Personal information controllers or processors from the private sector found to be in violation of privacy laws may be penalized with fines between 0.5 percent and 5 percent of their annual gross income, the National Privacy Commission (NPC) said.
The privacy watchdog said on Thursday that fines to be imposed on erring personal information controllers or processors handling personal data are based on a draft circular containing guidelines on administrative fines.
Among the considerations in calculating the fines include the gravity of infraction, the number of data subjects affected, failure to notify the NPC and affected parties and negligent character of the offense, among others.
In determining the amount of the annual gross income, the data controller or processor should submit their latest financial statements, along with balance sheet and other relevant financial documents, for evaluation.
“The proposed circular considers the proportionality of the fine meted, its dissuasive effects, the costs of precaution, and other social, regulatory, and economic impacts that its adoption may create to all personal information controllers and processors,” Privacy Commissioner Raymund E. Liboro said.
In coming up with the appropriate range of fines, the NPC worked with the University of the Philippines (UP) Law Center and an expert from the UP School of Economics.
The parties studied the right amount of penalty fees that can deter companies from violating privacy laws, while promoting innovation and growth by ensuring free flow of information.
Deputy Privacy Commissioner Leandro Angelo Y. Aguirre quipped that fines should not be viewed as an additional financial burden to the private sector.
“The fines are incentives for companies to protect all of us. Because if we are all protecting the information we process, that benefits both the companies and data subjects,” Aguirre explained.
“It serves to incentivize the implementation of appropriate measures, while ‘disincentivizing’ the misuse of data,” he continued.
Among the potential infractions cited in the circular are violations of any general privacy principles in processing personal data, failure to comply with the conditions for consent, violation of data subject rights and failure to implement measures protecting the security of personal data.
Liboro said NPC hopes this “administrative circular will further enhance the culture of data privacy accountability in the Philippines, incentivize compliance for the DPA [Data Privacy Act], build maximum data privacy resilience by encouraging full accountability, compliance, and ethics from our data users.”
Last April 30, the NPC presented the draft circular to the concerned organizations and stakeholders.
Read full article on BusinessMirror