Philippine privacy regulator gearing up to impose new fines despite challenges

“I personally can't wait for the fines to be imposed,” a data privacy officer for a listed Philippine company told MLex.

The sentiment might come as a surprise, but the DPO, who asked not to be named, explained that the threat of fines would make his job easier.

“It’s going to help me with subsidiaries that don't necessarily process a lot of data,” he said.

This response is exactly what the National Privacy Commission, or NPC, is hoping for once it finalizes and issues its long-awaited circular on administrative fines. The latest draft lists penalties ranging from 0.25 to 3 percent of an erring company’s annual gross income in the year immediately preceding the violation, up to a maximum of 5 million pesos ($96,000) for a single act.

While the maximum fine is a fraction of the headline-grabbing data privacy penalties seen in other countries, deputy privacy commissioner Leandro Aguirre told MLex that they wanted companies to realize they can spend that amount on compliance instead of risking both a financial penalty and reputational damage.

“We wanted to come up with a figure that would incentivize compliance,” he told MLex in an interview in Manila. “With this, you can tell management that based on a cost-benefit analysis, it makes sense to spend on compliance.”

The circular, which has already been through two rounds of public consultations, could be issued by the end of May or early June.

Needed power

The administrative fines are expected to give the six-year-old regulator the power it needs to fully function as a quasi-judicial authority.

Currently, the NPC awards nominal damages, such as the 15,000-pesos (less than $300) East West Banking Corporation was ordered last February to give to a borrower who complained after being harassed by a third-party collection agency.

The commission also imposes penalties such as cease and desist orders or bans on the processing of personal data, or can even order the establishment of a helpdesk for affected data subjects such as in the case of a 2018 Facebook breach.

But Aguirre has argued that these remedies are not enough to cover the different kinds of violations of the law.

For major breaches, the commission can also recommend a person for criminal prosecution by the country’s justice department, which critics say targets individuals instead of the corporation.

“From the company perspective, it’s not the company that will be penalized but the individual, so there's a weird incentive that happens,” Aguirre said.

At the same time, it makes investigations more difficult, because determining which person is ultimately responsible for a company’s violation is a complicated task.

Besides, the country’s snail-paced justice system means no case has yet been prosecuted. Aguirre said they have three or four recommendations for prosecution — including one versus telecommunications company PLDT Enterprise dating back to December 2020, and the first versus an online-lending company involved in a spate of malicious disclosures of borrower information in 2018 and 2019 — currently being challenged before the appeals court.

Stronger incentive

With the administrative fines, can companies be expected to sit up straight and pay closer attention?

For multinational companies that already spend a substantial amount on data privacy compliance, these fines would hardly be noticed, according to data-protection advocate and former NPC director Jamael Jacob.

“For the big ones, the ones whose violations have a large impact, it might not be a sufficient deterrent,” he told MLex.

But some local companies — including a number of stubborn ones “who still insist on their own definition of the law, who think they’re big enough” — are at risk, according to another former NPC official.

And even though the maximum fine of 5 million pesos is relatively small, the listed company’s DPO told MLex “a recurring 5 million risk because of systemic failure can affect reputational risk” that can still put his job on the line.

“If the fine hits a subsidiary that's on life support, it can be fatal. Especially for an avoidable mistake, since most privacy initiatives cost way less than 5 million pesos over the life of the activity,” he said. 

Enforcement challenges

There’s widespread expectation, however, that the NPC will face a legal challenge over these fines.

“We are expecting it to be challenged,” Aguirre said.

The question — stemming from the fact that the power to issue fines is not expressly stated in the 2012 Data Privacy Act — has already been raised during the public consultations. But the commission has defended its decision by arguing that it had to be able to impose fines in order to effectively function as a quasi-judicial authority.

It’s therefore highly likely that the first NPC decision imposing a major fine will find itself before the appeals court again. And while the question over the legality of this power makes its way through the country’s judicial system, the commission might be constrained from imposing any further fines.

But that problem will have to wait until the NPC actually implements the circular, which brings up another enforcement challenge — the commission’s limited resources.

“Realistically, I think it will take a while before we start implementing this, especially since we’re looking at a prospective application,” Aguirre said. “We still have a lot of pending cases with us.”

The commission, now led by former deputy commissioner John Naga, is working on boosting and reorganizing its ranks to improve its enforcement efficiency. To date, Aguirre said they still only have three full-time lawyers, supported by contractual workers to help decongest the regulator’s caseload.

On top of this, the NPC is looking to amend outdated issuances and come up with positions on emerging technologies like artificial intelligence.

So even if the commission manages to issue the circular on administrative fines soon, it will likely be a while before its impact is felt.