IT has been about three and a half years since the National Privacy Commission (NPC) hit the ground running to implement Republic Act 10173, or the “Data Privacy Act of 2012” (DPA). While the regulatory measure was passed into law in August 2012, the NPC was convened only in March 2016, or roughly three and a half years after. Among the NPC’s first tasks was to investigate the data breach incident at the Commission on Elections. Dubbed the “ComeLeak,” the incident occurred just a month before the 2016 national and local elections.