NPC releases further updated draft circular on administrative fines

The National Privacy Commission (“Commission”) has further updated its draft Circular on the Guidelines on Administrative Fines (“Draft Guidelines”). Compared with the previous draft released in 2021, the Draft Guidelines change the nomenclature of the range of violations from “Tiers 1 to 4” to “Grave”, “Major”, and “Other” violations (collectively, “Violations”).

The proposed fines for each of the Violations are the following:

  1. For “Grave” violations, the proposed range of penalty is 0.5% to three percent (3%) of the violating entity’s annual gross income for the year immediately preceding the violation. “Grave” violations are the following:
    • For each violation of any of the general privacy principles in the processing of personal data, pursuant to Section 11 of the Data Privacy Act (“DPA”), where the total number of affected data subjects exceeds one thousand (1,000);
    • For each violation of any of the data subject’s rights enumerated in Section 16 of the DPA;
    • Repeating the same violation/infraction, including repetition of lesser violations/infractions (i.e., “Major” and “Other” violations). Thus, any repetition of a “Major” or “Other” violation shall automatically be considered a “Grave” violation.
  2. For “Major” violations, the proposed range of the penalty is 0.25% to two percent (2%) of the violating entity’s annual gross income for the year immediately preceding the violation. “Major” violations are the following:
    • For each violation of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects does not exceed one thousand (1,000);
    • For each violation of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects does not exceed one thousand (1,000);
    • Any failure by a Personal Information Controller (“PIC”) to implement reasonable and appropriate measures to protect the security of personal information, pursuant to Section 20(a), (b), (c), and (e) of the DPA;
    • Any failure by a PIC to ensure that third parties processing personal information on its behalf implement security measures, pursuant to Section 20(c) and (d) of the DPA; and
    • Any failure by a PIC to notify the Commission and affected data subjects of personal data breaches, pursuant to Section 20(f) of the DPA.
  3. For “Other” violations, the proposed penalty depends on the particular infraction. “Other” violations are the following:
    • Failing to register with the Commission the true and updated identity and contact details of the PIC, the data processing system, and information on automated decision-making, pursuant to Sections 7(a), 16, and 24 of the DPA and their corresponding implementing issuances. The proposed range of the penalty is a fine of not less than fifty thousand pesos (PhP50,000.00) but not exceeding two hundred thousand pesos (PhP200,000.00).
    • Failing to comply with any order of the Commission, including orders of any of its duly authorized officers, pursuant to Section 7 of the DPA and its corresponding implementing issuances. The fine imposed for this infraction shall be in addition to the fine imposed for the original infraction/s subject of the Order of the NPC. The proposed range of the penalty is a fine not exceeding fifty thousand pesos (PhP50,000.00). However, if the order pertains to the implementation of security measures, a maximum fine of PhP50,000.00 shall be added to the fine for that infraction.

A copy of the Draft Guidelines may also be accessed at the Commission’s website via this link: https://www.privacy.gov.ph/wp-content/uploads/2022/03/DRAFT-Guidelines-on-Administrative-Fines-For-Public-Hearing.pdf.

The Commission is also inviting concerned organizations, stakeholders, and other interested parties to submit their comments, suggestions, and opinions on the Draft Guidelines.