Close-up of letter tiles spelling PRIVACY on a red background, symbolizing data protection.
/ Uncategorized / By

How the Philippine Data Privacy Act Affects Court Evidence and Case Build-Ups

For foreign investors, expatriates, and international law firms operating in the Philippines, gathering evidence or tracing individuals for legal proceedings can be a major hurdle. A common strategy is to request records—such as a person’s registered address, immigration status, or police logs—directly from local government entities like the Bureau of Immigration (BI) or the Philippine National Police (PNP).

However, many foreigners are surprised when these agencies flatly deny their requests, even when backed by a court order or a notarized Special Power of Attorney (SPA).

To clarify the boundaries between legal discovery and data privacy, the National Privacy Commission (NPC) issued Advisory Opinion No. 2026-0021 on May 12, 2026. This critical opinion highlights that under the Data Privacy Act of 2012 (DPA), having a legal claim does not give you a blanket license to access someone else’s personal data from the Philippine government.

Here is what foreign litigants and businesses need to understand about this ruling.

1. What Counts as Protected Personal Data?

The DPA divides data into two main categories, both of which are tightly guarded by government agencies:

  • Personal Information: Data from which an individual’s identity is readily apparent. The NPC confirmed that a foreign national’s physical address and official immigration status fall under this definition.
  • Sensitive Personal Information: This includes higher-risk data such as marital status, age, tax returns, and records regarding offenses or alleged arrests. Criminal case records held by courts or police logs are strictly classified as sensitive personal information.

2. The Legal Basis for Court Cases: Section 12(f) and 13(f)

If you are building a case or executing a court decision, how do you legally request this information? The NPC notes that your request must rely on specific exceptions within the DPA:

  • For General Personal Information (Section 12(f)): The processing must be necessary for the “legitimate interests” of the third party, provided it doesn’t override the fundamental rights of the individual.
  • For Sensitive Personal Information (Section 13(f)): The data must be strictly “necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims.”

The Pre-Litigation Catch: The NPC noted that you can use Section 13(f) during the preparatory stages of a lawsuit (such as a case build-up); you do not need an active, open court case to invoke it. However, the data requested must still be completely necessary and directly linked to that potential claim.

3. The Deciding Factors: Proportionality and Legitimate Purpose

Even if you prove that you have a valid legal claim, the government agency will not simply hand over the files. Every request is filtered through the Principle of Proportionality.

This principle dictates that data processing must be adequate, relevant, suitable, and not excessive in relation to your stated purpose. You can only access the data if your legal goal cannot reasonably be fulfilled by any other less-intrusive means.

When submitting a request, you must:

  1. Precisely identify the specific data points you want.
  2. State the exact reason for the request.
  3. Explain exactly how that requested data is relevant to your legal claim.

4. Why the NPC Won’t Force an Agency to Give You Data

A common misconception among foreigners is that if an agency denies a data request, they can appeal to the NPC to force the agency’s hand.

Advisory Opinion No. 2026-0021 firmly refutes this. The NPC explicitly stated that it is outside its mandate to dictate what specific information an agency should disclose, or to compel any institution to release records.

The government agency holding the data acts as the Personal Information Controller (PIC). As the PIC, the agency retains the ultimate authority and responsibility to independently evaluate your request on a case-to-case basis, guided by its own unique charter, mandate, and internal security guidelines.

5. What to Expect If Your Request Is Approved

If a Philippine government agency decides to grant your request, expect strings attached. The NPC recommends that agencies protect themselves by:

  • Requiring you to provide extensive additional background info to verify your legal claim.
  • Mandating that you sign a formal written undertaking. This legal document binds you to use the records solely for the declared legal purpose and ensures proper disposal if the case falls through.
  • Enforcing a clause stating that by taking possession of the documents, you legally become a Personal Information Controller (PIC), meaning you assume full liability under Philippine law for safeguarding that data.

Frequently Asked Questions (FAQs)

Can a notarized Special Power of Attorney (SPA) override the Data Privacy Act?

No. While an SPA proves you have the authority to act on behalf of a client, it does not give you a blanket exemption to bypass the data privacy rights of a third party (such as your client’s spouse or an opposing litigant). The government agency must still independently evaluate if the disclosure meets the strict criteria of necessity and proportionality under the DPA.

What should a foreign investor include in a data request to a Philippine agency to avoid a denial?

Your request must be highly specific. Avoid broad phrases like “any and all records.” Instead, clearly outline the specific data points needed, establish your lawful basis (e.g., Section 12(f) or 13(f)), explicitly state your legal purpose, and write a detailed explanation demonstrating why this exact data is absolutely necessary to your case and cannot be found elsewhere.

If a Philippine court orders the release of information, can an agency still deny it?

Yes, in some instances. While a court order is a powerful legal mechanism, the government agency (as the Personal Information Controller) must still ensure that the scope of the data being released does not exceed what is proportionally required by that court order. If the order is too broad, the agency may limit the disclosure to only what is strictly relevant to the specific legal proceedings.

Do the DPA restrictions apply to information about foreign nationals?

Yes. The Data Privacy Act of 2012 applies universally to the processing of personal data of any natural person, regardless of their nationality or citizenship status, provided the processing takes place within the Philippines or involves an entity closely tied to the country. A foreigner’s local address and immigration history are fully protected.

Atty. Winston B. Chua

Request Appointment
Request Appointment