Data privacy act philippines penalties

What are the potential penalties / remedies for non-compliance with the key data privacy and cybersecurity laws in the jurisdiction?

Last review date: 30 December 2023

☒ administrative remedies / civil penalties applied by regulators and law enforcement

The NPC shall perform all acts as may be necessary to effectively implement the DPA, its IRR, and its other issuances and to enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties. This includes:

• Issuing compliance or enforcement orders.
• Awarding indemnity on matters affecting any personal data, or rights of data subjects.
• Issuing cease and desist orders or imposing a temporary or permanent ban on the processing of personal data, upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects.
• Recommending to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties specified in the Act.
• Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action on a matter affecting data privacy.
• Imposing administrative fines for violations of the DPA, its IRR, and other issuances of the NPC.

Additionally, the NPC recently issued Circular No. 2022-01 on the imposition of administrative fines. In light of said circular, the NPC may now impose administrative fines ranging from 0.5% to 3% of the annual gross income of the PIC or PIP in case of grave infractions and 0.25% to 2% of the annual gross income of the PIC or PIP in case of major infractions.

A grave infraction is committed when:

• There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects exceeds one thousand (1,001 or more).
• There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects exceeds one thousand (1,001 or more).
• There is a repetition of the same infraction penalized under the circular, regardless of whether the first infraction was classified as a major or other infraction.

A major infraction is committed when:

• There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects is one thousand or below (1-1,000).
• There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is one thousand or below (1- 1,000).
• There is failure on the part of the PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA.
• There is failure on the part of the PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA.
• There is failure on the part of the PIC to notify the NPC and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA.

In both cases, the computation shall be based on the PIC's or PIP's annual gross income of the immediately preceding year when the infraction occurred. Note that for purposes of said computation, the NPC may require the PIC or PIP to submit its audited financial statement filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, its last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as the NPC may deem relevant and appropriate. However, where the PIC or PIP has not been operating for more than one year, the basis for the NPC's computation will be its gross income at the time the infraction was committed.

The NPC is also empowered to impose administrative fines for other infractions, including the failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making which can reach up to either PHP 200,000 (approximately USD 4,000) or PHP 50,000 (approximately USD 1,000), depending on the violation committed.

Notwithstanding the foregoing, please note that the total imposable administrative fine for a single act or omission of a PIC or PIP, whether resulting in a single or multiple infractions, shall not exceed PHP 5 million (approximately USD 100,000).

☒ criminal penalties from regulators and law enforcement

The following are the criminal penalties:

• Unauthorized Processing of Personal Information and Sensitive Personal Information
  • The unauthorized processing of personal information shall be penalized by imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under the DPA or any existing law.
  • The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three to six years and a fine of PHP 500,000 to PHP 4,000,000 shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under the DPA or any existing law.
  • Accessing personal information due to negligence shall be penalized by imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under the DPA or any existing law.
  • Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three to six years and a fine of PHP 500,000 to PHP 4,000,000 shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under the DPA or any existing law.
  • The improper disposal of personal information shall be penalized by imprisonment ranging from six months to two years and a fine of PHP 100,000 to PHP 500,000 shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
  • The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one to three years and a fine of PHP 100,000 to PHP 1,000,000 shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
  • The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000 shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under the DPA or under existing laws.
  • The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two to seven years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under the DPA or under existing laws.
  • The penalty of imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 2,000,000 shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
  • The penalty of imprisonment of one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000 shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the NPC, intentionally or by omission conceals the fact of such security breach.
  • Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one year and six months to five years and a fine of PHP 500,000 to PHP 1,000,000.
  • Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall he subject to imprisonment ranging from one to three years and a fine of PHP 500,000 to PHP 1,000,000.
  • Any PIC or PIP or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three to five years and a fine of (PHP 500,000 to PHP 2,000,000).

  The NPC, sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the DPA. The person who is the subject of the privacy violation or personal data breach, or his or her duly authorized representative may file the complaint, Provided, that the circumstances of the authority must be established.

  Any person who is not personally affected by the privacy violation or personal data breach may: (a) request for an advisory opinion on matters affecting protection of personal data; or (b) inform the NPC of the data protection concern, which may in its discretion, conduct monitoring activities on the organization or take such further action as may be necessary.