Republic Act No. 10175 (Cybercrime Prevention Act of 2012)

September 12, 2012
Document type
(1) On Service Providers
(i) The law defines service provider as “any public or private entity that provides to users of its service the ability to communicate by means of a computer system” and “any other entity that processes or stores computer data on behalf of such communication service or users of such service” Section 3(n). Other relevant terms defined by the law include “computer data”, “subscriber’s information”, and “traffic data" Section 3(e), (o) and (p).
(ii) For law enforcement purposes, service providers are required to preserve computer data within a specified period. The mandatory retention period (6 months) may be extended pursuant to an order by a law enforcement authority (one-time extension for another 6 months) (Section 13).
(iii) Law enforcement authorities may thereafter compel the service provider to disclose such traffic data and subscriber information, as well as any other relevant data or information in its possession, pursuant to a court-issued warrant, within 72 hours from receipt of the order (Section 14).
(iv) To gain possession of and examine relevant computer data, law enforcement authorities also have the option of securing a search and seizure warrant, which may be then enforced against a computer user or service provider, as the case may be (Section 15).
(v) Once the mandatory data retention periods imposed by the law have expired, both service providers and law enforcement authorities are required to delete or destroy the computer data subject involved (Section 17).
(vi) A service provider’s failure to comply with an order issued by a law enforcement authority is punishable under the law. Section 20 is clear on this point:

"Noncompliance. — Failure to comply with the provisions of Chapter IV hereof specifically the orders from law enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with imprisonment of prision correctional in its maximum period or a fine of One hundred thousand pesos (Php100,000.00) or both, for each and every noncompliance with an order issued by law enforcement authorities." (PD No. 1829, as referred to in the foregoing provision, refers to an old law penalizing acts constituting obstruction to the apprehension of suspects in a criminal investigation, or the prosecution of criminal offenses.)

(2) Miscellaneous Provisions
(i) To date, there is no available data to suggest if any of the punishable acts (i.e., illegal access, illegal interception, etc.) treated by the law as constituting cybercrimes may be held against a service provider or any intermediary liability. There is, however, one particular offense cited in the law that could pose the greatest challenge: “aiding or abetting in the commission of a cybercrime”. Section 5(a) reads: "Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids in the commission of any of the offenses enumerated in this Act shall be held liable."
(ii) If and when a service provider is held liable for any of the offenses prescribed by the law, a key provision—other than those prescribing the corresponding penalties—is that which accounts for corporate liability. In this wise, Section 9 is instructive:

"SEC. 9. Corporate Liability. — When any of the punishable acts herein defined are knowingly committed on behalf of or for the benefit of a juridical person, by a natural person acting either individually or as part of an organ of the juridical person, who has a leading position within, based on: (a) a power of representation of the juridical person provided the act committed falls within the scope of such authority; (b) an authority to take decisions on behalf of the juridical person: Provided, That the act committed falls within the scope of such authority; or (c) an authority to exercise control within the juridical person, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the lack of supervision or control by a natural person referred to and described in the preceding paragraph, for the benefit of that juridical person by a natural person acting under its authority, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Five million pesos (PhP5,000,000.00).

The liability imposed on the juridical person shall be without prejudice to the criminal liability of the natural person who has committed the offense."

(3) Relevant Provisions Declared Unconstitutional - In a recent decision by the country’s Supreme Court, Disini v Secretary of Justice (Febraury 11, 2014), Section 12 and 19 were stricken down and declared void for being unconstitutional (see below).
Topic, claim, or defense
Cyber Security
Document type
Issuing entity
Legislative Branch
Type of service provider
General or Non-Specified
Issues addressed
Trigger for OSP obligations
OSP obligation considered
Data Retention or Disclosure
Type of law