Fines for data privacy breach capped at P5 million

MANILA, Philippines — The National Privacy Commission (NPC) has set a ceiling of P5 million on fines imposed on data privacy violators, following a revision of its penalty system based on public consultations.

The NPC presented its revised schedule of administrative fines set under the updated Circular on Administrative Fines and the scope of the data controllers liable to pay fines for violations.

As a result of the public consultations, the NPC revised the scope of liable parties to include all personal information controllers (PICs) or personal information processors (PIPs) under the jurisdiction of the Data Privacy Act of 2012 (DPA).

Privacy Commissioner John Henry Naga said the updated draft circular provides a fair and reasonable system of fines.

“The National Privacy Commission has consistently issued proactive measures for personal information controllers and personal information processors to comply with the law,” Naga said.

“By now, we expect PICs and PIPs to have incorporated in their respective processes and implemented necessary measures, to protect data subjects and uphold data privacy rights,” he added.

The circular aims to promote organizational accountability and compliance with the DPA by providing an optimal deterrence, as further explained by the economic study of the University of the Philippines Law Center.

Specifically, an administrative fine may be imposed based on the annual gross income of PICs or PIPs within the range of 0.25 percent to 3 percent for grave violations and 0.25 percent to 2 percent for major violations.

With the ceiling on imposable fines set at P5 million, the NPC said this applies whether the infraction results in single or multiple violations arising from a single act of PICs and PIPs.

The NPC clarified that the single act pertains to a per processing activity basis and not per data privacy principle or data subject right violated.
