The Data Privacy Act of 2012 (DPA) of the Philippines explicitly uses citizenship and residency as factors to determine the law's applicability, extending its scope to personal data processing related to Philippine citizens or residents, regardless of where the processing occurs.

Text of Relevant Provisions

DPA of 2012 Sec.6(a):

"This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;"

DPA of 2012 Sec.6(b):

"This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following: (1) A contract is entered in the Philippines; (2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and (3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and"

Implementing Rules and Regulations Sec.4(b):

"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: b. The act, practice or processing relates to personal data about a Philippine citizen or Philippine resident;"

Analysis of Provisions

The DPA of 2012 and its Implementing Rules and Regulations (IRR) clearly establish that the law applies to the processing of personal information about Philippine citizens or residents, regardless of where the processing takes place. This extraterritorial application is evident in the phrase "

act done or practice engaged in and outside of the Philippines

" used in both Sec.6 of the DPA and Sec.4 of the IRR.The law's scope is further expanded in Sec.6(b) of the DPA, which introduces the concept of an entity having a "

link with the Philippines

". This provision extends the law's applicability to entities processing personal information of Philippine citizens or residents, even if the processing occurs outside the Philippines, provided there is a connection to the country. This connection can be established through various means, such as entering into contracts in the Philippines, having central management and control in the country, or maintaining a branch, agency, office, or subsidiary in the Philippines.

Implications

The broad scope of applicability based on citizenship and residency has significant implications for businesses:

1. Extraterritorial reach: Companies operating outside the Philippines must comply with the DPA if they process personal data of Philippine citizens or residents, even if they have no physical presence in the country.
2. Broad definition of "link": The law's application to entities with a "link" to the Philippines creates a wide net, potentially affecting multinational corporations, online businesses, and data processors worldwide.
3. Compliance challenges: Foreign entities may need to implement specific data protection measures for Philippine citizens and residents, potentially requiring separate data handling processes.
4. Cross-border data transfers: Companies transferring personal data of Philippine citizens or residents across borders must ensure compliance with the DPA, regardless of the data's destination.
5. Potential conflicts with other laws: The extraterritorial application may create conflicts with data protection laws in other jurisdictions, requiring careful navigation of potentially conflicting legal requirements.

This approach to applicability reflects the Philippine government's intent to protect its citizens' and residents' personal data in an increasingly globalized digital landscape, regardless of where the data processing occurs.