Search for:

Divina Pastora V. Ilas-Panganiban

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sector to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as leading lawyer for intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

The Data Privacy Act provides that a personal information controller (PIC) must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The PIC shall also protect personal information against natural dangers and human dangers. For this purpose, the National Privacy Commission (NPC) recently issued NPC Circular No. 2023-06 (“Circular”), which sets out the updated minimum requirements for the security of personal data.

The National Privacy Commission (NPC) recently issued NPC Circular No. 2023-05, which sets out the prerequisites for certification under the Philippine Privacy Mark Certification Program.
The NPC Privacy Mark, obtained through the PPM Certification Program, offers the highest level of assurance on data privacy compliance and secure cross-border data transfers of personal information controllers and personal information processors. It helps data subjects identify organizations they can entrust their personal data with.
The Circular took effect on 15 March 2024.

The National Privacy Commission (NPC) recently issued NPC Circular No. 2024-01 (“Circular”), which amends certain provisions of the 2021 Rules of Procedure. The Circular aims to further streamline the process of receiving complaints and instituting investigations on matters affecting any personal information. The amendments impose certain requirements in case of privacy violation complaints by minors or persons alleged to be incompetent.

The National Privacy Commission (NPC) formally announced through its official website that the Annual Security Incident Report for the year 2023 must be filed by 31 March 2024.
Any natural and juridical person in the government or private sector processing personal data in or outside of the Philippines that are subject to the provisions of Republic Act No. 10173 or the Data Privacy Act of 2012 must submit the ASIR containing the following information:
• Summary of the number of security incidents encountered in a particular calendar year and categorized by type, i.e., theft, identity fraud, sabotage/physical damage, malicious code, hacking, misuse of resources, hardware failure, software failure, communication failure, natural disaster, design error, user error, operations error, software maintenance error, third-party service, and other analogous causes
• Summary of the number of personal data breaches encountered in a particular calendar year and classified based on the application of the breach notification obligations, i.e., mandatory and voluntary notification

Consent is not the only available lawful basis for processing personal information. Personal information controllers and other parties engaged in the processing of personal information may also use legitimate interest as a lawful basis for processing. However, these parties must be aware of the conditions and limitations for processing personal information based on legitimate interest. For this reason, the National Privacy Commission (“NPC”) recently issued NPC Circular No. 2023-07, which provides guidelines on the processing of personal information based on legitimate interest. The Circular takes effect on 14 January 2024.

The National Privacy Commission (NPC) recently issued NPC Circular No. 2023-03 (“Circular”), which sets out guidelines on the issuance of identification cards to data subjects. The Circular applies to all personal information controllers (PICs) that issue ID cards to data subjects, excluding government-issued ID cards. The Circular took effect on 30 November 2023.

On 7 November 2023, the National Privacy Commission issued Advisory No. 2023-01, which sets out guidance on the nature of deceptive design patterns and how their use by personal information controllers and personal information processors when securing consent vitiates the consent of the data subject and consequently renders the data processing to be without lawful basis.
This Advisory supplements the recently issued NPC Circular No. 2023-04, or the comprehensive guidelines on the use of consent as a lawful basis for processing data, which, among others, prohibits the use of deceptive design patterns.

Personal Information Controllers and Personal Information Processors that are covered by the registration requirement under NPC Circular No. 2022-04 have until 10 July 2023 to register their respective Data Protection Officers (DPOs) and Data Processing Systems (DPS) with the National Privacy Commission through its online registration portal.

The National Economic Development Authority has issued the implementing rules and regulations of the amended Public Service Act or Republic Act No. 11659, which took effect on 4 April 2023.