Applicability of the Philippines Data Privacy Act of 2012

The Philippines established its data protection framework through comprehensive legislation addressing the processing of personal information. The primary role of this framework is governed by Republic Act No. 10173 – Data Privacy Act of 2012, which serves as the country's principal data protection statute.

The Republic Act No. 10173 – Data Privacy Act of 2012 was adopted on August 15, 2012 and became effective on September 8, 2012. The Philippines has established a comprehensive data protection framework to regulate the processing of personal information. The primary role of the Implementing Rules and Regulations of Republic Act No. 10173, also known as the Data Privacy Act of 2012 is to provide detailed implementation guidelines and procedures for the Data Privacy Act of 2012.

The Implementing Rules and Regulations were adopted on August 24, 2016 and became effective on September 9, 2016.

Material Scope (DPA Section 4)

"This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing..."

Key exemptions:

1. Government employee/officer information related to their position
2. Government contractor information related to services
3. Public license and permit information
4. Information processed for journalistic, artistic, literary or research purposes
5. Information for public authority functions
6. Information required by banks/financial institutions for regulatory compliance
7. Personal information from foreign jurisdictions processed according to their laws

Territorial Scope (DPA Section 6)

Applies to acts done outside Philippines if:

1. Related to personal information about Philippine citizens/residents
2. Entity has links with Philippines through:
   • Contract entered in Philippines
   • Central management in Philippines
   • Branch/agency/office with data access
3. Entity has other links:
   • Carries on business in Philippines
   • Collects/holds data in Philippines

Analysis of Applicability

Material Applicability

1. General Rule: The DPA applies broadly to all personal information processing by both public and private entities.
2. Key Exemptions:
   • Official information of public servants (transparency purposes)
   • Government contractor information (accountability)
   • Regulatory compliance data (avoiding duplicate regulation)
   • Special purposes (balancing other rights/interests)
3. Sectoral Considerations:
   • Financial sector has specific exemptions for regulatory compliance
   • Media/journalism has exemptions for freedom of expression
   • Research has exemptions for public benefit purposes

Territorial Applicability

1. Primary Connecting Factors:
   • Processing in Philippines
   • Processing about Philippine citizens/residents
   • Use of equipment in Philippines
   • Business presence in Philippines
2. Extraterritorial Reach:
   • Applies to foreign entities processing Philippine residents' data
   • Covers foreign companies with Philippine operations
   • Includes online businesses targeting Philippine market
3. Establishment Requirements:
   • Physical presence through office/branch
   • Use of equipment in Philippines
   • Contractual relationships in Philippines
   • Business operations targeting Philippines

Practical Implications

1. For Local Organizations:
   • Must comply with DPA for all personal data processing
   • Need to identify applicable exemptions
   • Must implement appropriate safeguards
2. For Foreign Organizations:
   • Must assess Philippine connections
   • Need to comply if targeting Philippine market
   • Should consider local representation if processing Philippine data
3. For Data Subjects:
   • Rights protected regardless of processor location
   • Special protections for sensitive personal information
   • Exemptions may limit certain rights in specific contexts