Microsoft Office User

[COMPANY NAME]  [Company address]

2
Data Privacy Act and Philippine Competition Act
DATA PRIVACY ACT
PART I
Right to privacy – constitutional and
legislative origin
Ople vs Torres – the contours of one’s
right to information on privacy is
something that will require legislative
intervention
Data privacy involves the right to
regulate or control the manner by which
third persons/parties utilize or make use
of personal information referring to us
Constitutional right to privacy may
essentially be arrested only against the
government = fundamental right
Legislative right to privacy may be
asserted both to the government and
private individuals
In case of violation:
a. constitutional right = render the
evidence obtained in violation of this
right as inadmissible
b. legislative (data privacy act) = does
not render the evidence inadmissible
except if what was violated is the
confidentiality imposed upon the
national privacy commission and its
officials/employees
Who may invoke?
a. constitutional right = purely personal
in nature
b. legislative = may be asserted by a 3rd
party because it is transmissible
Violation of the right to privacy
(constitutional/legislative) may entitle
the person to recover damages
Data Privacy Act
- seeks to regulate the processing
activities or conducts of essentially two
types of persons: natural or juridical =
personal information controller and
processor
1. actors: (active) = may be a
natural/juridical person
a. processor
b. controller
data subject (passive) = always a
natural person
Who is not a controller:
a. a person to whom the controller
outsourced or subcontracted a
processing activity (processor)
b. a person who processes or uses
personal information in connection with
that individual’s personal family or
household affairs
Independent contractors are not
considered as personal information
controller
Reason: the decisive element should be
the level of control, not on the activity
referring to an independent control but
level of control with regard to the
processing of personal information
2. regulated activity = processing
special processing activities:
a. data sharing
b. outsourcing
Data sharing – sharing, disclosure, or
transfer to a third party of personal data
under the custody of a personal
information controller to one or more
other personal information controller/s
3
Data Privacy Act and Philippine Competition Act
a. private sector
- for purposes of
historical/scientifical/statistical – consent
will not be required
- for commercial purposes – should have
data sharing agreement/consent
b. public sector
- data sharing must be carried out for a
public function/service
Data sharing agreement is not
mandatory but is very much advisable
because the execution of the same
demonstrates the entities adherence or
compliance

Outsourcing (subcontracting) –
assignment or delegation of the
processing or personal data by a
personal information controller to a
personal information processor

Processing by a personal information

processor shall be governed by a
contract or other legal act that binds the
personal information processor to the
personal information controller
4
Data Privacy Act and Philippine Competition Act
Data sharing
Disclosure or transfer to a third party of
personal data under the custody of a
personal information processor
Entity sharing the personal information
and the entity receiving the same are
both PICs
Since both entities are controllers, each
may determine their respective
purposes for processing the personal
information
Consent is required if other legitimate
basis for processing is absent because
there will be two (or more) PICs which
shall have separate and distinct
purposes for processing personal data,
to which the data subject must provide
his consent to
3. object:
a. personal information – identity of
the individual is apparent or may not
be apparent but the information can
be ascertained therefrom by the entity
holding the information or when put
together with other information can
identify an individual
b. sensitive personal information
Personal Sensitive
information personal
information
legitimate legitimate
grounds under grounds under
Section 12 Section 13
Penalty: lower Penalty: much
higher
Section 12 – criteria for lawful
processing of personal information:
a. data subject has given his or her
consent;
Outsourcing
Disclosure or transfer of personal data
by a personal information controller to a
personal information processor in order
for the latter to process the data
according to the instructions of the
controller
Entity transferring the personal
information is the PIC and the one
receiving the same is merely a
processor
Since one party is merely a processor,
only the other party determines the
purpose of the processing
No separate consent is necessary before
the PIC may outsource as the purpose
of the processing remains to be the
same and the PIC remains to be the
same
b. processing of personal information
is necessary and is related to the
fulfillment of a contract with the data
subject or in order to take steps at the
request of the data subject prior to
entering into a contract;
c. processing is necessary for
compliance with a legal obligation to
which the personal information
controller is subject;
d. processing is necessary to protect
vitally important interests of the data
subject, including life and health;
e. processing is necessary in order to
respond to national emergency, to
comply with the requirements of public
order and safety, or to fulfill functions
of public authority which necessarily
includes the processing of personal
data for the fulfillment of its mandate;
or
f. processing is necessary for the
purposes of the legitimate interests
5
Data Privacy Act and Philippine Competition Act
pursued by the personal information
controller or by a third party or parties
to whom the data is disclosed, except
where such interests are overridden by
fundamental rights and freedoms of
the data subject which require
protection under the Philippine
Constitution
Section 13 – sensitive personal
information and privileged Information
GR: not allowed/prohibited
EX: following cases
a. data subject has given his or her
consent, specific to the purpose prior
to the processing, or in the case of
privileged information, all parties to
the exchange have given their consent
prior to processing;
b. processing of the same is provided
for by existing laws and regulations:
Provided, That such regulatory
enactments guarantee the protection
of the sensitive personal information
and the privileged information:
Provided, further, That the consent of
the data subjects are not required by
law or regulation permitting the
processing of the sensitive personal
information or the privileged
information;
c. processing is necessary to protect
the life and health of the data subject
or another person, and the data
subject is not legally or physically able
to express his or her consent prior to
the processing;
d. processing is necessary to achieve
the lawful and noncommercial
objectives of public organizations and
their associations: Provided, That such
processing is only confined and related
to the bona fide members of these
organizations or their associations:
Provided, further, That the sensitive
personal information are not
transferred to third parties: Provided,
finally, That consent of the data
subject was obtained prior to
processing;
e. processing is necessary for purposes
of medical treatment, is carried out by
a medical practitioner or a medical
treatment institution, and an adequate
level of protection of personal
information is ensured; or
f. processing concerns such personal
information as is necessary for the
protection of lawful rights and
interests of natural or legal persons in
court proceedings, or the
establishment, exercise or defense of
legal claims, or when provided to
government or public authority.
Anonymization
a. If anonymous = not covered under
the data privacy law
b. Does not relate to an identified or
identifiable natural person
c. Data subject is no longer identifiable
Pseudonymisation
a. considered personal information =
covered under the data privacy law
d. individual can still be identified
Data privacy law applicable to dead
person? Yes because the law grants
rights to the heirs of the deceased to
exercise his/her privacy rights
4. extraterritorial application –
section 4 IRR = in an outside of the
Philippines
a. natural or juridical person involved
in the processing of personal data is
found or established in the Philippines;
b. act, practice or processing relates to
personal data about a Philippine citizen
or Philippine resident;
c. processing of personal data is being
done in the Philippines; or
d. act, practice or processing of
personal data is done or engaged in by
an entity with links to the Philippines,
6
Data Privacy Act and Philippine Competition Act
with due consideration to international
law and comity
5. non-applicability of the
DTA/Special Cases
a. anonymous
b. only to the minimum extent of
collection, access, use, disclosure or
other processing necessary to the
purpose, function or activity concerned
c. does not extend to personal
information processors, who remain
subject to the requirements of
implementing security measures for
personal data protection
special cases:
- information on matters of public
concern
- information necessary for
journalistic/artistic/literary/research
purposes
- information necessary to carry out
functions of public authority
- information necessary for tax and
financial institution in accordance to
the anti-money laundering law
- similarly information originally
collected from residents of foreign
jurisdiction
6. publicly available information
- not expressly provided under the law
that is exempted therefore still
covered
- does not authorize any
processor/controller to process a
personal information in any manner
that it may fit (not a blanket authority)
7. technological advances,
automated processing, profiling,
automated decision-making
Automated processing:
a. should notify the data subject with
the existence of automated processing
b. must notify the national privacy
commission (NPC) that automated
processing is the sole basis of decision
making about the data subject that
would significantly affect the data
subject
Profiling
- form of automated processing
- use of personal data to evaluate
certain personal aspects relating to a
natural person
- personalize or predict aspects
concerning that person
a. subject data should be informed
b. gives the data subject the right to
object the processing his personal data
Automated decision-making
a. no automated decision would be
made based on the personal
information if that decision would have
legal effects without the consent of the
data subject
b. subject data should be notified
PART 2
Data privacy law does not prohibit the
processing of personal information,
what it seeks is to regulate the
processing of information in order to
balance one’s right to data privacy
with other equally compelling state
interest
1. data privacy principles
- transparency
- legitimate purpose
- proportionality = should be
adequate, relevant, suitable, necessary
and not excessive in relation to the
declared and specified purpose
- principle of lawfulness =
anchored/based on lawful causes
- principle of fairness
- data quality principle
- principle of accountability
7
Data Privacy Act and Philippine Competition Act
How long can a personal information
be retained in light of the
proportionality principle?
- only for as long as necessary to
achieve the specified purpose
- up until the accomplishment of the
said purpose
- retain the data for the purpose of
establishing/exercising/in defense of
one’s legal claims
- instances authorized by law
Principle of data minimization – collect
minimal personal information as
possible to be able to accomplish its
declared purpose/s
Personal information collected may be
processed for historical, scientific and
research purposes which can be stored
in longer periods
Principle of lawfulness:
a. consent = freely given, specific and
uninformed manner (granular and not
blanket consent)
b. contract
c. legal obligation
d. vitally important interests
e. national emergency, public
order/safety, fulfill functions of public
authority
f. legitimate interest
What if the data subject withdraws
his/her consent? Any processing
activity prior will not be affected by the
withdrawal
3-tier test to determine legitimate
interest test
1. purpose test
2. necessity test
3. balancing test = does not override
the freedom/fundamental rights of the
data subject
For sensitive personal information it
should be anchored/justified by the
following:
a. consent
b. law and regulation
c. necessary to protect the life and
health
d. necessary to achieve the lawful and
noncommercial objectives
e. medical treatment
f. necessary for the protection of
lawful rights and
interests/establishment, exercise or
defense of legal claims
There is not legitimate interest ground
when you are processing sensitive
personal information
Data privacy rights of the subject
a. right to be informed
b. right to object
c. right of access
d. right to rectify
e. right to erasure/blocking
f. right to data portability
g. right to damages
Privacy notice vs consent
privacy notice
- implements the data privacy principle
of transparency
- acknowledges the data subject’s right
to be informed
- required all the time
consent
- just one of the grounds for
processing personal information
(ordinary or sensitive)
- not required all the time because it is
only one of the grounds provided by
law
Privacy notice vs privacy policy
Privacy policy
8
Data Privacy Act and Philippine Competition Act
- internal statement of the company
addressed essentially to the users of
personal information
Privacy notice
- outward facing document addressed
to the data subject telling them how
the company would use their personal
information
GR: Right to be informed
EX:
a. collected/needed pursuant to
subpoena
b. collection and processing are for
obvious purposes
c. legal obligation
Right to object – can be exercise if the
basis of the processing is consent and
legitimate interest
Right to access
Limitations:
a. publicly available
b. in cases of repeated request
c. reasons as to the safety of the data
subject
Effects for the right to object/access
GR: cease further processing
EX:
a. collected/needed pursuant to
subpoena
b. collection and processing are for
obvious purposes
c. legal obligation
d. justify the processing on other
grounds other than consent/legitimate
interest (controller has the burden of
proof to justify)
Right to rectify may be applied when it
is manifestly vexatious
Right to erasure/blocking – right to
request suspension, withdrawal,
removal or destruction of personal
information:
a. if the personal data is incomplete,
outdated, false or unlawfully obtained
b. unauthorized purposes or unlawful
c. previously obtained for a different
purpose and no longer necessary for
the purpose
d. concerns private information that is
prejudicial to the data subject
Right to data portability
- to be given a copy of his/her
personal information
Requisites:
a. should be electronically processed
and structured in commonly used
format
b. processing is based on consent or
contract
PART 3
Five pillars of data privacy
accountability and compliance:
1st – commit to comply: appoint a data
protection officer (DPO)
Data Protection Officer (DPO)
- should be independent
- should not be in the position where
he may have conflict of interest
- not required to be an employee of
the company
- not required to be a Filipino
- 2 years term
Privacy by design – approach by which
privacy policies are
incorporated/integrated in the
implementation of projects/program
2nd – know your risks: conduct a
privacy risk or impact assessment
- controller undertakes to evaluate the
privacy impacts/risks for a particular
project or process
GR: conduct of a privacy assessment is
mandatory
9
Data Privacy Act and Philippine Competition Act
EX: if the controller determines that
the particular activity entails minimal
risks
Responsibility of the controller
himself/itself
3rd – be accountable: develop a privacy
management program and privacy
manual
4th – demonstrate your compliance:
implement privacy and data protection
measures
The requirement to register entities
data processing systems applies only
in the entity and its data processing is
conducted here in the Philippines;
otherwise: no need
Registration of entities as to their
processing system: (mandatory)
1. controller/processor employs at
least 250 employees
2. processing activities includes
processing of sensitive personal
information that is 1000 individuals
3. processing poses a risk to the rights
and freedom of the data subject
4. processing is not occasional in
nature
Processing poses a risk:
1. information affects the security,
public safety, public health
2. information required by law as a
rule is confidential
3. vulnerable data subjects
4. in cases of automated processing
5. in cases of profiling
5th – prepare for breach: regularly
exercise your breach reporting
procedure
Security incident vs data breach
Security incident
- event/occurrence that affects data
protection includes incidents that
would have resulted in personal data
breach where it not for the security
measures of the controller
- no need of certification/reported but
it has to be documented
Data breach
- breach of security leading to
accidental/unlawful destruction or loss
- requires certification
Kinds of breaches:
a. availability breach – destruction or
loss of personal information
b. integrity breach – unlawful or
unauthorized alteration of the data
c. confidentiality breach –
unauthorized disclosure or access of
data
The obligation to notify is lodged with
the personal information controller
notwithstanding if it is outsourced or
not
Conditions where notification or report
of breach would arise:
1. personal data involves sensitive
personal information
2. reason to believe that the
information if acquired by
unauthorized person
3. acquisition of the data would give
rise to serious harm or risk that would
affect the data subject
When made? Within 72 hours upon
knowledge or reasonable belief that a
breach requiring notification has
occurred
72 hours absolute?
GR: there should be no delay
EX:
a. notification to the commission
10
Data Privacy Act and Philippine Competition Act
- if the purpose is to determine the
scope of the breach
- to prevent further disclosure
- to further restore integrity to the
system
Exemption to exemption:
a. if the breach involves at least 100
data subjects
b. the disclosure involves sensitive
personal information
b. notification to the data subject
- if it is not reasonably possible to
notify the data subject
- exemption to notify is allowed
COMPETITION LAW
The state shall regulate or prohibit
monopolies when the public interest so
required. No combinations in restraint
of trade or unfair competition shall be
allowed. – Sec 19 Art XII, 1987
Constitution
Monopoly – form of market structure
in which one or only a few firms
dominate the total sales of a product
or service
GIOS-SAMAR Inc vs DOTC – elements
before a monopoly may be regulated
or prohibited:
1. there in fact exists a monopoly or
an oligopoly
2. public interest requires its regulation
or prohibition
Combinations in restraint of trade –
agreement or understanding between
two or more persons, in the form of a
contract, trust, pool, holding company,
or other form of association, for the
purpose of unduly restricting
competition, monopolizing trade and
commerce in a certain commodity,
controlling its production, distribution
and price, or otherwise interfering with
freedom of trade with statutory
authority
Unfair competition
1. confusing similarity in the general
appearance of the goods
2. intent to deceive the public and
defraud a competitor
Illegal Acts of price manipulation:
a. hoarding
b. profiteering
c. cartel
RA1067
Statutory policy – “market competition
as a mechanism for allocating goods
and services is a generally accepted
precept”
2 assumptions:
1st – self-interest = economic activity
2nd – unlimited wants but limited
resource
If economic actors act according to
self-interest, what ensures that that
self-interest will not lead to
abuse/greed? Market Competition
Elements of the national competition
policy (NCP)
1. pro-competitive policies and
government intervention
2. competitive neutrality
3. enforcement of competition related
laws and issuances by PCC
Applicability: any person engaged in
trade, industry and commerce in the
Philippines
Non-applicability: does not apply to
labor related matters/activities
Types of anti-competitive conduct:
1st = anti-competitive agreements (Sec
14)
11
Data Privacy Act and Philippine Competition Act
- per se standard (US influence)
- object or effect standard (EU
influence)
Horizontal agreement = between
competitors (par a and b)
Vertical agreement = peers of the
different stages of production,
distribution or marketing shares (par
c)
Price-fixing – competitors collude with
one another to fix prices of goods or
services, rather than allow prices to be
determined by market forces
Cover bidding – occurs when
competitors agree to submit bids that
involve either submitting a bid that
contains terms that are known to be
unacceptable to the purchaser
Bid-suppression schemes –
agreements among competitors in
which one or more companies agree to
refrain from bidding or to withdraw a
previously submitted bid so that the
designated winner’s bid will be
accepted
Output-limitations – agreements
which, among others, limit output or
control production by fixing production
levels or setting quotas, or agreements
which deal with structural overcapacity
or coordination of future investment
plans
Market-sharing – producers restrict
their sales of goods and services to
certain geographic areas, developing
local monopolies
Agreement – any type or form of
contract, arrangement, understanding
or concerted action whether formal or
informal, explicit or tacit, written or
oral
A genuinely unilateral measure, taken
without the express or implied
participation of another undertaking is
not an agreement under competition
law
Object or effect: anti-competitive
effect is measured against the
procompetitive justification/s if any
Efficiency gains – those which
contributes to improving the
production or distribution of goods and
services or to promoting technical or
economic progress, while allowing
consumers a fair share of the resulting
benefits, may not necessarily be
deemed a violation of this Act
Improvement cannot be subjective to
the parties involved. Improvement
must in particular show appreciable
objective advantages of such a
character as to compensate for the
disadvantage which they cause in the
field of competition
2nd = abuse of dominance
2 concepts:
a. dominant position – position of
economic strength that an entity or
entities hold which makes it capable of
controlling the relevant market
independently
b. abuse
relevant market:
1. product market
2. geographic market
Relevant product market factors:
1. reasonable (as opposed to limited)
interchangeability of the offerings to
consumers
2. significant cross-elasticity of
demand, such that a price change in
one party’s goods or services will lead
12
Data Privacy Act and Philippine Competition Act
to a price change in the other party’s assets; or
goods or services b. gross revenue
generated here
National Federation of Hog Farmers vs by said assests
Board of Investments – to determine
whether products are “available 2nd
substitutes” or “reasonably Assets outside BOTH >
interchangeable”, one factor the Philippines: threshold
considered should be the consumer a. aggregate
response or cross-elasticity or value of assets
tendency or lack of tendency of here of the
consumers to switch from the acquiring entity;
plaintiff’s products to the defendant if and
it were to raise its prices or vice versa b. gross revenue
generated in or
Relevant geographic market – into Philippines
comprises the area in which the entity by those assets
concerned is involved in the supply outside the
and demand of goods and services in Philippines
which the conditions of competition
are sufficiently homogenous 3rd
Assets inside and BOTH >
There is a presumption of market outside the threshold
dominant position if the market share Philippines:
of an entity in the relevant market is at a. aggregate
least 50% unless a new market share value of assests
threshold is determined by the here of the
commission for that particular sector acquiring entity;
and
Abuse: conduct/s that substantially b. gross revenue
prevent, restrict or lessen competition: generated in or
a. exclusionary into Philippines
b. exploitative by:
1. assets
3rd = prohibited mergers and acquired in the
acquisitions Philippines and
Compulsory notification 2. assets
2 tests: acquired outside
a. size of party test – exceeds 6 billion the Philippines
b. size of transaction test – exceeds 2
billion 4 hundred million 4th – proposed acquisition of (i) voting
shares of a corporation or of (ii) an
Proposed mergers and acquisitions: interest if a non-corporate entity
1st a. aggregate > threshold
Assets in the > threshold value of the
Philippines: assets in the
a. aggregate Philippines
value of said
13
Data Privacy Act and Philippine Competition Act
owned by; or
b. gross
revenues from
sales in into or
from the
Philippines of the
acquired entity
c. acquisition of > 35% of
voting shares outstanding
(corporate) / voting shares (if
interest (non- corporate) or
corporate) will aggregate
result in the interest entitling
acquiring entity the acquirer to
owning 35% profits or
assets (if non-
corporate)
d. 50% if > 35% before
acquiring entity the acquisition
already owns

Acquisition – purchase of securities or

assets, through contract or other
means, for the purpose of obtaining
control

An agreement consummated in
violation of the requirement to notify
the Commission shall be considered
void and subject the parties to an
administrative fine of 1% to 5% of the
value of the transaction

Can a party who consummated the

agreement but failed to notify the
Commission invoke Sec 20? No.
Agreement be considered void and
independent from Sec 20.

Criminal consequences, PCA:

Anti-competitive agreements: per se
(Section 14a) and object/effect
(Section 14b) = imprisonment