Understanding NPC Advisory Opinion No. 2024-016: Disclosure of Personal Data Pursuant to a Mission Order by the Bureau of Internal Revenue

National Privacy Commission (“NPC”) Advisory Opinion No. 2024-016 provides critical guidance on the disclosure of personal data in response to a Mission Order (“MO”) from the Bureau of Internal Revenue (“BIR”). The advisory addresses concerns regarding the disclosure of sensitive personal information during a Tax Compliance Verification Drive (“TCVD”), ensuring that tax compliance efforts do not violate the Data Privacy Act (“DPA”).

The inquiry involved a verbal request from BIR officers for specific data on residential units being leased out. As part of their tax compliance checks, the BIR sought information such as: (a) a list of residential units being leased out, (b) the names and contact information of unit owners, and (c) copies of notarized lease contracts. While the purpose of these requests was related to verifying tax compliance in relation to rental income, concerns were raised about the potential violation of data privacy rights under the DPA, especially given the verbal nature of the request and the lack of specificity regarding the relevant tax compliance activities.

The NPC explained that under the DPA and its Implementing Rules and Regulations, there are specific exemptions related to public authorities conducting activities pursuant to their constitutional or statutory mandates. The BIR, as a government body tasked with ensuring compliance with the National Internal Revenue Code (“NIRC”), is legally empowered to request data for purposes related to tax compliance. However, these exemptions must be interpreted strictly. The collection, use, or disclosure of personal data by public authorities must be limited to the minimum necessary information required to carry out their specific regulatory function. It must also adhere strictly to constitutional and statutory processes and safeguard data subject rights. 

The BIR has clear authority under the NIRC to collect information necessary for tax audits and investigations. In the case of TCVD, Section V.1.2 of Revenue Memorandum Order No. 9-2006 outlines the types of data the BIR can access, including lists of registered taxpayers, business permits, and professional tax receipts. The BIR’s role is to ensure that taxes are properly reported and paid, which may involve accessing personal data to verify tax liabilities. However, while the DPA does not prohibit the BIR from processing personal data for tax-related investigations, it does require that the BIR adhere to the core principles of data privacy, such as legitimacy, necessity, and proportionality.

The advisory emphasized the principle of proportionality—entailing that the data requested must be necessary and relevant to the tax verification process. In this case, the BIR requested contact numbers of unit owners and copies of notarized lease contracts without explicitly justifying how these details were necessary to the tax compliance objectives. Such broad and unspecific requests could potentially be seen as excessive or intrusive, going beyond what is needed to meet tax compliance requirements. The NPC recommended that the BIR clearly outline the need for each requested piece of information and assess whether it directly supports the purpose of the TCVD. To ensure compliance with both tax obligations and data privacy laws, the NPC recommended that those subject to BIR’s TCVD request clarification from the BIR regarding the necessity of each piece of requested information. Moreover, the NPC pointed out that it does not have the jurisdiction nor authority to dictate the form or documentation the BIR should provide. The responsibility lies with the BIR to establish the proper format and regulatory guidelines for tax compliance processes.