Philippines: Data Privacy Act of 2012 – Understanding the treatment of foreign persons' personal data

Ten years after the implementation of the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), and six years after the creation of the National Privacy Commission ('NPC') through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs'), the ambiguity of the Act on the treatment of foreign persons' personal data has been clarified to some extent. OneTrust DataGuidance provides an analysis of the treatment of foreign persons' personal data under the Act, featuring insights from JJ Disini, Managing Partner at Disini & Disini Law Office.


What is the legal status of foreign persons' personal data under the Act?

On this point, Disini stated "As a general rule, the Act protects all personal information regardless of its source or the citizenship of the data subject. The [Act] will provide protection if the personal information controller or processor is located in the Philippines even though the information may have come from a foreign source or the data subject is not a Philippine citizen or resident."

However, Section 4(g) of the Act establishes that 'The Act does not apply to personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.'

In addition, Section 5(f) of the IRRs provides further details on the exclusion of residents from foreign jurisdictions, highlighting that '[…] Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines. The burden of proving the law of the foreign jurisdiction falls on the person or body seeking exemption. In the absence of proof, the applicable law shall be presumed to be the Act and these Rules'.

What are the legal requirements regarding the processing of foreign persons' personal data under the Act?

However, concerning Section 4(g) of the Act, which appears to exclude foreign persons' personal data, Disini outlined "[T]his provision was intended to serve the interests of the business process outsourcing ('BPO') sector which regularly collects and processes the data of foreign nationals coming from countries whose laws governing such information may conflict with each other. The law was therefore designed to remove the protection of the Philippine statute and provide space for the parties to agree on which legal regime to adopt. In short, a controller from the European Union can agree with a Philippine BPO that the governing law of their agreement is the GDPR while an American controller may choose to impose a different legal regime."

Nonetheless, Disini added "In the absence of an agreement, however, such data is not protected by the Data Privacy Act. But this is not to say that no protection is afforded under Philippine law. The Cybercrime Prevention Act (Republic Act No. 10175) ('the Cybercrime Act') provides hefty criminal penalties for the crime of 'Identity Theft' which includes the processing of personal information without right. Indeed, the prison term under the Cybercrime Act exceeds that provided under the Data Privacy Act."

In addition, the NPC has provided various Advisory Opinions on the processing of personal information from foreign jurisdictions in specific instances. In particular, the NPC highlighted in NPC Advisory Opinion No. 2017-045 'Issues Concerning Personal Information Obtained from Foreign Jurisdictions under Implementing Rules and Regulations of Republic Act No. 10173' ('Advisory Opinion 2017-045') that 'BPOs, by the very nature of their operations, process volumes of personal data as a core activity'. Nonetheless, the NPC held, in Advisory Opinion 2017-045, that 'A government agency or a private company involved in the processing of personal data, as a general rule, must be within the scope of the Act, subject to provisions of the law on extraterritorial application.'

Likewise, the NPC solidified this approach in NPC Advisory Opinion No. 2018-022 'Scope and Coverage of the Data Privacy Act', providing that the Act 'and its rules and issuances apply to entities involved in the processing of personal data that are found established or in the Philippines and when such processing is done in the country. Accordingly, the nationality and/or residence of the data subjects are immaterial.'

Further, regarding the applicability of foreign jurisdictions' personal data laws, Disini commented "Also, it should be stressed that if the personal information was collected from the foreign national in violation of the law where he resides, the Act will apply, and the data subject's privacy rights [will be] fully protected under the [Act]. This means that foreign victims of unauthorised processing and collection of their personal information can avail of the remedies under the Act and also the Cybercrime Act."

Conclusion

In line with the information provided above, Disini concluded that, "[...] it is incorrect to say that the personal information of foreign nationals in the Philippines is not protected. It is more accurate to say that the law provides for space for the parties to select the legal regime that will govern the processing of the information in the Philippines. This provides the most flexibility for local BPO companies as they can adopt different standards as may be demanded by their clients. On the off chance the parties do not come to an agreement to apply an alternative legal regime, then the Cybercrime Act steps in to provide criminal remedies to the foreign data subjects."

Harry Chambers Privacy Analyst

Comments provided by:

JJ Disini Managing Partner
Disini & Disini Law Office, Quezon City