The Philippines' Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR) explicitly use the factor of contracts entered into within the Philippines as a basis for determining the law's applicability.

Text of Relevant Provisions

DPA of 2012 Sec.6(b1):

"This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following: (1) A contract is entered in the Philippines;"

Implementing Rules and Regulations Sec.4(d2):

"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following: (2) A contract is entered in the Philippines;"

Analysis of Provisions

The DPA and its IRR establish that entering into a contract within the Philippines creates a sufficient link to the jurisdiction to trigger the application of Philippine data protection law. This factor extends the law's reach to entities that may not be physically present in the Philippines but have contractual ties to the country.The phrase "

act done or practice engaged in and outside of the Philippines

" in both provisions indicates that this factor applies to extraterritorial activities. This means that even if the data processing occurs outside the Philippines, the law can still apply if a contract was entered into within the country.It's important to note that this factor is part of a broader set of criteria. The DPA Sec.6(b) specifies that the entity must be "

processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents

". This suggests that the contract must be related to the processing of personal data of Philippine citizens or residents for this factor to apply.The IRR Sec.4(d) provides a slightly broader scope, stating that the act, practice, or processing of personal data must be done "

with due consideration to international law and comity

". This indicates that while a contract entered in the Philippines is a strong factor, it may not be absolute and could be subject to international legal principles.

Implications

This provision has significant implications for businesses and organizations:

1. Foreign entities: Companies based outside the Philippines that enter into contracts within the country may become subject to Philippine data protection law, even if their data processing activities occur elsewhere.
2. Online transactions: The provision could potentially apply to online contracts where the offer or acceptance occurs within the Philippines, though this may require further interpretation.
3. Subcontractors and service providers: Foreign companies that contract with Philippine-based service providers for data processing activities may fall under the law's scope.
4. Due diligence: Organizations should carefully consider the implications of entering into contracts in the Philippines, as it may subject them to additional regulatory requirements under the DPA.
5. Compliance obligations: Entities with contracts in the Philippines should assess their data processing activities and ensure compliance with Philippine data protection standards, even if they don't have a physical presence in the country.

This factor reflects the Philippine legislature's intent to protect its citizens' and residents' personal data, regardless of where the processing occurs, by leveraging contractual connections to the jurisdiction as a basis for applying its data protection law.