Extraterritorial enforcement of the Data Privacy Act of 2012
In November 2017, the San Francisco-based Uber Technologies, Inc. of the eponymous ride-sharing app disclosed that a massive breach of its systems had exposed the data of its 57 million users and drivers across the globe.1 The belated admission, made a year since the breach took place, caught data and privacy regulators off-guard. Justifying its failure to immediately disclose the incident, Uber noted that it had paid the hackers $100,000 to delete the stolen data and keep the entire timeline of the event under wraps.
In the aftermath of said disclosure, Uber Philippines, the ride-sharing app’s local subsidiary, wrote to the National Privacy Commission (NPC) to confirm that data of Filipino users were part of the massive data stolen in October 2016.2 NPC noted that notwithstanding Uber’s denial of an actual theft of data, the act of concealing a security breach involving sensitive personal information is by itself punishable under the Data Privacy Act of 2012.
Is Uber, a US-based entity, subject to the jurisdiction of Philippine regulators?
Section 6 of the Data Privacy Act provides that under certain circumstances, the Act may have an extraterritorial application. This means that the provisions of the Act, including those that render punitive sanctions for any violation thereof, may be enforced against entities stationed or living outside the Philippines.
Cross-border application of the DPA
The extraterritorial application of the Data Privacy Act may be resorted to in three instances. One of these is when an act done or practice engaged in by an entity relates to personal information of a Philippine citizen or resident.3 The entity pertains to any natural or juridical person in the government or private sector.4
Section 4 of Rule II of the Implementing Rules and Regulations (IRR) of the Act clarifies that “the act done or practice engaged in” by the entity subject of regulation need not be done outside the Philippines but may in fact even be done domestically. If done within the Philippines, it is qualified by any of the following conditions: (a) that the natural or juridical person involved in the processing of personal data is found or established in the Philippines; or (b) the act, practice or processing relates to personal data about a Philippine citizen or Philippine resident; or (c) the processing of personal data is being done in the Philippines.5
The second instance for extraterritorial application of the Data Privacy Act is when “the entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines, so long as it is about Philippine citizens or residents.”6
What constitutes “link with the Philippines” may be inferred from the examples enumerated in the law, namely: (a) a contract is entered in the Philippines; (b) a juridical entity unincorporated in the Philippines but has central management and control in the country; and (c) an entity has a branch, agency, office, or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information.7 This listing is by no means exhaustive.
The third instance calling for the extraterritorial application of the Data Privacy Act is when the entity has other links in the Philippines.8 The law provides for examples of what constitutes “other links with the Philippines,” namely: (a) the entity carries on business in the Philippines; or (b) the personal information was collected or held by an entity in the Philippines that collects or holds personal data locally.9
Based on the foregoing, the NPC was well within its prerogative to assert the application of the Data Privacy Act against Uber’s failure to immediately disclose the alleged data breach when it warned that “if so qualified, those responsible for concealment of the breach and for the filtration of the data may face serious civil and criminal liability.”10 From the records, it is indisputable that Uber has a link with the Philippines on account of the presence of a domestic subsidiary with access to personal information collected and held in the Philippines from its ride-sharing app users.
In this highly globalized day and age where data, including sensitive personal information, have become the currency of even garden-variety transactions, it has become imperative for entities in both the public and private sectors to afford ample protection to such data. The extraterritorial application of the Data Privacy Act is necessitated by this same imperative, without which the Act would be reduced to a mere paper tiger.
# # #
1Uber concealed massive hack that exposed data of 57m users and drivers,
2Uber PH confirms data of Filipino users among those hacked – NPC,
3Sec. 6(a), R.A. No. 10173 (Data Privacy Act of 2012).
4Sec. 4, Rule II, Scope of Application, Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data Privacy Act of 2012”
5Ibid.
6Sec. 6(b), R.A. No. 10173 (Data Privacy Act of 2012).
7Ibid.
8Sec. 6(c), R.A. No. 10173 (Data Privacy Act of 2012).
9Ibid.
10Uber PH confirms data of Filipino users among those hacked – NPC,
