NPC mulls P5 million limit on fines for data breaches

MANILA, Philippines — The National Privacy Commission (NPC) is proposing to set a P5 million cap on the administrative fines to be imposed on personal information controllers (PICs) or personal information processors (PIPs) for data privacy violations.

In a statement, NPC said an online public hearing was conducted on March 22, where the updated draft circular on the administrative fines for the Data Privacy Act (DPA) violations committed by PICs or PIPs, including the consolidated comments from previous hearings, was presented.

Among the changes in the current draft is the proposal to include a ceiling for the total administrative fine to be imposed.

A provision was inserted in the draft to set the limit on the total imposable fine to no more than P5 million, which will apply whether the infraction results in single or multiple violations arising from a single act of PICs and PIPs.

NPC said the single act refers to a per processing activity basis and not a per data privacy principle or data subject right violated.

An administrative fine may be imposed based on the annual gross income of PICs or PIPs within the range of 0.25 percent to three percent for grave violations, and 0.25 percent to two percent for major violations.

NPC’s computation of the administrative fine would take into account the number of data subjects affected; the degree of negligence or the intent of the PICs or PIPs that contributed or resulted in the violation; the categories of personal data affected; and the nature, duration and severity of the infraction.

To determine the annual gross income of the PIC or PIP, the NPC may require audited financial statements filed with the tax authorities for the preceding year of the violation, or the last balance sheet or annual statement of income and expenses, and other financial documents to be submitted.

If the PIC or PIP has not been operating for more than one year, the administrative fines would be based on the entity’s total gross income when the violation was committed.

Refusal to pay administrative fines may lead to the issuance of a cease-and-desist order, and other processes NPC can pursue under Section 7 of the DPA and/or appropriate contempt proceedings under the Rules of Court.

Privacy Commissioner John Henry Naga said the NPC has been issuing proactive measures for PICs and PIPs to comply with the DPA.

“By now, we expect PICs and PIPs to have incorporated in their respective processes and implemented necessary measures, to protect data subjects and uphold data privacy rights,” he said.

Stakeholders may submit comments on the draft circular until April 6, of this year to [email protected].