NPC seeks to tighten personal data protection
Consent may no longer be relied upon as the primary criterion for the lawful processing of personal information; instead, a specific “legitimate interest” would serve as the basis, since this fosters accountability in the use of individuals’ personal data, according to the National Privacy Commission (NPC).
This developed as the country’s data privacy protection authority is pushing for amendments to the Data Privacy Act, including the imposition of fines on violators, to tighten its powers to protect individuals against data privacy breaches.
NPC Commissioner Raymund Liboro told reporters at the press launch for the Data Privacy Asia conference in Makati, slated for September 19-20, that “consent” fatigue has started to set in among individuals and that “consent” has become a mere “default.”
“You give your consent, but did you read it? It has become an automatic consent; there is consent fatigue and consent becomes superficial. So there could be other ways to mitigate the risks and harms to individuals,” he explained.
As such, the NPC would like to put a clear provision on “legitimate interest” into the law, as this would shift the burden toward accountability on the part of the individuals and companies that process personal information.
Liboro explained that if the processing of personal information is clearly a “legitimate interest,” then the burden is on the user or controller of the information to justify it. This would be self-policing: processing becomes a matter of accountability, which is different from mere compliance.
“We want to shift to accountability per organization, wherein you recognize you are responsible for this personal data, but you have to think of and implement specific measures so you can invoke and prove that the processing is a legitimate interest,” he said.
“As consent fatigue sets in, consent can no longer guarantee protection of data privacy. So we want organizations to take data privacy and security as a responsibility, not as some sort of ticket to process personal information.”
Legitimate interest covers, for instance, the contractual obligations of individuals to companies such as banks, telcos and insurance firms, which engage “collection agencies” to ensure their customers comply with their obligations to pay bills, loans and premiums.
A specific “legitimate interest” is therefore not absolute, as the user will have to prove that the processing is lawful and serves only a legitimate objective.
“So the onus really now is, because that is a privilege given, that you have the responsibility to implement and employ the appropriate measures,” he said.
The NPC would also seek to limit the processing of personal information to names, gender and the like, excluding sensitive information such as race, religion, personal data, medical care, and government-issued ID numbers.
In addition, the NPC would like to add a “fines only” option among the penalties in the law.
Chapter 8, Sec. 25 of RA 10173 provides for both jail terms and fines but no “fines only” penalty. The NPC would like a middle-ground penalty, depending on whether the violation involves unauthorized processing, improper disposal, concealment of security breaches, or malicious disclosure of personal and sensitive personal information.