E-Commerce-Data-Privacy-Act.pdf
STUDY GUIDE

E-Commerce Act
1. Understand the definition of terms used, the principles behind, and the application of the Electronic Commerce Act;
2. Identify the legal recognition and communication of electronic data messages and documents; and
3. Applicability of the law on electronic commerce in carriage of goods, and in electronic transactions in government.

Data Privacy Act
1. Understand the definitions, scope of application, and data privacy principles in the Data Privacy Act;
2. Grasp the rules on processing of personal data, and the security measures for protection of personal data;
3. Identify the rights of the data subject, including but not limited to data breach notification, and accountability for transfer of information;
4. Learn the outsourcing and subcontracting agreements relating to personal data; and
5. Enumerate the registration and compliance requirements provided by law.

OUTLINE
❖ Electronic Commerce Act of 2000
❖ Data Privacy Act of 2012

ELECTRONIC COMMERCE ACT OF 2000
Republic Act No. 8792

Applicability
Any kind of data message and electronic document used in the context of commercial and non-commercial activities, including domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges, and storage of information.

Definition of Terms
Originator - a person by whom, or on whose behalf, the electronic document purports to have been created, generated and/or sent.
Addressee - a person who is intended by the originator to receive the electronic data message or electronic document.
Service Provider - provider of (1) on-line services or network access, or the operator of facilities therefor, or (2) the necessary technical means by which electronic documents of an originator may be stored and made accessible to a designated third party.
Electronic Document - information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically.
Electronic Data Message - information generated, sent, received or stored by electronic, optical or similar means.
Digitally Signed - an electronic document or electronic data message bearing a digital signature verified by the public key listed in a certificate [an electronic document issued to support a digital signature, confirming the identity of the person who holds a particular key pair].
Electronic Signature
❖ Any distinctive mark, characteristic and/or sound in electronic form
❖ Represents the identity of a person
❖ Attached to or logically associated with the electronic data message or electronic document
Digital Signature - an electronic signature consisting of a transformation of an electronic document or electronic data message using an asymmetric or public cryptosystem [a system capable of generating a secure key pair: (1) a private key for creating a digital signature, and (2) a public key for verifying the digital signature]. Because the signature is verified against the exact bytes that were signed, any alteration of the document after signing causes verification with the public key to fail.
Ephemeral Electronic Communication - telephone conversations, text messages, chatroom sessions, streaming audio, streaming video, and other electronic forms of communication the evidence of which is not recorded or retained.

Principle of LAWFUL ACCESS
1. Access to an electronic file shall only be authorized and enforced in favor of the individual or entity having a legal right to the possession or the use of the plaintext, electronic signature or file, or solely for the authorized purposes.
2. The electronic key for identity or integrity shall not be made available to any person or party without the consent of the individual or entity in lawful possession of that electronic key.

ELECTRONIC KEY - a secret code which secures and defends sensitive information that crosses public channels, putting it into a form decipherable only with a matching electronic key.

Obligation of CONFIDENTIALITY
Any person who obtained access to any electronic key, electronic data message or electronic document, book, register, correspondence, information, or other material shall not convey to or share the same with any other person.

COMMUNICATION of Electronic File
❖ Attribution to Originator
❖ Time of Dispatch and Time of Receipt
❖ Place of Dispatch

LEGAL RECOGNITION of Electronic File
1. Information shall not be denied legal effect, validity or enforceability solely on the ground that it is an electronic data message.
2. Electronic documents shall have the same legal effect, validity or enforceability as any document or legal writing.
3. An electronic signature on an electronic document shall be equivalent to the signature of a person on a written document.
4. An electronic signature is presumed to be the signature of the person to whom it correlates.

RULES ON ELECTRONIC EVIDENCE (A.M. No. 01-7-01-SC)

Electronic Document
1. Functional equivalent of a paper-based document.
2. Admissible if it: A. complied with the Rules of Court; and B. is authenticated in the manner prescribed herein.
3. Confidential character of privileged communication.

Rules on Admissibility: Best Evidence Rule
1. An electronic document is the equivalent of an original document if it is a printout or output readable by sight or other means, shown to reflect the data accurately.
2. Copies are equivalent to the originals.

Authentication of Evidence Rule (any one of the following)
1. Digitally signed by the person purported to have signed the same;
2. Appropriate security procedures or devices for authentication of electronic documents were applied to the document; OR
3. Integrity and reliability shown to the satisfaction of the judge.

Proof
❖ Affidavit Evidence
❖ Electronic Testimony
❖ Audio, Video, Photographic or Ephemeral Evidence

Business Records
❖ Include records of any business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit, or for legitimate or illegitimate purposes
❖ Exception to the Hearsay Rule (overcome by evidence of the untrustworthiness of the source of information or of the method or circumstances of the preparation, transmission or storage thereof)

OTHER AREAS
❖ Electronic Commerce in Carriage of Goods
❖ Electronic Transactions in Government

Prohibited Acts
1. Hacking or Cracking - unauthorized access
2. Piracy - unauthorized copying
3. Violation of the Consumer Act - violations of Fair and Reasonable Business Practices, and Fair Marketing and Advertising Practices

DATA PRIVACY ACT OF 2012
Republic Act No. 10173

Scope of Application
❖ any processing
❖ all types of personal information
❖ any person involved
❖ Extraterritorial application

Exceptions:
1. Government employees and those under service contract with the government
2. Relating to any discretionary benefit of a financial nature, such as a license or permit
3. Processed for journalistic, artistic, literary or research purposes
4. Necessary for banks and other financial institutions under the BSP

Personal Information - any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.

SENSITIVE Personal Information
❖ Race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliation
❖ Health, education, genetic or sexual life of a person, or any criminal proceeding
❖ Government-issued security numbers, health records

Privileged Information
❖ Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Definition of Terms
DATA SUBJECT - an individual whose personal information is processed.
CONSENT - any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means.
PROCESSING - any operation (collection, recording, organization, ...)

National Privacy Commission
FUNCTIONS: to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for data protection.
STRUCTURE: a Privacy Commissioner and two Deputy Commissioners, one for Data Processing Systems and one for Policies and Planning; attached to the DICT.
SECRETARIAT: majority with 5 years' experience at SSS, GSIS, LTO, BIR, PhilHealth, COMELEC, DFA, DOJ, PhilPost.

Data Privacy Principles
1. CONFIDENTIALITY: All personal information is confidential
2. SECURITY: Disclosure of information with adherence to transparency, legitimate purpose and proportionality
3. ACCOUNTABILITY: Penalties for violations

Information Processing Principles
❖ Transparency
❖ Legitimate purpose
❖ Proportionality

Processing of Sensitive Personal Information and Privileged Information
The processing of sensitive personal information and privileged information shall be prohibited. Exceptions:
❖ Data subject consented
❖ Fulfillment of a contract with the data subject
❖ Compliance with a legal obligation of the controller
❖ Protection of important interests of the data subject, including life and health
❖ Response to a national emergency, compliance with the requirements of public order and safety, or fulfillment of the functions of public authority
❖ Necessary for the purposes of the legitimate interests pursued by the controller or by a third party
Exception to the Exception: where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Criteria for Lawful Processing
1. Consent of the data subject
2. Necessity: A. Contract or legal obligation; B. Protection of data subject interest; C. National emergency response

Data Subject RIGHTS
1. To be informed
2. To be furnished
3. To have reasonable access upon demand
4. To dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly
5. To suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system
6. To be indemnified
7. To transmit / transfer the rights of the data subject
8. To data portability

Personal Information Controller
A person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. Except: (1) a person who performs such function as instructed; (2) an individual's personal, family or household affairs.

Personal Information Controller RESPONSIBILITIES
1. Security of personal information
2. Accountability for transfer of personal information

Prohibited Acts
1. Processing: A. Unauthorized Processing; B. Processing for Unauthorized Purposes
2. Access: A. Unauthorized Access or Intentional Breach; B. Access due to Negligence; C. Concealment of Security Breaches
3. Disclosures: A. Malicious Disclosure; B. Unauthorized Disclosure
4. Improper Disposal
5. Combination or Series of Acts
6. Large Scale

Outsourcing and Subcontracting Agreements
A personal information controller may subcontract or outsource the processing of personal data to a personal information processor: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place to ensure the confidentiality, integrity and availability of the personal data processed, and to prevent its use for unauthorized purposes.

DATA OUTSOURCING vs. DATA SHARING
DATA OUTSOURCING - refers to the disclosure or transfer of personal data by a personal information controller to a personal information processor, in order for the latter to process the data according to the instructions of the controller. The processor does not have its own purpose for processing, but merely carries out the instructions given by the controller.
DATA SHARING - refers to the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor [upon instruction by the controller]. All parties are considered controllers, and each party has its own reason for processing.

Personal Information Processor DUTIES
1. Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;
4. Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, to fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
7. At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;
8. Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter; and
9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.

Registration and Compliance Requirements
To ensure compliance by the Personal Information Controller and the Personal Information Processor with the obligations under the law:
1. Registration of Personal Data Processing Systems - a PIC or PIP that employs fewer than two hundred fifty (250) persons is not required to register, unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
2. Notification of Automated Processing Operations - when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.
3. Annual report of the summary of documented security incidents and personal data breaches.
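The Digital Signature and Digitally Signed definitions in the E-Commerce Act section above describe a key pair: a private key that transforms the document, and a public key, listed in a certificate, that verifies the result. The Go program below is an added example written for this page; it is not part of the study guide, the Act, or the Rules on Electronic Evidence. It shows what verifying against the certificate's public key gives a recipient, and the three ways attribution fails: the document was altered after signing, it was signed with a private key that does not match the listed public key, or no certificate lists a key for the claimed signer at all. It assumes Ed25519 as the asymmetric cryptosystem, stands in for a certificate with a simple trust list that maps an identity to a public key (not X.509), and uses constructed names (Alice, Mallory) and a constructed purchase-order text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedDocument is an electronic document together with the digital
// signature computed over it and the identity the signer claims.
type SignedDocument struct {
	Signer string // identity the signature is attributed to
	Doc    []byte // the electronic document exactly as signed
	Sig    []byte // Ed25519 signature over Doc, made with the signer's private key
}

// TrustList stands in for the certificates of the Act's definition: it maps an
// identity to the public key a certificate would bind to that identity.
// Assumption for this example; a real deployment would use X.509 certificates.
type TrustList map[string]ed25519.PublicKey

var (
	ErrNoCertificate = errors.New("no certificate lists a public key for the claimed signer")
	ErrBadSignature  = errors.New("signature does not verify: document altered or signed with a different key")
)

// Sign transforms the document with the private key of the key pair; only the
// holder of that private key can produce a signature the public key verifies.
func Sign(signer string, priv ed25519.PrivateKey, doc []byte) SignedDocument {
	return SignedDocument{Signer: signer, Doc: doc, Sig: ed25519.Sign(priv, doc)}
}

// Verify checks the signature with the public key listed for the claimed signer.
// It distinguishes "no certificate for this identity" from "the signature does
// not match the document and key", the two ways attribution fails.
func (t TrustList) Verify(sd SignedDocument) error {
	pub, ok := t[sd.Signer]
	if !ok {
		return ErrNoCertificate
	}
	if !ed25519.Verify(pub, sd.Doc, sd.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo exercises the four cases a verifier meets: an intact document, a
// document altered after signing, a signature made with another party's key
// over the same document, and a signer with no certificate at all.
func Demo() (intact, tampered, impostor, unknown error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trust := TrustList{"alice": alicePub} // only Alice holds a "certificate"

	// Constructed sample contract text; not a real document.
	doc := []byte("Purchase order 42: 10 units at PHP 1,500.00 each, payable on delivery.")

	signed := Sign("alice", alicePriv, doc)
	intact = trust.Verify(signed)

	// Alter one term after signing; the signature covers the original bytes only.
	altered := signed
	altered.Doc = []byte("Purchase order 42: 10 units at PHP 1,500.00 each, payable in 90 days.")
	tampered = trust.Verify(altered)

	// Mallory signs the same document but claims to be Alice.
	impostor = trust.Verify(Sign("alice", malloryPriv, doc))

	// Mallory signs under her own name, but no certificate lists her key.
	unknown = trust.Verify(Sign("mallory", malloryPriv, doc))
	return
}

func main() {
	intact, tampered, impostor, unknown := Demo()
	fmt.Println("intact document:  ", intact)
	fmt.Println("altered document: ", tampered)
	fmt.Println("wrong private key:", impostor)
	fmt.Println("unknown signer:   ", unknown)
}
```

Only the intact case verifies; the altered document and the impostor's signature both fail the public-key check, and the unknown signer fails earlier because there is no listed key to check against. This is the mechanical content behind the Authentication of Evidence Rule's first ground ("digitally signed by the person purported to have signed") and the Legal Recognition presumption that an electronic signature belongs to the person to whom it correlates: the presumption rests on the private key never leaving its holder, which is what the Principle of Lawful Access and the Obligation of Confidentiality protect.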
