On 13 October 2025, the National Privacy Commission (NPC) issued a statement reaffirming its role as the Philippines’ independent data protection authority under the Data Privacy Act of 2012. The statement clarified that registration with the Commission does not imply approval or confirmation of lawful data processing. It stressed that organisations remain responsible for compliance and safeguarding personal data. The NPC also stressed its exclusive authority to determine the legality of data processing activities and stated that only formal issuances, including decisions or orders.
On 23 September 2025, the National Privacy Commission (NPC) issued a cease-and-desist order (CDO) against Tools for Humanity (TFH), the entity operating the World App and Orb verification system. The order prohibits making the World App available, conducting Orb device verification, and transferring or sharing any previously collected personal data. TFH is also required to submit the total number of Filipino registrants and its operating locations. The NPC found that TFH's data processing practices violated the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other NPC issuances. The CDO was issued on the grounds of invalid consent, as monetary incentives provided by TFH in exchange for iris scanning constituted undue influence. The CDO was also issued on grounds of a lack of transparency for data subjects regarding the purpose, scope, extent, and duration of data processing, as well as the excessive collection of immutable biometric identifiers. Furthermore, the NPC determined that the continued processing of such biometric data exposed Filipino data subjects to risk of identity theft, fraud, and reputational harm.
On 8 September 2025, the Open Access in Data Transmission Act enters into force. The Act mandates that the data transmission sector remain open and accessible to all qualified participants. The National Telecommunications Commission (NTC) shall adopt a technology-neutral framework and promote fair and open competition across all network segments in accordance with the Philippine Competition Act. The Act also requires transparency in pricing, mandates interconnection to prevent market dominance, encourages distributed local solutions, and directs the NTC to define and regulate entities with substantial market power. It also prohibits anti-competitive practices, including refusal to interconnect, anti-competitive cross-subsidisation, throttling, and paid prioritisation.
On 8 September 2025, the Open Access in Data Transmission Act enters into force. The Act requires all segments of the data transmission network to be competitive and open, and all industry participants must register with the National Telecommunications Commission (NTC). The NTC, in coordination with the Department of Information and Communications Technology (DICT) and the Philippine Competition Commission (PCC), shall develop criteria for qualifying participants to encourage broad participation. Operators of international cable landing stations must secure a legislative franchise, and operators of nationwide backbone networks must obtain a permit from the NTC and submit proposed routes and construction plans. All other participants are not required to secure a legislative franchise or certificate of public convenience and necessity (CPCN) but must meet registration criteria. Registered participants must comply with national and international cybersecurity standards, undergo network audits, and obtain third-party cybersecurity certification after three years of operation.
On 8 September 2025, the Open Access in Data Transmission Act, including data protection regulation, enters into force. The Act embeds data protection by requiring providers to safeguard the confidentiality, integrity, and security of transmitted information. It also mandates full compliance with the Data Privacy Act and related cybersecurity laws under the oversight of the National Privacy Commission. It guarantees end users' rights to privacy and non-discriminatory access, prohibits unlawful interception, blocking, or throttling that may compromise data. The Act also establishes penalties, including fines and suspension for violations affecting data security or user rights.
On 27 August 2025, the Philippines' National Privacy Commission adopted an Advisory establishing guidelines on privacy engineering in systems life cycle processes. The Advisory applies to all personal information controllers and personal information processors engaged in processing personal data through data processing systems. The Advisory emphasises privacy-by-design and privacy-by-default implementation across five system development stages, including planning and requirements gathering, designing and development, testing and evaluation, deployment and integration, and operation and maintenance. The Advisory also highlights conducting Privacy Impact Assessments, implementing data minimisation architectures and security measures, including encryption and access controls. The Advisory also stressed regular monitoring and audits, providing clear privacy notices, ensuring default settings provide maximum privacy protection, and training personnel on secure processing.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act mandates that the data transmission sector remain open and accessible to all qualified participants. The National Telecommunications Commission (NTC) shall adopt a technology-neutral framework and promote fair and open competition across all network segments in accordance with the Philippine Competition Act. The Act also requires transparency in pricing, mandates interconnection to prevent market dominance, encourages distributed local solutions, and directs the NTC to define and regulate entities with substantial market power. It also prohibits anti-competitive practices, including refusal to interconnect, anti-competitive cross-subsidisation, throttling, and paid prioritisation.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act requires all segments of the data transmission network to be competitive and open, and all industry participants must register with the National Telecommunications Commission (NTC). The NTC, in coordination with the Department of Information and Communications Technology (DICT) and the Philippine Competition Commission (PCC), shall develop criteria for qualifying participants to encourage broad participation. Operators of international cable landing stations must secure a legislative franchise, and operators of nationwide backbone networks must obtain a permit from the NTC and submit proposed routes and construction plans. All other participants are not required to secure a legislative franchise or certificate of public convenience and necessity (CPCN) but must meet registration criteria. Registered participants must comply with national and international cybersecurity standards, undergo network audits, and obtain third-party cybersecurity certification after three years of operation.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act embeds data protection by requiring providers to safeguard the confidentiality, integrity, and security of transmitted information. It also mandates full compliance with the Data Privacy Act and related cybersecurity laws under the oversight of the National Privacy Commission. It guarantees end users' rights to privacy and non-discriminatory access, prohibits unlawful interception, blocking, or throttling that may compromise data. The Act also establishes penalties, including fines and suspension for violations affecting data security or user rights.
Last updated: 13/10/2025