Philippines: TMT

Republic Act No. 10844 created the Department of Information and Communications Technology (“DICT”) to be the primary policy, planning, coordinating, implementing, and administrative entity of the government that plans, develops, and promotes the national information and communications technology development agenda. There are several laws which regulate the different aspects of the technology industry of the country, such as the Public Telecommunications Policy Act (“PTPA”), Public Service Act, as amended (“PSA”), the Data Privacy Act of 2012 (“DPA”), Cybercrime Prevention Act (“CPA”), Electronic Commerce Act, and the Intellectual Property Code of the Philippines (“IP Code”).

The regulatory regime for technology in the Philippines is primarily implemented by the DICT. The DICT has various attached agencies which regulate specific aspects of information and communications technology in the country. For instance, the National Telecommunications Commission (“NTC”) is the primary regulatory entity which manages the radio spectrum, regulates radio and television broadcast stations, and the provision of public telecommunications services. The National Privacy Commission, on the other hand, is the main regulatory body which ensures compliance with data protection laws. Finally, the Cybercrime Investigation and Coordinating Center is the primary administrative agency which deals with the enforcement of cybercrime laws.

The Securities and Exchange Commission (“SEC”) and the Bangko Sentral ng Pilipinas (“BSP”) also regulate businesses engaged in the financial technology (“Fintech”) industry. The SEC, as the primary regulatory body for corporate entities, supervises financing and lending companies through their registration, which includes those operating through online lending platforms (“OLP”). The SEC is currently drafting guidelines for the registration of OLPs and has imposed a moratorium on any new registrations regarding the same. On the other hand, the BSP regulates Fintech related to payment platforms, digital banks, Virtual Asset Service Providers (“VASP”) and similar electronic operations, among others. The BSP has imposed a three-year moratorium on the granting of licenses to new VASPs starting 01 September 2022 in view of recent market developments.

The main law which regulates communications networks and services in the Philippines is the PTPA. In particular, the PTPA governs the development of telecommunications and the delivery of public telecommunications services in the country, and mandates the NTC to be the primary governmental agency tasked to administer the provisions of the Act.

To promote the accessibility and development of reliable information and communications technology throughout the country, the DICT has issued the Policy Guidelines on the Co-Location and Sharing of Passive Telecommunications Tower Infrastructure for Macro Cell Sites (the “PTTI Policy”). The PTTI Policy governs the co-location and sharing of Passive Telecommunications Tower Infrastructures by Independent Tower Companies (“ITCs”) and Mobile Network Operators (“MNOs”). The PTTI Policy is the latest department circular issued by the DICT which, among others, regulates the construction of Telecommunication Towers by MNOs.

Telecommunications networks are also undoubtedly involved in the processing of personal data, and as such, are covered by the DPA.

Under Philippine law, “telecommunications” is a process whereby all types of communication, including voice, words, and pictures, whether written or electronic, among others, are relayed or transmitted through various technological means.

Before any public telecommunications entity is allowed to install, operate, and maintain public telecommunications facilities and services in the Philippines, it must first incorporate as a domestic corporation with the Securities and Exchange Commission. Subsequently, it must be awarded a franchise by Congress and secure a Certificate of Public Convenience and Necessity from the NTC. Further, if the entity wishes to engage in Value-Added Services (“VAS”), it will need to apply for and acquire a VAS license from the NTC. A “VAS provider” is defined as an entity which, relying on the transmission, switching, and local distribution facilities of the local exchange and inter-exchange operators, and overseas carriers, offers enhanced services beyond those ordinarily provided for by such carriers.

Aside from the foregoing, a public telecommunications entity must also obtain various other permits and licenses, some of which are dependent on the site and nature of their operations. In general, the entity must obtain clearances and licenses from both the national and local level of government for the operation of their business, such as business permits, locational clearances, and registrations with the Bureau of Internal Revenue and Department of Labor and Employment.

Depending on the entity’s intended project activities and operations, it may also be required to obtain specific permits and licenses from other government agencies, such as a Philippine Contractors Accreditation Board License for the construction of a telecommunications tower, an Environmental Compliance Certificate in case of environmentally critical projects or sites, and a Philippine Economic Zone Authority registration in case the entity’s towers and operations will be located in an established economic or freeport zone.

The NTC is the primary regulatory entity which regulates the provision of public telecommunications services pursuant to the PTPA, which is the main law governing the development of telecommunications and the delivery of public telecommunications services in the Philippines.

The NTC is not independent of government control. The NTC is an attached agency of the DICT, which is part of the executive branch of the Philippine government. The NTC is headed by a Commissioner and two Deputy Commissioners, all of whom are appointed by the President of the Philippines.

Although the Philippines has consistently ranked among the top counties in the world in terms of social media use, there is no specific law therein which regulates platform providers. However, such platform providers, along with its users, are still subject to several related laws, such as the DPA and the CPA, and may be penalized by the state in the event of their violation.

Further, Fintech entities engaged in the operation of payment platforms and VASPs are regulated by the BSP, the central monetary authority in the Philippines. The BSP has recently imposed a three-year moratorium on the licensing of new VASPs starting 01 September 2022.

Related laws such as the DPA which may affect both platform providers and their users specifically provides for its extraterritorial application.

Yes, a telecommunications operator must be domiciled in the Philippines. Under the PSA, certificates authorizing the operation of a public service, such as telecommunications, within the Philippines shall only be issued to corporations, partnerships, associations, or joint stock companies that are constituted and organized under the laws of the Philippines.

In general, there are no restrictions on foreign ownership of telecommunications operators. This is pursuant to Republic Act No. 11659, which amended the PSA. Through the amendment the telecommunications industry is no longer a “public utility, which is limited to 40% foreign ownership under the Philippine Constitution.

Notwithstanding the foregoing, the amendment provides that an entity controlled by or acting on behalf of a foreign government or foreign state-owned enterprise, which has already invested capital in a public utility or critical infrastructure, prior to its effectivity is prohibited from investing additional capital upon its effectivity. Foreign nationals are not allowed to own more than 50% of the capital of entities engaged in the operation and management of critical infrastructure unless the country of such foreign national accords reciprocity to Philippine nationals as may be provided by foreign law, treaty, or international agreement.  Thus, in instances where reciprocity is not established, nationality restrictions continue to be applicable to telecommunications entities.

The Philippines has a declared national policy of pursuing the growth and development of telecommunications services in the country, and for this purpose, has mandated interconnection between all public telecommunications entities. Pursuant to such policy, the NTC has issued various regulations regarding the interconnection between operators, which include general guidelines, competitive wholesale charging, and charging for various types of telecommunications services, among others.

The regulations issued by the NTC has several provisions which apply only to operators with market power. The NTC defines a major supplier as a public telecommunications entity who has the ability to materially affect the market, directly or indirectly, for basic and/or enhanced telecommunications services as a result of its control over essential facilities and the use of its position in the market. These major suppliers, among others, are prohibited from committing acts constituting anti-competitive practices and are mandated, if they are a local exchange carrier, to interconnect with all inter-exchange carriers.

In addition, and with respect to anti-competitive practices in general, the Philippine Competition Commission is the primary agency tasked to oversee and prevent anti-competitive practices, including but not limited to those in relation to the telecommunications market.

The NTC has issued a Memorandum Circular known as the Consumer Protection Guidelines, which apply specifically to services provided by the telecommunications industry. These guidelines provide for consumer protection regarding equal treatment, data privacy, disclosure rights, service charges, and notification rights, among others. The guidelines also provide for the procedure of filing complaints with the NTC and access to information in relation thereto.

Consumers of telecommunications services (i.e., telecommunications subscribers) are also protected by the DPA with regard to their personal information processed through the data systems of telecommunication entities.

Creators of computer software are offered protection by the IP Code. Particularly, a computer software or program is considered a “literary or artistic work” which is protected from the moment of creation. A copyright provides the owner thereof with economic and moral rights over the protected work, among others.

Yes, data/databases are copyrightable, provided that there must be some arrangement, selection or any creative process applied in the database. Without such creative process, the data/databases cannot be protected by copyright.

The Philippines has a specific law that protects personal data, which is the DPA. The DPA protects personal data in three (3) ways:

First, there must be lawful basis to use or process personal data. Before any entity or company may be able to collect or use personal data, the data subject must either give express consent or there must be some legal obligation the information is going to be used for.

Second, entities that maintain personal data have certain obligations such as confidentiality and integrity of such data. Such entities are required to have appropriate and reasonable measures to prevent data breaches or possible loss of data. They are also required to notify data subjects in case there is any data breach.

Lastly, data subjects have certain rights with respect to their personal data, such as the rights to access and erasure of their personal data, and right to damages for any violation of their rights.

Any person that violates the provisions of the DPA would face monetary penalties and imprisonment.

Yes. Even if the personal data of Filipinos or Philippine residents are to be used or processed in foreign countries, there must still be some lawful basis for the entity to legally use such personal data. The rights under the DPA still apply as long as the data subject is a Filipino, a Philippine resident or the entity has a link with the Philippines. In these cases, general principles for data sharing also apply.

Data sharing or the disclosure or transfer of personal information of one person to a third party shall only be allowed if it is expressly authorized by law or the data subject consents, and he is informed of its purpose. Other forms of data sharing such as for commercial purposes and between government agencies shall be covered by a data sharing agreement. Thus, companies must still obtain the express consent of the data subject for a transfer of personal data overseas to be legal.

The maximum fine for breach of the DPA is PhP5 million for a combination or series of violations of the DPA. For a single act, the maximum penalty of PhP4 million may be imposed for the unauthorized use or processing of sensitive personal information such as the race, criminal history, sexual life, or government-issued identifiers of a data subject.

The DPA provides for the “transmissibility of rights” of a data subject. This allows the lawful heirs and assigns of the data subject to invoke his/her rights if the said data subject passes away or becomes incapacitated.

The DPA imposes additional restrictions on the use of sensitive personal information of data subjects. “Data which are manifestly made public by the data subject” is not one of the exceptions to using or processing sensitive personal information. Thus, under the DPA, sensitive personal information of data subjects, even if available to the public, still cannot be used or processed without any lawful basis. Furthermore, personal data used for needs of scientific and statistical research shall be held under strict confidentiality and shall be used only for the declared purpose.

Yes, there are guidelines or restrictions that are applicable to cloud-based services. Under Section 4 of the DPA, its provisions apply to the processing of all types of personal information processing including those, although not found or established in the Philippines, use equipment that are in the Philippines, or those who maintain an office, branch or agency in the Philippines. Thus, the DPA applies to cloud-based services, which may involve storage and collection of personal data.

Furthermore, there are industry-specific regulations regarding cloud adoption such as those issued by the BSP and the DICT. Under relevant BSP regulations, financial institutions that outsource functions through cloud service providers must provide adequate oversight, security, and risk management processes over such providers. The DICT has also referred to cloud computing as the preferred technology for delivering government services, provided that sufficient data security is maintained.

Yes, the Rules on Electronic Evidence provides that an authenticated electronic signature is considered the functional equivalent of the signature of a person on a written document.  An electronic signature may be authenticated in the following manner: (1) By evidence that a method or process was utilized to establish a digital signature and verify the same; (2) By any other means provided by law; or (3) By any other means satisfactory to the judge as establishing the genuineness of the electronic signature.

An outsourcing of IT services will not necessarily involve the automatic transfer of employees, assets, or third-party contracts. Implementation of such transfers will depend on the contractual stipulations between the parties, as well as relevant regulations for separation and transfer of employment under Philippine employment law.

Contractual and tort laws would govern in determining upon whom the liability of A.I. malfunction would be imposed.  Under Philippine tort law, whoever by act or omission causes damage to another, through negligence, is obliged to pay damages to the injured party. If the injured party proves that the owner of the software program has been negligent, the owner shall indemnify the injured party.

(a) obligations as to the maintenance of cybersecurity; and

The DPA and the CPA are the laws that contain specific obligations on the maintenance of cybersecurity. Under the DPA, entities that maintain personal data have certain obligations, such as confidentiality and integrity of such data. Such entities are required to have appropriate and reasonable measures to prevent data breaches or possible loss of data, as well as any other unlawful processing. Under the CPA, there is an Office of Cybercrime within the Department of Justice which is tasked to formulate and enforce a national cybersecurity plan.

(b) the criminality of hacking/DDOS attacks?

Hacking/DDOS attacks are considered crimes under the CPA. They are within the meaning of illegal access or interception, and data or system interference. The penalties under the CPA may go up to a maximum amount commensurate to the damage incurred.

Although the BSP has announced its intent to conduct a pilot program to adopt central bank digital currencies (“CBDC”) in the Philippines, actual implementation may require amendments to existing laws, including the New Central Bank Act which limits currency to notes and coins. Depending on the model adopted, it will also require amendments to the legal framework to address issues concerning data privacy, taxation, cybercrime, and disintermediation of the commercial banking sector. Enactment of the necessary legislation for this purpose will ultimately depend on whether or not there is sufficient political and popular support for the required measures.

Nationality laws in the Philippines (as summarized in the Foreign Investment Negative List) imposing foreign equity restrictions on certain activities such as mass media and advertising restrict commerce to some extent.

The Philippines has adopted quickly to technological/digital changes, especially during the pandemic. The Electronic Commerce Act was in place to support these transactions and the regulators much earlier on allowed Electronic Money Issuers, Virtual Asset Service Providers, and Online Lending Platforms, aside from the traditional credit cards. The BSP has also regulated digital banks through licensing requirements. With the rapid growth of these digital services, what we see now is a closer supervision from the regulators, to ensure that consumer rights are protected.

The Philippine legal system does not have a legal framework that specifically regulates artificial intelligence yet. However, there are a number of bills pending in Congress aiming to increase research on A.I. and its potential in helping improve Filipinos’ lives. While there are no specific laws currently governing this matter, the general doctrines of contract, civil and tort laws still cover liabilities for stipulated obligations and negligence. If the A.I. also violates civil rights, such as the right to privacy, the injured party will have the right to indemnification. Artificial intelligence software are also copyrightable and patentable works that our protected by Intellectual Property laws.