Philippines: Processing in jurisdiction

The Philippines Data Privacy Act of 2012 and its Implementing Rules and Regulations explicitly include the physical location of data processing as a factor determining the law's applicability.

Text of Relevant Provisions

Implementing Rules and Regulations Sec.4(c):

*"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:

c. The processing of personal data is being done in the Philippines; or"*

Implementing Rules and Regulations Sec.4(d6):

*"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:

d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:

An entity that collects or holds personal data in the Philippines."*

Analysis of Provisions

Section 4 of the Implementing Rules and Regulations clarifies the extraterritorial scope of the Data Privacy Act. Section 4(c) clearly states that the Act applies to data processing activities taking place within the Philippines, regardless of the entity's location or the data subject's residency.

Furthermore, Section 4(d6) expands the scope by capturing entities that may not be physically present in the Philippines but maintain a connection through the collection or holding of personal data within the country. This suggests that even if the processing occurs outside the Philippines, the mere act of collecting or storing data within its borders could trigger the Act's application.

This broad approach emphasizes the Philippines' jurisdiction over data processing activities occurring within its territory and involving data collected or stored within its borders.

Implications

The inclusion of "processing in the Philippines" as an applicability factor has several implications for businesses:

Foreign companies processing data in the Philippines: Companies based outside the Philippines but using data centers or cloud services located within the country for processing personal data would be subject to the Philippine Data Privacy Act.
Due diligence for data handling: Companies must exercise due diligence when engaging third-party data processors or cloud service providers, ensuring they understand where the data processing will occur and whether it aligns with the Act's requirements.
Broader scope of application: The Act's focus on both data processing location and data collection/storage location creates a wider scope of application compared to laws solely focused on the data controller's establishment.

Jurisdiction Overview

Philippines

👮🏿 Exemption for Official Information of Public Servants 🏦 Central Bank and Financial Institutions Exclusion 🏛️ Government and Public Agency Exemption 🪑 Entity's Link or Presence in Jurisdiction 🤝🏿 Applicability Based on Contract Concluded in Jurisdiction 🔗 Processing in Context of Local Establishment 🏠 Processing in jurisdiction 🛂 Applicability to Citizens and Residents' Data 📍 Processing by Local Establishment 🎯 Exemption for Specific Purposes of Processing 🛡️ Exemption for Personal Data of Foreign Origin with Adequate Protection 🚎 Public License and Permit Information Exemption 🖥️ Use of Equipment Within Jurisdiction Physical Location/Residency of Data Subject in Jurisdiction ⚖️ Sectoral Exceptions Regulated by Other Laws 💼 Doing Business in Jurisdiction