SUMMARY: NPC CIRCULAR No. 2023-04 – GUIDELINES ON CONSENT

On November 7, 2023, the National Privacy Commission (NPC) issued and published the NPC Circular No. 2023-04 providing the guidelines on consent.

The Circular applies only to personal information controllers (PICs) engaged in the processing of personal data based on the consent of the data subject. It provides guidance on what constitutes valid consent, and how it shall be properly obtained and managed in compliance with the DPA and its IRR.

The Circular is limited to the requirement of consent in relation to the processing of personal data. The Circular shall not be construed as modifying the existing general legal framework on obligations and contracts under the Civil Code of the Philippines and other applicable laws and regulations. Overall, the Circular lays down specific general data privacy principles concerning transparency, legitimate purpose, proportionality, fairness, elements of consent, obtaining consent, withdrawal of consent and the guidelines on specific processing activities.

Transparency

The Circular requires PICs to ensure that the data subject is aware of the nature, purpose, and extent of processing of their personal data, including the risks and safeguards involved, the identity of the PIC, the rights of the data subject and how they can be exercised. Transparency empowers the data subject to make informed choices and, where applicable, to have reasonable control over the processing of the data and the power to hold the PIC accountable based on the information provided at the time consent was given. For transparency to exist, the following must be provided:

  • Specific information
  • Timing
  • Clarity
  • Forms which clearly clarify and distinguish the privacy statement, privacy policy and privacy notice, and consent form.

Legitimate Purpose

The Circular requires a PIC, prior to the commencement of the processing activity, to identify at the outset all purposes for the processing of personal data, which must not be contrary to law, morals, or public policy. However, in case a PIC revises its terms and conditions, retaking of consent is not necessary if the purpose, scope, method, and extent of processing remain the same as those disclosed to the data subject at the time consent was given.

Proportionality

All PICs must ensure that the proposed processing of personal data is adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Under the Circular, as a general rule, personal data shall be processed only if the purpose could not be reasonably fulfilled by other less intrusive means, and a PIC may only process additional personal data if the data subject validly consents to the additional processing prior to the collection of the personal data or as soon as practicable and reasonable.

Fairness

In determining fairness in processing of personal data based on consent, the following factors must be considered:

  • The purpose of the processing;
  • The amount of personal data collected;
  • The specific processing to be conducted on the personal data;
  • How the information on the processing is conveyed to the data subject;
  • The manner of collection of the personal data;
  • The free will of the data subject when providing consent;
  • How the data subject gives their consent; and
  • The retention period of the personal data processed.

Elements of Consent

A data subject must have a genuine choice and control over their decision to consent to the processing of their personal data. As provided for in the Circular, the following elements must be present to obtain consent:

  1. Freely given
    • Consent is not freely given in instances where there is any element of pressure, intimidation, possibility of adverse consequences for refusal to give consent, or any other inability to exercise free will by the data subject. The use of deceptive design patterns or any form of coercion, compulsion, threat, intimidation or violence shall not be used in obtaining the consent of the data subject.
    • Generally, consent is not necessary if public authorities process personal data based on the applicable provisions of Sec. 4 on special cases, and Secs. 12 (c), (d), (e) and 13 (b), (c), (f) of the DPA which relate to the performance of their public functions, or the provision of public services based on law or regulation.
    • A contract of adhesion is valid for processing if all of the following conditions are complied with:
      • The contract of adhesion must contain all the information necessary to demonstrate transparency;
      • The processing of personal data must be necessary and for a legitimate purpose;
      • The processing should not be excessive in relation to the fulfillment of obligations contemplated in the contract; and
      • The manner of the processing is fair and lawful.
  2. Specific
    • PICs must ensure that the data subject provides specific consent to the specific and declared purposes of the processing of personal data.
    • The consent given must be granular. In cases where the personal data is processed for multiple but unrelated purposes, the PIC shall present to the data subject the list of purposes and allow the data subject to select which purposes they consent to, instead of requiring an all-inclusive consent to the processing for multiple purposes.
    • Vague or blanket consent is prohibited.
  3. Informed
    • The PIC should provide the data subject with all relevant information that is necessary for the data subject to make an informed decision by (a) providing appropriate information, considering the most suitable language or dialect for the intended data subject and explaining in detail if the same is unclear, and (b) avoiding consent fatigue by properly identifying the legal basis for processing prior to the collection of personal data.
    • The use of just-in-time and layered notices in presenting relevant information to the data subject shall be the default format.
  4. Indication of will
    • Consent must be expressly given through a clear assenting action that signifies agreement to the specific purposes of the processing of personal data as conveyed to the data subject at the time consent was given.
    • Non-response or implied consent does not constitute valid consent.
    • Provided that all elements of consent are present, and the PIC provides the data subject with information on the processing of personal data for a specific service, the continued use of the PIC’s specific services is an assenting action signifying consent.
  5. Evidenced by written, electronic, or recorded means
    • A PIC must ensure that the consent obtained from a data subject is evidenced by a written, electronic, or recorded means. Any of the three (3) formats may be adopted by a PIC. There is no preference among the different formats.

Obtaining Consent

A PIC shall be able to demonstrate with sufficient evidence that the data subject has consented to the processing of personal data for the particular purpose, either from the data subject himself or through a lawful representative or an agent specifically authorized for that specific purpose.

Withdrawal of Consent

Consent may be withdrawn at any time and without cost to the data subject, subject to certain limitations as may be provided for by law, regulation, or contract. The PIC shall ensure that withdrawing consent is as easy as, if not easier than, giving consent. The PIC shall avoid utilizing or switching to another interface for the sole purpose of consent withdrawal, since this would require effort from the data subject, unless it will result in an easier manner.

Guidelines on Specific Processing Activities

  • Direct Marketing

Consent is required in processing for direct marketing in the following instances:

  1. Conduct an assessment whether direct marketing falls under legitimate interest;
  2. Obtain consent of the data subject in cases where the nature of the processing would significantly affect the rights and freedoms of the data subject; and
  3. If the basis for processing is consent and the consent is withdrawn, a PIC cannot claim legitimate interest to continue processing.

  • Data Sharing

A PIC shall ensure that the data subject is provided with specific information regarding the data sharing arrangement and that the data subject specifically and knowingly consents to such data sharing and the purpose of the data sharing arrangement.

  • Research

Processing of personal data for research purposes shall comply with the requirements of applicable laws, regulations, and ethical standards, including but not limited to, obtaining an informed consent from the data subject, unless the processing may be justified by other lawful criteria provided under the DPA or as a special case under Sec. 4 of the DPA. However, the conduct of research does not always require obtaining of consent in the following instances:

    • Research conducted through observation of public behavior does not require consent unless the research will disclose the personal data of the observed research subjects.
    • Conduct of research where the end results will be anonymized and will only disclose the general demographic of the research subjects does not require the consent of the data subject.

  • Publicly available information

Any processing of publicly available information must still find basis under Secs. 12 and 13 of the DPA.

  • Profiling and automated processing

Data subjects shall be informed by the PIC of the existence and specific details of the profiling or automated processing of personal data before its entry into the processing system of the PIC, or at the next practical opportunity.

Miscellaneous Provisions

  1. A waiver by a data subject of his or her data privacy rights, including the right to file a complaint, is void.
  2. Consent remains valid as long as the information communicated in relation to the scope, purpose, nature, and extent of the processing remains and still holds true.
