Data Privacy & Security

Philippine Government Issues Implementing Rules under Cybercrime Law - Part II

In Part I of this series, we introduced the Philippine Government’s Implementing Rules of the Cybercrime Law and outlined certain requirements that now apply to “service providers”, as that term is defined under the Cybercrime Law.  Click here to view Part I of the series. Below we examine some additional provisions of the Implementing Rules. 

Service Providers' Exemption from Liability

The Implementing Rules carve out an exemption from liability for service providers in the offense of "illegal interception." Under the exemption, service providers, their officers, employees, and agents cannot be held liable for interception, disclosure, and use of communication transmitted through their facilities, when such activities transpire in the normal course of the performance of the lawful objectives of the service provider.

Also, service providers, their officers, employees, and agents who provide access to computer data cannot be held liable for giving such access when the service provider:

  • has a contractual duty to provide such access;
  • has no knowledge that the computer data shall be used for an unlawful activity; and
  • has no financial benefit directly attributable to the unlawful activity.

The exemption does not affect any other obligation that a service provider may have under contract, any applicable licensing or regulatory regime, or law.

Cybercrimes and Corresponding Penalties

The Implementing Rules clearly enumerate the criminal offenses punishable under the Cybercrime Law and their corresponding penalties.

When cybercimes are knowingly committed on behalf of, or for the benefit of a juridical person, the organization shall be liable to pay a fine of up to PHP 10 million (approximately USD 216,000). This civil corporate liability is in addition to the liability of the individual who so acted and occupies a leading position within the organization based on a power of representation of the organization, or an authority to take decisions on behalf of the organization, or an authority to exercise control within the organization.

The following is a table outlining the cybercrimes set forth in the Implementing Rules and their corresponding penalties:

Excluded Certain Cybercrimes

The Implementing Rules exclude at least three provisions of the original Cybercrime Law that the Supreme Court nullified on Constitutional grounds in a 2014 landmark ruling.  In particular, the Supreme Court nullified:

  • a provision that penalizes posting of unsolicited commercial communications or "spam;"
  • a provision that authorizes the collection or recording of traffic data in real-time; and
  • a provision that authorizes the Department of Justice to restrict or block access to suspected Computer Data.

In the same ruling, the Supreme Court declared that: (a) persons who receive a defamatory online post and react to it cannot be held liable for online libel; and (b) persons guilty of online libel and online child pornography cannot be held liable under both the Cybercrime Law and certain other Philippine laws on similar matters on account of double jeopardy.

Contributors: Bienvenido Marquez III and Tristan Matthew Delgado