
BA 164

November 15, 2019

PDIC Act
1. Policy (2)
   a. Duty to insure (6, 5d, 5i)
2. Coverage
   a. Concept of insured deposit (5g, 5j)
3. Creation of PDIC (1, 3)
   a. Powers
      i. Financial assistance (22e)
      ii. Liquidation of banks (12a, 5e)
      iii. Payment of insured deposit (19, 5e)
         1. Procedure (14a, 21)
         2. Subrogation to all rights of depositors (20)

Data Privacy Act


1. The NPC
   a. Organization (9, 10)
   b. Powers and function (7)
2. Coverage (4, 3g-l)
3. Processing of personal information (11-15)
4. Rights of data subject (16-19)
5. Security of personal information (20)
   a. Accountability for transfer of personal information (21)
6. Security of sensitive personal information in the government (22-24)
7. Penalties for violation (25-37)

Organization – NPC attached to DICT, headed by Privacy Commissioner (Chairman), assisted by 2 deputy
commissioners (Data Processing Systems, Policies and Planning) – 3-yr term, may be reappointed for
another 3-yr term.
• Privacy Commissioner – at least 35 yo, good moral character, unquestionable integrity and known
probity, recognized expert in the field of IT and DP (Secretary)
• Deputy PC – expert in IT and DP (Undersecretary)
• PC & DPC – not civilly liable for acts done in good faith, liable for willful or negligent acts,
reimbursed by NPC for reasonable litigation costs
• Secretariat – must have served for at least 5 yrs in SSS, GSIS, LTO, BIR, PhilHealth, COMELEC,
DFA, DOJ, Philpost, others involved in processing of personal information

Coverage – processing of all types of personal info and to any natural and juridical person involved in
personal information processing, including personal information controllers and processors who use
equipment or maintain an office, branch or agency in the Philippines

Does not apply to the following:
• Information about government officer or employee
  o Fact
  o Title, business address, office telephone number
  o Classification, salary range, responsibilities of position
  o Name
• Information about individual performing service under contract for a government institution
• Information about discretionary benefit of financial nature
• Personal information for journalistic, artistic, literary, or research purposes
• Information necessary in order to carry out the functions of public authority
• Information necessary for banks and other financial institutions (AMLA)
• Personal information from foreign residents in accordance with foreign laws

Personal information – any information, identity apparent or can be ascertained by entity holding info
PI controller – controls collection, holding, processing, use of personal information
PI processor – any person to whom a PI controller may outsource processing of personal data
Processing – operations performed upon personal information
Privileged information – data which under laws constitute privileged communication
Sensitive personal information
• Race, ethnic origin, marital status, age, color, affiliations
• Health, education, genetic or sexual life, proceeding for any offense
• Issued by government agencies peculiar to an individual
• Specifically established by an Executive Order or Act

Processing of personal information

• Sec. 11 – shall be allowed, subject to compliance with legal requirements re: disclosure
• Personal information must be (a) collected for specific and legitimate purposes (b) processed fairly
and lawfully (c) accurate, relevant, and up to date (d) adequate and not excessive (e) retained only
for as long as necessary (f) kept in a form which permits identification of data subjects
• Sec. 12 – shall be permitted only if not otherwise provided by law, and at least (a) consent of the
data subject (b) fulfillment of contract (c) compliance with legal obligation (d) protect vitally
important interests of data subject (e) national emergency, public order and safety, public
authority (f) purposes of legitimate interests
• Sec. 13 – Processing of SPI and Privileged Information, prohibited except (a) consent of the data
subject (b) provided by laws and regulations (c) protect life and health (d) achieve objectives of
public organizations (e) medical treatment (f) protection of lawful rights and interests of persons
in court proceedings
• Sec. 14 – PI controller may subcontract processing of PI (PI controller responsible for safeguards
to ensure confidentiality, prevent unauthorized use, comply with legal requirements)
• Sec. 15 – PI controllers may invoke principle of privileged communication over privileged information

Rights of data subject

• Sec. 16
  o Be informed whether personal information is processed
  o Be furnished (1) description of personal information (2) purpose (3) scope and method (4)
recipients (5) methods utilized (6) identity and contact details (7) period (8) existence of
rights
  o Reasonable access to (1) contents of personal information (2) sources from which obtained
(3) names and addresses of recipients (4) manner by which processed (5) reasons for
disclosure (6) information on automated processes (7) date last accessed and modified (8)
designation, name/identity, address of personal information controller
  o Dispute inaccuracy or error in the personal information and have the PI controller correct
immediately and accordingly
  o Suspend, withdraw/order blocking, removal or destruction of his or her personal information
  o Be indemnified for any damages
• Sec. 17 – lawful heirs and assigns may invoke the rights of the data subject upon death or incapacity
or incapability
• Sec. 18 – data subject has a right to obtain from PI controller a copy of data in an electronic or
structured format
• Sec. 19 – not applicable if used only for the needs of scientific and statistical research

Security of personal information

(a) PI controller must implement reasonable and appropriate measures for protection of PI against
accidental or unlawful destruction, alteration and disclosure, unlawful processing
(b) …natural and human dangers
(c) Appropriate level of security – nature of PI, risks, size and complexity, best practices, costs of
security implementation
   a. Safeguards against unlawful or unauthorized usage
   b. Security policy with respect to processing of personal information
   c. Process for identifying and accessing reasonably foreseeable vulnerabilities
   d. Regular monitoring; preventive, corrective and mitigating action
(d) Third parties shall implement security measures
(e) Operate and hold PI under strict confidentiality
(f) PI controller shall promptly notify NPC and affected data subjects when sensitive personal
information or other information (identity fraud) are reasonably believed to have been acquired by
an unauthorized person, risk of serious harm (describe nature, SPI possibly involved, measures to
address)
   a. If notification unwarranted – compliance, good faith
   b. Exempt PI controller from notification – not in interest of public/data subjects
   c. Postponement of notification – hinder progress of criminal investigation

• Accountability for transfer of personal information
  o Each PI controller is responsible for PI under its control or custody
    ▪ PI controller accountable for complying with requirements, comparable level of
protection
    ▪ PI controller designate individual/s accountable for compliance

Security of sensitive personal information in the government

• All SPI secured with the use of the most appropriate standard recognized by ICT industry
  o Head responsible for complying with security requirements mentioned
  o Commission shall monitor compliance, may recommend necessary action
• On-site and online access – no employee shall have access to SPI
• Offsite access – SPI may not be transported or accessed from a location off government property
unless a request is submitted and approved by head of agency
  o Deadline for approval or disapproval – approve/disapprove request within 2 business days
  o Limitation to 1,000 records
  o Encryption – most secure encryption standard
• Requirements implemented not later than 6 months after enactment

Penalties for violation

Violation | Imprisonment | Fine
Unauthorized processing of PI | 1-3 years | 500K-2M
Unauthorized processing of SPI | 3-6 years | 500K-4M
Accessing PI due to negligence | 1-3 years | 500K-2M
Accessing SPI due to negligence | 3-6 years | 500K-4M
Improper disposal of PI | 0.5-2 years | 100-500K
Improper disposal of SPI | 1-3 years | 100K-1M
Processing of PI for unauthorized purposes | 1.5-5 years | 500K-1M
Processing of SPI for unauthorized purposes | 2-7 years | 500K-2M
Unauthorized access or intentional breach | 1-3 years | 500K-2M
Concealment of security breaches involving SPI | 1.5-5 years | 500K-1M
Malicious disclosure | 1.5-5 years | 500K-1M
Unauthorized disclosure (PI) | 1-3 years | 500K-1M
Unauthorized disclosure (SPI) | 3-5 years | 500K-2M
Combination or series of acts | 3-6 years | 1-5M

Extent of liability
• Juridical person – responsible officers, court may suspend or revoke any of its rights
• Alien – penalties + deported without further proceedings
• Public official or employee (Sec. 27/28) – penalties + perpetual or temporary absolute
disqualification from office
Large-scale – Maximum penalty when PI of at least 100 persons is harmed, affected or involved
Offense committed by public officer – disqualification to occupy public office for a term double the term
of criminal penalty
Restitution – new Civil Code

Electronic Commerce Act


1. In general (3-5)
2. Legal recognition of electronic documents (6-8)
   a. Presumption (9)
   b. Confidentiality (32)
   c. Lawful access (31)
3. Communication of electronic documents (16-24)
4. Application
   a. In carriage of goods (25-26)
   b. In government (27-29)
5. Penalties for violation (33)

In general
• Objective – facilitate transactions and contracts through electronic medium and technology to
recognize authenticity and reliability of electronic documents, promote universal use of electronic
transaction in the government and general public
• Sphere of application – any kind of data message and electronic document used in the context of
commercial and non-commercial activities
• Addressee – person intended by originator to receive EDM/ED
• Computer – any device capable of producing information according to logical rules
• Electronic Data Message (EDM) – information generated, sent, received or stored by electronic,
optical, or similar means
• Information and Communications System – system capable of generating, sending, receiving,
storing, processing EDM/ED
• Electronic Signature (ES) – any distinctive mark, characteristic and/or sound in electronic form,
representing the identity of a person, attached to or logically associated with the EDM/ED
• Electronic Document (ED) – information or representation of information, data, figures, symbols or
other modes of written expression
• Electronic Key – secret code which secures and defends sensitive information
• Intermediary – in behalf of another person
• Originator – a person to whom electronic document purports to have been created, generated,
and/or sent
• Service provider – provider of
  o On-line services or network access or the operator of facilities therefor
  o Necessary technical means by which electronic documents
of an originator may be stored

Legal recognition of electronic documents

• Sec. 6 – Legal recognition (EDM) – information shall not be denied legal effect, validity or
enforceability
• Sec. 7 – Legal recognition (ED) – ED = legal effect, validity, or enforceability
  o Where law requires document to be in writing, that requirement is met by ED – integrity and
reliability, can be authenticated so as to be usable for subsequent reference (complete and
unaltered, reliable)
  o Where law requires document to be presented or retained in its original form, that
requirement is met by ED – reliable assurance (integrity), capable of being displayed
• Sec. 8 – Legal recognition (ES) – electronic signature = signature on written document if proved by
showing that a prescribed procedure existed under which (a) a method is used to identify the party
sought to be bound (b) said method is reliable and appropriate (c) necessary for the party sought
to be bound (d) other party is authorized and enabled to verify the electronic signature
   a. Presumption – signature of the person, affixed by that person with the intention of signing
or approving the electronic document
   b. Confidentiality – shall not convey or share with other person except for purposes authorized
   c. Lawful access – shall only be authorized and enforced in favor of individual or entity having
a legal right

Communication of electronic documents

• Sec. 16 – Formation and validity of electronic contracts
  o Offer, acceptance, etc. may be expressed in EDM/EDs
  o Electronic transactions made through networking among banks deemed consummated upon
actual dispensing of cash or debit/credit
• Sec. 17 – Declaration of will or other statement shall not be denied legal effect, validity, or
enforceability solely on the ground that it is in the form of an EDM
• Sec. 18 – Attribution of EDM
  o Sent by originator himself – originator
  o As between originator and addressee, by a person who had the authority to act on behalf of
the originator, or by an information system – originator
  o As between originator and addressee, addressee properly applied procedure previously
agreed to by the originator or enabled that person to gain access to a method used by the
originator – addressee entitled to regard an EDM/ED as being that of the originator, and
act on the assumption [does not apply when addressee receives notice that EDM/ED is not
that of the originator, 3b – reasonable care that EDM/ED was not that of the originator]
  o When any of the first three bullets apply, addressee entitled to regard EDM/ED as
received as being what the originator intended to send, and act on that assumption
  o Entitled to regard each EDM/ED as separate, except if duplicate
• Sec. 19 – Refer to paragraph in bold. Unless the addressee knew or should have known that (a)
transmission resulted in any error, or (b) EDM/ED is sent to information system not designated for
the purposes
• Sec. 20 – Rules to apply when originator requested that receipt of ED/EDM acknowledged
  o Not agreed in a particular form or method – communication or conduct of addressee
  o Effect or significance of EDM/ED is conditional on receipt of acknowledgement – never sent
until acknowledgement is received
  o Not stated that effect or significance conditional, acknowledgement not received or no time
specified – originator may give notice that no acknowledgement has been received,
reasonable time by which acknowledgement must be received, after, may treat as never been
sent or exercise any right
• Sec. 21 – Dispatch of EDM/ED occurs when it enters an information system outside control of
originator
• Sec. 22 – Time of receipt
  o Designated information system – when EDM/ED enters designated information system
  o Not the designated information system – when EDM/ED retrieved by the addressee
  o No designated information system – when EDM/ED enters information system of addressee
• Sec. 23 – Dispatched at place where the originator has its place of business and received at the
place where the addressee has its place of business
  o More than one place of business – closest relationship to underlying transaction or the
principal place of business
  o No place of business – habitual residence
  o Usual place of residence – incorporation
• Sec. 24 – Parties to any electronic transaction shall be free to determine the type and level of
electronic data message and electronic document security methods

Application

In carriage of goods
• Sec. 25 – applies to:
  o marks, number, quantity, weight of goods; nature/value, receipt, confirming (loaded)
  o terms and conditions, instructions (carrier)
  o delivery, release, notice of loss or damage of goods
  o notice/statement – performance of contract
  o deliver goods to named person
  o granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods
  o acquiring or transferring rights and obligations under the contract
• Sec. 26: (1) any action (carriage), writing/paper document – one or more data messages or electronic
documents. (2) applies whether obligation or consequences (3) requirement (one person and no
person, conveyed by transfer or use of paper document) met if right or obligation conveyed by using
one or more EDM/EDs (4) standard of reliability required shall be assessed (5) no paper document
used to effect such action is valid unless the use of EDM/ED has been terminated and replaced by
the use of paper documents (6) rule not inapplicable to contract of carriage of goods evidenced by
one or more EDM/ED

In government
• Sec. 27 – Accept creation, filing or retention of such documents in the form of EDM/EDs; issue
permits, licenses, or approval in the form of EDM/EDs; require and/or accept payments, and issue
receipts acknowledging such payments through systems using EDM/EDs; transact government
business/perform government functions using EDM/EDs
• Sec. 28 – Install electronic online network in accordance with RPWEB to facilitate open, speedy,
and efficient electronic online transmission, conveyance and use of EDM/EDs
• Sec. 29 – DTI shall direct and supervise the promotion and development of E-commerce

Penalties for violation

• Sec. 33
  o Hacking/Cracking (100K+, 0.5-3 years)
  o Piracy (100K+, 0.5-3 years)
  o Violations of Consumer Act (same penalties as provided)
  o Other violations (max 1M, 6 years)

Bill of Rights Presentation on Wednesday (November 20)


TOPICS
1. Due process (White Light Corporation v. Manila)
2. Non-impairment clause (Republic v. Pagadian City Lumber)
3. Equal protection clause (Biraogo v. Philippine Truth Commission)
4. Search and seizure (Terry v. Ohio – facts and doctrine, People v. Marti)
5. Privacy of communication and correspondence (Belo Hernandez v. Guevarra)
6. Right against self-incrimination (Sabio v. Gordon)
7. Custodial investigation (Miranda v. Arizona) – Miranda rights
8. Writ of Amparo (Sec. of National Defense v. Manalo) – Palparan
9. Liberty of abode and travel (Marcos v. Manglapus)
10. Freedom of speech (Diocese of Bacolod v. COMELEC)
11. Access to information (Chavez v. PCGG)
12. Freedom of religion (Estrada v. Escritor)
6 groups, 6 people each. Each group will present on 2 topics.
Read and present – do NOT present on procedural matters. Go to the substance.
