Philippines: Exemption for Personal Data of Foreign Origin with Adequate Protection
Exemption for Personal Data of Foreign Origin in the Philippines
The Data Privacy Act of 2012 in the Philippines explicitly exempts certain personal information of foreign origin from its scope of applicability.
Text of Relevant Provisions
DPA of 2012 Sec. 4(2g):
"This Act does not apply to the following: [...] (g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines."
Analysis of Provisions
The Data Privacy Act of 2012 in the Philippines incorporates a specific exemption for personal information collected from foreign jurisdictions. This exemption is contingent on two key conditions:
- The personal information must be "originally collected from residents of foreign jurisdictions"
- The collection must be "in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws"
This provision effectively creates a carve-out for data that originates from outside the Philippines, provided it was collected in compliance with the laws of its origin jurisdiction.
The phrase "which is being processed in the Philippines" indicates that this exemption applies even when the data is subsequently processed within Philippine territory. This is significant as it extends the exemption beyond mere collection to include ongoing data processing activities.
Implications
This exemption has several important implications for businesses and data controllers:
- Reduced compliance burden: Companies processing foreign-origin data in the Philippines may not need to comply with the full requirements of the Data Privacy Act for this specific subset of data.
- Reliance on foreign laws: The exemption places importance on compliance with the laws of the foreign jurisdiction where the data originated. This may require companies to be familiar with and adhere to multiple foreign data protection regimes.
- Potential for regulatory arbitrage: Companies might strategically collect data in jurisdictions with less stringent data protection laws and then process it in the Philippines to avoid stricter local requirements.
- Limited protection for foreign data subjects: Individuals whose data was collected outside the Philippines may have reduced protections under Philippine law when their data is processed there.
- Complexity in data segregation: Organizations handling both domestic and foreign-origin data may need to implement systems to segregate and apply different standards to different data sets based on their origin.
- Potential conflicts with other jurisdictions: This exemption might conflict with data protection laws of other countries that assert extraterritorial application, potentially placing companies in a difficult position of conflicting legal obligations.
It's important to note that while this exemption limits the application of the Data Privacy Act, it does not necessarily exempt companies from all data protection obligations. Other laws, regulations, or contractual obligations may still apply, and companies should carefully consider their overall compliance strategy when relying on this exemption.