Title: Cybercrime Prevention Act of 2012
Law: Republic Act No. 10175
Decision Date: Sep 12, 2012
An act defining cybercrime, establishing penalties for offenses such as illegal access, data interference, and cybersex, while promoting the protection of information and communication systems to ensure national security and public safety.

Policy, purpose, and core objective

  • Section 2 recognizes the vital role of information and communications industries in the nation’s social and economic development.
  • Section 2 commits the State to an environment conducive to the development, acceleration, and rational application and exploitation of ICT for free, easy, and intelligible access to exchange and/or delivery of information.
  • Section 2 directs protection and safeguarding of the integrity of computer systems, networks, databases, and the confidentiality, integrity, and availability of stored information and data.
  • Section 2 authorizes adoption of sufficient powers to effectively prevent and combat cybercrime by facilitating detection, investigation, and prosecution at domestic and international levels.
  • Section 2 mandates arrangements for fast and reliable international cooperation.

Express definitions for legal use

  • Section 3(a) defines “Access” as instruction, communication with, storing data in, retrieving data from, or otherwise making use of resources of a computer system or communications network.
  • Section 3(b) defines “Alteration” as modification or change, in form or substance, of existing computer data or a program.
  • Section 3(c) defines “Communication” as transmission of information through ICT media, including voice, video, and other forms of data.
  • Section 3(d) defines “Computer” as any electronic, magnetic, optical, electrochemical, or other data processing or communications device (or grouping) performing logical, arithmetic, routing, or storage functions, including storage and communications facilities/equipment directly related to or operating in conjunction with it; it includes mobile phones, smart phones, computer networks, and other internet-connected devices.
  • Section 3(e) defines “Computer data” as any representation of facts, information, or concepts in a form suitable for processing in a computer system, including a program to cause a computer system to perform a function; it includes electronic documents and/or electronic data messages, whether stored locally or online.
  • Section 3(f) defines “Computer program” as a set of instructions executed by the computer to achieve intended results.
  • Section 3(g) defines “Computer system” as any device or group of interconnected or related devices, one or more performing automated processing of data pursuant to a program; it includes computers and mobile phones and includes input, output, and storage components, whether stand-alone or network-connected; it also includes computer data storage devices or media.
  • Section 3(h) defines “Without right” as conduct undertaken without or in excess of authority, or conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under the law.
  • Section 3(i) defines “Cyber” as a computer or computer network and the electronic medium where online communication takes place.
  • Section 3(j) defines “Critical infrastructure” as computer systems and/or networks (physical or virtual), and/or computer programs, computer data and/or traffic data so vital to the country that incapacity, destruction, or interference would have a debilitating impact on security, national or economic security, national public health and safety, or any combination.
  • Section 3(k) defines “Cybersecurity” as the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies protecting the cyber environment and organization and user assets.
  • Section 3(l) defines “Database” as a representation of information, knowledge, facts, concepts, or instructions prepared, processed, or stored in a formalized manner intended for use in a computer system.
  • Section 3(m) defines “Interception” as listening to, recording, monitoring, or surveillance of the content of communications—directly or indirectly, including procuring content via access/use of a computer system or via electronic eavesdropping/tapping devices—at the same time the communication occurs.
  • Section 3(n) defines “Service provider” as (1) any public or private entity providing users the ability to communicate by means of a computer system; and (2) any other entity processing or storing computer data on behalf of such communication service or users.
  • Section 3(o) defines “Subscriber’s information” as information in the form of computer data or other form held by a service provider, relating to subscribers other than traffic or content data, by which identity can be established, including communication service type, technical provisions, period of service, subscriber identity and addresses, telephone and access numbers, assigned network address, billing and payment info, and other available information on installation site of communication equipment.
  • Section 3(p) defines “Traffic data” or “non-content data” as any computer data other than the content of the communication, including origin, destination, route, time, date, size, duration, or type of underlying service.

Cybercrime offenses and prohibited conduct

  • Section 4 establishes that the following acts constitute cybercrime punishable under the Act.
  • Section 4(a) creates offenses against the confidentiality, integrity and availability of computer data and systems, including:
    • Illegal Access: access to the whole or any part of a computer system without right.
    • Illegal Interception: interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system, including electromagnetic emissions carrying such computer data.
    • Data Interference: intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic documents, or electronic data messages without right, including introduction or transmission of viruses.
    • System Interference: intentional alteration or reckless hindering or interference with functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or program/electronic document/electronic data message without right or authority, including introduction or transmission of viruses.
    • Misuse of Devices: use, production, sale, procurement, importation, distribution, or otherwise making available without right of (aa) a device (including a computer program) designed or adapted primarily to commit any offense under the Act; or (bb) a computer password, access code, or similar data enabling access with intent to commit any offense under the Act; and possession of such item with intent to use it for committing offenses under Section 4.
    • Cyber-squatting: acquisition of a domain name in bad faith to profit, mislead, destroy reputation, and deprive others from registering, if the domain name is (i) similar/identical/confusingly similar to a registered trademark; (ii) identical or similar to the name of a person other than the registrant; and (iii) acquired without right or with intellectual property interests in it.
  • Section 4(b) creates computer-related offenses, including:
    • Computer-related Forgery: (i) input, alteration, or deletion of any computer data without right resulting in inauthentic data with intent that it be considered or acted upon for legal purposes as if authentic (even if not readable/intelligible); or (ii) knowingly using computer data that is the product of such forgery for perpetuating a fraudulent or dishonest design.
    • Computer-related Fraud: unauthorized input, alteration, or deletion of computer data or program or interference with a computer system causing damage with fraudulent intent, with a rule that if no damage has yet been caused, the penalty imposable is one (1) degree lower.
    • Computer-related Identity Theft: intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another (natural or juridical) without right, with a rule that if no damage has yet been caused, the penalty imposable is one (1) degree lower.
  • Section 4(c) creates content-related offenses, including:
    • Cybersex: willful engagement, maintenance, control, or operation (directly or indirectly) of a lascivious exhibition of sexual organs or sexual activity with the aid of a computer system for favor or consideration.
    • Child Pornography: unlawful or prohibited acts defined and punishable by Republic Act No. 9775, committed through a computer system, with a penalty rule that the penalty to be imposed is one (1) degree higher than that provided for Republic Act No. 9775.
    • Unsolicited Commercial Communications: transmission of commercial electronic communication using a computer system to advertise, sell, or offer for sale products and services is prohibited unless one of the allowed conditions is present:
      • there is prior affirmative consent from the recipient; or
      • the primary intent is for service and/or administrative announcements from sender to existing users/subscribers/customers; or
      • the commercial electronic communication contains a simple, valid, reliable way to reject further messages (opt-out) from the same source; does not purposely disguise the source; and does not purposely include misleading information to induce recipients to read the message.
    • Libel: unlawful or prohibited acts of libel under Article 355 of the Revised Penal Code, as amended, committed through a computer system or any similar means devised in the future.

Special modes of participation and related crimes

  • Section 5(a) punishes aiding or abetting in the commission of any cybercrime offense under the Act; any person who willfully abets or aids is held liable.
  • Section 5(b) punishes attempt in the commission of any cybercrime offense under the Act; any person who willfully attempts is held liable.
  • Section 6 covers all crimes defined and penalized by the Revised Penal Code, as amended, and special laws when committed by, through, and with the use of ICT: prosecution is handled under the relevant provisions of this Act, with a penalty rule that the penalty imposable is one (1) degree higher than that provided by the Revised Penal Code or special laws.
  • Section 7 states that prosecution under the Act is without prejudice to liability for violation of the Revised Penal Code, as amended, or special laws.

Penalties and corporate liability

  • Section 8 prescribes imprisonment and/or fines, depending on the category of offense:
    • For punishable acts in Sections 4(a) and 4(b): imprisonment of prision mayor or a fine of at least PHP 200,000 up to a maximum amount commensurate to damage incurred or both.
    • For punishable acts under Section 4(a)(5): imprisonment of prision mayor or a fine of not more than PHP 500,000 or both.
    • For punishable acts in Section 4(a) committed against critical infrastructure: imprisonment of reclusion temporal or a fine of at least PHP 500,000 up to a maximum amount commensurate to damage incurred or both.
    • For punishable acts under Section 4(c)(1): imprisonment of prision mayor or a fine of at least PHP 200,000 but not exceeding PHP 1,000,000 or both.
    • For punishable acts under Section 4(c)(2): penalties enumerated in Republic Act No. 9775, with the penalty to be imposed one (1) degree higher if committed through a computer system.
    • For punishable acts under Section 4(c)(3): imprisonment of arresto mayor or a fine of at least PHP 50,000 but not exceeding PHP 250,000 or both.
    • For punishable acts enumerated in Section 5: imprisonment one (1) degree lower than the prescribed penalty for the offense or a fine of at least PHP 100,000 but not exceeding PHP 500,000 or both.
  • Section 9 imposes corporate liability when punishable acts are knowingly committed:
    • on behalf of or for the benefit of a juridical person by a natural person acting individually or as part of an organ of the juridical person with a leading position, based on (a) power of representation within authority; (b) authority to take decisions within scope; or (c) authority to exercise control within the juridical person, with the act within the scope of authority.
    • The juridical person is held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of PHP 10,000,000.
  • Section 9 further imposes corporate liability where commission was made possible due to lack of supervision or control by a natural person in a leading position acting under the juridical person’s authority, for the benefit of that juridical person; the juridical person is liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of PHP 5,000,000.
  • Section 9 provides that corporate liability is without prejudice to the criminal liability of the natural person who committed the offense.

Law enforcement powers and implementation mechanics

  • Section 10 designates the National Bureau of Investigation (NBI) and the Philippine National Police (PNP) as responsible for efficient and effective law enforcement of the Act.
  • Section 10 requires the NBI and PNP to organize a cybercrime unit or center manned by special investigators exclusively handling cases involving violations of the Act.
  • Section 11 requires law enforcement authorities—especially the computer or technology crime divisions/units responsible for investigating cybercrimes—to submit timely and regular reports including pre-operation, post-operation, and investigation results, and other required documents to the Department of Justice (DOJ) for review and monitoring.
  • Section 12 authorizes, with due cause, law enforcement authorities to collect or record traffic data associated with specified communications in real-time by technical/electronic means.
  • Section 12 restricts traffic data to origin, destination, route, time, date, size, duration, or type of underlying service, not content and not identities.
  • Section 12 requires a court warrant before collecting, seizing, or disclosing any other data beyond traffic data and provides that the warrant is issued only upon written application and examination under oath/affirmation showing:
    • reasonable grounds to believe any enumerated crime has been committed, is being committed, or is about to be committed;
    • reasonable grounds to believe the evidence is essential to conviction, solution, or prevention of such crimes; and
    • no other means readily available for obtaining such evidence.
  • Section 12 requires service providers to cooperate and assist law enforcement in collecting/recording the authorized traffic data.
  • Section 13 requires preservation of data:
    • the integrity of traffic data and subscriber information must be preserved for a minimum of six (6) months from the date of transaction; and
    • content data must be similarly preserved for six (6) months from the date of receipt of the order requiring preservation.
  • Section 13 allows a one-time extension of preservation for another six (6) months, and provides that once preserved data is used as evidence, furnishing the transmittal document to the Office of the Prosecutor is deemed notification to preserve until termination of the case.
  • Section 13 imposes confidentiality: the service provider ordered to preserve must keep confidential the order and its compliance.
  • Section 14 provides that, after securing a court warrant, law enforcement authorities shall issue an order requiring disclosure/submission of subscriber information, traffic data, or relevant data in possession/control within seventy-two (72) hours from receipt of the order, tied to a valid complaint officially docketed and assigned for investigation, and where disclosure is necessary and relevant.
  • Section 15 governs search, seizure, and examination of computer data pursuant to a properly issued search and seizure warrant:
    • law enforcement may, within the warrant’s time period, conduct interception as defined in the Act;
    • secure a computer system or storage medium;
    • make and retain a copy of secured computer data;
    • maintain integrity of relevant stored data;
    • conduct forensic analysis/examination; and
    • render inaccessible or remove computer data in accessed computer/network.
  • Section 15 authorizes law enforcement to order any person with knowledge about functioning of the system and measures protecting/preserving the data to provide, as reasonable, necessary information to enable the search, seizure, and examination.
  • Section 15 allows requests for extension of time to complete examination and make a return, but never beyond thirty (30) days from court approval.
  • Section 16 imposes custody and sealing:
    • all computer data examined under proper warrant must be deposited with the court in a sealed package within forty-eight (48) hours after expiration of the warrant period;
    • the package must be accompanied by an affidavit stating dates/times covered and identifying access and other relevant data;
    • the law enforcement authority must certify whether duplicates/copies were made and ensure they are included in the package; and
    • the sealed package cannot be opened, recordings replayed, used in evidence, or contents revealed except upon a court order granted only upon motion with due notice and opportunity to be heard to the persons whose conversation/communications were recorded.
  • Section 17 requires immediate and complete destruction upon expiration of preservation and examination periods for both service providers and law enforcement authorities, as applicable, for the computer data subject of preservation/examination.
  • Section 18 establishes an exclusionary rule: evidence procured without a valid warrant or beyond warrant authority is inadmissible in any proceeding before any court or tribunal.
  • Section 19 provides that when computer data is prima facie found in violation, the DOJ issues an order to restrict or block access to such data.
  • Section 20 penalizes noncompliance with Chapter IV provisions, specifically orders from law enforcement authorities, as violation of Presidential Decree No. 1829 with imprisonment of prision correctional in its maximum period or a fine of PHP 100,000 or both, for each and every noncompliance with an order issued by law enforcement authorities.

Jurisdiction and special courts

  • Section 21 grants the Regional Trial Court jurisdiction over any violation of the Act, including violations committed by a Filipino national regardless of place of commission.
  • Section 21 provides jurisdiction when any element is committed within the Philippines, or committed with the use of any computer system wholly or partly situated in the Philippines, or when damage is caused to a natural or juridical person who, at the time of the offense, was in the Philippines.
  • Section 21 requires designation of special cybercrime courts manned by specially trained judges to handle cybercrime cases.

International cooperation and competent national authorities

  • Section 22 provides that all relevant international instruments on international cooperation in criminal matters, arrangements based on uniform or reciprocal legislation, and domestic laws must be given full force and effect to the widest extent possible for investigations/proceedings concerning criminal offenses related to computer systems and data, including collection of electronic evidence.
  • Section 23 creates an Office of Cybercrime within the DOJ designated as the central authority for international mutual assistance and extradition.
  • Section 24 requires creation of the Cybercrime Investigation and Coordinating Center (CICC) within thirty (30) days from effectivity, under administrative supervision of the Office of the President for policy coordination and for formulation and enforcement of the national cybersecurity plan.
  • Section 25 sets CICC composition:
    • Chairperson: Executive Director of ICTO-DOST;
    • Vice Chairperson: Director of NBI;
    • Members: Chief of the PNP, Head of DOJ Office of Cybercrime, and one (1) representative from the private sector and academe;
    • The CICC is manned by a secretariat of selected existing personnel and representatives from participating agencies.
  • Section 26 assigns CICC powers and functions including:
    • formulating a national cybersecurity plan and extending immediate assistance for suppression of real-time commission of cybercrime offenses through a computer emergency response team (CERT);
    • coordinating preparation of appropriate measures to prevent and suppress cybercrime activities under the Act;
    • monitoring cybercrime cases handled by participating law enforcement and prosecution agencies;
    • facilitating international cooperation on intelligence, investigations, training, and capacity building;
    • coordinating support and participation of the business sector, local government units, and nongovernment organizations in prevention programs and related projects;
    • recommending enactment of appropriate laws, issuances, measures, and policies;
    • calling upon any government agency to render assistance for mandated tasks; and
    • performing other matters related to cybercrime prevention and suppression, including capacity building and other necessary duties.

Appropriations, implementing rules, and legal effect

  • Section 27 appropriates PHP 50,000,000.00 annually for implementation of the Act.
  • Section 28 requires ICTO-DOST, DOJ, and DILG to jointly formulate necessary implementing rules and regulations within ninety (90) days from approval of the Act.
  • Section 29 provides separability: invalidity of any provision does not affect other provisions’ full force and effect.
  • Section 30 provides repealing/modification: all laws, decrees, or rules inconsistent with the Act are repealed or modified accordingly, and Section 33(a) of Republic Act No. 8792 is modified accordingly.
