R.A. No. 10173 or the Data Privacy Act of 2012


An acute observer of the social scene, Carmen Guerrero-Nakpil, once said: “Privacy? What’s that? There is no precise word for it in Filipino, and as far as I know any Filipino dialect and there is none because there is no need for it. The concept and practice of privacy are missing from conventional Filipino life. The Filipino believes that privacy is an unnecessary imposition, an eccentricity that is barely pardonable or, at best, an esoteric Western afterthought smacking of legal trickery.”



The right to privacy is well-entrenched in the 1987 Constitution, particularly in the Bill of Rights, and is safeguarded by several provisions of the Civil Code, the Revised Penal Code, and certain laws which provide penalties for their violation in the form of imprisonment, fines, or damages.

Pertinent provisions of the Bill of Rights provide:

“Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.”

“Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”

“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

“Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.”

“Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.”

“Sec. 17. No person shall be compelled to be a witness against himself.”

Similarly, the Civil Code provides that “[e]very person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts of meddling with and prying into the privacy of another.1 It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person,2 and recognizes the privacy of letters and other private communications.3

In like manner, the Revised Penal Code makes a crime the violation of secrets by an officer,4  the revelation of trade and industrial secrets,5  and trespass to dwelling.6  Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law,7 the Secrecy of Bank Deposits Act8  and the Intellectual Property Code.9  

The Rules of Court on privileged communication likewise recognize the privacy of certain information.10



Republic Act No. 10173, also known as the Data Privacy Act of 2012, is an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.

The Data Privacy Act of 2012 aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. It also aims to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected.

This Act was approved by President Benigno S. Aquino III on August 15, 2012. It contains nine (9) chapters and forty-five (45) sections. It was published on August 24, 2012. It took effect on September 8, 2012, which was 15 days after its publication in at least two (2) national newspapers of general circulation. An independent body known as the National Privacy Commission was created to administer and implement the provisions of this Act and to monitor and ensure compliance of the country with international standards set for data protection.

This Act is based on standards set by the European Parliament and is on par with the Asia Pacific Economic Cooperation (APEC) Information Privacy Framework standards. The Data Privacy Act of 2012 mandates public and private institutions to protect and preserve the integrity and confidentiality of all personal data that they might gather, in compliance with international data security standards.

The enactment of this law hopes to maintain the competitiveness of our country and boost investments in the information technology-business processing outsourcing (IT-BPO) sectors and support a healthy information and communications technology (ICT) industry.

At the outset, it is worth enumerating the prominent characteristics of the Act, which may be summarized as follows:

  1. It principally deals with the processing of Personal Information (Sec. 3g) and Sensitive Personal Information (Sec. 3l);

  2. It paved the way for the creation of the National Privacy Commission, which has yet to promulgate the Implementing Rules and Regulations (Sec. 7).

  3. The processing of Personal Information is lawful under the following circumstances:

     a. there is consent of the data subject;

     b. it is necessary to the fulfillment of a contract or of a legal obligation;

     c. it is in response to national emergency, public order and safety;

     d. the life and health, or other vital interests, of the data subject are involved;

     e. it is in pursuit of legitimate interests by the personal information controller or by a third party to whom the data is disclosed, provided that the fundamental rights and freedoms of the data subject are not violated.

  4. On the other hand, companies that subcontract the processing of personal information to a third party shall have full liability and cannot pass on the accountability for such responsibility (Sec. 14).

  5. Data subjects have the right to know if their personal information is being processed. The person can demand information such as the source of the information, how their personal information is being used, and a copy of their information. One has the right to request removal and destruction of one’s personal data unless there is a legal obligation that requires it to be kept or processed. (Secs. 16 and 18)

  6. If the data subject has already passed away or become incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data privacy rights. (Sec. 17)

  7. Personal information controllers must ensure security measures are in place to protect the personal information they process and be compliant with the requirements of this law. (Secs. 20 and 21)

  8. In case a personal information controller’s systems or data are compromised, it must notify the affected data subjects and the National Privacy Commission. (Sec. 20)

  9. Heads of government agencies must ensure their systems’ compliance with this law (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Sec. 22)

  10. Contracts, which involve the access of sensitive personal information from one thousand (1,000) or more individuals, shall register their Personal Information Processing System with the Commission (Sec. 24).

  11. Penalties of imprisonment ranging from three (3) years to six (6) years and a fine of not less than One Million Pesos (Php1,000,000.00) but not to exceed Five Million Pesos (Php5,000,000.00) shall be imposed on the processing of personal information and sensitive personal information based on the following acts:

     a. Unauthorized Processing (Sec. 25);

     b. Accessing due to Negligence (Sec. 26);

     c. Improper disposal (Sec. 27);

     d. Processing for Unauthorized Purposes (Sec. 28);

     e. Unauthorized Access or Intentional Breach (Sec. 29);

     f. Concealment of Security Breaches (Sec. 30);

     g. Malicious Disclosure (Sec. 31); and

     h. Unauthorized Disclosure (Sec. 32).

  12. An accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied if the offense is committed by a public officer (Sec. 36).



Section 4 of Republic Act No. 10173 or the Data Privacy Act of 2012 provides that this Act shall apply to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.

However, this Act does not apply to the following:

  1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual;

  2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

  3. Personal information processed for journalistic, artistic, literary or research purposes;

  4. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

  5. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

  6. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.


Is the Disclosure of Someone’s Mobile Number to a third person without the owner’s consent a Violation of R.A. No. 10173?

At the outset, it must be borne in mind that the Data Privacy Act of 2012 principally regulates the processing of personal information and sensitive personal information of an individual.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Personal Information is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Data subject refers to an individual whose personal information is processed.

Firstly, the mobile number alone cannot be considered personal information pursuant to the above definition, considering that the identity of an individual may not be reasonably ascertained by the entity holding such information. Hence, even if the mobile number is put together with other information, it would not serve the purpose of direct identification of the person who owns said mobile number.

Secondly, the mere act of A in disclosing the mobile number of B to a third person does not fall within the definition of Processing considering it does not involve the use of data. In other words, a mobile number alone can hardly be considered “data.” 

In relation thereto, Commonwealth Act No. 591 penalizes the disclosure by any person of data furnished by the individual to the NSO with imprisonment and fine. Republic Act No. 1161 prohibits public disclosure of SSS employment records and reports. These laws, however, apply to records and data with the NSO and the SSS. In the instant scenario, there is no “processing” nor “data” to speak of.

In fine, there being no data nor any personal information to be processed in the given problem, A’s act did not violate the Data Privacy Act.



At any rate, even if the National Privacy Commission has not yet come out with its Implementing Rules and Regulations, a plain reading of the provisions of the Data Privacy Act of 2012 clearly shows the legislature’s continuing concern for the protection of the right to privacy consistent with the continuing advancement in technology. As succinctly explained in Whalen vs. Roe:11

“We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our Armed Forces and the enforcement of the criminal laws all require the orderly preservation of great quantities of information, much of which is personal in character and potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.”

In Ople vs. Torres,12 the Supreme Court underscored in no uncertain terms that the right to privacy does not bar all incursions into individual privacy. The right is not intended to stifle scientific and technological advancements that enhance public service and the common good. It merely requires that the law be narrowly focused and that a compelling interest justify such intrusions. Intrusions into the right must be accompanied by proper safeguards and well-defined standards to prevent unconstitutional invasions. Any law or order that invades individual privacy will be subjected by the Court to strict scrutiny.13


1 Article 26 of the Civil Code provides:

“Art. 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief:

(1) Prying into the privacy of another’s residence;

(2) Meddling with or disturbing the private life or family relations of another;

(3) Intriguing to cause another to be alienated from his friends;

(4) Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.”

2 Article 32, Civil Code.

3 Article 723, Civil Code.

4 Article 229, Revised Penal Code.

5 Articles 290-292, Revised Penal Code.

6 Article 280, Revised Penal Code.

7 R.A. 4200.

8 R.A. 1405.

9 R.A. 8293.

10 Section 24, Rule 130 [C], Revised Rules on Evidence.

11 429 U.S. 589 (1977).

12 G.R. No. 127685, July 23, 1998.


