Data privacy violations by personal information controllers or processors in the private and government sectors will be met with administrative fines.
The National Privacy Commission (NPC) said in a statement the proposed fines are separate from the criminal penalties and fines provided under the Data Privacy Act (DPA) and its implementing rules and regulations.
The Commission said it presented the draft circular on the guidelines on administrative fines to concerned organizations and stakeholders in the private sector at an online public consultation held last April 30.
A separate initiative for government agencies is also underway with the NPC holding consultations with the Civil Service Commission.
Depending on the infraction committed, the draft circular proposes fines ranging from 0.5 to 5 percent of the annual gross income of the personal information controller or processor handling the personal data.
Factors that influence the determination of the fines include the gravity of the infraction, the number of data subjects affected, failure to notify the Commission and affected data subjects of personal data breaches, and the intentional or negligent character of the offense, among others.
“The proposed circular considers the proportionality of the fine meted, its dissuasive effects, the costs of precaution, and other social, regulatory, and economic impacts that its adoption may create to all personal information controllers and processors,” Privacy Commissioner Raymund Liboro told attendees of the public consultation.
Due process will also be observed.
The draft circular introduces to the NPC a new range of enforcement tools to ensure accountability from all organizations, businesses, and individuals when processing personal information.