Labour Outsourcing and Technology-Based Crimes in the Philippines

Emerico O. De Guzman, a former managing partner of Angara Abello Concepcion Regala & Cruz (ACCRALAW) and now of counsel at the firm, and Jose-Mari H. Roco, a senior associate, discuss several key pieces of legislation aimed at preventing and/or prosecuting tech crime in the outsourcing space in the Philippines.

Published on 17 October 2022
Emerico O De Guzman, ACCRALAW of counsel, Chambers Expert Focus contributor
Emerico O. De Guzman
Eminent practitioner in Asia-Pacific 2022
View profile
Jose Mari H Roco, senior associate ACCRALAW, Chambers Expert Focus contributor
Jose-Mari H. Roco

The Philippines is an ever-growing outsourcing destination for foreign businesses and investors. Not only is its workforce relatively affordable, but it is also technologically adept. Nonetheless, it is an unfortunate truth that some enterprising individuals will abuse their knowledge of and/or exploit loopholes in technological assets to hatch nefarious schemes to injure other persons, unlawfully obtain financial gain, and/or sow discord to disrupt business operations.

Fortunately, the Philippines has enacted several laws aimed at preventing and/or prosecuting the commission of technology-based crimes that are peculiar to the business process outsourcing industry.

The Cybercrime Prevention Act of 2012 (Republic Act No 10175)

The Cybercrime Prevention Act (the “Anti-cybercrime Law”) is intended to regulate access to and use of cyberspace. In fact, Section 4 of the Anti-cybercrime Law defines and penalises cybercrime offences such as illegal access to computer systems, illegal interception of computer data, data and system interference, misuse of devices, cyber-squatting, computer-related offences (eg, forgery, fraud and identity theft), and cyber libel.

"Pursuant to the Anti-cybercrime Law, law enforcement agencies have created special divisions specifically dedicated to cybercrime."

Significantly, Section 6 of the Anti-cybercrime Law contains a catch-all provision which allows the prosecution of crimes and/or offences defined and punished in other penal laws of the Philippines if said crimes and/or offences are committed by, through, and/or with the use of information and communication technologies. For instance, crimes punishable under the Philippines’ general penal law — the Revised Penal Code — such as swindling, theft, or threats may also be prosecuted under the Anti-cybercrime Law.

In relation to the foregoing, pursuant to the Anti-cybercrime Law, law enforcement agencies in the Philippines have created special divisions or units specifically dedicated to the investigation, handling, and prosecution of cybercrime-related offences.

Furthermore, liability under the Anti-cybercrime Law is not limited to natural persons considering that Section 9 thereof makes it possible for juridical persons to be held liable for violating the said law. Should liability be established, responsible persons may be subjected to imprisonment and/or fines of up to PHP10 million.

The Data Privacy Act of 2012 (Republic Act No 10173)

The Data Privacy Act ensures the protection of personal information and regulates how such information is processed. Section 3 of the Data Privacy Act defines “processing” as any operation or set of operations performed upon personal information including the collection, recording, organisation, storage, updating or modification, retrieval, consultation, blocking, erasure, or destruction of data.

For this purpose, the Data Privacy Act enshrines the rights enjoyed by data subjects or individuals whose personal information is processed. Generally, these are the rights to be informed, to object, to access, to rectify, to erase, and to be indemnified for any damages arising from violations of the Data Privacy Act.

"An important feature of the Data Privacy Act is that it has extraterritorial reach."

Moreover, the Data Privacy Act obliges controllers of personal information to implement reasonable and appropriate organisational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful processing, disclosure, alteration, and destruction.

Another important feature of the Data Privacy Act is that it has extraterritorial reach. According to Section 6 thereof, the law applies to acts done in and outside of the Philippines if it relates to personal information about citizens or residents of the Philippines, and/or if the entity performing the act has substantial links or contacts with the Philippines through its contracts or how it operates.

Accordingly, Sections 25 to 32 of the Data Privacy Act define and punish crimes related to the improper processing of personal information such as unauthorised processing, access due to negligence, improper disposal, intentional breach of security systems, and malicious disclosure.

"In accordance with the Data Privacy Act, a privacy watchdog, the National Privacy Commission, was established."

Much like the Anti-cybercrime Law, liability under the Data Privacy Act may extend to both natural and juridical persons wherein persons found responsible for violating the law may be subjected to imprisonment and/or fines of up to PHP5 million.

Finally, in accordance with the Data Privacy Act, a privacy watchdog in the form of the National Privacy Commission was established to administer and implement the provisions of the law, and to monitor and ensure the compliance of the Philippines with international standards set for data protection.

The Access Devices Regulation Act of 1998 (Republic Act No 8484, as amended by the Republic Act No 11449)

The Access Devices Regulation Act (the “Access Devices Law”) is geared towards the protection of parties in commercial transactions that use access devices. Pertinently, Section 3 of the Access Devices Law defines an “access device” as any card, plate, code, account number, electronic serial number, personal identification number, or other telecommunications service equipment, or instrumental identifier, or other means of account access that can be used to obtain money, goods, services, or any other thing of value, or to initiate a transfer of funds. This includes credit cards, debit cards, automated teller machine cards, and the like.

Relevantly, Section 9 of the Access Devices Law enumerates specific acts that constitute access device fraud. These include the use of counterfeit access devices, credit card “skimming”, and hacking.

"These laws help maintain the integrity of the outsourcing industry and promote public confidence."

Persons found liable for violating the Access Devices Law may be subjected to imprisonment and/or a fine which is dependent on the aggregate value of the amount involved.

While the Philippines has legal safeguards in place against the commission of technology-based crimes, these do not preclude the existence of challenges in the prosecution thereof especially since conviction requires proof that the crime was committed beyond reasonable doubt. Nevertheless, the aforementioned laws help maintain the integrity of the business process outsourcing industry in the Philippines and promote the public’s confidence in the same.

Angara Abello Concepcion Regala & Cruz (ACCRALAW)

ACCRALAW logo, Chambers Expert Focus contributor
8 ranked departments and 15 ranked lawyers
Learn more about the firm’s ranking in Chambers Asia-Pacific
View firm profile

Chambers Global Practice Guide White-Collar Crime 2021

Learn more about global legal developments in white-collar crime