Prospectus

Last year, I wrote about the National Telecommunication Commission’s approval of Globe and Smart’s co-use agreement covering BellTel’s 700mhz frequencies. In its letter approving the deal, the NTC laid down the following requirements:

Immediately commence and implement this co-use agreement;

Increase capacity, i.e. broadband and internet access speed, within one (1) year and submit a progress report on the matter on a quarterly basis;

Submit within sixty (60) days a roll-out plan to cover at least ninety (90%) of the cities and municipalities in three (3) years to address the growing demand for broadband infrastructure and internet access;

Pay the Spectrum User’s Fee and other required fees and charges;

Secure from the Commission separate permits and licenses for radio stations owned and operated by each company; and

Allow the Commission access to the base stations or cell sites for monitoring purposes.

I noted then that it would be quite difficult for the NTC to evaluate whether the telcos held up their end of the bargain since the NTC did not set measurable standards for the increase in capacity. As written, it would seem that even a miniscule or incremental improvement would mean that the telcos are compliant with the NTC’s requirements.

A Google search of Globe’s or Smart’s roll-out plan for the 700 mhz frequencies yields nothing but press releases on how each telco is successfully doing the roll-out (here’s Globe’s and Smart’s press releases). The NTC website also does not appear to have the roll-out plans available.  

Items 4 and 5 are pretty straightforward so it is reasonable to conclude that these have been done by the telcos. As for number 6, we also have no idea whether the NTC has had access to the base stations and cell sites for monitoring. This deliverable is as much the NTC’s as the telcos’ however.

Currently reading up on the GDPR, in particular on how consent from the data subject may be obtained via a website or app. Based on the opinion of experts (I am basing the conclusion on the fact that they have IAPP certifications, so their “expertise” is qualified by that fact), it seems that a note saying “By clicking the link, you consent to the collection and processing of your information” might not be enough. It appears that consent under the GDPR requires an affirmative action. Expert opinion is that there should be a separate button or clickable element through which the user can explicitly signify consent. Just the “enter” or “continue to content” or similar would not suffice.

Last week, I attended the primer on compliance with the Data Privacy Act organized by Quisumbing Torres. Lawyers from the law firm and representatives from the National Privacy Commission gave presentations and answered questions from the attendees. Here’s a quick run-down of my notes on the forum:

QT’s introduction to the DPA included a discussion on the actors under the DPA. I thought this was a useful approach since the law was presented in a manner that is simple and a bit easier to understand. 

QT’s lawyer presented the exceptions to the consent requirement as “not covered by the DPA”. I thought this was confusing because the exception was only with respect to the consent of the data subject on the processing and not the rest of the DPA. The DPA also has portions on the data protection. These provisions apply regardless of whether consent on the processing was obtained from the data subject. 

One of the attendees brought up the issue of data retention, noting that neither the law nor the rules prescribe a definite period for data retention. QT said that the personal information controller may consider basing the retention period on the Civil Code and Labor Code provisions on the prescription of claims.

An important point: knowledge by the personal information processor of the data breach or security incident will also be considered as knowledge of the PIC thereof. Thus, the 72-hours reporting period will start to be counted from the time the PIP learns of the breach/security incident. This makes it all the more important for companies to have clear reporting mechanisms with vendors and service providers.

A number of questions centered on the qualifications of the person to be appointed as a data protection officer. The NPC said that it would not recommend a person holding a position with inherent conflict of interest as the data protection officer. Pressed for more clarity, the NPC said that they could recommend that a company change its DPO if they see an inherent conflict of interest in the position. This comment resulted in even more questions, with some attendees challenging the NPC’s right to do so. Some attendees emphasized that small companies would not have the capacity to hire a person who would exclusively perform DPO functions. Further confusing matters, the NPC stated that there will be no sanctions imposed even if the company does not follow the NPC’s recommendation on the DPO. It is important to note here that the law and the rules merely require companies to appoint a DPO. There is no requirement (as far as I can remember) for a company to submit a form or report to the NPC on the DPO’s designation. Thus, I fail to see when the opportunity for NPC to “recommend” a DPO would arise.

According to the NPC, there is no citizenship or residence requirement for the DPO. This means that a company may appoint as DPO someone who is not located in the Philippines. The NPC however underscored that the designated DPO should be able to perform his/her functions even if he/she is based outside the country.

The NPC has no DPO certification process at the moment. However, the companies must ensure that the DPO appointed has adequate training to guide the company in its compliance efforts. What’s interesting to note is that the NPC said that a DPO certification process may be put in place 2-3 years down the line.

I asked a question on the development of data processing system by iteration. Will companies be required to re-register the data processing system gets new functions or features? According to the NPC, the online registration platform for the data processing systems will allow companies to amend their registration to reflect new functions or features added. Thus, there will be no need to re-do the registration.

Pleased to be in The #Philippines with our long-time partners @FMA_PH. Follow their work at https://t.co/4rw2WIb2dz. pic.twitter.com/R8o3JMviEC

Another photo from today's session. Thanks to our fabulous hosts and partners! @jamjacob @FMA_PH pic.twitter.com/QudPewCJ8l

Have you been to the National Privacy Commission’s website lately? If you haven’t, you’d be pleasantly surprised to know that the NPC has revamped its website. It is now so much easier to get practical and usable information on how to comply with the Date Privacy Act (DPA).

NPC officials have been going around the country, conducting road shows for government, local government, and private corporations, encouraging everyone to comply with the DPA. This is important and gruelling work but it’s not like the NPC has a choice in the matter. After all, once September 9, 2017 comes, it’s all systems go for compliance with the DPA. The NPC will not be able to reach every corner of the country before the deadline comes, so the website will be a big help in guiding people on what to do.

The NPC has created such a useful guide that you may be tempted to ask: do we really need to engage a lawyer to help us get ready for compliance? My answer is a definite yes.

While the requirements may now be a bit easier to understand, everyone will still have to anticipate the ramifications of the law and its impact on their operations. The way each company does business is different and so a template Privacy Policy will not work for everyone. Also, while a company may have succeeded in designating an officer with sufficient knowledge of the DPA as the Data Protection Officer, a lawyer would still serve as an invaluable guide for the DPO and Management. Remember that even template contracts with service providers and other third parties within whom the company may be sharing data will have to be reviewed. This is not only to comply with the DPA but, more importantly, to ensure that the company’s ass is sufficiently covered in case it becomes the subject of a security incident or a data breach.

If you are processing personal data, you are covered. There are no ifs or buts about that. And this is true whether your business is conducted in or out of the Philippines.

Just what exactly is “processing personal data”? The Implementing Rules (the “Rules”) define it as any operation or set of operations performed on personal data. Here are some examples: collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction. As you can see, this covers virtually anything that you can think of doing to personal data.

Moreover, if you are thinking that “processing” requires the use of computers or other information technology devices, you are wrong. The Rules apply both in the digital and analog world. You are processing data even if you’re writing them in pieces of paper and stuffing these papers in brown envelopes.

Just to be sure though, you can use these guide questions to know if your business is covered:

Is your business found or set up in the Philippines?

Is the personal data processed that of a Philippine citizen or Philippine resident?

Is the processing being done in the Philippines?

Is the processing done by an entity with links to the Philippines?

“Links”, in this case, means any of the following:

equipment for processing data is located in the Philippines

maintains an office, branch, or agency in the Philippines for processing personal data

contract is entered in the Philippines

central management or control is in the Philippines

has a branch, agency, office, or subsidiary in the Philippines and the parent/affiliate to personal data, - carries on business in the Philippines

collects or holds personal data in the Philippines.