Philippines: Online privacy
For many organisations, the first step towards compliance in a jurisdiction may involve ensuring that their online presence is in line with any locally applicable rules and regulations. OneTrust DataGuidance provides an overview of online privacy in the Philippines, with a focus on relevant topics such as cookies, emarketing, and privacy policies.
Given the conclusions of Advisory Opinion 63, the general rules on consent for the processing of personal data may be noted. These can be found in the Act and the Implementing Rules and Regulations of Republic Act No. 10173 ('the Data Privacy IRRs'). Section 12 of the Act and Section 21 of the Data Privacy IRRs provide that the processing of personal data may be permitted when the data subject has given their consent, or when one of the alternative conditions for processing applies (e.g. for the fulfilment of a contract with the data subject). Moreover, Section 3 of the Data Privacy IRRs defines consent as any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of their personal, sensitive personal, or privileged information. Consent may be evidenced by written, electronic, or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorised by the data subject to do so. In addition, Section 19 of the Data Privacy IRRs adds that consent must be collected for a declared, specified, and legitimate purpose. This provision also requires that consent be obtained prior to the collection and processing of personal data, and that consent be time-bound in relation to the declared, specified, and legitimate purpose, highlighting that consent given may be withdrawn.
Although there is no definition of 'emarketing' or 'email marketing' in the Philippines, the Act does define direct marketing for these purposes as communication by whatever means of any advertising or marketing material which is directed to particular individuals. Furthermore, Advisory Opinion 2017-018 clarifies that the phrase 'directed to particular individuals' does not mean that the material addresses a particular person by name, and that a merchant and/or advertiser in possession of and using other types of personal data (e.g. email address, home address, mobile phone number) when sending out marketing materials directly to individuals is also covered under the Act.
Additionally, the Consumer Act of 1992 (Republic Act No. 7394) ('the Consumer Act') defines 'advertisement' as 'the prepared and through any form of mass medium, subsequently applied, disseminated or circulated advertising matter'. Moreover, 'advertising' in the Consumer Act is defined as the business of conceptualising, presenting, or making available to the public, through any form of mass media, fact, data, or information about the attributes, features, quality, or availability of consumer products, services, or credit. The Consumer Act also prohibits false, deceptive, or misleading advertisements and outlines certain requirements. With regard to B2C marketing, the Consumer Act will apply, with 'consumer' defined therein as a natural person who is a purchaser, lessee, recipient, or prospective purchaser, lessor, or recipient of consumer products, services, or credit.
Furthermore, the Implementing Rules and Regulations of Republic Act No. 7394 establish that where the sale or lease of a consumer product is conducted through direct marketing, the seller or lessor of the product or the operator of the service must indicate in its solicitations and communications:
- the business name and address of the seller, lessor, or operator;
- all mandatory requirements for product labelling;
- a photograph, picture, illustration, or detailed description of the product or service;
- terms and conditions of sale, lease, or availment of the service;
- a statement that the order may be cancelled before or upon delivery in the event the product is not in conformity with its representation in the solicitation/communication; and
- the manner and schedule of payment.
Advisory Opinion 2018-50 ('Advisory Opinion 50') addresses the topic of privacy in B2C emarketing specifically, outlining that direct marketing activities (e.g. collection of potential clients' names, contact details, email, and business or home address, storing such information, and calling and emailing by sales representatives) involve the processing of personal data. Thus, it is outlined that marketers, as controllers, will be required to observe data privacy law, including principles such as transparency, legitimate purpose, and proportionality. Accordingly, Advisory Opinion 50 then highlights that a legitimate purpose will be required for the processing of personal data, per the criteria in Sections 12 and 13 of the Act. Otherwise, the consent of the data subject should ideally be the basis of lawful processing of personal information for marketing purposes, which must have been given by the data subject prior to the collection, or if this was not obtained, it should be given as soon as practicable and reasonable. More generally, the consent requirements detailed above may also be noted in the context of emarketing where processing of personal data is involved.
Advisory Opinion 50 also notes some information obligations in this context, such as that, when making calls and sending emails, marketers must apprise individuals of the identity of the sales representative, the controller or company they represent, and the purpose of the call and email. The controller should also, through sales representatives, be able to communicate where the contact details of potential customers were obtained. Direct marketers must also give individuals the choice to allow or object to the use of their personal data; if the individual objects to initial contact by the controller, any further marketing activities should cease, as should any further processing of the individual's personal data, the record of which should be destroyed.
Moreover, on 4 March 2021, the NPC issued Joint Administrative Order No. 2022-01 'Guidelines for Online Businesses Reiterating the Laws and Regulations Applicable to Online Businesses and Consumers' ('the Order'), which applies to all online businesses engaged in electronic transactions (e.g. e-commerce platforms, e-marketplaces, and online sellers). The Order outlines that all online businesses are expected to handle consumer personal data with the utmost care and respect, and provides that e-commerce businesses should inform consumers of their rights and mechanisms for redress. Specifically, upon collecting and processing personal data, online sellers shall inform consumers of their data privacy rights, namely:
- the right to information;
- the right to object;
- the right to access;
- the right to correct;
- the right to erase;
- the right to damages;
- the right to data portability; and
- the right to file a complaint.
The Order also notes that, upon request by public authorities pursuant to their respective mandates and in accordance with the Act, online sellers, merchants, or e-retailers may lawfully disclose personal information to said public authorities, provided that the request particularly describes the personal information being requested and indicates the relevance of such information to an ongoing investigation. Furthermore, online businesses must determine the most appropriate lawful criteria for processing prior to the collection of personal data.
Moreover, the NPC has issued various other Advisory Opinions regarding privacy policies, as well as related mechanisms such as privacy notices. For example, in Advisory Opinion 2018-031 ('Advisory Opinion 31'), it is noted that privacy notices are not equivalent to consent. It is emphasised that such documents are merely an embodiment of the observance of the data privacy principle of transparency and upholding the right to information of data subjects. Advisory Opinion 31 highlights that the principle of transparency requires the data subject to be aware of the nature, purpose, and extent of the processing of their personal data, including risks and safeguards involved, the identity of the controller, as well as their rights and how these may be exercised. Additionally, any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. In terms of the right to information of the data subject, Advisory Opinion 31 establishes that controllers must apprise data subjects of the following:
- description of the personal data to be processed;
- purposes for processing, including direct marketing, profiling, or historical, statistical, or scientific processing;
- basis of processing, when processing is not based on consent;
- scope and method of processing;
- recipient/classes of recipients to whom the personal data are or may be disclosed;
- methods utilised for automated access, if the same is allowed by the data subject, and the extent to which such access is authorised;
- identity and contact details of the controller/its representative;
- retention period; and
- existence of rights as data subjects (e.g. right to lodge a complaint before the NPC).
Troy Boatman Editor