The Philippines' Data Privacy Act of 2012 and its Implementing Rules and Regulations apply the "Use of Equipment Within Jurisdiction" factor to determine the scope of applicability of the data protection law.

Text of Relevant Provisions

DPA of 2012 Sec.4(1):

"This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, that the requirements of Section 5 are complied with."

Implementing Rules and Regulations Sec.4(d1):

"The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following: 1. Use of equipment located in the country, or maintains an office, branch or agency in the Philippines for processing of personal data;"

Analysis of Provisions

The Philippines' data protection law explicitly incorporates the "Use of Equipment Within Jurisdiction" factor to extend its applicability. This factor is significant as it allows the law to cover data processing activities by entities that may not be physically established in the Philippines but utilize equipment located within the country for data processing purposes.The DPA of 2012 Sec.4(1) states that the Act applies to

"personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines"

. This provision clearly extends the law's reach to foreign entities that process data using equipment within Philippine territory.The Implementing Rules and Regulations further clarify this point in Sec.4(d1), which states that the Act applies to data processing done outside the Philippines if the entity has links to the Philippines, including the

"Use of equipment located in the country"

for processing personal data.

Implications

This factor has significant implications for businesses and organizations:

1. Foreign companies using servers or other data processing equipment in the Philippines must comply with Philippine data protection laws, even if they don't have a physical presence in the country.
2. Cloud service providers with data centers in the Philippines may be subject to Philippine data protection regulations, potentially affecting their operations and client relationships.
3. Companies outsourcing data processing activities to the Philippines need to ensure compliance with Philippine data protection laws, as the use of equipment in the country would trigger the law's applicability.
4. Multinational corporations with any form of data processing equipment in the Philippines must adhere to the country's data protection regulations, regardless of where their headquarters are located.
5. The law's broad scope may encourage companies to carefully consider the location of their data processing equipment and potentially influence decisions about where to establish data centers or other IT infrastructure.

By including this factor, the Philippine lawmakers have ensured that the country's data protection regime has a wide reach, covering not just local entities but also foreign organizations that utilize Philippine-based equipment for data processing. This approach aims to protect the personal data of Philippine citizens and residents more comprehensively, regardless of the geographical location of the data controller or processor.