Working in regulatory compliance with a client from a major financial institution to implement a call center in the Philippines is somewhat akin to walking through a minefield. When it comes to regulatory compliance in the Philippines, "Ignorantia juris non excusat." Ignorance of the law is no excuse. Any person who is unaware of a law may not escape liability for violating that law merely because he or she was unaware of its content. Nowhere is this more applicable than in the Philippines. But this premise also assumes the law in question is published, distributed, and regulated, with "regulated" being the key word. Clearly, if a law or regulation is in place, it must be easy to ensure a company can implement controls for compliance. This is not so in the Philippines; government is chosen through a popularity contest, in which many of the government members are former movie stars. And once they are chosen, they bring in family members to play key roles in the government. So while the Philippines is currently one of the most active places overseas for information technology, call centers, and manufacturing, it also has a confusing legal system and confusing practices.
There are numerous ill-defined laws recently implemented that affect corporations and individuals. One example is the Cybercrime Act. Over 95 million people live in the Philippines, and over one quarter of them use the Internet. Filipinos are some of the most social online users, with over 25 million users on Facebook and close to 10 million on Twitter. But users beware: if a Filipino "likes" a friend's post on Facebook or re-tweets someone else's tweet, they may very well land in jail. Thanks to the Cybercrime Act, if one "likes" something on Facebook, that person can be sued, and if they "share" it, they can be sued. According to one Filipino Senator, "Even Mark Zuckerberg can be charged with cyber-libel". The way the law is worded, the Filipino police could actually charge someone simply for criticizing them or the government in a way they deem "malicious", a standard very much open to interpretation.
At issue is the broad and vague provision around libel and the internet. And if one is found guilty, it can mean up to 12 years in jail. Nobody understands what constitutes libel under the act: is the one who made the original post the libeler, or the one who shares that post? If one posts agreement with something, does that constitute libel? There is no answer. Apparently, hackers have defaced government websites in protest against the act, and several petitions to declare the law unconstitutional have been filed. There is increasing pressure from the public to repeal or replace the law, but so far there is little sign that the government is backing down. Implications for corporations around this act could be far-reaching and pose a risk to doing business in the Philippines.
The Cybercrime Act is one example of how broad and vague Philippine legislation can be. But there is another broad and vague act that will affect implementation of the financial institution call center previously mentioned: the Data Privacy Act. Clearly, if a law or regulation is in place, it must be easy to ensure a control is in place. But in reality, it is not easy at all. The Data Privacy Act (DPA), enacted late in 2012, says that corporate entities cannot process personal information except in accordance with the law, and they must have consent from the person concerned. This covers anything relating to personal information that can be linked to an identity (such as a form with data that can be linked to a person). Automated and computerized information kept about workers by employers is covered by the Act. It also covers personal information put on paper or microfiche and held in any relevant filing system. It applies to personal information that is subject to processing. For example, any information about:
- Details of a worker's salary and bank account held on an organization's computer system
- Email about an incident involving a named worker
- Individual worker's personnel file
So the law would impose obligations on this financial institution as a personal information controller. The Act aims to substantially raise the profile of the Philippines in the data privacy (and data processing business) sphere by mandating that all personal information controllers ('Controllers'), being persons who control the collection, holding, processing or use of the personal information of others (defined in the Act as 'Data Subjects'), comply with many requirements before any such collecting, holding, processing or use may take place.
There are rights of data subjects, including the right to inquire what information this financial institution client holds about them. If this client violates the law, it must be reported to the National Privacy Commission – which has yet to be formed! Therein lies one of the issues this financial institution's Compliance group must determine: if there is currently no active regulator, what is the risk of not following the already vague act that was enacted? If someone wanted to sue this financial institution over their personal information, there are no restrictions as to how much one can claim or receive. While adherence to the code is supposed to help employers protect themselves from challenges against their data protection practices, the current lack of rigor around it is no guarantee. It is supposed to encourage Philippine workers to treat customer data with respect and to help ensure that information about customers is treated properly. Employers may have alternative ways of meeting these requirements, but if they do nothing, they risk breaking the law. While the code provides "good practice recommendations", how far they are applicable and what is needed to achieve them has not been fully determined. The issue then becomes: since there are no real specifics, how does an organization put the proper controls in place to be compliant? Would you want to be the Chief Privacy Officer in the Philippines for this financial institution? The penal provisions are strict: a person (most probably a Compliance or Privacy Officer) will have to personally accept the risk that if criminal charges are brought against the firm, that person (an employee) could go to jail. The Act is one of the toughest pieces of data privacy legislation in the region in terms of the sanctions imposed on offenders. Specifically, the Act introduces:
- Fines and prison sentences for first time breaches of the Act
- Ongoing liability of Controllers for personal information sent offshore/provided to third party processors
- Significant rights of Data Subjects.
Companies that breach the Act may be prevented from processing personal information and individual foreigners who breach the Act could be deported. The Act offers no second chances, and breaches of the Act are automatic offences. Depending on the nature of the breach, Data Controllers may be penalized by imprisonment for between 3 and 6 years and fines between PHP 500,000 and PHP 4 million (approximately USD 12,000 to USD 96,000) for individual breaches. Multiple breaches of the Act may also be penalized by imprisonment for between 3 and 6 years and fines of between PHP 1 million and PHP 5 million (approximately USD 24,000 to USD 120,000). Furthermore, any breaches where 100 or more persons are harmed or affected will be subject to the maximum penalties.
Any company that is found to have breached the Act (such as to constitute an offence) may also have its right to process personal information revoked. In addition, of note for foreign individuals dealing with personal information in the Philippines, if the person who breaches the Act is an alien he/she will be deported from the Philippines without further proceedings after serving any prison term and/or paying any penalties levied.
The current DPA "hodge podge" leaves many companies ill-prepared to establish compliance controls. The general consensus is that the act will be changed, but nobody knows exactly what will change. The financial services client can model compliance controls around an existing model that is used in the UK, but there is no guarantee that would protect the client either. Interestingly, government and business leaders originally believed that the implementation of the law would help maintain the competitiveness of the Philippines, boost investments in its information technology-business process outsourcing (IT-BPO) sector, and support a healthy information and communications technology (ICT) industry. But that type of thinking could backfire if a tidal wave of litigation begins against major corporations that are setting up business in the Philippines. While companies wait for the government to provide further guidance on the act by issuing its implementing rules and regulations (IRRs), existing businesses must determine how to implement controls that will make them compliant. There is a transitory period of one year, which will begin when the IRRs come into effect. New businesses will not get the benefit of the transition period, so the financial client is pushing hard to implement the call center by October 1, 2013, before the IRRs are determined. In this short timeframe, being in or out of compliance is a guessing game. Taking active measures to prepare data collection, handling and processing practices for compliance is paramount, and project work is underway to update data collection, review contracts and processes, put controls in place, and develop internal data privacy guidelines and protocols. But the determination of whether corporations are in or out of compliance is still left to the whims of the movie stars in government, and that is a risk that some may not want to take.