
NPC Advisory No. 2023-01: Implications for Businesses and Data Privacy in the Philippines

On November 7, 2023, the National Privacy Commission (NPC) of the Philippines issued Advisory No. 2023-01, providing crucial guidelines on deceptive design patterns. This advisory has significant implications for businesses operating in the Philippines, particularly those with digital interfaces that process personal data. Here’s what you need to know:

What Are Deceptive Design Patterns?

The NPC defines deceptive design patterns as “design techniques embedded on an analog or digital interface that aim to manipulate or deceive a data subject to perform a specific act relating to the processing of their personal data.” These can be categorized into two main types:

1. Appearance-Based Deceptive Design Patterns

2. Content-Based Deceptive Design Patterns

Key Points of the Advisory

1. Impact on Consent

The use of deceptive design patterns can invalidate a data subject’s consent, potentially rendering the processing of personal data unlawful. This aligns with the NPC’s previous Guidelines on Consent, which emphasize that consent must be freely given.

2. Transparency and Fairness

The advisory underscores the importance of transparency in presenting information to data subjects. User interfaces must provide clear, concise, and straightforward language about data processing activities. Moreover, the principle of fairness dictates that data processing should not be detrimental, discriminatory, unexpected, or misleading to data subjects.

3. Accountability and Privacy by Design

Personal Information Controllers (PICs) are held accountable for the data they process through analog or digital interfaces. The advisory also emphasizes that using deceptive design patterns is inconsistent with the obligation to adopt a Privacy by Design approach.

Implications for Businesses

1. Review of Digital Interfaces: Companies should conduct thorough audits of their websites, apps, and other digital platforms to identify and eliminate any deceptive design patterns.

2. Consent Mechanisms: Businesses must reassess their consent acquisition processes to ensure they are transparent, fair, and free from manipulation.

3. User Experience (UX) Design: UX designers and developers need to be aware of these guidelines to create interfaces that respect user privacy and autonomy.

4. Privacy Policy Updates: Organizations may need to update their privacy policies and consent forms to align with the advisory’s requirements.

5. Training and Awareness: Staff involved in UI/UX design, data processing, and privacy compliance should be trained on recognizing and avoiding deceptive design patterns.

The NPC’s Advisory No. 2023-01 represents a significant step towards protecting data subject rights in the digital age. It places the onus on businesses to ensure their digital interfaces are designed with privacy and transparency in mind. Non-compliance could lead to invalidated consent and potential regulatory action.

As the digital landscape continues to evolve, it’s crucial for businesses to stay informed about such regulatory developments and adapt their practices accordingly. This advisory serves as a reminder that data privacy considerations should be at the forefront of digital design and user experience strategies.

NPC Advisory No. 2024-01: Model Contractual Clauses for Cross-Border Transfers of Personal Data

The National Privacy Commission (NPC) of the Philippines has recently issued Advisory No. 2024-01, dated May 30, 2024, addressing the use of Model Contractual Clauses (MCCs) for cross-border transfers of personal data. This advisory is a significant development in the Philippine data privacy landscape, reflecting the country’s commitment to international data protection standards while facilitating global data flows.

Key Points of the Advisory

1. Voluntary Adoption: The NPC emphasizes that the use of MCCs is voluntary. Organizations are not required to adopt these clauses but are encouraged to consider them as a means of upholding the accountability principle in cross-border data transfers.

2. International Alignment: The advisory references several international MCC frameworks, including those from ASEAN, the EU, and other jurisdictions. This demonstrates the NPC’s efforts to align with global best practices.

3. Comparative Resources: The NPC highlights two key resources:

   – The Global Privacy Assembly’s Comparative Tables of Contractual Clauses

   – The Joint Guide to ASEAN MCCs and EU SCCs

4. Flexibility: While providing guidance, the NPC allows organizations to determine which MCCs best suit their needs and to negotiate additional terms as necessary.

5. No Official Review: The NPC will not review agreements for conformity with MCCs, placing the onus on organizations to ensure compliance.

Implications for Businesses

1. Enhanced Options for Data Transfers: Organizations now have access to a variety of MCC templates, potentially simplifying the process of ensuring compliant cross-border data transfers.

2. Increased Responsibility: With the NPC not offering reviews, businesses must take greater responsibility in selecting and implementing appropriate MCCs.

3. Global Interoperability: The advisory facilitates easier data flows between the Philippines and other jurisdictions, particularly within ASEAN and with the EU.

4. Compliance Flexibility: The voluntary nature of the MCCs allows businesses to tailor their approach to cross-border data transfers while still adhering to data protection principles.

Recommendations

1. Review Existing Practices: Organizations should assess their current cross-border data transfer mechanisms in light of this advisory.

2. Consider MCC Adoption: While not mandatory, adopting MCCs can demonstrate a commitment to data protection best practices.

3. Stay Informed: Keep abreast of further developments, as the data privacy landscape continues to evolve both locally and globally.

4. Seek Expert Advice: Given the complexity of international data transfers, consulting with legal experts in data privacy can help ensure compliance and optimize data transfer strategies.

This advisory reflects the Philippines’ proactive approach to data protection in an increasingly interconnected world. By providing guidance on MCCs, the NPC is empowering organizations to engage in international data transfers with greater confidence and security.

For specific advice on how this advisory may impact your organization’s data transfer practices, please contact our data privacy team.

Registration of Data Processing Systems (NPC Circular 17-01)

The National Privacy Commission recently issued NPC Circular 17-01 on the registration of data processing systems and notifications regarding automated decision-making.

Under the Circular, covered Personal Information Controllers and Personal Information Processors should complete Phase 1 of the process for the registration of data processing systems by September 9, 2017 and Phase 2 by March 8, 2018.

A copy of the circular can be downloaded here.

FAQ on the NPC Rules of Procedure

Who may file a complaint?

1. The person claiming to be the subject of the privacy breach/violation;
2. His or her authorized representative; or
3. the National Privacy Commission (NPC), on its own initiative
(Sec. 3, NPC Rules)
 
Can someone not personally affected, and likewise not an authorized representative, file a complaint?

No. However, he or she may opt for either of the following:
1. Request for an advisory opinion; or
2. Inform the NPC on the data privacy concern
(Sec. 3, NPC Rules)
 
Will filing a complaint or requesting an advisory opinion require the payment of fees?
 
Yes. Otherwise, it will not be entertained. (Sec. 5, NPC Rules)
 
Is the rule on filing fees absolute?
 
No. The following instances are the exceptions to the rule on filing fees:
1. The complainant is the government, or any agency or instrumentality thereof, including government-owned and controlled corporations (excluding, however, GOCCs incorporated under the Corporation Code);
2. The complainant is an indigent or pauper litigant under the Rules of Court, i.e. one who has no money or property sufficient and available for food, shelter, and basic necessities for himself and his family (Sec. 21, Rule 3, Rules of Court); or one whose gross income and that of his immediate family do not exceed an amount double the monthly minimum wage of an employee (Sec. 19, Rule 141, Rules of Court) and who does not own real property with a fair market value exceeding PhP 300,000.00; or
3. NPC waives the requirement for good cause shown.
 
Where should the complaint be filed?
 
The complaint can be filed with any office of the NPC (Sec. 7, NPC Rules). Note that the Rules are permissive as to which office the complaint may be filed with and do not limit filing to the office located in the same locality/region as the residence of the complainant. Note, also, that while “any office” is mentioned, at present, the NPC has only one existing office, located in Quezon City. Nonetheless, electronic filing is allowed via e-mail to complaints@privacy.gov.ph, with a copy furnished to all other parties to the complaint (Sec. 8, NPC Rules).
 
What shall be the form and contents of the complaint?
 
It shall be in writing, verified and under oath, or contained in a sworn affidavit. The Efficient Use of Paper Rule must be complied with. In addition, the following shall be included:
 
* a brief narration of the material facts;
* supporting documents (original or certified true copy) and testimonial evidence;
* specific violation of the Data Privacy Act or related issuances;
* particular acts or omissions amounting to the alleged data privacy violations; and
* any and all correspondence with the respondent on the matter complained of, including a statement of the action taken by the latter to address the matter, if any.
(Sec. 10, NPC Rules)
 
What will happen next upon filing the complaint?
 
The case will be assigned by the NPC to an investigating officer for evaluation. Said officer will then recommend any of the following:
1. outright dismissal,
2. referral to the respondent for comment,
3. further monitoring,
4. that the complaint be treated as a request for an advisory opinion, or
5. indorsement to the proper government agency.
(Sec. 11, NPC Rules)
 
If the allegations are deemed to be sufficient, the investigating officer shall issue an Order to Confer for Discovery, directing the parties to confer within 10 days from receipt of said Order. Whatever is agreed upon during such conference shall then be reduced into a Discovery Conference Report to be submitted to the NPC within five days from the conclusion of the conference. (Sec. 13, NPC Rules)
 
Thereafter, the respondent/s will be directed, via an Order, to submit a Comment to the Complaint within 10 days from receipt of said Order. (Sec. 15, NPC Rules)
 
If the investigating officer deems it necessary, he or she may then require the complainant to file a Reply within 10 days, and the respondent, a Rejoinder, also within 10 days. (Sec. 15, NPC Rules)
 
The investigating officer will then proceed to investigate the circumstances surrounding the alleged privacy violation (Sec. 16, NPC Rules) and, thereafter, submit a fact-finding report, with corresponding recommendations, to the Office of the Commissioner (Sec. 18, NPC Rules).
 
The NPC will review the evidence presented, together with the fact-finding report. It may either:
1. promulgate a Decision; or
2. order the conduct of a clarificatory hearing.
 
The Decision may include enforcement orders. (Sec. 21 & 22, NPC Rules)
 
Is the Decision of the NPC appealable?
 
Yes. The party adversely affected may file an appeal within 15 days from receipt of a copy of the Decision. Otherwise, the same will become final and executory. (Sec. 30, NPC Rules)

Data Privacy in the Time of Leaks and Hackers

#Comeleak became a trending topic early in 2016 when hackers exposed the data of over 55 million registered voters. The wealth of information leaked included crucial data that could enable identity theft – including full names, birthdays, addresses, height, weight, and passport details, among others.
 
Roughly a year after, the National Privacy Commission (NPC) released a press statement singling out Chairman Andres Bautista of the Commission on Elections (COMELEC) as the lone official personally liable for the leak. The NPC posits that Bautista is liable under the Data Privacy Act of 2012 for failing to put data privacy policies in place. Specifically, the NPC recommends the filing of criminal charges against Bautista based on Section 26, which provides for a penalty of imprisonment of one to three years and a fine ranging from Php500,000.00 to Php2,000,000.00 for access to personal information due to negligence, and a penalty of imprisonment of three to six years and a fine ranging from Php500,000.00 to Php4,000,000.00 for access to sensitive personal information due to negligence.
 
COMELEC, for its part, issued a statement maintaining that data breaches are not a new phenomenon, and that it has been following generally accepted standards and international best practices regarding technology-related activities. On his personal Facebook page, Bautista shared a December 2016 news article pertaining to Yahoo! data security issues, wherein the international tech giant admitted that over one billion user accounts had been hacked. Indeed, “Comeleak” is just one of the many “leaks” surfacing in the political arena – with a number of otherwise privileged information/communications being exposed via “WikiLeaks”, among others.
 
At present, there is as yet no landmark Supreme Court decision tackling the Data Privacy Act. To what extent can individuals be protected? What measures are expected to be taken? If even tech giants are vulnerable to hackers, is anyone really safe? Where do we draw the line in establishing liability? It will be interesting to monitor the jurisprudential development of data privacy law as this case progresses.

FOINALLY!

After years of languishing in Congress without any progress, President Rodrigo Duterte breathed life into Freedom of Information (FOI) by issuing Executive Order No. 2, which mandates the disclosure of information by all offices under the executive branch.