Applicability of Data Protection Law in the Philippines to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is utilized to determine the scope of applicability of the Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR) within the Philippines. This factor ensures that the law applies to organizations that have a commercial presence or engage in economic activities within the Philippines, regardless of where the data processing occurs.

Text of Relevant Provisions

Implementing Rules and Regulations Sec.4(d5):

"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:5. An entity that carries on business in the Philippines;"

Analysis of Provisions

The provision in IRR Sec.4(d5) extends the applicability of the Data Privacy Act 2012 to any entity that carries on business in the Philippines. This provision ensures that foreign entities with business activities in the Philippines are subject to the same data protection obligations as local entities.

• Scope of Application: The Act applies to both domestic and foreign entities that process personal data in the context of their business operations within the Philippines. This includes organizations that have a sustained business presence or engage in systematic business practices within the country.
• Carrying on Business: The term "carries on business" implies consistent and ongoing economic activities. This provision ensures that entities engaging in such activities in the Philippines are subject to the same data protection obligations as local businesses.

The rationale for including this factor in the law is to ensure comprehensive data protection for individuals in the Philippines by holding foreign businesses accountable for their data processing activities within the jurisdiction. This approach prevents regulatory gaps and ensures that personal data is protected regardless of the origin of the business.

Implications

For Businesses and Data Processors:

• Extended Compliance: Foreign businesses that carry on business in the Philippines must comply with the Data Privacy Act of 2012. This includes adhering to principles related to the collection, storage, and processing of personal data as outlined in the Act.
• Regulatory Oversight: The National Privacy Commission (NPC) has the authority to enforce compliance with the Data Privacy Act for these foreign entities, ensuring that data protection standards are upheld.
• Case Examples:
  • A multinational company with a subsidiary or branch office in the Philippines conducting regular business operations must comply with the Data Privacy Act.
  • An international e-commerce platform that targets Filipino consumers and processes their personal data must adhere to the Data Privacy Act, even if its main operations are outside the Philippines.
• Compliance Challenges: Foreign entities must understand and implement the Philippines' data protection laws, which may differ from those in their home countries. This may require legal adjustments and operational changes to align with the Data Privacy Act requirements.

By extending the Data Privacy Act's applicability to businesses that engage in regular practices in the Philippines, the law ensures that data protection standards are consistently applied, fostering trust and protecting the personal data of individuals within the Philippines.