Philippines: NPC releases new guidelines on artificial intelligence and child-oriented transparency

In brief

The Philippine National Privacy Commission (NPC) recently issued Advisory No. 2024-03 titled "Guidelines on Child-Oriented Transparency" ("Advisory on Child-Oriented Transparency"), which expounds on how personal information controllers (PICs), either on their own or through their personal information processors (PIPs), should comply with the transparency principle whenever they process personal data of children in the context of their products or services that are specifically intended for, or likely to be accessed by, children.

The NPC also recently released Advisory No. 2024-04 titled "Guidelines on the Application of the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and the issuances of the NPC to Artificial Intelligence (AI) Systems Processing Personal Data" ("AI Advisory"), which provides guidance on the responsible development and deployment of AI systems that process personal data.



Recommended actions

Clients offering products or services that are specifically intended for, or likely to be accessed by, children are strongly encouraged to take the following steps to meet the requirements under the Advisory on Child-Oriented Transparency:

  • Review existing privacy notices to ensure that they meet the "child-friendly" standards.
  • Incorporate a Child Privacy Impact Assessment (CPIA) portion in their Privacy Impact Assessments (PIAs).
  • Address privacy risks identified in PIAs by implementing appropriate measures like age assurance mechanisms and privacy controls.
  • In case of a personal data breach that requires mandatory notification, notify both the child and their parents or guardians.

Moreover, clients that develop or deploy AI systems should be mindful of their obligations under the AI Advisory, including the following:

  • Providing appropriate privacy notices to apprise data subjects of AI systems that involve the processing of personal data.
  • Implementing and documenting effective policies and procedures, including governance mechanisms to ensure the responsible and ethical processing of personal data.
  • Ensuring that processing is fair and accurate and complies with the data minimization principle.
  • Determining the most appropriate lawful basis prior to the processing of personal data.
  • Implementing mechanisms to ensure the proper exercise of data subject rights.

Non-compliance with any of the above requirements may lead to the imposition of administrative penalties by the NPC, such as compliance/enforcement orders, administrative fines of up to PHP 5 million (approximately USD 86,200 [1]) for a single violation, and cease and desist orders or temporary or permanent bans on personal data processing. In addition, affected data subjects may recover damages through civil indemnity claims for violations of their data privacy rights, specifically the right to be informed. Finally, if the violation amounts to a criminal offense under the DPA, such as Unauthorized Processing of Personal Data, criminal penalties may be imposed upon the responsible officer(s) who participated in, or by their gross negligence, allowed the commission of the crime.

In more detail

Advisory on Child-Oriented Transparency

A PIC that is processing personal data of children, whether on its own or through its PIP, in relation to its products or services that are specifically intended for, or likely to be accessed by, children, must ensure compliance with the following requirements:

  • Provide children with a child-friendly privacy notice that is simple and can be easily understood by children, taking into consideration the age range of the intended or likely users.
  • Follow a layered approach when presenting the child-friendly privacy notice to children.
  • Not use deceptive methods or any form of coercion, compulsion, threat, intimidation or violence when processing children's personal data.
  • Incorporate a CPIA in their PIA before launching products or services intended or likely to be accessed by children and thereafter, as may be necessary.
  • Implement appropriate measures to address any risks identified in the PIA to ensure the protection of the child's personal data. This includes, but is not limited to, the following:
    • Age assurance mechanisms: a PIC may implement age assurance mechanisms or solutions to determine the age range of its users as a tool to adopt age-appropriate practices when processing children's personal data.
    • Privacy controls: a PIC must adopt a risk-based approach to determine and implement appropriate and enhanced privacy controls when processing children's personal data, while ensuring that (1) children's accounts have privacy settings set to the highest level by default, and (2) children are fully aware of the available privacy settings and how to adjust them.
  • Notify both the child and their parents or guardian in the event of a personal data breach requiring mandatory notification.

AI Advisory

This advisory reinforces the following privacy principles and obligations that apply whenever a PIC, either on its own or through its PIP, processes personal data when developing or deploying AI systems:

  • Transparency: PICs shall inform their data subjects of the nature, purpose and extent of the processing of personal data when it involves the development or deployment of AI systems. PICs must explain the purpose for processing, factors and inputs considered by such AI systems, associated risks, expected output of the AI systems, impact of the AI systems on data subjects, and any applicable dispute mechanisms available to data subjects.
  • Accountability: PICs remain accountable for the processing of AI systems and the outcomes and consequences of such processing, including cases when processing is outsourced to PIPs.
    • PICs and PIPs must implement and document effective policies and procedures to comply with the DPA, its IRR and issuances of the NPC.
    • PICs must institute appropriate and effective governance mechanisms, including monitoring the implementation and effectiveness of such mechanisms in order to ensure responsible and ethical processing of personal data in the development or deployment of AI systems.
      Where AI systems involve automated decision making that can pose a significant risk to the rights and freedoms of data subjects, PICs must implement mechanisms that allow for meaningful human intervention.
  • Fairness: PICs must ensure that personal data is processed in a manner that is neither manipulative nor unduly oppressive to data subjects. PICs must implement mechanisms to identify and monitor biases in the AI systems, and limit such biases and their impact on data subjects.
    PICs shall not utilize AI washing, a practice where PICs overstate the involvement of AI systems to the detriment of their data subjects, and other deceptive practices.
  • Accuracy: PICs shall implement appropriate measures to ensure that personal data utilized in the AI systems is correct and kept up to date.
  • Data minimization: PICs shall exclude, by default, any personal data that is unlikely to improve the development or deployment of AI systems.
  • Lawful basis for processing: PICs shall determine the most appropriate lawful basis under the DPA prior to the processing of personal data in the development or deployment of AI systems.
  • Data subject rights: PICs must implement mechanisms to ensure the proper exercise of data subject rights before, during and after the development or deployment of AI systems.
    Under the AI Advisory, the fact that personal data has been incorporated into data sets does not automatically make the exercise of data subject rights unreasonable. A PIC's inaction towards providing mechanisms allowing for the meaningful exercise of data subject rights negates any claim that fulfilling such requests is unreasonable.

Non-compliance

Non-compliance with any of these requirements may lead to the imposition of administrative penalties by the NPC, such as compliance/enforcement orders, administrative fines of up to PHP 5 million (approximately USD 86,200 [2]) for a single violation, and cease and desist orders or temporary or permanent bans on personal data processing. In addition, affected data subjects may recover damages through civil indemnity claims for violations of their data privacy rights, specifically the right to be informed. Finally, in case the violation amounts to a criminal offense under the DPA, such as Unauthorized Processing of Personal Data, criminal penalties may be imposed upon the responsible officer(s) who participated in, or by their gross negligence, allowed the commission of the crime.


[1] Based on an exchange rate of USD 1: PHP 58.

[2] Based on an exchange rate of USD 1: PHP 58.

*****


© 2024 Quisumbing Torres. All rights reserved. Quisumbing Torres is a member firm of Baker & McKenzie International, a Swiss Verein. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.
