An interview with Calleja Law discussing privacy & cybersecurity in the Philippines

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The past year saw the appointment of a full-fledged secretary of the new Department of Information and Communications Technology (DICT) in the person of former senator Gregorio Honasan who took over from acting secretary Eliseo Rio. Under Republic Act No. 10844, the DICT is tasked, among other duties, to formulate a national cybersecurity plan; to provide countermeasures to address and anticipate all incidents affecting Philippine cyberspace and cybersecurity threats to the country; and to monitor cybercrime cases handled by agencies under its supervision. The DICT exercises oversight function over the National Privacy Commission (NPC), the National Telecommunications Commission, and the Cybercrime Investigation and Coordination Centre (CICC).

On 12 September 2019, the privacy commissioner supported the institutionalisation of code of ethics and adoption of a code of conduct by the fintech industry. This will lead fintech companies to be more prudent and responsible in processing their clients’ personal data.

On 6 March 2020, the NPC extended until 31 August 2020 the validity of registration of personal information controllers (PICs) and personal information processors (PIPs) to make way for a new automated system to be launched in July 2020.

Recognising the challenges facing the nation due to the covid-19 pandemic, the NPC issued PHE Bulletin No. 3 on 19 March 2020. The purpose of the guidelines was to support the health system frontliners to properly and effectively use personal data to ensure the safety and security of everyone. The principles behind the guidelines were ‘collect what is necessary’ and ‘disclose only to the proper authority’.

To prevent unauthorised disclosures of sensitive personal information, the NPC issued PHE Bulletin No. 10 on 25 April 2020. It provided guidelines for health institutions and their data protection officers (DPOs) to strengthen the protection of patient data.

Seeking to protect personal data under a work-from-home (WFH) arrangement, the NPC issued PHE Bulletin No. 12 on 15 May 2020. The NPC provided guidelines on general security measures that organisations operating under a WFH setup and individuals working on their own can take, not only during the pandemic but whenever a telecommuting arrangement is implemented.

Recognising the importance of effective contact tracing as part of the government’s strategy and plan of action against covid-19, the NPC issued PHE Bulletin No. 13 on 22 May 2020. The NPC coordinated with the Department of Health (DOH) to ensure that its guidelines are consistent with the Data Privacy Act (DPA). Through this collaborative effort, the DOH released Department Memorandum No. 2020-0189, which contained provisions on how to properly conduct effective contact tracing of close contacts of confirmed covid-19 cases while being mindful of data privacy and the rights of data subjects.

Almost seven years ago, the DPA was enacted by Congress but is now in need of an upgrade. At present, there are two pending bills in Congress seeking to amend the DPA: House Bill No. 1188, which seeks to impose stiffer penalties on violations of the law, and House Bill No. 5612 covers a wide range of issues and is poised to have a tremendous impact on the implementation of the law.

The NPC was tasked to lead the newly formed covid-19 task force of the Global Privacy Assembly, instituted to guide 134 jurisdictions around the world in enabling effective government response to the pandemic while continuing to protect citizens’ personal data and privacy. Privacy commissioner Raymund Enriquez Liboro commenced his chairmanship of the task force in an inaugural meeting on 26 May, coinciding with the Privacy Awareness Week 2020. The task force aims to drive practical responses to privacy issues emerging from the pandemic, as well to assist its membership with insight and best practices. Initially, it will train its focus on two strategic fronts: data protection for contact tracing applications, and privacy in a post-crisis landscape where countries begin to ease their covid-19 restrictions.

In this regard, personal data and technology have become essential in helping governments respond to the covid-19 pandemic. From contact tracing and disease surveillance applications, to covid-19 testing as people start going back to the workplace, data protection and privacy have never been more important.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Notification, within 72 hours, to the regulator (NPC) or the data subjects is required upon knowledge of or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. Notification is required when these key factors are present:

The personal data involves sensitive personal information or other information that may be used to enable identity fraud. For this purpose, ‘other information’ shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licences or unique identifiers such as Philhealth, social security, government service insurance or tax identification numbers; or other similar information, which may form the basis of decisions concerning the data subject, including the grant of rights or benefits.
There is reason to believe that the information may have been acquired by an unauthorised person.
The personal information controller or the Commission believes that the unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
In case of doubt regarding the need for notification, the personal information controller should consider: the likelihood of harm or negative consequences on the affected data subjects; and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred. The personal information controller should also consider if the personal data reasonably believed to have been compromised involves: (i) information that would likely affect national security, public safety, public order, or public health; (ii) at least 100 individuals; (iii) information required by applicable laws or rules to be confidential; or (iv) personal data of vulnerable groups.

Moreover, a discovery of any vulnerability in the data processing system that would allow access to personal data should prompt the personal information controller or the personal information processor, as the case may be, to conduct an assessment and determine if a personal data breach has occurred. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

The data breach notification should contain the following information:

nature of the breach, including: a description of how the breach occurred and the vulnerability of the data processing system that allowed the breach; a chronology of the events leading up to the loss of control over the personal data; approximate number of data subjects or records involved; description or nature of the personal data breach; description of the likely consequences of the personal data breach; and name and contact details of the data protection officer or any other accountable persons;
personal data possibly involved, including description of sensitive personal information involved; and description of other information involved that may be used to enable identity fraud; and
remedial measures taken by the legal entity to address the breach, including: description of the measures taken or proposed to be taken to address the breach; actions being taken to secure or recover the personal data that were compromised; actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident; action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification; and the measures being taken to prevent a recurrence of the incident.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

As soon as the cause of the data breach is determined, the most important issue that companies must address is that of damage control or seeking to reduce the harm or the negative effects of the data breach. Appropriate security measures must be implemented in order to contain the damage to the company or individual at the time the data breach is discovered. Depending on the company involved, such measures could include putting up a crisis management team. A public relations consultant should be made part of the crisis management team, as occurred in the ‘unauthorised breach’ of Cebu Pacific’s website database to assure the travelling public that their personal data had not been compromised. After a thorough investigation, the data protection officer (DPO) of Cebu Pacific determined and reported to the NPC that the extent of the breach was limited to passengers during a specific period. Through the efforts of the crisis management team, the affected data subjects of the breach were duly informed and were provided with specific precautions and other measures they may take to protect themselves. Without such action, loss of trust and confidence of the data subjects could have readily resulted from the data breach especially if sensitive personal information is stolen.

Secondly, it is imperative that the affected company or individual must investigate how the data breach occurred and then identify relevant measures to make their computer networks impregnable. The Philippines has seen a surfeit of hacking incidents since the effectivity of the DPA in 2012. Foremost among these was the Commission on Elections (COMELEC) data breach on 27 March 2016: hackers under the banner Anonymous Philippines hacked into the website of the COMELEC and defaced it 43 days before the 9 May 2016 national elections. The hacking affected the precinct finder, video demonstration and search function of the website. The website’s interface changed and it was found that every registered voter in the Philippines became susceptible to fraud and other risks. The COMELEC spokesperson admitted that the security of the website was not high. However, it was pointed out that the automated voting system (AVS) ran on a different, more secure network and that the recent hack would not affect the machines. The COMELEC expressed its confidence regarding the security features of the AVS and reassured the public that things would go smoothly during the elections. However, further investigation revealed that massive records of personal identifiable information (PII), including fingerprint data, were leaked. With 55 million registered voters in the Philippines, this leak could turn out as one of the biggest government-related data breaches in history, surpassing the Office of Personnel Management hack in 2015 that leaked PII, including fingerprints and social security numbers, of 20 million US citizens.

Even though the 9 May 2016 national elections took place and resulted in the election of the current president, Rodrigo Duterte, the COMELEC was not off the hook for the massive data breach. On 5 January 2017, the NPC recommended the filing of criminal charges against COMELEC chairman Andres Bautista in the aftermath of the ‘Comeleak’ incident. According to the NPC, the chairman’s culpability lied in his failure to take adequate measures to secure the COMELEC’s voter registration databases, which contains what the law defines as personal and sensitive personal information. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access. The willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The negligence was so glaring that despite the effectivity of the Data Privacy Act, the COMELEC didn’t have a DPO as mandated by law.

Thirdly, the affected government agency, company or individual must undertake remedial measures to eliminate the possibility of a future recurrence of the data breach. In the case of the COMELEC, the first order of the day was to appoint a DPO. A DPO should monitor the PIC’s or the PIP’s compliance with the DPA, its Implementing Rules and Regulations (IRR), issuances by the NPC and other relevant laws. The DPO should also ensure the conduct of a privacy impact assessment (PIA) relative to an agency or company. The DPO is also tasked to ensure data subjects’ rights are respected; ensure proper breach management; cultivate internal awareness of data privacy; advocate a privacy-by-design approach; serve as contact person for privacy matters; and serve as conduit with the NPC.

If the COMELEC had appointed its DPO as early as 2013 and conducted a PIA, its data breach could have been prevented. The PIA is used to assess and manage privacy impacts in planned or existing systems technology. The PIA will enable the DPO to identify, evaluate and mitigate the risks associated with the personal data processing; assist the PIC and PIP in preparing the records of the processing activities; aid PICs and PIPs in maintaining the privacy management programme; promote compliance by the PIC of PIP with the DPA and related laws; and assist the PIC or PIP in addressing privacy risks by allowing it to establish a control framework. In effect, a PIA is an effective means of preventing or reducing the occurrence of a personal data breach in any organisation. The organisation must resolve whatever risks are determined by the PIA by investing in appropriate data privacy security measures.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

Data privacy consciousness and cybersecurity preparedness should begin from the top. The CEO should drive within the organisation to comply with the DPA. All those who are handling personal data should be properly trained and issued with security clearance. Learning from the COMELEC data breach, the CEO (or head of agency) should designate a DPO and ensure that he or she has access to top management. It is important that the DPO is up to date on strategic issues and change drivers that are impacting his or her company or agency. The CEO needs to form a data protection task force and crisis committee. The crisis committee must be made up of the DPO’s team and external personnel such as cybersecurity consultants, legal counsel and a public relations practitioner. This allows DPO skills, expertise and tasks to be distributed across the entire DPO team. But it should be clear who holds overall responsibility and accountability.

The CEO should send an announcement throughout the organisation that the DPO is the ‘Privacy Champion’ and the point of contact within the organisation for anything related to compliance with the DPA. Compliance with the DPA should be made part of the performance bonus criteria of divisions of the organisation that are involved with privacy compliance such as HR, legal, IT and security. The CEO can ensure that all service provider contracts and job orders are compliant. For example, all service providers must have their own DPO.

The DPO should take the lead by using the results of the PIA to begin drawing up his or her organisation’s control framework for privacy and data protection. He or she should initiate an IT security audit and review the audit results with top management. The DPO can establish a breach management framework for the organisation and conduct breach management drills prioritising those processes with the highest privacy risk. The goal of the framework is to clearly define how a data breach incident will be managed in such a way that minimises damage to the organisation and reduce down time and related expenses. Finally, he or she should also coordinate the strategies to mitigate privacy risks identified within the organisation.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Yes, there are special data security and privacy concerns that companies should consider when moving personal data to the cloud. Cloud computing exposes organisations to substantial new security risks, which often means taking a new approach to cloud security. Given the challenges and risks, it is no surprise that security and data protection remain the chief concerns for cybersecurity professionals in moving to the cloud. Organisations must analyse these risks against the benefits of lower costs and greater flexibility. There are ways to mitigate these risks and reduce these concerns. In addition, it is important to work with a provider that is not only focused on security, but also takes extra steps to strengthen protections against data loss, threats to data privacy and breaches of confidentiality.

As companies continue to transform their businesses with technology, the cloud has become a vital platform for data management. In leveraging the cloud as a data management platform, organisations should use providers that are focused on security. Personal data is particularly important to risk, and the impact of a breach or compliance event can have a devastating impact on a company’s business.

In the Philippines, companies are reluctant to fully utilise third-party cloud hosting even if their own data centres may be compromised. However, many companies feel that they lose control and privacy if they entrust their data to a cloud hosting environment. Because the cloud handles enormous amounts of data, local companies are wary that the cloud may be subject to hacking. Moreover, the company must remember that in the case of a data breach, accountability belongs to it rather than the cloud host provider. This is why it is imperative to have an outsourcing agreement to enable the client company to claim damages against the cloud host provider in the event of misuse, alteration or negligence in handling the data.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Stemming from its status as a leading player in the business processing outsourcing industry, the Philippine government has been proactive in addressing cybersecurity threats and criminal activity. Since the enactment of the Data Privacy Act on 20 March 2012 the NPC has been consistent in the enforcement of the DPA as exemplified in its investigation and decision in the COMELEC data breach (see question 3), which occurred in 2016; and in compliance checks with many companies engaged in the handling of consumer data such as banks, public utilities and transport companies that were involved in data breaches. The NPC is also very active in its efforts to create greater awareness by the general public on data privacy as evidenced by the NPC’s conduct of seminars, conferences and webinars, including a bi-monthly forum for data protection officers. The NPC’s plethora of activities clearly shows its commitment to building an upward trend towards data privacy awareness and enforcement in the country. In the light of the COMELEC data breach, the government has committed to invest 5 billion pesos to enhance cybersecurity and train the national police and prosecutorial system to enforce the DPA and the Cybercrimes Act.

On 18 February 2014, President Benigno Aquino III signed the Cybercrime Prevention Act (CPA). This law contributes additional protection to data within the Philippines by adding protection against illegal access and interception of data, and also incorporates online libel punishments. The implementing rules and regulations of the Cybercrime Prevention Act of 2012 were issued by the Department of Justice, the Department of Science and Technology, and the Department of Interior and Local Government. The Office of Cybercrime within the Department of Justice was designated as the central authority in all matters relating to international mutual assistance and extradition.

The number of cybercrime cases investigated by the Philippine National Police (PNP) went up by almost 80 per cent last year, according to the PNP’s Anti-Cybercrime Group (PNP-ACG). The PNP-ACG investigated 4,103 cybercrime cases in 2018, which is 79.64 per cent higher than the 2,284 cases probed in 2017. In 2013, when the ACG was created, there were only 149 cases reported, the agency said. Of the 4,103 cases, 1,041 were online libel, the most prevalent cybercrime in 2019. This was followed by online scams (1,012), photo and video voyeurism (415), identity theft (395) and online theft (364). The remaining 876 cases were of various offences. Since its inception six years ago, the ACG has investigated 10,109 cybercrime cases. With the help of foreign counterparts and stakeholders, the ACG, which is in the process of modernising through extensive training process and equipment, will continue to expand its role as the vanguard of cybersecurity.

Republic Act No. 10844 or the Department of Information and Communications Technology Act of 2015 (DICT Act) was signed into law on 23 May 2016. It created the DICT, which is mandated to be the primary policy, planning, coordinating, implementing and administrative agency of the executive branch of the Philippine government, and is tasked to plan, develop and promote the national information and communications technology (ICT) development agenda.

The DICT Act abolished all of the agencies and units of the former Department of Transportation and Communications dealing with communications such as the National Computer Centre, the National Telecommunications Training Institute, the Information and Communications Technology Office, the Telecommunications Office and the National Computer Institute. The powers, functions, appropriations, personnel and property of these agencies are transferred to the DICT. Existing agencies pertaining to ICT were also attached to the DICT for policy and programme coordination, such as the National Telecommunications Commission, the NPC and the CICC.

The CICC further underscores the Philippine government’s commitment to mitigate cyberthreats by means of enhanced monitoring and response capabilities. The CICC is responsible for all functions related to cybersecurity including the formulation of the Philippines National Cybersecurity Plan, the establishment of the National Computer Emergency Response Team, and the facilitation of international cooperation on intelligence regarding cybersecurity matters. Some of the crucial powers of the CICC include: (i) to coordinate the preparation of appropriate and effective measures to prevent and suppress cybercrime activities under the CPA; (ii) to monitor cybercrime cases being handled by participating law enforcement and prosecution agencies; and (iii) to facilitate international cooperation on intelligence, investigations, training and capacity building related to cybercrime prevention, suppression and prosecution.

The holistic, inter-agency approach being utilised by the Philippine government illustrates its commitment to and focus on the importance of cybersecurity and will certainly lead to the enhancement of regulatory developments in the future. In 2017, the DICT launched the National Cybersecurity Plan 2022 (NCP 2022) designed to protect internet users from cyberthreats. The plan maps the cyberthreat landscape, envisions strategic solutions, identifies key areas to address, and promotes a whole-of-society approach to the problem. In a message for the unveiling event, President Duterte cited the DICT’s ‘crucial role in the government’s effort to address the challenges brought about by global inter-connectivity’. He lauded the DICT for coming up with the cybersecurity plan that ‘aims to deal with these challenges and improve our people’s confidence in the ICT sector’.

It is the intention of the NCP 2022 to shape the policy of the government on cybersecurity and the crafting of guidelines that will be cascaded to all levels of a government. The plan is crucial in fulfilling the DICT’s mandate to ensure ‘the rights of individuals to privacy and confidentiality of personal information’, and their ability to provide guidance to agencies governing and regulating the ICT sector. The key pillars of the plan are consumer protection and welfare, data privacy and security, the fostering of healthy competition in the sector and the growth of the ICT sector.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

While a merger or acquisition may make sense for the companies involved, in today’s knowledge economy it would be fatal not to give due importance to risks from privacy and data security issues. The operative word is protection of data. In fact, an M&A transaction can be a cybersecurity challenge. Taking into consideration that a company’s greater inherent value lies in its intangible assets, this underscores the vulnerability of companies to data breaches and cyberattacks. It is then the responsibility of the company’s management to ensure that its most valuable assets are protected and that its cybersecurity is as ironclad as possible. The risks may be far-reaching but with proper planning and research, these may be overcome by making the process smoother and seamless.

When we are consulted by selling shareholders of data-laden concerns such as banks, hospitals, schools, retailers, telecommunications companies and even restaurants, we strongly recommend legal due diligence to be undertaken by certified information privacy experts. In doing so, said experts can scrutinise with a fine-toothed comb from the perspective of the acquiring party. By segregating potential non-compliance with the DPA and its IRR at the outset of the transaction, common mistakes can be avoided and remedial action can be made in advance. The primary objective here is to preclude the acquiring party from undervaluing the stock purchase price upon discovery by the acquiring party’s legal counsel of any discrepancy.

With the advent of ASEAN unification in 2015, cross-border M&A activities increased as Philippine companies sought opportunities to establish a presence in other South East Asian countries. Companies engaged in the retail of financial or investment instruments will certainly be involved in processing of clients’ personal data. It is increasingly important for legal experts to have a working knowledge of data protection laws of other countries where their clients may set up their businesses. While most data privacy laws in ASEAN countries have similar definitions of personal data, sensitive personal data, the concept of consent and the principle of accountability, the senior management of companies pursuing a merger should ensure that a comprehensive legal due diligence is done by certified information privacy experts who have a deep understanding of the prevailing data privacy and security laws. Only then will they be able to provide relevant advice that can lead to sound business judgement.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

Clients have come to require and demand individualised representation of the highest quality from their legal counsel. This can only come from extensive training, experience and wide-ranging expertise in handling all legal aspects of ICT. These attributes are most crucial in the context of cybersecurity incidents, where inexperience can lead to wasted time and resources.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The emergence of fintech and competition from technology firms venturing into consumer finance have made data privacy and cybersecurity more interesting indeed. Consequently, this has necessitated the implementation of internationally recognised data management framework. The importance of data privacy is growing across the Asia-Pacific region, as people are increasingly immersed in a digital world. Smart city initiatives are aiming to improve citizen safety, fuel economic growth and enhance quality of life.

How is the privacy landscape changing in your jurisdiction?

Compared to its ASEAN neighbuors, the NPC set a high bar for data privacy, when the DPAs implementing rules and regulations went into effect in September 2016. The law requires consent, accompanied by data subject disclosures, for any private-sector data sharing. Organisations must appoint a data protection officer. There are two pending bills in Congress seeking to amend the DPA: House Bill No. 1188, which seeks to impose stiffer penalties on violations of the law; and House Bill No. 5612, which covers a wide range of issues and is poised to have a tremendous impact on the implementation of the law.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

There has been a noticeable increase in ransomware attacks, phishing, hacking and identity theft in the past year.

Calleja Law - Anthony B Peralta

Also available at