
REVENUE MEMORANDUM CIRCULAR NO. 66-2023 issued on June 9, 2023 circularizes the criminal penalties for violation of provisions of Republic Act (RA) No. 10173 (Data Privacy Act of 2012) and administrative penalties for violation of Information and Communication Technology (ICT) Security Infrastructure System under Revenue Memorandum Order (RMO) No. 67-2010.
PENALTIES UNDER THE DATA PRIVACY ACT OF 2012

OFFENSE | KIND OF INFORMATION AFFECTED | |
---|---|---|
 | PERSONAL INFORMATION | SENSITIVE PERSONAL INFORMATION |
Unauthorized Processing | Imprisonment from 1 year to 3 years AND fine of not less than ₱500K to ₱2.0 Million | Imprisonment from 3 years to 6 years AND fine of not less than ₱50 |
Accessing Information Due to Negligence | | |
Improper Disposal (knowingly or negligently dispose, discard, or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection) | Imprisonment from 6 months to 2 years AND fine of not less than ₱100K to ₱500K | Imprisonment from 1 year to 3 years AND fine of not less than ₱100K to ₱1.0 Million |
Processing for Unauthorized Purposes | Imprisonment from 1 year 6 months to 5 years AND fine of not less than ₱500K to ₱1.0 Million | Imprisonment from 2 years to 7 years AND fine of not less than ₱500K to ₱2.0 Million |

OFFENSE | KIND OF INFORMATION AFFECTED | |
---|---|---|
 | PERSONAL INFORMATION | SENSITIVE PERSONAL INFORMATION |
Unauthorized Access or Intentional Breach (violating data confidentiality and security systems, breaking in any way into system storage) | Imprisonment from 1 year to 3 years AND fine of not less than ₱500K to ₱2.0 Million | |
Concealment of Security Breaches involving sensitive personal information | Imprisonment from 1 year 6 months to 5 years AND fine of not less than ₱100K to ₱1.0 Million | |
Malicious Disclosure by PIP, PIC, or its agents, employees | Imprisonment from 1 year 6 months to 5 years AND fine of not less than ₱500K to ₱1.0 Million | |
Unauthorized Disclosure | Imprisonment from 1 year to 3 years AND fine of not less than ₱500K to ₱1.0 Million | Imprisonment from 3 years to 5 years AND fine of not less than ₱500K to ₱2.0 Million |
Combination or series of acts | Imprisonment from 3 years to 6 years AND fine of not less than ₱1.0 Million to ₱5.0 Million |

Note that the maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the abovementioned actions.

When the offender or the person responsible for the offense is a public officer, as defined in the Administrative Code of the Philippines, in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied.

The penalties imposed are without prejudice to the filing of appropriate administrative case/s if the offender is a public official and employee.
The Penalties for ICT Security Infrastructure Offenses, and Additional Circumstances as Grounds for Administrative Disciplinary Action with their Corresponding Penalties under RMO No. 67-2010 are specified under Sections II and III, respectively, of the Circular.