The Philippines places a significant emphasis on privacy and consent, rooted in constitutional rights. In Ople v. Torres, the Supreme Court expressly recognized the right to privacy as a fundamental right guaranteed by the Constitution, identifying in the process several constitutional provisions that protect different facets of such right.
To fortify this commitment, the National Privacy Commission (“NPC”) recently issued Circular No. 2023-04, which delineates comprehensive guidelines on obtaining valid consent.
Published on 7 November 2023, NPC Circular No. 2023-04 specifically applies to personal information controllers (“PICs”) engaging in the processing of personal data based on the consent of the data subject. The Circular serves as a roadmap, offering detailed insights into the elements and procedures constituting valid consent in adherence to the Data Privacy Act (“DPA”) and its Implementing Rules and Regulations (“IRR”).
Elements of Consent (Sec. 7)
The Circular explicitly defines the essential elements of valid consent, emphasizing that it must be freely given, specific, informed, an indication of will, and evidenced by written, electronic, or recorded means. It further underscores that consent cannot be considered freely given in situations involving pressure, intimidation, adverse consequences, or any impairment of the data subject’s free will. Genuine choice and control are paramount: a data subject must have a genuine choice and control over their decision to consent to the processing of their personal data. (Sec. 7)
Provided that all the elements of consent are present, and the PIC provides the data subject with information on the processing of personal data for a specific service, the continued use of the PIC’s specific service is an assenting action signifying consent. (Sec. 10, C)
Furthermore, the Circular provides that consent must be expressly given through a clear assenting action that signifies agreement to the specific purposes of the processing of personal data as conveyed to the data subject at the time consent was given. (Sec. 10) Hence, consent can never be assumed, and non-response or implied consent does not constitute valid consent. (Sec. 10, A)
Transparency (Sec. 3)
Because transparency is a cornerstone of the Circular, PICs shall ensure that the data subject is aware of the nature, purpose, and extent of the processing of personal data. This includes the risks and safeguards involved, the identity of the PIC, the rights of the data subject, and how these rights can be exercised. Transparency empowers the data subject to make informed choices, and where applicable, to have reasonable control over the processing of their personal data, and to hold a PIC accountable based on the information provided at the time the data subject gave their consent.
Specific information. At the minimum, the following information should be provided in a concise statement: description of the personal data to be processed, the purpose, nature, extent, duration, and scope of processing for which consent is used as basis, the identity of the PIC, the existence of the rights of the data subject, and how these rights can be exercised. (Sec. 3, A)
Timing. Such concise information should be provided at the moment when consent is obtained (e.g., at set-up, just-in-time, context-dependent). Further information or additional details should be made available to the data subject by means of a Layered Privacy Notice (i.e., use of a link to the detailed information on the processing). (Sec. 3, B)
Clarity. A PIC shall use clear, plain, consistent, and straightforward language when providing information to the data subject. A PIC must not use vague or blanket wording, convoluted information, technical jargon, confusing terminologies, or double negatives, and must not deliberately provide information in a circuitous manner. Providing the data subject with information that is difficult to understand, long-winded, or complex is inconsistent with informed consent. (Sec. 3, C)
Withdrawal of Consent (Sec. 13)
Consent, as a dynamic process, can be withdrawn at any time without cost to the data subject, subject to certain limitations as may be provided for by law, regulation, or contract. Should a data subject choose to exercise the right to withdraw consent to the processing and if there is no other lawful basis justifying the continued processing, a PIC is obliged to stop the processing without undue delay, terminate any processing activity including the provision of services relying on that consent, and delete the personal data.
To that end, a PIC shall ensure that withdrawing consent is as easy as, if not easier than, giving consent. A PIC is obliged to implement simple procedures to enable the data subject to exercise the right to erasure, including to suspend, withdraw or order the blocking, removal, or destruction of personal data from the PIC’s repository. (Sec. 13, A)
Additionally, a PIC should refrain from utilizing or switching to another interface for the sole purpose of consent withdrawal, since this would require undue effort from the data subject, unless it will result in an easier manner to withdraw consent. (Sec. 13, B) Moreover, a PIC shall also provide the data subject with adequate information on the scope and consequences of the withdrawal of consent at the beginning of the processing and at the point when the consent is to be withdrawn. This includes informing the data subject of any further processing of personal data, its purposes, and the corresponding lawful bases relied on for those other purposes. (Sec. 13, C)
Importantly, when consent is withdrawn by the data subject, the withdrawal shall not affect the lawfulness of the processing before the withdrawal of such consent.
Overall, the legal foundations and regulatory initiatives outlined in NPC Circular No. 2023-04 serve to promote accountability, transparency, and respect for individual privacy while balancing societal interests. They reflect the Philippines’ proactive stance in addressing contemporary challenges related to data protection and privacy rights. This approach reaffirms the goal of navigating the complexities of the digital age while safeguarding the fundamental rights and privacy expectations of every citizen.
The views and opinions expressed in this article are those of the author. This article is for general information and educational purposes, and is not offered as, and does not constitute, legal advice or legal opinion.
John Joshua R. Carillo is an Associate of the Litigation and Dispute Resolution Department of the Angara Abello Concepcion Regal Cruz Law Offices.