
juridical person. It also includes commission of any of the punishable acts made possible due to the
lack of supervision or control.
Penalty: For sanctioned actions, juridical person shall be held liable for a fine equivalent to at
least double the fines imposable in Section 7 up to a maximum of Ten million pesos (P10,000,000).
For neglect such as misuse of computer resources that resulted to cybercrime committed in
organization physical or virtual premises or resources, juridical person shall be held liable for a
fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Five million
pesos (P5,000,000). Criminal liability may still apply to the natural person.

If you are going to include all provisions in the Revised Penal Code, there can even be more than
16 types of cybercrime as a result.

2. Liability on other laws

Section 7 was struck down by Supreme Court as it violated the provision on double
jeopardy.

3. Jurisdiction

(a) The Regional Trial Court designated special cybercrime courts shall have jurisdiction over
any violation of the provisions of this Act including any violation committed by a Filipino
national regardless of the place of commission. Jurisdiction shall lie if any of the elements was
committed within the Philippines or committed with the use of any computer system wholly or
partly situated in the country, or when by such commission any damage is caused to a natural or
juridical person who, at the time the offense was committed, was in the Philippines. (section 21)

(b) For international and trans-national cybercrime investigation and prosecution, all relevant
international instruments on international cooperation in criminal matters, arrangements agreed on
the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for
the purposes of investigations or proceedings concerning criminal offenses related to computer
systems and data, or for the collection of evidence in electronic form of a criminal offense shall
be given full force and effect. (section 21)

This gives the Philippines the ability to participate in treaties and mutual cooperation with
countries that have counterpart legislation, especially on cybercrime cases that have team members
or victims residing in the Philippines.

4. Responsibilities of the Philippine National Police (PNP) and National Bureau of
Investigation (NBI)

The law gave police authorities the mandate they need to initiate investigation to process the
various complaints / reports they get from citizens. There are instances of online attacks, done
anonymously, where victims approach police authorities for help. They often find themselves lost
in getting investigation assistance as police authorities can’t effectively initiate an investigation
(only do special request) – as their legal authority to request for logs or data does not exist at all
unless a case is already filed (which, in the case of anonymously done attacks, will be hard to initiate).
I truly believe in giving citizen victims, regardless of stature, the necessary investigation
assistance they deserve. This law gave our police authorities just that.

The PNP and NBI shall be responsible for the enforcement of this law. This includes:

(a) The PNP and NBI are mandated to organize a cybercrime unit or center manned by special
investigators to exclusively handle cases involving violations of this Act. (Section 10).

(b) The PNP and NBI are required to submit timely and regular reports including pre-operation,
post operation, and investigation results and such other documents as may be required to the
Department of Justice for review and monitoring. (Section 11)

(c) THE SUPREME COURT STRUCK DOWN SECTION 12 THAT IS SUPPOSED TO
authorize law enforcement authorities, without court warrant, to collect or record by
technical or electronic means traffic data in real time associated with specified
communications transmitted by means of a computer system. (Section 12) Getting a COURT
WARRANT is a must.

(d) May order a one-time extension of another six (6) months on computer data requested for
preservation. Provided, That once computer data preserved, transmitted or stored by service
provider is used as evidence in a case, the mere furnishing to such service provider of the
transmittal document to the Office of the Prosecutor shall be deemed a notification to preserve
the computer data until the termination of the case. (Section 13)

(e) Carry out search and seizure warrants on computer data. (section 15) Once done, turn over
custody in a sealed manner to courts within 48 hours (section 16) unless an extension of no more
than 30 days was given by the courts (section 15).

(f) Upon expiration of time required to preserve data, police authorities shall immediately and
completely destroy the computer data subject of a preservation and examination. (section 17)

5. Responsibility of service providers (SP)

Service provider refers to any public or private entity that provides to users of its service the ability
to communicate by means of a computer system, and processes or stores computer data on behalf
of such communication service or users of such service. (Section 3(n))

(a) SP upon receipt of a court warrant from police authorities to disclose or submit subscriber’s
information, traffic data or relevant data in its possession or control shall comply within seventy-
two (72) hours from receipt of the order in relation to a valid complaint officially docketed and
assigned for investigation and the disclosure is necessary and relevant for the purpose of
investigation. (section 14)

(b) The integrity of traffic data and subscriber information relating to communication services
provided by a service provider shall be preserved for a minimum period of six (6) months from
the date of the transaction. Content data shall be similarly preserved for six (6) months from the
date of receipt of the order from law enforcement authorities requiring its preservation. (Section
13)

(c) Once computer data preserved, transmitted or stored by service provider is used as evidence
in a case, the mere furnishing to such service provider of the transmittal document to the Office
of the Prosecutor shall be deemed a notification to preserve the computer data until the
termination of the case. (Section 13)

(d) Upon expiration of time required to preserve data, SP shall immediately and completely
destroy the computer data subject of a preservation and examination. (section 17)

(e) Failure to comply with the provisions of Chapter IV specifically the orders from law
enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with
imprisonment of prision correccional in its maximum period or a fine of One hundred thousand
pesos (P100,000) or both for each and every non-compliance with an order issued by law
enforcement authorities.

Service Provider protection insofar as liability is concerned is already covered under the E-
Commerce Law.

6. Responsibility of individuals

(a) Individuals upon receipt of a court warrant being required to disclose or submit subscriber’s
information, traffic data or relevant data in his possession or control shall comply within seventy-
two (72) hours from receipt of the order in relation to a valid complaint officially docketed and
assigned for investigation and the disclosure is necessary and relevant for the purpose of
investigation.

(b) Failure to comply with the provisions of Chapter IV specifically the orders from law
enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with
imprisonment of prision correccional in its maximum period or a fine of One hundred thousand
pesos (P100,000) or both for each and every non-compliance with an order issued by law
enforcement authorities.

7. Inadmissible evidence

(a) Any evidence procured without a valid warrant or beyond the authority of the same shall be
inadmissible for any proceeding before any court or tribunal. (section 18)

8. Access limitation

The Supreme Court struck down Section 19 of the law that gives the Department of Justice
powers to order the blocking of access to a site provided there is prima facie evidence supporting
it.

9. Cybercrime new authorities

(a) Office of Cybercrime within the DOJ designated as the central authority in all matters relating
to international mutual assistance and extradition. (section 23)

(b) Cybercrime Investigation and Coordinating Center (CICC) an inter-agency body to be
created under the administrative supervision of the Office of the President, for policy
coordination among concerned agencies and for the formulation and enforcement of the national
cybersecurity plan. (section 24)

CICC will be headed by the Executive Director of the Information and Communications
Technology Office under the Department of Science and Technology as Chairperson with the
Director of the NBI as Vice Chairperson; the Chief of the PNP, Head of the DOJ Office of
Cybercrime; and one (1) representative from the private sector and academe, as members.
(section 25)

The CICC is the cybercrime czar tasked to ensure this law is effectively implemented. (section
26)

Although the law specifically states a fifty million pesos (P50,000,000) annual budget, the
determination as to where it would go or be allotted, I assume, shall be to the CICC.

DEBATE / DISPUTE on the Cybercrime Prevention Act.

In my discussion with lawyers, journalists, bloggers, among others, concerns were raised on how
the law can be in violation of the Constitution and other laws. This includes:

1. Discrimination against online crime.

In crimes committed online, the law gives a higher penalty compared to its offline counterpart.
This is seen as a violation of principles within the E-Commerce Law where both offline and online
evidence is given equal weight. In its implementing rules and regulations, it also indicated not to
give special benefit or penalty to electronic transactions just because they are committed online.

However, I note that perhaps the reason for this also is to increase the penalties. The original
Revised Penal Code for example gives penalty for libel in the amount of up to six thousand pesos
(P6,000).

2. Did the Cybercrime Law criminalize online libel? Will it result in double jeopardy?

Some see the Cybercrime Law as enabling criminalization of online libel. I think that is not
correct.

Libel being a criminal offense was defined under the Revised Penal Code.

The E-Commerce Law empowered all existing laws to recognize its electronic counterpart. It
recognized both commercial and non-commercial in form. This made electronic documents (text
message, email, web pages, blog post, etc.) admissible as evidence in court (and they can’t be denied
legal admissibility just because they are in electronic form, and have the same primary evidence weight).
Existing penalties under the laws where the offense falls shall apply. That is why filing of libel
cases committed electronically became possible in the past years (and there were cases filed,
some won, some lost, and some are ongoing).

Libel is already a criminal offense under the Revised Penal Code as is. Then it got extended to its
electronic form since 2000 (with the recognition of its electronic form provided by the E-
Commerce Law) with existing penalties applying to it. With the Cybercrime Law, it increased the
penalty further if committed with the use of ICT.

According to Atty. Geronimo Sy (Department of Justice), during the PTV4 Forum on Anti-
Cybercrime Law, a complaint on electronic libel will only have one (1) case to be filed. The
maximum penalty for electronic libel is 8 years.

Hitting the “Like” button on Facebook does not make you commit the act of libel. In this ANC
interview, Senator Ed Angara clarified that posting a comment where you get to share your
thoughts is covered under “protected expression”.

The amount of penalty is still to be set by the DOJ as there is usually no automatic degree scaling
in special penal laws. If a person who got accused of committing electronic libel also did the
same in traditional (offline) form, only one case shall be filed. It will be interesting to see how the
DOJ will implement the scaling in effect as a result of this.

The mention of libel in the Cybercrime Law is the most contested provision in the law. The
additional penalties are seen to curtail freedom of expression. Most of the petitions against the
Cybercrime Law focused on this provision.

Numerous legislators are already expressing interest as well in amending the Cybercrime Law
and Revised Penal Code.

3. Real time data access

I appreciate the need for real-time access to data, such as cellular traffic data, especially in
tracking scammers and any critical incident as it happens (such as kidnapping and other in-
progress crimes) where immediate access is important.

However, the mining of this data for surveillance can be seen as subject to abuse, furthermore if no
intervention, such as a judge’s approval, comes first before getting access where the need can be
justified.

Although I think this will slow down the process if anything needs court approval first, other
parties believe that this is a must requirement. As the Supreme Court struck down Section 12,
I hope processes will be set up to assist law enforcement with its investigation, to hasten
court warrant issuance, especially as it receives complaints from victims of cybercrime.
As the Cybercrime Law gets upheld by the Supreme Court, here are my
personal notes on the development of its implementing rules and
regulations:
1. Ensure that procedures for police assistance and securing court orders will be fair regardless
whether complainants can afford a lawyer or not to assist them.

2. Make the process for data access efficient so that text and online scams culprits can be made
accountable soon while ensuring that the data collected won’t be abused.

I am glad that lobbying moves to strike down the whole Cybercrime Prevention Act
(Republic Act 10175) did not prosper. The law has greater purposes and intentions that can
be helpful in protecting the interest of our netizens and country online.

13 Responses to “16 Cybercrimes covered under Cybercrime Prevention Act – Republic Act 10175”

1. Roel Pineda, March 20th, 2014

Does downloading through utorrent, bit torrent, etc., belong to the scope of the cybercrime law? Even if
the contents downloaded were already old, like old movies, songs, etc.?

Reply
o Janette Toral, March 31st, 2014

Yes it is. But only if the copyright holder will be the one to sue you.

Reply
2. Ed, June 15th, 2015

Can the libelous or defamatory exchange in the PM inbox of Facebook be used as evidence for libel under
RA 10175?

Reply
o Janette Toral, July 4th, 2015

Yes it can be since the year 2000 when the E-Commerce Law or Republic Act 8792 was passed.

Reply
3. JKenneth Rendal, December 25th, 2015

I’ve been trying to file a case against my neighbors but they have been continuously blocking all evident
proof and other forms of evidence; they have tried all sorts of ways just for me to send the given pictures
and videos. How should I consult the NBI or the PNP with the correct approach on this? Since I already
tried, but authorities here in Dumaguete are still naive about the cybercrime law, and by far it has been
gradually increasing with more of my friends experiencing the same technical issues I’m dealing with.
They are using the OS program Linux. Please give me an IT or programmer who’s under the supervision
of the NBI or the PNP to contact in region 7, please.

Reply
4. Dhan Jarin, February 24th, 2016

Hello, is selling online covered by this? I was deceived by the person I bought a laptop from. The item
was defective. What case can I file against them? Thank you.

Reply
o Janette Toral, February 25th, 2016

Hi Dhan. You can file a complaint with the NBI or PNP. It is covered by the Consumer Act of the Philippines.

Reply
5. Danriel Caberto, June 12th, 2017

Hi, ma’am. I would like to ask if this covers a case where the person you had a fight with keeps posting
online but she is not naming you. She has a lot of posts, ma’am, concerning our fight, and she is even using
bad words. Her posts don’t contain my name, and the case is that she says I spread gossip about her having
another live-in partner, and she is making me pay her 10k for moral damages. I can’t afford to pay her, so
she has posted a lot. What case can I file against her?

Reply
o Janette Toral, July 11th, 2017

If it does not mention you in any way – it will be hard to push it. Unless this person started giving clues that
will clearly allude to you.

Reply
6. Gail Satorre, June 16th, 2017

Can the libelous or defamatory exchange in the PM inbox of Skype be used as evidence for libel under
RA 10175?

Reply
o Janette Toral, July 11th, 2017

It can be. But it will also put the person sharing that conversation at risk for violating confidentiality.

Reply
7. Remo, June 26th, 2017

If somebody blackmails someone to post their nude pictures online, does it come under cybercrime?

Reply
o Janette Toral, July 11th, 2017

Yes and other related crimes (including extortion).