Penalties for violations of Data Privacy Law, its IRR, and other NPC Issuances

Violations of Data Privacy Law, its IRR, and other NPC Issuances

Unauthorized processing of PI or SPI

Section 52. Unauthorized Processing of Personal Information and Sensitive Personal Information.
a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process sensitive personal information without the consent of the data subject, or without being authorized under the Act or any existing law. (IRR, Rule XIII)

Violation | Imprisonment | Fine
Unauthorized processing of personal information (IRR, Section 52[a], Rule XIII) | 1 year to 3 years | Php500,000 to Php2,000,000
Unauthorized processing of sensitive personal information (IRR, Section 52[b], Rule XIII) | 3 years to 6 years | Php500,000 to Php4,000,000

Elements

Elements for unauthorized processing of personal information:

1) That the offender processes personal information;

2) That the offender does so:

a) Without the consent of the data subject, or

b) Without being authorized under the [Data Privacy Law] or any existing law.

Elements for unauthorized processing of sensitive personal information:

1) That the offender processes sensitive personal information;

2) That the offender does so:

a) Without the consent of the data subject, or

b) Without being authorized under the [Data Privacy Law] or any existing law.

Terms

1) Unauthorized – means “without authority or permission.” (Merriam-Webster Online Dictionary)

2) “Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system. (IRR, Section 3[o], Rule I)

Examples

1) Processing of personal data without the consent of the data subject;

2) Processing of personal data by a Personal Information Processor (PIP) outside of the scope of, or in violation of, its contract with a Personal Information Controller (PIC); or

3) Processing of personal data that is contrary to the Data Privacy Law, its IRR, and other NPC issuances.

Accessing PI or SPI due to negligence

Section 53. Accessing Personal Information and Sensitive Personal Information Due to Negligence.
a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to sensitive personal information without being authorized under the Act or any existing law. (IRR, Rule XIII)
Violation | Imprisonment | Fine
Accessing personal information due to negligence (IRR, Section 53[a], Rule XIII) | 1 year to 3 years | Php500,000 to Php2,000,000
Accessing sensitive personal information due to negligence (IRR, Section 53[b], Rule XIII) | 3 years to 6 years | Php500,000 to Php4,000,000

Elements

Elements for accessing personal information due to negligence:

1) That the offender provided access to personal information without being authorized under the [Data Privacy Law] or any existing law; and

2) That it was due to negligence.

Elements for accessing sensitive personal information due to negligence:

1) That the offender provided access to sensitive personal information without being authorized under the [Data Privacy Law] or any existing law; and

2) That it was due to negligence.

Terms

1) Access – means “permission, liberty, or ability to enter, approach, or pass to and from a place or to approach or communicate with a person or thing”, or “a way or means of entering or approaching”. (Merriam-Webster Online Dictionary)

2) Negligence is the omission to do something which a reasonable man, guided by those considerations which ordinarily regulate the conduct of human affairs, would do, or the doing of something which a prudent and reasonable man would not do. (Layugan v. Intermediate Appellate Court, G.R. No. 73998, November 14, 1988, Per Sarmiento, J., citing Black's Law Dictionary, Fifth Edition, 930)

NB: This violation only requires simple or ordinary negligence, not gross negligence.

3) Here, the violation consists of another person being able to access personal data because of the offender's negligence. To be clear, the offender is not the person who accessed the personal data, but rather the person responsible for protecting it who, through negligence, failed to do so, resulting in the access.

Examples

1) Leaving a secured office room without locking it;

2) Placing passwords in plain view, instead of being concealed/hidden; or

3) Improperly configuring an information and communication system.

Improper disposal of PI or SPI

Section 54. Improper Disposal of Personal Information and Sensitive Personal Information.
a. A penalty of imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard, or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
b. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the sensitive personal information of an individual in an area accessible to the public or has otherwise placed the sensitive personal information of an individual in its container for trash collection. (IRR, Rule XIII)
Violation | Imprisonment | Fine
Improper disposal of personal information (IRR, Section 54[a], Rule XIII) | 6 months to 2 years | Php100,000 to Php500,000
Improper disposal of sensitive personal information (IRR, Section 54[b], Rule XIII) | 1 year to 3 years | Php100,000 to Php1,000,000

Elements

Elements for improper disposal of personal information:

1) That the offender disposes, discards, or abandons the personal information of an individual;

2) That it was done in: (a) an area accessible to the public, or (b) has otherwise placed the personal information of an individual in its container for trash collection; and

3) That it was done so knowingly or negligently.

Elements for improper disposal of sensitive personal information:

1) That the offender disposes, discards, or abandons the sensitive personal information of an individual;

2) That it was done in: (a) an area accessible to the public, or (b) has otherwise placed the sensitive personal information of an individual in its container for trash collection; and

3) That it was done so knowingly or negligently.

Terms

1) Improper – means “not suited to the circumstances, design, or end.” (Merriam-Webster Online Dictionary)

2) Disposal – means “systematic destruction.” (Merriam-Webster Online Dictionary)

3) Improper disposal means destroying or deleting personal data in a manner that is not in keeping with generally accepted proper means of disposing of personal data.

Examples

1) Throwing away flash disks, hard disk drives, and other storage devices without first using a secure deletion tool/application/software to completely erase the data beyond recovery and thereafter smashing the devices into pieces;

2) Throwing away desktops, laptops, tablets, mobile phones, and other mobile devices without first using a secure deletion tool/application/software to completely erase the data beyond recovery and thereafter smashing the devices into pieces; or

3) Deleting databases in cloud storage without using a secure deletion tool/application/software to completely erase the data beyond recovery.

4) Proper disposal of personal data is deletion or destruction beyond recovery, usually by means of a secure deletion tool/application/software, smashing storage devices into pieces, and similar measures.

Processing of PI or SPI for unauthorized purposes

Section 55. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.
a. A penalty of imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under the Act or under existing laws.
b. A penalty of imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under the Act or under existing laws. (IRR, Rule XIII)
Violation | Imprisonment | Fine
Processing of personal information for unauthorized purposes (IRR, Section 55[a], Rule XIII) | 1 year and 6 months to 5 years | Php500,000 to Php1,000,000
Processing of sensitive personal information for unauthorized purposes (IRR, Section 55[b], Rule XIII) | 2 years to 7 years | Php500,000 to Php2,000,000

Elements

Elements for processing of personal information for unauthorized purposes:

1) That the offender processed personal information; and

2) That it was for purposes not authorized by the data subject, or otherwise authorized under the [Data Privacy Law] or under existing laws.

Elements for processing of sensitive personal information for unauthorized purposes:

1) That the offender processed sensitive personal information; and

2) That it was for purposes not authorized by the data subject, or otherwise authorized under the [Data Privacy Law] or under existing laws.

Terms

1) Purpose – means “something set up as an object or end to be attained.” (Merriam-Webster Online Dictionary)

Examples

1) If the purpose of obtaining personal data is to schedule a medical appointment, then further processing of that personal data for marketing vitamins to the data subject is a violation; or

2) If the purpose of collecting personal data was limited to Project A, then further processing of that personal data for Project X would be a violation.

Unauthorized access or intentional breach

Section 56. Unauthorized Access or Intentional Breach. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored. (IRR, Rule XIII)
Violation | Imprisonment | Fine
Unauthorized access or intentional breach (IRR, Section 56, Rule XIII) | 1 year to 3 years | Php500,000 to Php2,000,000

Elements

Elements of unauthorized access or intentional breach:

1) That the offender breaks in any way into any system where personal and sensitive personal information are stored;

2) That the offender does so:

a) Knowingly and unlawfully, or

b) Violating data confidentiality and security data systems.

Terms

1) Intend – means “to design for a specified use or future.” (Merriam-Webster Online Dictionary)

Examples

1) A bad actor being able to get inside a secure room where personal information and/or sensitive personal information is being processed; or

2) A cyber attacker being able to penetrate an information and communication system containing personal information and/or sensitive personal information.

Concealment of security breaches involving SPI

Section 57. Concealment of Security Breaches Involving Sensitive Personal Information. A penalty of imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security breach. (IRR, Rule XIII)

Violation | Imprisonment | Fine
Concealment of security breaches involving sensitive personal information (IRR, Section 57, Rule XIII) | 1 year and 6 months to 5 years | Php500,000 to Php1,000,000

Elements

Elements for concealment of security breaches involving sensitive personal information:

1) That the offender has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the [Data Privacy Law];

2) That the offender conceals the fact of such security breach; and

3) That it was done so intentionally or by omission.

Terms

1) Concealment – means “to prevent disclosure or recognition of.” (Merriam-Webster Online Dictionary)

2) Security – means “the quality or state of being secure.” (Merriam-Webster Online Dictionary)

3) Breach – means to “break” or “violate”. (Merriam-Webster Online Dictionary)

4) Security breach means a break or violation of security.

5) “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (IRR, Section 3[k], Rule I)

NB: Unauthorized access to personal data is sufficient. The data breach does not necessarily have to result in destruction, loss, alteration, or unauthorized disclosure of personal data.

Examples

1) Intentionally not reporting to the NPC a security breach involving a bad actor being able to get inside a secure room where sensitive personal information is being processed; or

2) Failing to report to the NPC a bad actor or black hat hacker being able to penetrate an information and communication system containing sensitive personal information.

Malicious disclosure

Section 58. Malicious Disclosure. Any personal information controller or personal information processor, or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). (IRR, Rule XIII)

Violation | Imprisonment | Fine
Malicious disclosure (IRR, Section 58, Rule XIII) | 1 year and 6 months to 5 years | Php500,000 to Php1,000,000

Elements

Elements for malicious disclosure:

1) That the offender is any personal information controller or personal information processor, or any of its officials, employees or agents;

2) That the offender discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her; and

3) That it was done so with malice or in bad faith.

Terms

1) Malicious – means “intent to commit an unlawful act or cause harm without legal justification or excuse.” (Merriam-Webster Online Dictionary)

2) Disclose – means “to make known or public,” or “to expose to view”. (Merriam-Webster Online Dictionary)

3) Bad faith does not simply connote bad judgment or negligence. It imports a dishonest purpose or some moral obliquity and conscious doing of a wrong, a breach of known duty through some motive or interest or ill will that partakes of the nature of fraud. It is, therefore, a question of intention, which can be inferred from one’s conduct and/or contemporaneous statements. (Adriano v. Lasala, G.R. No. 197842, October 9, 2013, Per Mendoza, J.)

NB: Under the law, malice is often equated to bad faith.

Examples

1) A PIC, or any of its employees/agents, publicly posting personal data in bad faith; or

2) A PIC, or any of its employees/agents, maliciously selling personal data.

Unauthorized disclosure of PI or SPI

Section 59. Unauthorized Disclosure.
a. Any personal information controller or personal information processor, or any of its officials, employees, or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). (IRR, Rule XIII)
b. Any personal information controller or personal information processor, or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00). (IRR, Rule XIII)

Violation | Imprisonment | Fine
Unauthorized disclosure of personal information (IRR, Section 59, Rule XIII) | 1 year to 3 years | Php500,000 to Php1,000,000
Unauthorized disclosure of sensitive personal information (IRR, Section 59, Rule XIII) | 3 years to 5 years | Php500,000 to Php2,000,000

Elements

Elements for unauthorized disclosure of personal information:

1) That the offender is a personal information controller or personal information processor, or any of its officials, employees, or agents;

2) That the offender discloses to a third party personal information not covered by the crime of malicious disclosure; and

3) That it was done without the consent of the data subject.

Elements for unauthorized disclosure of sensitive personal information:

1) That the offender is a personal information controller or personal information processor, or any of its officials, employees, or agents;

2) That the offender discloses to a third party sensitive personal information not covered by the crime of malicious disclosure; and

3) That it was done without the consent of the data subject.

Examples

1) A PIC, or any of its employees/agents, mistakenly transmitting sensitive personal information to the wrong recipient; or

2) A PIC, or any of its employees/agents, mistakenly posting sensitive personal information online.

Combination or series of acts

Section 60. Combination or Series of Acts. Any combination or series of acts as defined in Sections 52 to 59 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00). (IRR, Rule XIII)
Violation | Imprisonment | Fine
Combination or series of acts (IRR, Section 60, Rule XIII) | 3 years to 6 years | Php1,000,000 to Php5,000,000

Elements

Elements for combination or series of acts:

1) That the offender has committed more than one crime punishable under the Data Privacy Law; and

2) That such crimes were done in combination or via a series.

Terms

1) Combine – means “to become one.” (Merriam-Webster Online Dictionary)

2) Series – “a number of things or events of the same class coming one after another in spatial or temporal succession.” (Merriam-Webster Online Dictionary)

Examples

1) A bad actor gaining entry to secured premises, stealing files and folders of personal data, and then posting them online; or

2) A cyber attacker penetrating an information and communication system, stealing personal data, selling them on the dark web, and delivering them to a buyer.

Extent of Liability

Section 61. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. Where applicable, the court may also suspend or revoke any of its rights under this Act.
If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed.
If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 54 and 55 of these Rules, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be. (IRR, Rule XIII)

Responsible officers

If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be:

1) who participated in, or

2) by their gross negligence, allowed the commission of the crime. (IRR, Section 61, Rule XIII)

Suspension or revocation of rights

Where applicable, the court may also suspend or revoke any of its rights under this Act. (IRR, Section 61, Rule XIII)

Offender: alien or foreign national

If the offender is an alien [or a foreign national], he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. (IRR, Paragraph 2, Section 61, Rule XIII)

Offender: public official or employee

If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 54 and 55 of these Rules, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be. (IRR, Paragraph 3, Section 61, Rule XIII)

Large-Scale

Section 62. Large-Scale. The maximum penalty in the corresponding scale of penalties provided for the preceding offenses shall be imposed when the personal data of at least one hundred (100) persons are harmed, affected, or involved, as the result of any of the above-mentioned offenses. (IRR, Rule XIII)

The maximum penalty in the corresponding scale of penalties provided for the preceding offenses shall be imposed when the personal data of at least one hundred (100) persons are harmed, affected, or involved, as the result of any of the above-mentioned offenses. (IRR, Rule XIII)

Offense Committed by Public Officer

Section 63. Offense Committed by Public Officer. When the offender or the person responsible for the offense is a public officer, as defined in the Administrative Code of 1987, in the exercise of his or her duties, he or she shall likewise suffer an accessory penalty consisting of disqualification to occupy public office for a term double the term of the criminal penalty imposed. (IRR, Rule XIII)

When the offender or the person responsible for the offense is a public officer, as defined in the Administrative Code of 1987, in the exercise of his or her duties, he or she shall likewise suffer an accessory penalty consisting of disqualification to occupy public office for a term double the term of the criminal penalty imposed. (IRR, Rule XIII)

Restitution

Section 64. Restitution. Pursuant to the exercise of its quasi-judicial functions, the Commission shall award indemnity to an aggrieved party on the basis of the provisions of the New Civil Code. Any complaint filed by a data subject shall be subject to the payment of filing fees, unless the data subject is an indigent. (IRR, Rule XIII)

1) Pursuant to the exercise of its quasi-judicial functions, the [NPC] shall award indemnity to an aggrieved party on the basis of the provisions of the New Civil Code. (IRR, Rule XIII)

2) Any complaint filed by a data subject shall be subject to the payment of filing fees, unless the data subject is an indigent. (IRR, Rule XIII)

Other fines and penalties

Section 65. Fines and Penalties. Violations of the Act, these Rules, other issuances and orders of the Commission, shall, upon notice and hearing, be subject to compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines, in accordance with a schedule to be published by the Commission. (IRR, Rule XIII)

Violations of the [Data Privacy Law, its IRR], other issuances and orders of the [NPC], shall, upon notice and hearing, be subject to:

1) compliance and enforcement orders,

2) cease and desist orders,

3) temporary or permanent ban on the processing of personal data, or

4) payment of fines, in accordance with a schedule to be published by the [NPC]. (IRR, Rule XIII)

REFERENCES

National Privacy Commission. (n.d.). Implementing Rules and Regulations of Republic Act No. 10173, also known as the “Data Privacy Act of 2012”. https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/

National Privacy Commission. (n.d.). Powers & Functions. https://privacy.gov.ph/powers-functions/

Republic Act No. 10173. (2012). Data Privacy Act of 2012. https://privacy.gov.ph/data-privacy-act/
