In the Philippines, the gaming industry has seen an unprecedented surge, with millions of Filipinos engaging in mobile, PC, and console gaming. While these platforms offer entertainment, they also collect vast amounts of personal data—ranging from real names and birthdates to credit card information and precise geographic locations.
When these platforms fail to protect this data or process it unlawfully, they run afoul of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA). This article outlines the legal framework and the step-by-step process for Filipinos to hold online gaming platforms accountable.
I. Understanding Your Rights as a Data Subject
Under the DPA, every gamer is considered a Data Subject. Online gaming platforms are generally categorized as Personal Information Controllers (PICs). As a data subject, you possess specific rights that platforms must respect:
- Right to be Informed: You must be told if your data is being processed, for what purpose, and who has access to it.
- Right to Object: You can refuse the processing of your data (e.g., for direct marketing or profiling).
- Right to Access: You can demand a copy of the personal data the platform holds about you.
- Right to Rectification: You have the right to dispute and correct inaccuracies in your data.
- Right to Erasure or Blocking: You can request the removal or destruction of your data if it is no longer necessary or was unlawfully processed.
- Right to Data Portability: You can obtain your data in a format that allows you to transfer it to another platform.
- Right to Damages: You are entitled to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
II. Common Privacy Violations in Online Gaming
Before filing a report, it is essential to identify the specific violation. Common infractions include:
- Unauthorized Processing: Collecting data (like your contacts or microphone access) without explicit consent.
- Accessing Sensitive Personal Information: Handling government IDs or health info without a legitimate purpose or proper security.
- Data Breach: Failure to secure the platform, resulting in the leak of passwords or payment details.
- Failure to Appoint a Data Protection Officer (DPO): Every platform operating in the Philippines must have a designated point person for privacy concerns.
- Improper Disposal: Discarding user data in a way that allows unauthorized third parties to retrieve it.
III. The Reporting Process: Step-by-Step
The National Privacy Commission (NPC) is the central regulatory and quasi-judicial body tasked with enforcing the DPA.
Step 1: Exhaust Internal Remedies
Before the NPC will entertain a formal complaint, you must first attempt to resolve the issue with the gaming platform.
- Action: Contact the platform’s Data Protection Officer (DPO). Most platforms list their DPO contact information in their "Privacy Policy."
- Requirement: Send a formal written request or complaint.
- Timeline: The platform typically has fifteen (15) days to respond. If they ignore you or provide an unsatisfactory resolution, you may proceed to the NPC.
Step 2: File a Formal Complaint with the NPC
If internal efforts fail, you can file a complaint for Adjudication.
| Requirement | Description |
|---|---|
| Complainant's Info | Your full name, address, and contact details. |
| Respondent's Info | The name of the gaming company and its registered office address. |
| Statement of Facts | A clear narrative of what happened and which rights were violated. |
| Evidence | Screenshots of the privacy settings, emails to the DPO, or notifications of a data breach. |
| Relief Sought | What you want (e.g., deletion of data, a fine against the company, or damages). |
Step 3: Mediation
The NPC often encourages Alternative Dispute Resolution. A mediator will facilitate a discussion between you and the gaming platform to reach an amicable settlement. If a settlement is reached, the case is closed.
Step 4: Summary Hearing and Decision
If mediation fails, the case proceeds to adjudication. The NPC will review the position papers and evidence from both sides. If the platform is found liable, the NPC may issue:
- Cease and Desist Orders.
- Orders for Correction or Deletion of Data.
- Recommendations for Prosecution.
IV. Penalties for Violations
The DPA imposes heavy penalties to ensure compliance. These apply to both the corporation and the specific officers responsible.
Note on Criminal Liability: Under the DPA, unauthorized processing of personal information can lead to imprisonment ranging from one (1) to three (3) years and a fine of up to Php 2,000,000.00. If "Sensitive Personal Information" is involved, the penalties increase to up to six (6) years imprisonment and a Php 4,000,000.00 fine.
V. Special Considerations for International Platforms
Many popular games (e.g., Mobile Legends, Genshin Impact, Valorant) are operated by foreign companies. However, the DPA has Extraterritorial Application. If the platform:
- Processes data of Philippine citizens or residents; and
- Has a "link" to the Philippines (e.g., it enters into contracts here or has a Philippine-specific version of the app),
then it is subject to the jurisdiction of the NPC. The NPC can coordinate with international privacy bodies to enforce its mandates against foreign entities.
VI. Summary Checklist for Gamers
- Read the Privacy Policy: Check what data is being collected before clicking "I Accept."
- Limit Permissions: Go to your device settings and disable microphone, camera, or location access if they aren't essential for gameplay.
- Document Everything: Save screenshots of suspicious prompts or data leaks.
- Check for the DPO: If a game doesn't list a DPO, that is an immediate red flag.
- Report Breaches Immediately: If you suspect your account was compromised due to a platform-wide leak, notify the NPC even if the platform hasn't.