A couple of days before Christmas, the National Privacy Commission (NPC) managed to release one more policy for 2020: NPC Circular 2020-03. The issuance basically sounds the death knell for Data Sharing Agreements (DSAs), which are a key feature of the Commission’s very own Data Privacy Accountability and Compliance Checklist.
For the uninitiated, DSAs are contracts between two or more entities sharing, transferring, or disclosing personal data to or between one another, while acting as personal information controllers (PICs). As PICs, they each determine the purpose and means of their respective data processing activities. They may agree on the general parameters of the data transfer, but no one really gets to tell the other what to do with the data. For this reason, DSAs are not used in transactions between principals and service providers.
When DSAs were first introduced in the implementing rules of the Data Privacy Act (DPA), and later reiterated in NPC Circular 2016-02, their primary purpose was to give life to the DPA directive stating that all PICs must “use contractual and other reasonable means to provide a comparative level of protection” while personal data under their care are being processed by a third party.
Their use recognized the fact that once you have at least two entities entering into an arrangement, a contract is the most direct (and perhaps best) way for one party to hold the other accountable should something go wrong with their transaction. This explains why contracts are such a huge part of our lives.
In data protection, a contract has a critical function because there are still plenty of places in the world unfamiliar with the concept of data protection. In those areas, there are usually no data protection laws. If there is one, it is usually poorly implemented. An organization that has to transfer personal data to those locations would find contracts an essential tool for exacting accountability from the recipient of its data.
This is the rationale behind the Standard Contractual Clauses introduced in the European Union (EU) and the Model Contractual Clauses recently adopted by the Association of Southeast Asian Nations (ASEAN).
In 2016, the NPC adopted the controller-controller contract template and adjusted it to respond to the needs of the domestic context. By requiring DSAs in most data transfer arrangements, especially in government, the Commission essentially compelled government agencies and their private sector peers to take data privacy seriously.
DSAs had twin objectives: (1) allow data sharing entities to comply with the requirements of the DPA; and (2) compel their contractual partners to do the same. As an added bonus, they also served as a transparency tool by offering those people whose data are affected by a data sharing arrangement a peek into the terms of such arrangement.
Through its newest Circular, the NPC has decided to do away with all of that. The simplest way to explain the issuance is this: it makes DSAs completely optional or voluntary.
It doesn’t matter if we’re talking about intra-country or cross border data transfers, or if government agencies or private entities are involved.
From now on, any PIC that wants to share personal data with another PIC can do so, as long as it believes it has a lawful basis recognized by the DPA. That lawful basis includes any of the special cases identified in the law where the latter’s provisions do not apply. If people want to know if an organization is sharing their data with other PICs, and how, they will have to content themselves with whatever is inscribed in its privacy notice (or consent form, if there is one).
Whatever prompted the NPC to enforce such a major change, it does not say in its Circular. The most likely reason, though, would be a desire on its part to simplify the rules governing data transfers.
To a privacy advocate, this development is a notable setback. From a data transfer regime that actually offered greater protection compared to the EU’s—in the sense that it applied to intra-country data transfers—the country now has one that is manifestly inferior. Its new scheme aligns itself with that of the ASEAN and the APEC Cross Border Privacy Rules systems, both of which rely on voluntary initiatives and give greater weight to the free flow of information, especially in the context of trade. An odd choice, considering no one is out there heaping praises on these two for their effectiveness in providing data protection.
It’s also worth pointing out that this new setup presents a riskier data sharing framework for government-held personal data. The Circular simplifies the data sharing rules so much that it completely ignores the critical difference between personal data processing activities carried out by government entities and those done by private sector organizations.
Government wields immense power when it comes to data collection. It can coerce people into giving up their personal data in a way no private company ever could. Once it gets hold of such data, it has the resources to make it extremely difficult for an ordinary individual to assert his or her rights. Should it decide to make such data available to multiple entities—including private ones—it has a greater chance of keeping such activity secret and also has better odds at fending off any legal challenge.
It is why the DPA has an entire section dedicated to the security of sensitive personal information in government. And it was also why DSAs were supposed to be a fixture in data sharing arrangements involving government agencies.
Maybe the NPC is so convinced most organizations are already compliant with the DPA that egging them on through contracts has already outlived its use. Maybe it believes most of them already have data protection officers, working privacy programs, and effective grievance mechanisms, so that they can just rely on these “other reasonable means” to make sure the data they share are sufficiently protected.
Given the state of data protection in the country, it’s unlikely any of that is true. One has to believe it is, though, in order to make sense of this new policy. Whether or not the NPC intended for it to be this way, its writing on the wall is clear: nobody really needs DSAs, except that they’re good for display.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to firstname.lastname@example.org.