NPC releases Draft Circular on Administrative Fines

The National Privacy Commission (Commission) has released a draft Circular on administrative fines to be imposed by the Commission for violations of the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and other issuances and orders of the Commission. The draft Circular remains subject to comments, suggestions, and opinions from concerned organizations, stakeholders, and other interested parties.

The Draft Circular enumerates the following infractions and corresponding penalties, as follows:

  • for violation of any of the general privacy principles in the processing of personal data, pursuant to Section 11 of the DPA; failure to comply with the conditions for consent, pursuant to Section 3 (b) of the DPA; violation of any of the data subject rights pursuant to Section 16 of the DPA; violation of any of the data subject rights pursuant to Section 16 of the DPA; failure to implement reasonable and appropriate measures to protect the security of personal information, pursuant to Section 20 (a) (b) (c) (e) of the DPA; or failure to notify the Commission and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA – the proposed fine is between 1% to 5% of the annual gross income;
  • for failure to ensure that third parties processing personal information on their behalf shall implement security measures, pursuant to Section 20 (c)(d) of the DPA – the proposed fine is between 0.5% to 4% of the annual gross income;
  • for failure to comply with any order by the Commission, or of any of its duly authorized officers, pursuant to Section 7 of the DPA – the proposed fine is an amount not exceeding Php 50,000 in addition to the fine imposed for the infraction subject of the Order of the Commission (e.g. if Order pertains to implementation of security measures, fine for that infraction will be added to Php 50,000);
  • for failure to register true and updated information with the Commission the identity and contact details of the personal information controller, the data processing system, and information on automated decision making – the proposed fine is not less than Php 50,000 but not exceeding Php 100,000.

The draft Circular also provides that administrative fines will be imposed only after notice and hearing. For purposes of assessing the fines, the NPC may require personal information controllers and processors to submit its latest audited financial statements filed with the appropriate tax authorities, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as may be deemed relevant and appropriate.

Under the draft Circular, the NPC has the discretion to decrease the imposed fines upon demonstrable financial hardship that the PIC or PIP may sustain if the basic fine is imposed. If the Commission finds that a decrease is appropriate, it may take into account the gravity, the duration of the violation, and the presence or absence of intent to violate in determining the appropriate amount of the fine.

Lastly, the draft Circular provides that refusal to pay the adjudged administrative fine may result in contempt proceedings under the Rules of Court, cease and desist orders, temporary or permanent bans on the processing of personal information, and other processes or reliefs as the Commission may be authorized to initiate under the DPA.

The NPC is inviting comments, suggestions, opinions, and other inputs on the draft Circular until 14 May 2021.