The Data Privacy law: A story of forsaken opportunities

July 27, 2015 News

The Data Privacy Act of 2012, or Republic Act 10173, that became law on September 8, 2012, is the Philippines’s first data privacy law. The law protects individual personal information in information and communications systems in the government and private sector. It mandates the creation of a National Privacy Commission (NPC) to administer and implement the provisions of law, and to monitor and ensure compliance with international standards for data protection.

Its major proponent, Sen. Edgardo J. Angara, said the law establishes a policy framework thatprotects Internetfreedoms, while making sure the Internet remains safe. Angara noted that the law was patterned after the European Parliament and Council’s Directive 95/46/EC and the AsiaPacific Economic Cooperation’s Information Privacy Framework standard. Champions of the Data Privacy Act see this landmark piece of legislation as key to securing urgently needed investments in the Philippines’s still booming information technology¬business¬process outsourcing¬knowledge and process management (IT­BPO­KPM) industry by addressinginvestor concerns about the lack of protection of personal data.

Its major beneficiary is the country’s IT¬BPO-KPM industry, the main driver of growth in the services industry. The IT­BPO­KPMindustry was worth $19 billion in 2014, posting an 18¬percent growth over 2013. It accounted for 7 percent of the Philippines’s total gross domestic product in 2014. The country remains as the global leader in contact centers since 2010. The IT­BPO­KPM industry, which employs some 1.2 million Filipinos, is expected to earn ’$21.3 billion in 2015.

The Information Technology and Business Process Association of the Philippines (Ibpap) promptly welcomed the new law, describing it as an "important step to increasing confidence among foreign investors." It also said the law brings the Philipr pines to "international standards of privacy protection." Ibpap is the umbrella organization of the IT­BPO­KPM industry, whose mission is to make the Philippines the No 1 destination for voice and nonvoice services worldwide.

The laudable impacts of the law on the country and the IT­BPO­KPM industry, however, have been nullified because the government has been either unable or unwilling to issue the vital implementing rules and regulations (IRR) needed for the law to take effect. The IRR is needed to provide clear guidelines on dealing with data breaches; establishing data¬breach policies and response protocols; and crafting safety standards, among others. Without the IRR; the law remains a piece of paper. It has remained in this sad state since September 8, 2012.

What is clear, however, is the main reason the Aquino administration is sitting on its hands as regards the IRR. The IRR will have to be implemented by the new NPC. This commission was to have drawn up the IRR within 90 days from the passage of the law, or by December 2012. Its main task was to monitor the implementation of the Data Privacy law. That’s all well and good, but the only thing wrong is this NPC is supposed to be a unit of the Department of Information and Communications Technology (DICT) that the Aquino administration has chosen not to create since it took office in 2010.

The law also provides that if the DICT is not in place, the Office of the President can create the NPC -  which has not happened also. Meanwhile, the Senate has approved a new DICT legislation. Unfortunately, the House bill is still resting in "committee." It is hoped that once the House moves, the DICT can be formed this time, as business needs the implementation of the Data Privacy law so that data privacy can become more secure to allow big data to come to the Philippines, creating new revenue streams, new jobs and more investors.

For IT­BPO­KPM to move forward, the administration’s resistance to the DICT must end. There is clearly much to be gained by issuing the IRR needed to enforce the law, even if this means establishing the DICT. The Aquino administration has to understand, too, that the creation of the DICT is not expanding the bureaucracy. On the contrary, quite a number of government agencies involved in the IT and telecom sector can be dissolved once the DICT gets active.

Erick Moeller Nielsen is vice president of the board of directors, European Chamber of Commerce of the Philippines.

Source: Business Mirror - Opinion Section