Info handlers to be fined for data privacy breaches

Artist's rendition of cyber security hack
Image by Darwin Laganzon from Pixabay

MANILA, Philippines — The National Privacy Commission (NPC) will penalize personal information controllers (PICs) or processors from the private sector for data privacy violations.

A separate initiative, meanwhile, is being undertaken for violations by government agencies.

Under the draft circular on the guidelines on administrative fines to concerned organizations and stakeholders, the NPC said the proposed fines are separate from the criminal penalties and fines provided under the Data Privacy Act (DPA) and its implementing rules and regulations.

The draft circular proposes fines ranging from 0.5 percent to five percent of the annual gross income of the PIC or processor handling the data, depending on the violation committed.

The range of fines was based on an economic analysis of the law conducted by the NPC with the University of the Philippines (UP) Law Center and an expert from the UP School of Economics.

In determining the amount of fine to be imposed, the NPC will consider the number of data subjects affected, failure to notify the Commission and affected data subjects of personal data breaches, and the intentional or negligent character of the offense, among others.

The administrative fine shall be imposed only after the PIC and personal information processor (PIP) have received the notice of violation and a hearing has been conducted.

“The proposed circular considers the proportionality of the fine meted, its dissuasive effects, the costs of precaution, and other social, regulatory and economic impacts that its adoption may create to all PICs and processors,” Privacy Commissioner Raymund Liboro said.

The NPC may, at its discretion, reduce a fine if imposing the penalty would cause the PIC or PIP financial hardship.

Deputy Privacy Commissioner Leandro Angelo Aguirre said the fines are not intended to burden companies with additional cost, but to promote data protection.

“The fines are incentives for companies to protect all of us. Because if we are all protecting the information we process, that benefits both the companies and data subjects. It serves to incentivize the implementation of appropriate measures while disincentivizing the misuse of data,” he said.

Liboro said the circular is in line with the aim to build a high-trust, resilient and knowledge-based society amid the growing economy.

“The NPC hopes that this administrative circular will further enhance the culture of data privacy accountability in the Philippines, incentivize compliance for the DPA, build maximum data privacy resilience by encouraging full accountability, compliance and ethics from our data users,” Liboro said.
