Regional Round-Up: Philippines Q3 2021

PCC Resumes Motu Proprio Review of M&As After 1-year Moratorium

Before the COVID-19 pandemic hit the Philippines, parties to mergers and acquisitions (“M&As“) had to notify the Philippine Competition Commission (“PCC“) of such M&A when these two thresholds are met: (i) the aggregate annual gross revenues in, into or from the Philippines, or value of the assets in the Philippines, of the ultimate parent entity (“UPE“) of at least one of the acquiring or acquired entities (including that of all entities that the UPE controls, directly or indirectly) exceed PhP6 billion, and (ii) when the value of the transaction exceeds PhP2.4 billion.  PCC also had the power to review, motu proprio, any M&A – including those that did not meet the foregoing thresholds – having a direct, substantial, and reasonably foreseeable effect on trade, industry, or commerce in the Philippines, based on factors deemed relevant by PCC.

To promote business continuity and capacity building during the pandemic, Philippine Congress passed the “Bayanihan to Recover as One Act”. This increased the thresholds for compulsory merger notification to PhP50 billion for a period of two years from the effectivity of the law on 15 September 2020, and suspended PCC’s power to review, motu proprio, any M&A for a period of one year, also from the effectivity of the law.

With the relaxation of the foregoing rules, merger notifications in 2020 decreased to 26 from the 46 notifications PCC received in 2019.  In 2021, PCC has thus far received only four notifications.

With the recent expiration of the one-year moratorium on motu proprio merger review on 15 September 2021, PCC is hopeful that parties to M&As will be discouraged to enter into M&As that are potentially anti-competitive.  PCC stressed that regulating M&As in the post-COVID-19 economic environment is critical to ensure that consolidation is not allowed to lead to highly concentrated markets.

Indeed, PCC’s motu proprio review powers (as well as the compulsory notification requirement) allows it to predict and prevent anti-competitive practices before these materialise.  The early determination of the merger’s impact provides PCC the opportunity to intervene and remedy or prohibit a merger when anti-competitive effects are determined to occur.

As of 14 September 2021, PCC has received a total of 225 M&A transactions with a combined transaction value of PhP 4.56 trillion. The top five sectors based on frequency of M&A notifications are manufacturing (50), financial and insurance (37), real estate (33), electricity and gas (27), and transportation and storage (18).

NPC Issues Advisories on Adoption of International Data Protection Standards on Security Techniques

In adopting to the fast-changing pace of the development of technology and communication globally, the National Privacy Commission (“NPC“) continues to advocate policies that will adopt generally accepted international principles and standards for personal data protection.

NPC’s Data Security and Compliance Office issued the following advisories on the adoption of the following sets of international standards. These international standards are approved for adoption as part of the Philippine National Standards by the Bureau of Philippine Standards.

    1. ISO/IEC 29100 – Privacy framework

      This international standard provides a privacy framework which (i) specifies a common privacy terminology; (ii) defines the actors and their roles in processing personally identifiable information; (iii) describes privacy safeguarding considerations; and (iv) provides references to known privacy principles for information technology.

    2. ISO/IEC 29151 – Code of practice for personally identifiable information protection

      This establishes objectives and guidelines for implementing controls to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (“PII“). The guidelines take into consideration the requirements for processing PII which may be applicable within the context of an organisation’s information security risk environment(s).

    3. ISO/IEC 24760 – A framework for identity management

      This International Standard defines the terms and core concepts of identity, identity management and their relationships. This serves as a guide for organisations to make identity-based decisions, which they may use to grant or deny access to applications or other organisational resources.

    4. ISO/IEC 29134 – Guidelines for privacy impact assessment

      This provides guidelines for the process on privacy impact assessments (“PIA“) and the structure and content of a PIA report. This is applicable to all types and sizes of organisations, including public companies, private companies, government entities and not-for-profit organisations.

According to NPC, the adoption of these international standards involves an organisation’s data protection efforts. Personal Information Controllers and Personal Information Processors adopting the international standards must implement these on top of their compliance with the Data Privacy Act of 2021, its implementing rules and regulations, and other issuances of the NPC.

NPC Highlights Privacy Protection in Anti-fraud Data Sharing Initiatives of Financial Industry

In response to the initiatives of the financial services industry on cybersecurity that aim to thwart fraud incidents and uphold customers’ confidence in digital payments systems, the National Privacy Commission (“NPC“) has issued Advisory Opinion 2021-26 to guide personal information controllers in protecting the privacy of shared databases through strict adherence to the basic data privacy principles of transparency, legitimate purpose, proportionality, and the conduct of privacy impact assessments (“PIAs“).

NPC recognises that data sharing for investigation and resolving fraud incidents is allowed under the Data Privacy Act of 2012. While the NPC Privacy Policy Office recognises that having a shared database for know-your-customer, enhanced due diligence, and anti-money laundering purposes may enhance the integrity of the financial system, there is a need to ensure that personal and sensitive personal information (collectively, “personal data“) is processed fairly and lawfully. In this particular context, the NPC Privacy Policy Office emphasised that personal data in such database must be accurate, relevant, and kept up to date. Consequently, inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted. 

The NPC Privacy Policy also recommends the conduct of a PIA to identify, assess, evaluate, and manage the risks represented by the processing of personal data in the shared database.

Equally important to the rights of financial services industry are the rights of data subjects. In this regard, the NPC Privacy Policy Office has reminded the financial services industry that data subjects should be provided the mechanism to exercise their rights.

NPC Issues Advisory Opinion on Adoption of ASEAN Cross-border Tools to Boost Digital Competitiveness

The National Privacy Commission (“NPC“) has the mandate to ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, and participate in international and regional initiatives for data privacy protection, such as those undertaken by the Association of Southeast Asian Nations (“ASEAN“).

With the approval in January 2021 at the 1st ASEAN Digital Ministers’ Meeting of the ASEAN Model Contractual Clauses (“MCCs“) and ASEAN Data Management Framework (“DMF“), and in line with its mandate, NPC issued Advisory Opinion 2021-02 on 28 June 2021 (“Advisory Opinion“) as its first guidance on the adoption of MCCs and DMF which harmonise data management and cross-border transfer standards across different jurisdictions.

The MCCs are voluntary contractual terms and conditions that may be included in the binding legal agreements between parties or entities transferring personal information and/or sensitive personal information (collectively, “personal data“) across different jurisdictions. These are templates setting out the responsibilities, required personal data protection measures, and related obligations of the parties based on the ASEAN Framework on Personal Data Protection.

NPC considered the fact that there are different levels of development among ASEAN member states, and thus provided in the Advisory Opinion that companies are allowed to modify the MCCs in a way that does not contradict the clauses, as well as domestic laws on privacy and protection.

Meanwhile, the DMF is a voluntary and non-binding guidance for ASEAN businesses to establish a data management system and governance structure that appropriately safeguard different kinds of data. Organisations may adopt it to varying business needs in their own systems of managing data. It may serve as basis for sound data governance practices by helping organisations to organise datasets they have, assign it within the appropriate categories, manage their data, and protect it accordingly in compliance with relevant regulations.

With this initiative, NPC aims to promote the growth of trade and flow of information in the ASEAN internet economy, and promote the Philippines having a slice of the region growth aimed at $240 billion by 2025.

BIR Suspends Imposition of VAT on Local Purchases of RBEs

The Bureau of Internal Revenue (“BIR“) suspended the implementation of Revenue Regulation (“RR“) No. 9-2021, which would have imposed 12% VAT on the local purchases of Philippine Economic Zone Authority (“PEZA“)-registered business enterprises (“RBEs“). 

Previously, the National Internal Revenue Code (“Tax Code“) only imposed a 0% VAT on the sale of goods and services to RBEs. However, the Tax Reform for Acceleration and Inclusion (“TRAIN“) Law – which amended the Tax Code in 2018 – imposed 12% VAT on the local purchases of RBEs, after fulfillment of certain conditions in the TRAIN Law.

 The Tax Code was again amended through the Corporate Recovery and Tax Incentives for Enterprises (“CREATE“) Law, which reintroduced 0% VAT on local purchases of RBEs. To avail themselves of the 0% VAT, these local purchases must be directly and exclusively used in the RBEs’ registered projects or activities. 

Despite the effectivity of the CREATE Law in April 2021, the BIR still issued RR No. 9-2021 in June 2021 that would have implemented the 12% VAT on local purchases of RBEs under the TRAIN Law. 

PEZA and various RBEs pointed out the apparent conflict between the TRAIN Law and the CREATE Law to the Department of Finance (“DOF“), which oversees BIR. They pleaded with DOF to defer the implementation of RR No. 9-2021 until DOF and BIR finally reconcile the conflicting provisions of the TRAIN Law and the CREATE Law on the VAT on local purchases of RBEs.

Thus, BIR enacted RR No. 15-2021 to suspend the implementation of RR No. 9-2021 until it enacts another issuance on the matter.

Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This website is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this website.

© 2024 Rajah & Tann Asia. All Rights Reserved. All trademarks are property of their respective owners.