
On making requests for exemption, postponement, or to use alternative means of notification

2026/06/03 00:01

On May 11, the National Privacy Commission (NPC) issued NPC Advisory No. 2026 – 02 with the subject “Clarification on the Submission of Personal Data Breach Notification Through Data Breach Notification Management System.”

Under Section 20(f) of Republic Act No. 10173 (the Data Privacy Act), personal information controllers (PICs) are obligated to quickly notify the NPC and data subjects who are affected when an unauthorized person acquires “sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud” and the PIC or NPC believes that the acquisition “is likely to give rise to a real risk of serious harm to any affected data subject.”

The provision states that PICs “shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach.” Further, the provision also lists the acceptable reasons for delay: determining the breach’s scope, preventing additional disclosures, or restoring “reasonable integrity to the information and communications system.”

In 2016, pursuant to this provision in the Data Privacy Act, as noted in one of the preambular clauses, the NPC issued NPC Circular 16 – 03 regarding Personal Data Breach Management. Rule V of the Circular lays out, among others, the conditions that would trigger notification (Sec. 11), the guidelines on determining if there is a necessity to notify (Sec. 13), who is obligated to make such a notification (Sec. 15), the process and form of notification to the NPC (Sec. 17) and data subjects (Sec. 18), and some factors to consider in exempting a personal information controller from notification (Sec. 19).

Section 18 of the Circular requires that, when the PIC or personal information processor has knowledge or even a reasonable belief of the existence of a data breach, the notification of the data subjects must be done within 72 hours. The Circular provides that exemptions from notification requirements or postponements should be requested by the PIC from the NPC. (Sec. 18(B)). Further, the PIC may also ask the NPC for approval “to use alternative means of notification, such as through public communication or any similar measure through which the data subjects are informed in an equally effective manner[.]” (Sec. 18(D)).

Through the recent Advisory, the NPC has made clarifications to the procedure for submitting requests for postponement, exemption, the use of alternate means for notifying data subjects, and extension to submit documents required by the Circular (Sec. 2).

PICs are expressly prohibited from simultaneously making either of two pairs of requests: first, a request for exemption from notifying affected data subjects alongside a request for postponement of the notification, or, second, a request for exemption from notification alongside a request to use alternative means of notification (Sec. 2(A)). Intuitively, this can be explained by the fact that a request for postponement and/or alternative means of notification may presuppose that the PIC is obligated to notify in the first place. Thus, such a request may contradict a request for exemption.

Meanwhile, the same provision permits concurrent requests for postponement and to use alternative means of notification. Compliance with these rules is important as the provision also states that invoking mutually exclusive requests may lead to any or all requests being denied.

In addition, the Advisory provides that requests must contain the supporting documents and “clearly state the most appropriate grounds for the justification of its requests.” (Sec. 2(B)).

The Advisory further clarifies that submitting “any request in relation to personal data breach notification to the Commission through the Data Breach Notification Management System (DBNMS) shall not relieve the PIC of its obligation pursuant to NPC Circular No. 16-03.” (Sec. 2(C)). In addition, inaction by the NPC is not equivalent to consent or approval of any request, which is required to be express and in writing by the Commission. (Sec. 2(D)). In other words, if a PIC is unable to secure the approval of the NPC regarding any of its requests, its obligations under the Circular are still in force, and the mere filing of a request does not stay those obligations.

Ultimately, this Advisory not only clarifies but also tightens the procedure for Personal Data Breach Notification as provided by the Circular. Citing NPC Circular No. 2022 – 01, the Advisory also reiterates the possibility of administrative fines for violations of the Data Privacy Act, its Implementing Rules and Regulations and certain issuances of the NPC. (Sec. 2(E)).

The views and opinions expressed in this article are those of the author. This article is for general informational and educational purposes only and not offered as and does not constitute legal advice or legal opinion.

Ignacio Lorenzo D.c. Villareal is an associate of the Litigation and Dispute Resolution Department of the Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW).

(632) 8830-800

ldvillareal@accralaw.com
