VICTIMS of personal data breaches may request cease-and-desist orders from the National Privacy Commission (NPC) if the breach violates their privacy rights and causes “irreparable injury.”

The NPC, in circular no. 20-02 signed on Oct. 6, said that it may issue such orders in the event of violations or threats to violate the Data Privacy Act.

The order will be issued if the privacy breach harms the public interest or an individual.

The aggrieved party can apply for the issuance of such an order, or NPC’s investigation arm can initiate proceedings. Applicants must submit evidence supporting their claim and put up a bond.

The NPC can issue an order without hearing after conducting an investigation. Hearings may proceed after the respondent submits its own comment.

Non-compliance with the order could result in fines and penalties, and possible contempt proceedings.

The commission has been seeking accountability from private and public organizations, including health institutions, collecting personal data during the pandemic.

The NPC has warned contact tracers and the makers of contact-tracing apps to limit their data collection to necessary information, and avoid collecting signatures. Earlier this month, the commission flagged the “dismal” privacy standards in the health sector, citing breaches caused by human error. — Jenina P. Ibañez