Republic Act 10173 – Data Privacy Act of 2012

 As the saying goes, “The only thing that is constant is change”, which can be found everywhere and in any aspect of our lives. One of the most sudden changes was brought about by Information Technology. In today’s wide ranging and often complicated world of technologies, how does our present society cope with the sudden changes especially in a developing country like the Philippines?

Information technology is constantly changing and improving nowadays. For some it is already considered to be the backbone of every activity in today’s society, thus it has a great impact in one’s daily life. It is shown by the use of mobile phones, smart phones, computers, internet and the fact that we will find the use of technology in many companies and institutions. Everything that used to be done manually several years ago is now done by these different machines which make every work easier, efficiently and faster making the companies benefit more in terms of profits because the number of manpower that needs to be employed is reduced and this can result to increase productivity. For an individual, the use of mobile phones, computers and internet made communication easier and cheaper. Technology allows us to be accessible with almost everything. Information is easily gathered and disseminated in the tip of fingertips, it is easy for anyone to access valuable information to be processed, handled, manipulated at any single time and can even share it anywhere in the world. This gives everyone of us a power over all the information available.

The Right to Privacy

The right to be left alone or the right of a person to be free from undesired publicity or disclosure and as the right to live without unwarranted interference by the public in matters with which the public is not necessarily concerned is the best ways to describe the right to privacy.

The right to privacy is a basic right given to any Filipino. It is well-entrenched in the Article III – Bill of Rights of the 1987 Philippine Constitution. It is also safeguarded by several provisions of the Civil Code, the Revised Penal Code, the Rules of Court and some Special Laws.

            Article III, Section 3, of the 1987 Philippine Constitution states that:

           “Section 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court,                  or when public safety or order requires otherwise as prescribed by law. (2) Any evidence obtained in violation of this or the                preceding section shall be inadmissible for any purpose in any proceeding.”

The Civil Code provides that “every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and some similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief for prying into the privacy of another’s residence and meddling with or disturbing the private life or family relations of another.[i] Any public officer or employee, or any private individual can be also held liable if in any manner impedes or impairs the right and liberty of another person to its privacy of communication and correspondence,[ii] and also it recognizes the privacy of letters and other private communications in writing and it cannot be published or disseminated without the consent of the writer or his heirs.[iii]

Similarly, the Revised Penal Code is violated when: any public officer who shall reveal any secret known to him by reason of his official capacity[iv]; there is trespass to dwelling[v]; and there is discovery and revelation of secrets.[vi] The privacy of an individual is also protected by some special laws like the Intellectual Property Code,[vii] Anti-Wiretapping Law,[viii] and the Secrecy of Bank Deposits Act.[ix] And lastly, the privacy of certain information is also protected by the Rules of Court under the rule on privileged communication.[x]

Data Privacy Act of 2012

With the advances in information technology, privacy in personal data has become illusory. For the right price or with good connections, private information disclosed in confidence to companies or government offices can be made available to or accessed by interested parties. With these, how can we say that our privacy is protected? Do the specific laws mention above are enough to protect our privacy considering the sudden changes in information technology. This is the problem that is sought to be minimized, if not eliminated, by Republic Act 10173.

Republic Act 10173, otherwise known as the Data Privacy Act of 2012, was signed by President Benigno S. Aquino III on August 15, 2012. It was published on August 24, 2012, and took effect 15 days after its publication, on September 8, 2012. The rules and regulations implementing the Act are expected to be issued within 90 days from the law’s entry into force.

Basically, this act protects the integrity and confidentiality of individual personal information in information and communication systems in the government and the private sector. The new law penalizes the unauthorized disclosure of personal information. To wit, “It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.”[xi]

As stated in Section 4 of RA 10173:

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

 “Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”[xii]

Republic Act 10173 also provides for the protection afforded to journalists and their sources and has extraterritorial application. An independent body known as National Privacy Commission was created to administer and implement the provisions of this Act and to monitor and ensure compliance of the country with international standard set for data protection. It was patterned on standards set by Directive 95/46/EC of the European Parliament and aligned with Asia Pacific Economic Cooperation Information Privacy Framework, which protect the integrity of personal data. The boost investment in the fast-growing information technology and business process outsourcing (IT-BPO) industries is expected upon the passage of this new law. Hailing its enactment, the Business Processing Association of the Philippines said the new law brings the Philippines to international standards of privacy protection as much of IT-BPO work involves confidential personal and company information of local and foreign clients.

Understanding some provisions of RA 10173


  1. Section 3 (h) and (i) in relation to Section (14)

Section 3 (h) provides that, Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

As stated also in Section 3 (i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.

In applying the above provisions, the handling and the control of all the personal information is the responsibility of a personal information controller and the same information can be outsourced or subcontracted to a personal information processor for processing, with this procedure how can we sure that these people are faithfully adhering to their jobs of not disclosing at least a bit of information they know to their family, friends and other people they know especially if the personal information they know is owned by a celebrity or a controversial person perhaps. They are still human like us and knowing us Filipinos, most of us are very vocal on what we know and even on those things that are out of our business. And also the problem in subcontracting, the involvement of more persons the greater risk of intrusion of privacy.

  1.  Section 5

SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

This provision of the law affords greater protection in favour of reporters, publishers and media personnel against being compelled to reveal the source of any information included in their reports or news. With this, people will not be hesitant to share their information to these people in case of interviews and in matters of public concerns, however, we must also think of a situation where in the information is controversial and very interesting to public, the media men tends to do everything just to obtain the information regarding this matter, and just to do their jobs some of them resorted to not reasonable means such as bribing the person who handled or controls the information just to obtain it. And with this provision as his defense, can we consider it fair that he cannot be compelled to reveal the source of information he obtained, which in the first place must be very confidential and must be kept, handled and controlled only by those authorized person? This provision will likely invite abuse of right on the part of the media men. The provision may be used as a cloak to protect their evil intent in reporting libelous, false or fraudulent information.

  1. Section 11

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality. [xiii]

This section further states that personal information must be, “collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.” But the question is, does this provision of the law is faithfully adhered? Considering that in everywhere we go our personal information such as our name, mobile phone numbers, email addresses and other social media account name are always asked even in boutiques at malls, different websites in the internet, restaurants, and other institutions and facilities to be able them to send you some promotional advertisements. Does this provision also apply in the given scenario and does their reason of obtaining information can be considered as a legitimate purpose?

  1. Section 12

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists: ……..[xiv]

This section provides for the criteria for lawful processing of personal information, and which enumerates the six instances where the processing of personal information shall be permitted. It includes that the data subject must give its consent to process his personal information. Furthermore, the processing of information is also permitted if it is necessary to the fulfilment of a contract entered by the data subject, its compliance to a legal obligation and if the information is important to protect the life and health of the data subject and for other legitimate purposes pursued by personal information controller or by other authorized person.

The common scenario I’m thinking of is when a person (A) gives away personal information such as mobile phone number for example to another person (B) without its, does this provision is violated? Does the act of giving away mobile phone numbers without the consent of the owner is within the purview of this section or this law? To answer this, I’ve read several articles and blogs regarding their stand on the matter and all of them have their different opinion depending on how they appreciate the law and how they apply it in a way it will be more favourable to them. But in adhering to the letters of the law, the scenario given is not a violation of the law if A gave away the mobile phone number of B, as long as A is not a personal information controller. With this, the problem now would lie if the act of A would result in a situation where B’s life is endangered, what is now the relief of B? Does B have a cause of action against A?



The advances and changes in information and technology are generally beneficial to our society. It promotes a positive change, a development as what would describe it best, which benefits society and in which the government itself is adapting to. Information technology is an inevitable invasion to our society, may someone be conservative to this change and development, has succumbed to its great benefit and possibility of greater advancement in the future.

Republic Act 10173 is a way of our government to adapt the advances and changes in information technology at the same time to provide for the protection of one of the fundamental rights of the Filipinos as provided by the Philippine Constitution, which is the right to privacy. This will serve as an assurance for everyone that their personal information will not be used in unlawful purposes. Also the business sector would be greatly benefited by this law that can result to further boost our economy perhaps; and leaving the challenge now to our government officials is to ensure that the law is being complied with.

Republic Act 10173 is only a new law and there is no jurisprudence yet to be able to appreciate its application well, and for us to be able to identify the real intentions of the lawmakers in crafting this law, which means that there are still many loopholes to consider and be mindful for. But looking on the other side, this is only the beginning and therefore can always be improved to be able to adapt with the ever changing technology.

[i] Article 26 of the Civil Code:

“Art. 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbours and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief:

(1)     Prying into the privacy of another’s residence;

(2)     Meddling with or disturbing the private life or family relations of another;

(3)     Intriguing to cause another to be alienated from his friends;

(4)     Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.”

[ii] Article 32 of the Civil Code

[iii] Article 723 of the Civil Code

[iv] Article 229 & 230 of the Revised Penal Code

[v] Article 280 of the Revised Penal Code

[vi] Article 290 – 292 of the Revised penal Code

[vii] Republic Act 8293

[viii] Republic Act 4200

[ix] Republic Act 1405

[x] Section 24, Rule 130 [C]. Revised Rules on Evidence.

[xi] Republic Act 10173, Data Privacy Act of 2012, Sec. 2, Official Gazette of the Philippines

[xii] Republic Act 10173, Data Privacy Act of 2012, Sec. 3 (g), Official Gazette of the Philippines

[xiii] Republic Act 10173, Data Privacy Act of 2012, Sec. 11, Official Gazette of the Philippines

[xiv] Republic Act 10173, Data Privacy Act of 2012, Sec. 12, Official Gazette of the Philippines


One thought on “Republic Act 10173 – Data Privacy Act of 2012

  1. Pingback: Students’ Take: MCPIF (SB 53), Data Privacy Act (RA 10173) | Berne Guerrero

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s