Understanding Guidelines on Consent for Data Privacy
A Guide to NPC Circular No. 2023-04: Understanding the Guidelines on Consent

The National Privacy Commission (NPC) Circular No. 2023-04, issued on November 7, 2023, provides clear guidelines on using consent as a legal basis for processing personal data and emphasizes the importance of NPC registration.

This guide simplifies the circular's key provisions, helping organizations and individuals better understand their rights and responsibilities under the Data Privacy Act of 2012 (DPA).

What is the Purpose and Scope of this Circular?

This circular applies to all Personal Information Controllers (PICs) that rely on a data subject’s consent for processing personal data. Its primary objective is to define the criteria for valid consent and offer practical guidance on obtaining and managing consent in compliance with the DPA.

What are the General Data Privacy Principles?

The circular emphasizes the fundamental principles of Philippine data privacy that must guide any data processing activity based on consent. These principles serve as the foundation for ensuring that personal data is handled responsibly, ethically, and in compliance with the law. By adhering to these core tenets, organizations can foster trust and accountability in their data processing practices. The principles include:

  • Transparency. Data subjects must be fully informed about the nature, purpose, and scope of the processing. This includes providing clear information about any associated risks, the safeguards to mitigate such risks, the identity of the Personal Information Controller (PIC), the rights of the data subjects, and the mechanisms available to exercise those rights.
  • Legitimate Purpose. The purpose of processing personal data must be specific, clearly stated in advance, and must not be contrary to law, morals, good customs, public order, or public policy.
  • Proportionality. The data collected should be adequate, relevant, suitable, and strictly necessary for the declared and specified purpose. Organizations must avoid gathering excessive or unnecessary information.
  • Fairness. Data processing practices must be free from manipulation or undue pressure. The methods employed should uphold the data subject’s rights and dignity.

By reinforcing these principles, the circular aims to ensure that consent-based data processing is conducted with respect for an individual’s privacy.

What are the Five Elements of Valid Consent?

Consent as a lawful basis for processing personal data must fulfill certain elements outlined in the circular.

Such elements are designed to protect the rights of data subjects and promote accountability among organizations handling personal data. By adhering to these regulations, organizations can demonstrate their commitment to ethical data practices and compliance with the law.

For consent to be considered valid, it must satisfy all five of the following elements:

  1. Freely Given. The data subject must have a genuine choice. Consent obtained through coercion, intimidation, or deceptive practices is invalid and undermines the principle of voluntary agreement.
  2. Specific. Consent must be granular: the data subject must be presented with a list of all purposes for which data is collected and processed. If data is being processed for multiple purposes, individuals must have the option to consent to each purpose separately. Vague or blanket consent is not acceptable.
  3. Informed. All necessary information must be provided in a clear, simple, and accessible format, ensuring that the data subject fully understands what they are agreeing to.
  4. Indication of Will. Consent must be expressed through a clear and explicit affirmative action. Non-response, inaction, or pre-ticked boxes do not constitute valid consent.
  5. Evidenced. Organizations must maintain proof of consent, documented in a written, electronic, or recorded format, to demonstrate compliance and accountability.

By being guided by these five elements, organizations can ensure that the consent they obtain is not only valid but is also aligned with the principles of transparency, fairness, and respect for individual autonomy.

Effectively managing consent is not a one-time task but an ongoing responsibility that requires transparency, proportionality, and accountability. Organizations must ensure that consent is not only valid at the time it is given but also remains meaningful and actionable throughout the data processing lifecycle.

This involves implementing systems and processes that respect the rights of data subjects while maintaining compliance with legal requirements. Key aspects of effective consent management include:

  • Demonstrable Consent: Organizations must maintain adequate records that can prove valid consent was obtained for each specific processing activity. These records serve as evidence of compliance and accountability.
  • Withdrawal of Consent: Data subjects must have the ability to withdraw their consent as easily as they gave it. The process should be straightforward and executed without undue delay. Once consent is withdrawn, all processing activities based on that consent must cease unless another lawful basis applies.
  • Active Management: Consent is a dynamic mechanism, not a static agreement. Organizations should provide means that allow data subjects to review, update, or modify their consent preferences over time, ensuring that their choices remain relevant and respected.

What are the Considerations for Specific Processing Activities?

The circular offers detailed guidance for specific processing activities, emphasizing the importance of aligning these practices with the principles of consent and the broader requirements of the DPA.

These provisions ensure that organizations handle personal data responsibly, even in complex or nuanced scenarios:

  • Direct Marketing: When personal data processing is limited to personal information, the Personal Information Controller may use legitimate interest as a lawful basis for direct marketing and thus will not require the consent of the data subject. The PIC must assess whether direct marketing is part of its legitimate interest; otherwise, it may conduct processing based on consent.
  • Data Sharing: When sharing personal data with third parties based on consent, it is essential to provide the data subject with clear and specific information. This includes identifying the third parties involved, the purpose of data sharing, and any potential implications for the data subject.
  • Research: Consent is often a prerequisite for research activities, particularly when personal data is involved. However, exceptions may apply, such as when the data is anonymized to remove any identifiable elements or when it is collected through the observation of public behavior that is critical to nation-building and serves public interest.
  • Publicly Available Information: The fact that information is publicly accessible does not grant organizations blanket consent to process it for any purpose. A lawful basis under the DPA is still required, and organizations must ensure that their processing activities respect the rights and expectations of the individuals concerned.
  • Profiling and Automated Processing: A PIC must have controls in place to prevent outcomes that cause discrimination against and infringement on a data subject’s right to fair treatment. Where automated decision-making is used as the sole basis of a decision involving a data subject, the PIC must inform the individual, especially if the processing may result in legal repercussions or may substantially affect the individual.

What are the Penalties and Compliance Requirements?

Non-compliance with the guidelines outlined in this circular can result in serious repercussions. Violations may lead to criminal, civil, and administrative liabilities as prescribed under the DPA, underscoring the importance of adhering to these regulations.

Personal Information Controllers have been granted a 180-day period from the circular’s effectivity date to align their practices with its requirements. During this time, it is imperative for organizations to thoroughly review and update their consent mechanisms to ensure full compliance. Taking proactive steps now will not only mitigate legal risks but also reinforce trust and accountability in data processing practices.

Frequently Asked Questions in Understanding Consent Guidelines for Data Privacy

What is the purpose of the NPC Circular No. 2023-04?

The circular provides clear and actionable guidelines on using consent as a legal basis for processing personal data. It aims to ensure compliance with the Data Privacy Act of 2012 (DPA) by defining valid consent and offering practical steps for obtaining, managing, and documenting it.

Who is covered by this circular?

The circular applies to all Personal Information Controllers (PICs) that rely on consent for processing personal data, regardless of their size, industry, or location.

Can consent be withdrawn, and what happens afterward?

Yes, consent can be withdrawn at any time. Organizations must make the withdrawal process simple, free, and quick. Once consent is withdrawn, all processing based on that consent must stop unless another lawful basis applies.

Does publicly available information require consent for processing?

Yes, even publicly accessible information requires a lawful basis for processing under the DPA. Organizations cannot assume blanket consent simply because the information is publicly available.

How should organizations document and manage consent?

Organizations must maintain sufficient records of consent, whether in written, electronic, or recorded formats. They should also implement systems that allow data subjects to review, update, or withdraw their consent easily over time.

Author

Ivy Leslie Tahimic is the Data Privacy Consultant and Officer of InCorp Philippines and InCorp Talent Solutions after assuming an HR Solutions Advisor role. She has extensive experience in Salary & Benefits Benchmarking, Learning & Development, and Data Privacy Compliance. Ivy was also recognized as one of the Top 5 finalists for the Privacy Advocate of the Year in the NPC Privacy Awareness Week Awards 2025.