The Philippines Consults on Draft Consent and Private Identification Cards Guidelines
The Philippines’ National Privacy Commission (NPC) has released for public comment two sets of draft guidelines on:
Consent as a basis for processing personal data (Consent Guidelines)
The issuance and use of identification cards by private organizations (ID Cards Guidelines)
Consent is acknowledged as the most common criterion for processing personal data. Hence, the NPC has determined the need to provide further guidance to the industry on the concept and usage of consent as a lawful basis for processing personal data.
Data Privacy Principles
The Consent Guidelines set out the following data privacy principles that must be adhered to:
There is a minimum level of information that must be provided to data subjects in a clear and concise manner. This includes the purpose, nature, extent, duration and scope of processing, the identity of the organization, the existence of data subject rights, and how these can be exercised.
Where there is further processing of personal data for additional purposes beyond what the data was initially collected for, a compatibility assessment should first be done to establish:
A clear and reasonable link between the original and new purposes of the processing
The context in which the data was collected, and any reasonable expectations on further use based on the parties’ relationship
The nature of the data and the impact of its further processing on the data subject
The existence of appropriate security measures accorded to the processing
Where the additional purpose goes beyond what a data subject might reasonably expect, then consent is required.
Elements of Consent
The elements of valid consent are as follows: it must be freely given, specific, informed, an indication of will, and evidenced by written, electronic or recorded means.
Public bodies – The use of consent for processing by public authorities is permitted where the processing activity is unrelated to what is required by law or regulation.
Contracts of adhesion – Where a party imposes a ready-made form of contract on the other party (known as a contract of adhesion in the Philippines), consent is only valid if the contract of adhesion contains all the necessary information to demonstrate transparency, and the processing is necessary and for a legitimate purpose, is not excessive and is fair and lawful.
Quality of consent – Consent must be granular and not bundled. However, organizations must avoid consent fatigue by properly identifying the lawful basis for processing prior to any data collection. If another lawful basis applies, then a request for consent is unnecessary and does not need to be made. Implied consent is not valid. On the other hand, if all the elements of consent are present, then it is possible that a data subject’s continued use of a specific service is an assenting action that signifies consent.
Format of consent – There is no differentiation among different formats or media for capturing consent. An organization must, however, keep evidence of the consent, including the date it was obtained, the method of obtaining it, who obtained it, and what information was given to the data subject. Deceptive design or dark patterns and other forms of coercion will void any manner of obtaining consent, and the NPC will consider such determination on a case-by-case basis.
Withdrawal of consent – Consent may also be withdrawn at any time and without cost to the data subject, subject to any limitations prescribed by law or contract. Withdrawing consent must be as easy as giving it. When consent is withdrawn, an organization must stop processing without undue delay, and delete the personal data if there is no other lawful basis to justify its continued processing. The data can still be retained post-withdrawal, but only for a reasonable period based on industry standards and other relevant considerations.
Direct marketing – Consent is required for direct marketing where this would significantly affect the rights and freedoms of a data subject. The guidelines list the following as examples: analyzing or predicting personal preferences, behavior and attitudes of the data subject to inform subsequent decision-making, tracking and profiling for direct marketing, behavioral advertisement, data brokering, location-based advertising, tracking-based digital market research, and other analogous activities. However, it is possible to consider direct marketing as a legitimate interest for which consent is not required, but this must be determined on a case-by-case basis.
Data sharing – Where data sharing is based on consent, the data subject must be given specific information about the sharing arrangement.
Research – Research is recognized as important to nation-building and in the public interest. Consent can be obtained within a reasonable time after the conclusion of the data gathering, if obtaining consent prior to collection will affect the research results. Where research is done only through observing public behavior, or where the results will be fully anonymized, consent is not required.
Publicly available information – Significantly, the guidelines clarify that the fact that personal data is provided by a data subject on a publicly accessible platform does not mean that blanket consent has been given for its use for any purpose whatsoever. Ultimately, organizations bear the responsibility of finding and proving that their processing is pursuant to a lawful basis under Philippines data privacy law as applicable.
Profiling and automated processing – Data subjects must be informed of any profiling or automated processing of their personal data. There must be safeguards against discriminatory outcomes affecting, or unfair treatment of, data subjects. Consent must be obtained for automated processing that solely determines any decision that has legal ramifications or a significant impact on a data subject.
Miscellaneous provisions – The processing of sensitive personal data through a contract between an organization and a data subject will be regarded as one that is based on consent. Hence, the requirements for consent must be complied with. Further, any waiver by a data subject of their privacy rights, including the right to file a complaint, will be void.
ID Cards Guidelines
This set of guidelines will apply to any private organization that issues an identification card to a data subject. Such cards may be in a physical or digital format, and include company IDs, school IDs, insurance cards, membership cards, and even rewards or loyalty cards.
The requirements imposed for these ID cards are:
They must only capture personal data as is necessary for the purpose of identifying the data subject. However, other personal data may be included if explicitly required by law.
The organization that issues the ID cards must implement appropriate safeguards to protect personal data on these cards, which must be on par with technological advancements, best practices and industry standards.
The organization issuing the cards bears the ultimate burden of demonstrating that the inclusion of any personal data is proportionate to a legitimate purpose.
Violation of the above carries criminal, civil and administrative liability as set out in the Philippines’ data privacy law.
Each set of the guidelines will take effect 15 days after it is published in a newspaper or a gazette, and affected organizations have 90 days from such effective date to comply with it.
Comments on either of these guidelines must be submitted to [email protected] no later than June 9, 2023, with the subject: “Public Consultation – Consent” or “Public Consultation – ID Cards,” as the case may be.
 Language used must not be confusing or complex.