Law: The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')
Regulator: The National Privacy Commission ('NPC')
Summary: The Act came into effect in 2012 and is the first comprehensive data privacy law in the Philippines. The NPC was established in 2016 and supplemented the Act through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which provide details on the requirements under the Act as well as sanctions for non-compliance. The NPC has also released over 100 advisory opinions in response to queries on topics such as data breach management, notifications regarding automated decision-making, the designation of data protection officers, Privacy Impact Assessments, and access to personal data. In addition, the Act Defining Cybercrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and for Other Purposes (Republic Act No. 10175) ('the Cybercrime Law'), which entered into effect in 2012, stipulates, among other things, requirements for service providers to maintain the security of computer data. The Philippines recently began the application process to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') system.