Data Protection in the Philippines

Online privacy in the Philippines

The Cybercrime Prevention Act of 2012 (“CPA”) is the first law in the Philippines which specifically criminalizes computer crimes. The law aims to address legal issues concerning online interactions. The CPA does not define, nor does it particularly refer to online privacy, however, it penalizes acts that violate an individual’s rights to online privacy, particularly those interferences against the confidentiality, integrity and availability of computer data and systems.

Section 4(c)(3) of the CPA, which provides that unsolicited commercial communications is generally a cybercrime offense punishable under the CPA, was struck down by the Supreme Court for violating the constitutionally guaranteed freedom of expression.

All data to be collected or seized or disclosed will require a court warrant. The court warrant shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce showing that there are:

  • reasonable grounds to believe that any of the crimes penalized by the CPA has been committed, or is being committed, or is about to be committed; 
  • reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and 
  • no other means readily available for obtaining such evidence.

The integrity of traffic data shall be preserved for a minimum period of six months from the date of the transaction.

Courts may issue a warrant for the disclosure of traffic data if such disclosure is necessary and relevant for the purposes of investigation in relation to a valid complaint officially docketed.

No law in this jurisdiction currently deals with the subject of location data.

Philippine law, including the Act, presently do not define the term “cookies” nor regulate their use. The NPC, however, has opined that cookies, when combined with other pieces of information, may allow an individual to be distinguished from others and may, therefore, be considered as Personal Information. To the extent that cookies are considered as Personal information, the Act may be applicable and consent of the data subjects must be secured prior to (or as soon as practicable and reasonable) the collection and processing of Personal Information, subject to certain exceptions.

Continue reading

  • no results

Previous topic
Back to top