Member Article

The Philippine National Privacy Commission (NPC), which administers the country’s Data Privacy Act (DPA), has recently made available to the public copies of its advisory opinions. These opinions had been issued in response to various queries regarding the proper application and interpretation of the provisions of the DPA and its implementing rules and regulations.

Issue of consent

Advisory Opinion No. 2017-42 (issued 14 August 2017) sets out the NPC’s view on what constitutes sufficient consent for the collection and processing of personal information.

Under the DPA, collection and processing of personal data must have a lawful basis. Consent is one of the acceptable criteria for lawful processing. Consent is defined as “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive or privileged information.”

The opinion responded to the question of whether sufficient consent could be acquired through the following arrangements:

• the data subject would be given access to a privacy policy/notice
• the notice states that the continued use of the products and services of the company will be deemed as consent to collect, process, and share personal data, including processing for purposes of direct marketing, data analytics, and automated processing

The NPC opined that this was a form of implied or inferred consent and that this is not sufficient for purposes of the DPA.

In the privacy policy/notice subject of the advisory opinion, the NPC mentioned that all three requirements for the validity of consent are not present. The first requirement that consent be freely given is absent considering that the data subject is not required to perform any overt act before its consent is deemed to have been given. The second and third requirements, i.e., specific and informed indication of will, are also lacking since the privacy policy/notice uses blanket statements in authorizing related companies and third-party service providers to use, process, and share personal data and there is also no indication of the exact purpose/s, the retention period, and mode and means of destruction of data.

Finally, the NPC referred to Recital 32 of the REGULATION (EU) 2016/679 or the General Data Protection Regulation (GDPR) of the European Union for additional guidance on consent. The recital states:

xxx xxx. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. xxx xxx

Takeaways

Based on the advisory opinion, controllers with websites or other platforms that collect and process personal data should have on their sites/platforms:

1) a function where the data subject is asked to agree to the collection and processing of his or her data pursuant to the terms and conditions of a data privacy policy or privacy notice that the data subject can access and read, which can be a clickable button that can express agreement;

2) a data privacy policy or privacy notice or statement that sets out all the information needed to be advised to a data subject, particularly purposes for which personal data will be collected and used; and

3) a separate mechanism for data subjects to agree to data sharing and to processing involving automated decisionmaking.

Controllers and processors will need to continue to monitor how the NPC administers the DPA and its implementing rules. They should also take note that the NPC will tend to be guided by the GDPR and how this is being applied.