Policy, purpose, and national approach
- Section 2 recognizes the vital role of information and communications industries (including content production, telecommunications, broadcasting, electronic commerce, and data processing) in the nation’s social and economic development.
- Section 2 directs the State to adopt an environment conducive to the development, acceleration, and rational application and exploitation of ICT for free, easy, and intelligible access to exchange and/or delivery of information.
- Section 2 mandates safeguarding the integrity and confidentiality of computer systems, networks, databases, and information/data stored therein from misuse, abuse, and illegal access.
- Section 2 requires the State to adopt sufficient powers to prevent and combat cybercrime by facilitating detection, investigation, and prosecution at both domestic and international levels, including fast and reliable international cooperation.
Key definitions for cybercrime
- Section 3(a) defines “Access” as instruction, communication with, storing data in, retrieving data from, or otherwise making use of resources of a computer system or communication network.
- Section 3(b) defines “Alteration” as modification or change, in form or substance, of existing computer data or program.
- Section 3(c) defines “Communication” as transmission of information through ICT media, including voice, video and other forms of data.
- Section 3(d) defines “Computer” as an electronic, magnetic, optical, electrochemical, or other data processing or communications device (or grouping of such devices) capable of performing logical, arithmetic, routing, or storage functions, including storage/communications equipment directly related to or operating in conjunction with such device, and including devices with data processing capabilities like mobile phones, smart phones, computer networks, and other internet-connected devices.
- Section 3(e) defines “Computer data” as any representation of facts, information, or concepts in a form suitable for processing in a computer system, including a program to cause the system to perform a function, and including electronic documents and/or electronic data messages whether stored locally or online.
- Section 3(g) defines “Computer system” as any device or group of interconnected or related devices (one or more performing automated processing of data pursuant to a program), including hardware/software components with input/output/storage, connected standalone or in a network, and including computer data storage devices or media.
- Section 3(h) defines “Without right” as conduct undertaken without or in excess of authority, or conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under law.
- Section 3(i) defines “Cyber” as a computer or a computer network, the electronic medium in which online communication takes place.
- Section 3(j) defines “Critical infrastructure” as computer systems and/or networks (physical or virtual) and/or programs, computer data and/or traffic data so vital that incapacity/destruction/interference would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.
- Section 3(k) defines “Cybersecurity” as the collection of tools, policies, risk management approaches, actions, training, best practices, assurance technologies, and technologies to protect the cyber environment and organization and user’s assets.
- Section 3(m) defines “Interception” as listening to, recording, monitoring or surveillance of the content of communications (including procuring content of data), directly or indirectly through electronic eavesdropping or tapping devices, at the same time the communication is occurring.
- Section 3(n) defines “Service provider” as (1) any public or private entity providing users the ability to communicate by means of a computer system; and (2) any other entity processing or storing computer data on behalf of such communication service or users.
- Section 3(o) defines “Subscriber’s information” as information in the form of computer data held by a service provider, relating to subscribers other than traffic or content data, by which identity can be established (including service type, technical provisions, period of service; subscriber identity and addresses and access numbers; network address; billing/payment information; and information on site of installation of communication equipment).
- Section 3(p) defines “Traffic data” or “non-content data” as computer data other than the content of communication, including origin, destination, route, time, date, size, duration, or type of underlying service.
Punishable cybercrime acts
- Section 4 provides that the following acts constitute cybercrime offenses punishable under the Act, grouped into offenses against the confidentiality, integrity and availability of computer data and systems, computer-related offenses, and content-related offenses.
- Section 4(a)(1) prohibits Illegal Access, meaning access to the whole or any part of a computer system without right.
- Section 4(a)(2) prohibits Illegal Interception, meaning interception by technical means without right of any non-public transmission of computer data to, from, or within a computer system (including electromagnetic emissions carrying such computer data).
- Section 4(a)(3) prohibits Data Interference, meaning intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic document, or electronic data message without right, including introduction/transmission of viruses.
- Section 4(a)(4) prohibits System Interference, meaning intentional alteration or reckless hindering/interference with functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message without right or authority, including introduction/transmission of viruses.
- Section 4(a)(5) prohibits Misuse of Devices by criminalizing: (i) use/production/sale/procurement/importation/distribution/making available without right of a device (including computer program) designed/adapted primarily for committing any offenses under this Act, or a computer password/access code/similar data enabling access with intent to commit offenses; and (ii) possession of such items with intent to use them to commit offenses under this section.
- Section 4(a)(6) prohibits Cyber-squatting, meaning acquisition of a domain name in bad faith to profit, mislead, destroy reputation, and deprive others of registering it, when the domain name is: (i) similar/identical/confusingly similar to an existing trademark registered at the time of registration; or (ii) identical or similar to the name of a person other than registrant (personal name); and (iii) acquired without right or with intellectual property interests in it.
- Section 4(b)(1) prohibits Computer-related Forgery, by (i) input/alteration/deletion of computer data without right resulting in inauthentic data with intent it be considered/acted upon for legal purposes as if authentic (even if not directly readable/intelligible); or (ii) knowingly using computer data that is the product of computer-related forgery to perpetuate a fraudulent or dishonest design.
- Section 4(b)(2) prohibits Computer-related Fraud, by unauthorized input/alteration/deletion of computer data or program or interference with functioning of a computer system causing damage with fraudulent intent, with the proviso that if no damage has yet been caused, the imposable penalty is one (1) degree lower.
- Section 4(b)(3) prohibits Computer-related Identity Theft, by intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another (natural or juridical) without right, with the proviso that if no damage has yet been caused, the penalty is one (1) degree lower.
- Section 4(c)(1) prohibits Cybersex, meaning willful engagement, maintenance, control, or operation (directly or indirectly) of any lascivious exhibition of sexual organs or sexual activity with the aid of a computer system for favor or consideration.
- Section 4(c)(2) prohibits Child Pornography, meaning acts defined and punishable under Republic Act No. 9775 when committed through a computer system, and imposes a penalty one (1) degree higher than the penalty under Republic Act No. 9775.
- Section 4(c)(3) prohibits Unsolicited Commercial Communications transmitted using a computer system that seek to advertise, sell, or offer for sale products/services unless one of these applies: (i) there is prior affirmative consent from the recipient; or (ii) the primary intent is for service and/or administrative announcements to existing users/subscribers/customers; or (iii) the commercial communication: (aa) contains a simple, valid, reliable way to reject further messages (opt-out) from the same source; (bb) does not purposely disguise the source; and (cc) does not purposely include misleading information to induce recipients to read the message.
- Section 4(c)(4) criminalizes Libel: unlawful or prohibited libel acts under Article 355 of the Revised Penal Code, as amended, committed through a computer system or any similar means devised in the future.
- Section 5(a) provides liability for Aiding or Abetting cybercrime: any person who willfully abets or aids in the commission of any offense enumerated in the Act is held liable.
- Section 5(b) provides liability for Attempt: any person who willfully attempts to commit any offense enumerated in the Act is held liable.
- Section 6 extends the Act to all crimes defined and penalized by the Revised Penal Code (as amended) and special laws when committed by, through and with the use of ICT, with the penalty imposed being one (1) degree higher than provided under the Revised Penal Code or special laws, as the case may be.
- Section 7 provides that prosecution under this Act is without prejudice to liability for violation of the Revised Penal Code (as amended) or special laws.
Imprisonment and fines for cybercrime
- Section 8 imposes penalties depending on which subsection of Section 4(a), Section 4(c), or Section 5 applies.
- For offenses under Section 4(a) (except Section 4(a)(5)): a guilty person is punished with prision mayor or a fine of at least PHP 200,000 up to a maximum amount commensurate to the damage incurred, or both.
- For offenses under Section 4(a)(5) (Misuse of Devices): a guilty person is punished with prision mayor or a fine of not more than PHP 500,000, or both.
- For offenses under Section 4(a) committed against critical infrastructure: the penalty is reclusion temporal or a fine of at least PHP 500,000 up to a maximum amount commensurate to the damage incurred, or both.
- For offenses under Section 4(c)(1) (Cybersex): a guilty person is punished with prision mayor or a fine of at least PHP 200,000 but not exceeding PHP 1,000,000, or both.
- For offenses under Section 4(c)(2) (Child Pornography through a computer system): penalties follow Republic Act No. 9775, with the penalty to be imposed being one (1) degree higher if committed through a computer system.
- For offenses under Section 4(c)(3) (Unsolicited Commercial Communications): a guilty person is punished with arresto mayor or a fine of at least PHP 50,000 but not exceeding PHP 250,000, or both.
- For offenses under Section 5 (Aiding/abetting and attempt): a guilty person is punished with imprisonment one (1) degree lower than the prescribed penalty for the offense, or a fine of at least PHP 100,000 but not exceeding PHP 500,000, or both.
Corporate liability rules
- Section 9 imposes criminally relevant corporate liability when punishable acts under the Act are knowingly committed on behalf of or for the benefit of a juridical person.
- Section 9 requires that the act be committed by a natural person acting individually or as part of an organ of the juridical person who holds a leading position within the juridical person, based on any of these: (a) a power of representation where the act falls within authority; (b) authority to take decisions where the act falls within scope; or (c) authority to exercise control within the juridical person.
- Section 9 states the juridical person is liable for a fine equivalent to at least double the fines imposable under Section 7, up to a maximum of PHP 10,000,000.
- Section 9 adds that when the commission is made possible due to lack of supervision or control by the natural person under the preceding paragraph, the juridical person is liable for a fine equivalent to at least double the fines imposable under Section 7, up to a maximum of PHP 5,000,000.
- Section 9 provides that corporate liability is without prejudice to the criminal liability of the natural person who committed the offense.
Law enforcement duties and investigative powers
- Section 10 designates the National Bureau of Investigation (NBI) and the Philippine National Police (PNP) as responsible for efficient and effective law enforcement under the Act.
- Section 10 requires the NBI and PNP to organize a cybercrime unit or center manned by special investigators exclusively handling cases involving violations of the Act.
- Section 11 requires law enforcement authorities—especially computer or technology crime divisions/units responsible for investigating cybercrimes—to submit timely and regular reports to the Department of Justice (DOJ), including pre-operation, post-operation, investigation results, and other documents required for DOJ review and monitoring.
- Section 12 authorizes law enforcement authorities, with due cause, to collect or record in real time traffic data associated with specified communications transmitted by a computer system.
- Section 12 limits traffic data to origin, destination, route, time, date, size, duration, or type of underlying service, expressly excluding content and identities.
- Section 12 requires a court warrant for any other data to be collected, seized, or disclosed.
- Section 12 requires service providers to cooperate and assist law enforcement authorities in collecting or recording traffic data.
- Section 12 sets the requirements for the court warrant for real-time traffic data collection: (1) a written application and examination under oath/affirmation of the applicant and witnesses; (2) reasonable grounds that a crime enumerated in the Act has been committed, is being committed, or is about to be committed; (3) reasonable grounds that the evidence to be obtained is essential for conviction, solution, or prevention of the crime; and (4) a showing that no other means of obtaining the evidence are readily available.
Data preservation, disclosure, and forensic process
- Section 13 requires preservation of integrity of traffic data and subscriber information for a minimum period of six (6) months from the date of the transaction.
- Section 13 requires preservation of content data for six (6) months from the date of receipt of the order from law enforcement authorities requiring preservation.
- Section 13 allows law enforcement authorities to order a one-time extension for another six (6) months.
- Section 13 provides that once preserved data is used as evidence, furnishing the transmittal document to the Office of the Prosecutor is deemed notification to preserve the computer data until termination of the case.
- Section 13 requires the service provider ordered to preserve to keep the order and its compliance confidential.
- Section 14 authorizes law enforcement authorities, upon securing a court warrant, to issue an order requiring any person or service provider to disclose or submit subscriber’s information, traffic data, or relevant data within seventy-two (72) hours from receipt of the order, in relation to a valid complaint officially docketed and assigned for investigation, where the disclosure is necessary and relevant for the investigation.
- Section 15 empowers law enforcement authorities, within the time period specified in the search and seizure warrant, to: (a) conduct interception as defined in the Act; (b) secure a computer system or data storage medium; (c) make and retain a copy of secured computer data; (d) maintain integrity of relevant stored data; (e) conduct forensic analysis or examination; and (f) render inaccessible or remove the computer data in the accessed computer/network.
- Section 15 authorizes law enforcement authorities, under these powers, to order any person with knowledge about the functioning of the computer system and measures protecting/preserving data to provide, as is reasonable, necessary information to enable the search, seizure, and examination.
- Section 15 limits forensic examination extensions: law enforcement authorities may request extension of time to complete examination and make return, but no extension may exceed thirty (30) days from the date of court approval.
- Section 16 requires custody procedures: all examined computer data (content and traffic) must be deposited with the court in a sealed package within forty-eight (48) hours after expiration of the period fixed in the warrant, accompanied by an affidavit stating the dates/times covered and the law enforcement authority who may access it, and certifying that no duplicates/copies were made (or, if made, that all are included).
- Section 16 bars use of deposited evidence absent court authority: the sealed package may not be opened, recordings replayed, used in evidence, or contents revealed except upon a court order granted only upon motion with due notice and opportunity to be heard to persons whose communications were recorded.
- Section 17 commands destruction: upon expiration of periods in Sections 13 and 15, service providers and law enforcement authorities must immediately and completely destroy the computer data subject of preservation and examination.
- Section 18 establishes an exclusionary rule: any evidence procured without a valid warrant or beyond the authority of the same is inadmissible in any proceeding before any court or tribunal.
- Section 19 allows restriction/blocking: when computer data is prima facie found to violate the Act, the DOJ shall issue an order to restrict or block access to such computer data.
Noncompliance penalties
- Section 20 punishes failure to comply with Chapter IV provisions, specifically failure to comply with law enforcement orders, as a violation of Presidential Decree No. 1829.
- Section 20 imposes prision correctional in its maximum period or a fine of PHP 100,000 or both, for each and every noncompliance with an order issued by law enforcement authorities.
Jurisdiction and trial courts
- Section 21 grants the Regional Trial Court jurisdiction over any violation of the Act.
- Section 21 provides that jurisdiction includes violations committed by a Filipino national regardless of the place of commission.
- Section 21 provides that jurisdiction lies if any element is committed within the Philippines, or is committed with the use of any computer system wholly or partly situated in the country, or when damage is caused to a natural or juridical person who, at the time of the offense, is in the Philippines.
- Section 21 requires designation of special cybercrime courts manned by specially trained judges to handle cybercrime cases.
International cooperation framework
- Section 22 commands that all relevant international instruments on international cooperation in criminal matters, arrangements based on uniform or reciprocal legislation, and domestic laws receive full force and effect to the widest extent possible for investigations or proceedings involving cybercrime offenses and for collecting electronic evidence.
Competent authorities and coordinating structures
- Section 23 creates an Office of Cybercrime within the DOJ, designated as the central authority in matters related to international mutual assistance and extradition.
- Section 24 creates, within thirty (30) days from the Act’s effectivity, the Cybercrime Investigation and Coordinating Center (CICC) under the administrative supervision of the Office of the President.
- Section 24 assigns the CICC policy coordination among concerned agencies and formulation and enforcement of the national cybersecurity plan.
- Section 25 provides CICC composition: Chairperson as the Executive Director of ICTO-DOST, Vice Chairperson as Director of the NBI, members including the Chief of the PNP, Head of the DOJ Office of Cybercrime, and one (1) representative from the private sector and academe.
- Section 26 grants CICC powers and functions including: formulating a national cybersecurity plan and extending immediate assistance through a computer emergency response team (CERT); coordinating prevention and suppression measures; monitoring cybercrime cases among participating agencies; facilitating international cooperation for intelligence, investigations, training, and capacity building; coordinating support/participation of business sector, LGUs, and NGOs in cybercrime prevention programs/projects; recommending enactment of laws/issuances/measures/policies; calling on government agencies for assistance in accomplishing CICC tasks; and performing other matters related to cybercrime prevention and suppression, including capacity building.
Implementing rules, appropriations, and final clauses
- Section 27 appropriates PHP 50,000,000.00 annually for implementation of the Act.
- Section 28 requires the ICTO-DOST, DOJ, and DILG to jointly formulate necessary rules and regulations within ninety (90) days from approval of the Act for effective implementation.
- Section 29 provides separability: invalidity of any provision does not affect the other provisions’ continued full force and effect.
- Section 30 provides a repealing/modification clause for laws, decrees, or rules inconsistent with the Act, and modifies Section 33(a) of Republic Act No. 8792 (Electronic Commerce Act) accordingly.