Memorandum of Understanding (Republic of the Philippines)

MEMORANDUM OF UNDERSTANDING

BETWEEN

THE NATIONAL PRIVACY COMMISSION OF THE REPUBLIC OF THE PHILIPPINES

AND

THE PRIVACY COMMISSIONER OF CANADA

In the field of Cooperation in the Regulation of Laws Protecting Personal Data

This Memorandum of Understanding (the “MOU”) is entered into today, the 16th day of October the year of 2023, by and between:

The National Privacy Commission of the Republic of the Philippines (hereinafter referred to as “NPC”), established under chapter II of the Data Privacy Act of 2012 (Republic Act No. 10173), represented herein by Atty. John Henry D. Naga, Privacy Commissioner and the Privacy Commissioner of Canada, Philippe Dufresne (hereinafter referred to as “PCC”), established under the Privacy Act, R.S.C. 1985, c. P-21.

The NPC and PCC shall hereinafter be referred to individually as “Participant” and collectively as “Participants”.

The Participants recognise the importance of data governance and cross border data flows to global trade in a digital economy, the increase in circulation and exchange of personal data across borders, the growing complexity of information technologies, and the resulting need for cross-border cooperation in the area of data protection with the aim of providing consistency and certainty;

The Participants acknowledge that as participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Enforcement Arrangement (CPEA), which is an integral part of the Cross Border Privacy Rules System, they share a common interest in sharing information and cooperating in relation to privacy enforcement with a view to protecting data privacy whilst maintaining information flows across economies;

The Participants recognise that Section 7 (o) Data Privacy Act of 2012 of the Philippines grants the National Privacy Commission the ability to negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws and facilitate cross-border enforcement of data privacy protection;

The Participants recognise that s. 23.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, authorizes the PCC to share information with authorities from other countries that have responsibilities relating to the protection of personal information in the private sector;

The Participants acknowledge the importance of keeping each other informed of their respective regulatory activity in order to protect the rights and freedoms of the citizens of the Philippines and of Canada and support businesses in compliance with laws protecting personal data;

The Participants reaffirm their intent to deepen their existing relations and to promote exchanges of information to assist each other in the regulation of laws and personal data protection;

The Participants acknowledge the importance of ensuring harmonisation in their regulatory approaches by addressing similar issues to the benefit of industry, consumers, and other stakeholders in their respective countries. Whilst having regard to the different laws and regulations of their respective countries as well as their statutory independence, this MOU intends to promote the consistent application of similar data protection or privacy laws;

The Participants confirm that this MOU sets out the framework for the sharing of information which shall not include personal data. Noting the non-compulsory nature of any information exchange between the Participants under this MOU, it is for each Participant to determine for themselves that any proposed disclosure is compliant with the law applicable to them; and

The Participants confirm that nothing in this MOU shall be interpreted as imposing a legal requirement on the Participants to cooperate with each other. In particular, there shall be no requirement to cooperate in circumstances which would place either Participant in breach of their legal responsibilities.

The Participants have reached the following understanding:

PARAGRAPH 1

DEFINITIONS

For the purposes of this Memorandum,

1. “Applicable Privacy Law” shall refer to the laws and regulations of the Participant’s country the enforcement of which have the effect of protecting personal information. In the case of the PCC, “Applicable Privacy Law” shall refer to Part 1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and, in the case of the National Privacy Commission of the Philippines, it shall refer to the Data Privacy Act of 2012 also known as Republic Act No. 10173. This includes any amendments to the Participants’ Applicable Privacy Laws, and such other laws or regulations as the Participants may from time to time jointly decide in writing to be an Applicable Privacy Law for purposes of this Memorandum.
2. “Covered Privacy Contravention” means conduct that would be in contravention of the Applicable Privacy Laws of one Participant’s country and that is the same or substantially similar to conduct that would be in contravention of the Applicable Privacy Laws of the other Participant’s country.
3. “Request” means a request for assistance under this Memorandum.
4. “Requested Participant” means the Participant from which assistance is sought under this Memorandum, or which has provided such assistance.
5. “Requesting Participant” means the Participant seeking or receiving assistance under this Memorandum.

PARAGRAPH 2

SCOPE OF COLLABORATION

1. The Participants will collaborate and cooperate in personal data protection in accordance with this Memorandum of Understanding (hereinafter referred to as “MOU”) which will be carried out in accordance with and subject to each Participant’s respective national security, domestic laws, regulations, and competence. For this purpose, the Participants may jointly identify one or more areas or initiatives for cooperation to lead in the region and beyond, which may include but is not limited to:
   1. The exchange of information involving potential or on-going investigations of organisations in their respective jurisdictions in relation to a suspected contravention of either Participant’s privacy and data protection legislation, provided that it is not in contravention of national security and other relevant domestic laws of Participants. In case of sharing of information, Participants agree that there is no transfer of ownership or rights in connection with the shared information;
   2. Provision of mutual assistance to facilitate investigations in the respective jurisdictions in relation to potential contraventions of either Participant’s privacy and data protection legislation, provided that such assistance is not in contravention of national security and other relevant domestic laws of Participants;
   3. Co-ordination and provision of mutual assistance in joint investigations into cross border personal data incidents or breaches in relation to potential contraventions of data protection legislation in both jurisdictions, subject to laws of each Participant;
   4. Knowledge sharing, training, and education on current and emerging privacy and data protection issues and trends, provided that it is not in contravention of national security and other relevant domestic laws of Participants;
   5. Exploring the potential of a cross-jurisdictional sandbox to test innovative data sharing cases; and
   6. Any other areas of cooperation as mutually decided upon by the Participants within their respective mandates.

PARAGRAPH 3

PROCEDURES RELATING TO MUTUAL ASSISTANCE

1. Each Participant will designate a primary contact for the purposes of requests for assistance and other communications under this Memorandum.
2. In requesting assistance in procedural, investigative and other matters involved in the enforcement of Applicable Privacy Laws across borders, Participants will perform a preliminary enquiry, where appropriate and practicable, to identify which entity in the other participant’s economy has front-line responsibility with respect to the contemplated Request for Assistance, to identify if the other will have and accept jurisdiction over the contemplated Request for Assistance and to ensure that the request is consistent with the scope of this MOU and does not impose an excessive burden on the Requested Participant.
3. The Participant making a Request for assistance shall include sufficient information to enable the Requested Participant to determine whether a request relates to a Covered Privacy Contravention and to take action in appropriate circumstances. Such information may include a description of the facts underlying the request and the type of assistance sought, as well as an indication of any special precautions that should be taken in the course of fulfilling the request.
4. Requests for assistance shall specify the purpose for which the information requested will be used.
5. Prior to requesting assistance, Participants shall perform a preliminary inquiry to ensure that the request is consistent with the scope of this Memorandum and does not impose an excessive burden on the Requested Participant.
6. Participants intend to communicate and cooperate with each other, as appropriate, about matters that may assist ongoing investigations.
7. The Participants will notify each other without delay, if they become aware that information shared under this Memorandum is not accurate, complete, and up-to-date.
8. Subject to paragraph 4, Participants may, as appropriate and subject to their Applicable Privacy Laws, refer complaints to each other, or provide each other notice of possible Covered Privacy Contraventions of the Applicable Privacy Laws of the other Participant’s country.
9. Participants will ensure their best efforts to resolve any disagreements related to co-operation that may arise under this Memorandum through the contacts designated under paragraph 13. A, and, failing resolution in a reasonably timely manner, by discussion between the heads of the Participants.

PARAGRAPH 4

LIMITATIONS ON ASSISTANCE AND USE

1. The Requested Participant may exercise its discretion to accept or decline the request for assistance, or limit its cooperation, under the following circumstances:
   1. The matter is inconsistent with domestic law or policy;
   2. The matter is not within the Participant’s scope of authority or jurisdiction;
   3. The matter is not an act or practice of a kind that both Participants are authorized to investigate or enforce against under their Privacy Laws;
   4. There are resource constraints;
   5. The matter is inconsistent with other priorities;
   6. There is an absence of mutual interest in the matter in question;
   7. The matter is outside the scope of this MOU;
   8. Another body is a more appropriate body to handle the matter; or
   9. Any other circumstances that render a Participant unable to cooperate.
2. The Requested Participant may notify the basis of these circumstances in writing. The Requesting Participant may request in writing the reasons for which the Requested Participant declined or limited its assistance.
3. Participants will only share personal information pursuant to this Memorandum to the extent that it is necessary for fulfilling the purposes of this Memorandum, and will, wherever possible, use best efforts to obtain the consent of the individual(s) concerned before doing so.
4. For greater certainty, the PCC will not share confidential information unless

   1. it is for the purpose of sharing information that a Participant believes would be relevant to ongoing or potential investigations or proceedings in respect of Covered Privacy Contraventions of the Applicable Privacy Laws of the other Participant’s country;

      or

   2. it is necessary for making a request for assistance from the other Participant regarding information that may be useful to an ongoing or potential investigation or audit under Part 1 of PIPEDA.

5. NPC will not disclose confidential information unless the processing of this information is not in contravention of sections 12 and 13 of the Data Privacy Act of 2012 (Republic Act No. 10173).
6. Participants shall not use any information obtained from the Requested Participant for purposes other than those for which the information was originally shared.

PARAGRAPH 5

SPECIFIC ARRANGEMENTS

1. In implementing this MOU, each Participant may, within the limits of its respective laws, regulations, and competence, enter into separate written arrangements with the other Participant, for the execution of projects or activities within the scope of this MOU through diplomatic channels.
2. Upon the execution of this MOU, the Participants will jointly develop a collaboration plan to implement the provisions of this MOU.

PARAGRAPH 6

FINANCIAL ARRANGEMENTS

Without prejudice to any separate written arrangement under Paragraph 5, or unless otherwise mutually decided upon in writing by the Participants, each Participant will bear its own costs and expenses in implementing this MOU.

PARAGRAPH 7

AMENDMENTS

Either Participant may request in writing a revision or amendment of any provision of this MOU. Any revision or amendment that has been mutually decided upon in writing by the Participants will take effect on such date as may be mutually decided upon by the Participants, consonant with the provisions of the Paragraph 10 hereof.

PARAGRAPH 8

CONFIDENTIALITY AND DATA BREACH REPORTING

In the execution of this MOU and any other arrangements entered into pursuant thereto:

1. Information shared under this Memorandum is to be treated as confidential and shall not be further disclosed without the consent of the other Participant.
2. Each participant shall use best efforts to safeguard the security of any information received under this MOU and respect any safeguards agreed to by the Participants. In the event of any unauthorized access or disclosure of the information, the originating Participant shall be informed within seventy-two (72) hours from becoming aware of the unauthorised disclosure. All necessary measures shall be taken to mitigate or remediate the unauthorised disclosure. The Participants shall take all reasonable steps to prevent a recurrence of the event.
3. The Participants shall oppose, to the fullest extent possible consistent with their countries’ laws, any application by a third party for disclosure of confidential information or materials received from Requested Participants, unless the Requested Participant consents to its release. The Participants who receive such an application shall notify forthwith the Participant that provided it with the confidential information.

PARAGRAPH 9

RETENTION OF INFORMATION

Information received under this Memorandum shall not be retained for longer than is required to fulfill the purpose for which it was shared or than is required by the Requesting Participant’s country’s laws. The Participants shall use best efforts to return any information that is no longer required if the Requested Participant makes a written request that such information be returned at the time it is shared. If no request for return of the information is made, the Requesting Participant shall dispose of the information using methods prescribed by the Requested Participant or if no such methods have been prescribed, by other secure methods, as soon as practicable after the information is no longer required.

PARAGRAPH 10

EFFECTIVITY, REVIEW, AND TERMINATION

1. The Participants agree that upon any substantial change to the regulatory framework for which the Participants are respectively responsible, the Participants shall start a consultation process to determine whether this MOU shall be retained as is, amended or terminated. In case the Participants do not find an agreement after six (6) months from the commencement of the consultation process, this MOU shall be terminated ex officio.
2. This MOU shall take effect upon signature, for an indefinite period, and may be terminated on 30 days written notice by either Participant. However, prior to providing such notice, each Participant shall use best efforts to consult with the other Participant.
3. The Participants will monitor the implementation of this MOU and conduct periodic reviews. The termination of this MOU will not affect the validity, duration, implementation, or completion of any project or activity undertaken or decided upon under this MOU prior to the date of termination unless the Participants otherwise mutually decide in writing and through diplomatic channels.

PARAGRAPH 11

LEGAL STATUS

Nothing in this MOU is to be construed as establishing or implying a partnership, joint venture, agency, or other legal relationship between the Participants. Nothing in this MOU creates or is intended to create any legally enforceable rights or binding obligations on either Participant.

PARAGRAPH 12

SETTLEMENT OF DIFFERENCE

1. The Participants shall settle any difference or dispute relating to or arising from this MOU amicably through consultations and negotiations in good faith without reference to any international court, tribunal, or other forum.
2. Any issues arising in relation to this MOU shall be promptly notified to the designated contact point of each Participant as provided under Paragraph 13.

PARAGRAPH 13

DESIGNATED CONTACT POINTS  

1. The following persons will be the designated contact points for the Participants for matters under this MOU:

   National Privacy Commission of the Republic of the Philippines

   Name: Lee Anne L. Santos-Javier
   Designation: Executive Assistant IV
   Email Address: lee.javier@privacy.gov.ph

   The Privacy Commissioner of Canada

   Name: Miguel Bernal-Castillero
   Designation: Director of International, Provincial and Territorial Relations
   Email Address: Miguel.Bernal-Castillero@priv.gc.ca

2. The above individuals will maintain an open dialogue between each other in order to ensure that the MOU remains effective and fit for purpose. They will also seek to identify any difficulties in the working relationship, and proactively seek to minimise the same.
3. Each Participant may change its designated contact point for the purposes of this MOU upon written notice to the other Participant within a reasonable period.
4. Signed in duplicate originals in the English language, in Bermuda, on the 16th day of October 2023.

Signatories