The National Privacy Commission (NPC) conducted an online public hearing on March 22 where the updated draft Circular on Administrative Fines was presented before its stakeholders.
The updated draft consolidates comments from previous hearings, which began in April 2021. In consideration of the comments from the public, the NPC revised the scope to include all personal information controllers (PICs) or personal information processors (PIPs) under the jurisdiction of the Data Privacy Act of 2012 (DPA).
The circular aims to promote organizational accountability and compliance with the DPA by providing optimal deterrence, as further explained by the economic study of the University of the Philippines Law Center.
Specifically, an administrative fine may be imposed based on the annual gross income of PICs or PIPs within the range of 0.25% to 3% for grave violations and 0.25% to 2% for major violations.
One of the notable changes in the current draft is the proposal to include a ceiling for the imposition of administrative fines. As such, a provision limiting the total imposable fine to not more than P5,000,000.00 was inserted. This ceiling applies whether the infraction results in single or multiple violations arising from a single act of PICs and PIPs.
The NPC clarified that a single act is determined on a per-processing-activity basis and not per data privacy principle or data subject right violated.
Privacy commissioner John Henry D. Naga told attendees of the public consultation that the draft circular provides a fair and reasonable system of fines.
“The Data Privacy Act was enacted in 2012 and upon the constitution of the Commission in 2016, it has been actively promoting, educating, and assisting the stakeholders in their common endeavor in complying with the law. By now, we expect PICs and PIPs to have incorporated in their respective processes and implemented necessary measures, to protect data subjects and uphold data privacy rights,” Naga explained.
In computing the imposable fine, the NPC will take into consideration the number of data subjects affected; the degree of negligence, or the intent of the PICs or PIPs that contributed or resulted in the violation; the categories of personal data affected; and the nature, duration, and severity of such infraction, among others.
Meanwhile, to determine the annual gross income of the erring PICs or PIPs, the NPC may review and require the submission of audited financial statements filed with the appropriate tax authorities for the year immediately preceding the violation, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as may be deemed relevant and appropriate for the purpose.
If a particular PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed.
PICs and PIPs who refuse to pay the administrative fines may be subject to a cease-and-desist order, and other processes or reliefs the NPC is authorized to pursue as provided under the DPA or appropriate contempt proceedings under the Rules of Court.
The commission said it is open to receiving comments from its stakeholders regarding the draft circular until April 6, 2022. Any comments may be sent to [email protected].