Are online sellers required to register with National Privacy Commission?
Everyone with a mobile number has received unsolicited text messages at one time or another. These messages could be offering the recipient a job for P5,000 per day, congratulating the recipient on being approved for a loan, or a notice about winning a million pesos with an invitation to click a link to claim the prize.
Lately, the messages have taken a more personal tone including the name of the recipient, which makes one wonder how and where the sender could have obtained the information.
Because of the pandemic, people have gotten used to online transactions. There is a huge amount of information uploaded and submitted online.
There are chat groups with thousands of members on apps such as Viber, WhatsApp, or Telegram, selling different things managed or controlled by their administrators. Depending on your settings, the names and cellphone numbers as well as other personal information disclosed in the thread may be visible to members of the group and the administrator.
There are also other online marketplaces like Facebook Marketplace, Shopee and Lazada with sellers both local and abroad who have accounts are given access to the personal information of their buyers.
Facebook users can also buy and sell items on Facebook Marketplace. The sellers are able to click on the chat Settings to see the full name of the buyer who messaged them and, from there, locate the person’s Facebook profile, where they can obtain personal information about the buyer. Sellers and buyers also exchange personal details such as full name, cellphone number, address, and bank details, or payment information via FB Messenger to complete their transaction.
For Shopee, sellers on the site are given the names, addresses and cellphone numbers of their buyers. Other online marketplaces would likely provide the same information to sellers. (https://seller.shopee.ph/edu)
A 2021 Pulse Asia survey found that 99 percent of internet users in the Philippines own a Facebook account.
On the other hand, as of late 2018 Shopee already had over 300,000 active sellers. It was also reported that in the first quarter of 2022 Shopee and Lazada have had 77 and 39 million monthly web visitors, respectively. (https://news.abs-cbn.com/ancx/culture/spotlight/02/12/19/want-to-be-an-e-commerce-seller)
There are also other sellers online using different platforms that collect their own set of personal information from their customers.
Enter the Data Privacy Act of 2012 or Republic Act No. 10173, which declares that it is the policy of the state to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. Further, that processing of personal information shall be allowed but must adhere to the principles of transparency, legitimate purpose and proportionality.
Those who perform unauthorized processing of personal and sensitive personal information as well as those who allow this to happen are sanctioned with imprisonment and a substantial monetary fine. (Chapter VIII of the Data Privacy Act)
The law defines a Personal Information Controller (PIC) as one that controls the processing of personal data, or instructs another to process personal data on its behalf and a Personal Information Processor (PIP) as one that a PIC may outsource or instruct the processing of personal data pertaining to a data subject.
Accordingly, a chat administrator or an online seller that controls and processes personal information is a PIC. On the other hand, a seller in an online marketplace that is given access to a buyer’s information such as name, address and cellphone number and arranges with a courier or delivery service for the sending of the item purchased by the buyer is a PIP.
Are these PIC’s and PIPs required to register with the National Privacy Commission? The answer is it depends if the PIC or PIP fall under the parameters for mandatory coverage under the law.
The Data Privacy Act makes it mandatory for PICs or PIPs to register with the NPC when:
a.) It employs at least 250 employees
b.) It processes sensitive personal information of at least 1,000 individuals
c.) Processing of information is likely to pose a risk to the rights and freedoms of data subjects. For example, the processing:
1.) will affect national security, public safety, public order, or public health
2.) involves information required by laws or rules to be confidential
3.) involves vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP
4.) involves automated decision-making
5.) amounts to profiling
d.) The processing constitutes a core activity of the PIP or PIC and is not occasional in nature
e.) By the government, banks and non-bank financial institutions, pawnshops, telecommunications companies, business process outsourcing companies, schools, hospitals, pharmaceuticals, insurance companies, direct marketing & networking companies, data processing systems involving automated decision making. (Section 5, NPC Circular 17-01)
Given the foregoing, PICs and PIPs who process personal information and employ 250 people must register. Those that process sensitive personal information of at least 1,000 data subjects are also required to register.
Sensitive personal information refers to information about a person’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person in court, issued by government agencies peculiar to an individual such as social security numbers, licenses, tax returns, and those specifically established by an executive order or an act of Congress to be kept classified. (Sec. 3, Data Privacy Act)
In the event that a PIC or PIP does not fall under any of the first two categories, mandatory registration is still required if (a) the information processing is a core activity of the controller or processor; (b) the information is used for profiling (processing consisting of using personal data to predict a person’s performance, quality and behavior), or (c) the processing operations pose a risk to data subjects or would likely affect national security, public safety, public order, or public health (NPC Circular 17-01).
Lastly, aside from the registration requirements, it must also be emphasized that the unauthorized use or processing is punishable with imprisonment and a heavy monetary fine.
(The author, Atty. John Philip C. Siao, is a practicing lawyer and co-managing partner of Tiongco Siao Bello & Associates Law Offices, a professor at the MLQU School of Law, and an arbitrator of the Construction Industry Arbitration Commission of the Philippines. He may be contacted at [email protected]. The views expressed in this article belong to the author alone.)
