On 13 October 2025, the National Privacy Commission (NPC) issued a statement reaffirming its role as the Philippines’ independent data protection authority under the Data Privacy Act of 2012. The statement clarified that registration with the Commission does not imply approval or confirmation of lawful data processing. It stressed that organisations remain responsible for compliance and safeguarding personal data. The NPC also stressed its exclusive authority to determine the legality of data processing activities and stated that only formal issuances, including decisions or orders.
On 23 September 2025, the National Privacy Commission (NPC) issued a cease-and-desist order (CDO) against Tools for Humanity (TFH), the entity operating the World App and Orb verification system. The order prohibits making the World App available, conducting Orb device verification, and transferring or sharing any previously collected personal data. TFH is also required to submit the total number of Filipino registrants and its operating locations. The NPC found that TFH's data processing practices violated the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other NPC issuances. The CDO was issued on the grounds of invalid consent, as monetary incentives provided by TFH in exchange for iris scanning constituted undue influence. The CDO was also issued on grounds of a lack of transparency for data subjects regarding the purpose, scope, extent, and duration of data processing, as well as the excessive collection of immutable biometric identifiers. Furthermore, the NPC determined that the continued processing of such biometric data exposed Filipino data subjects to risk of identity theft, fraud, and reputational harm.
On 8 September 2025, the Open Access in Data Transmission Act enters into force. The Act mandates that the data transmission sector remain open and accessible to all qualified participants. The National Telecommunications Commission (NTC) shall adopt a technology-neutral framework and promote fair and open competition across all network segments in accordance with the Philippine Competition Act. The Act also requires transparency in pricing, mandates interconnection to prevent market dominance, encourages distributed local solutions, and directs the NTC to define and regulate entities with substantial market power. It also prohibits anti-competitive practices, including refusal to interconnect, anti-competitive cross-subsidisation, throttling, and paid prioritisation.
On 8 September 2025, the Open Access in Data Transmission Act enters into force. The Act requires all segments of the data transmission network to be competitive and open, and all industry participants must register with the National Telecommunications Commission (NTC). The NTC, in coordination with the Department of Information and Communications Technology (DICT) and the Philippine Competition Commission (PCC), shall develop criteria for qualifying participants to encourage broad participation. Operators of international cable landing stations must secure a legislative franchise, and operators of nationwide backbone networks must obtain a permit from the NTC and submit proposed routes and construction plans. All other participants are not required to secure a legislative franchise or certificate of public convenience and necessity (CPCN) but must meet registration criteria. Registered participants must comply with national and international cybersecurity standards, undergo network audits, and obtain third-party cybersecurity certification after three years of operation.
On 8 September 2025, the Open Access in Data Transmission Act, including data protection regulation, enters into force. The Act embeds data protection by requiring providers to safeguard the confidentiality, integrity, and security of transmitted information. It also mandates full compliance with the Data Privacy Act and related cybersecurity laws under the oversight of the National Privacy Commission. It guarantees end users' rights to privacy and non-discriminatory access, prohibits unlawful interception, blocking, or throttling that may compromise data. The Act also establishes penalties, including fines and suspension for violations affecting data security or user rights.
On 27 August 2025, the Philippines' National Privacy Commission adopted an Advisory establishing guidelines on privacy engineering in systems life cycle processes. The Advisory applies to all personal information controllers and personal information processors engaged in processing personal data through data processing systems. The Advisory emphasises privacy-by-design and privacy-by-default implementation across five system development stages, including planning and requirements gathering, designing and development, testing and evaluation, deployment and integration, and operation and maintenance. The Advisory also highlights conducting Privacy Impact Assessments, implementing data minimisation architectures and security measures, including encryption and access controls. The Advisory also stressed regular monitoring and audits, providing clear privacy notices, ensuring default settings provide maximum privacy protection, and training personnel on secure processing.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act mandates that the data transmission sector remain open and accessible to all qualified participants. The National Telecommunications Commission (NTC) shall adopt a technology-neutral framework and promote fair and open competition across all network segments in accordance with the Philippine Competition Act. The Act also requires transparency in pricing, mandates interconnection to prevent market dominance, encourages distributed local solutions, and directs the NTC to define and regulate entities with substantial market power. It also prohibits anti-competitive practices, including refusal to interconnect, anti-competitive cross-subsidisation, throttling, and paid prioritisation.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act requires all segments of the data transmission network to be competitive and open, and all industry participants must register with the National Telecommunications Commission (NTC). The NTC, in coordination with the Department of Information and Communications Technology (DICT) and the Philippine Competition Commission (PCC), shall develop criteria for qualifying participants to encourage broad participation. Operators of international cable landing stations must secure a legislative franchise, and operators of nationwide backbone networks must obtain a permit from the NTC and submit proposed routes and construction plans. All other participants are not required to secure a legislative franchise or certificate of public convenience and necessity (CPCN) but must meet registration criteria. Registered participants must comply with national and international cybersecurity standards, undergo network audits, and obtain third-party cybersecurity certification after three years of operation.
On 24 August 2025, the Open Access in Data Transmission Act was enacted into law, following being sent to the President for approval on 24 July 2025. In accordance with Section 27 of Article 6 of the Philippine Constitution, if the President does not sign a bill within 30 days of receipt, it automatically becomes law. The Act embeds data protection by requiring providers to safeguard the confidentiality, integrity, and security of transmitted information. It also mandates full compliance with the Data Privacy Act and related cybersecurity laws under the oversight of the National Privacy Commission. It guarantees end users' rights to privacy and non-discriminatory access, prohibits unlawful interception, blocking, or throttling that may compromise data. The Act also establishes penalties, including fines and suspension for violations affecting data security or user rights.
On 2 July 2025, the Artificial Intelligence Regulation Act (AIRA/SBN-25), which includes data protection regulation, was introduced to the Senate. AIRA creates a regulatory regime for the development and use of AI, including artificial general intelligence (AGI), artificial superintelligence (ASI), and AI foundation models, and applies to all AI developers and deployers in the Philippines. Under AIRA, one of the conditions for mandatory registration of AI systems under section 12 would be the provision of information regarding data sources, the intended use of data, safeguards used in training and development, as well as the status or date of data collection and processing. Further, AI systems classified as high-risk under section 16 of AIRA would be required to undergo data privacy reviews before being certified for use.
On 2 July 2025, the Artificial Intelligence Regulation Act (AIRA/SBN-25), which includes user/subject rights, was introduced to the Senate. AIRA creates a regulatory regime for the development and use of AI, including artificial general intelligence (AGI), artificial superintelligence (ASI), and AI foundation models, and applies to all AI developers and deployers in the Philippines. Section 17 of AIRA would require AI developers and deployers to conduct algorithmic audits testing for bias, security, and privacy, as well as clearly disclosing to users when they are interacting with AI systems, while developers or deployers of high-risk AI systems would also need to undertake an algorithmic impact assessment under section 16. The protection of user/subject rights is further enshrined in section 20, which sets out the enforcement regime of AIRA. Failure to provide disclaimers for AI-generated content would be classed as particularly egregious in sensitive contexts, such as political, medical, educational, or legal contexts. Platforms and publishers would also liable for failing to implement monitoring or compliance protocols in this respect. Further prohibited acts would include using AI to manipulate public opinion and misrepresenting AI content as human-made.
On 2 July 2025, the Artificial Intelligence Regulation Act (AIRA/SBN-25), which includes a design requirement, was introduced to the Senate. AIRA creates a regulatory regime for the development and use of AI, including artificial general intelligence (AGI), artificial superintelligence (ASI), and AI foundation models, and applies to all AI developers and deployers in the Philippines. AIRA also contains a number of design requirements for developers and deployers. Section 12 would require the registration of all AI systems. One of the preconditions for registering an AI system is a certification that the system has built-in mechanisms and filters preventing its use for facilitating crime, fraud, or harm. Further, section 17 would require the provision of a clear mechanism for immediately disabling an AI system if it behaves unpredictably, exceeds its intended function autonomously, causes harm, or commits a crime or fraud.
On 2 July 2025, the Artificial Intelligence Regulation Act (AIRA/SBN-25), which includes a business registration requirement, was introduced to the Senate. AIRA creates a regulatory regime for the development and use of AI, including artificial general intelligence (AGI), artificial superintelligence (ASI), and AI foundation models, and applies to all AI developers and deployers in the Philippines. Section 11 of AIRA would require the National AI Commission (NAIC) to establish the National Registry of AI system. Registration would be mandatory for all persons intending to develop, deploy, operate, import, sell, or provide access to AI systems in the Philippines. Registration would require the provision of certain information about an AI system, such as intended purpose, information about training data, risk classification according to AIRA's three-tiered system, and redress mechanisms. Registration with NAIC would be a prerequisite for obtaining licenses or government authorisation.
On 2 July 2025, the Artificial Intelligence Regulation Act (AIRA/SBN-25), which includes artificial intelligence authority governance provisions, was introduced to the Senate. AIRA creates a regulatory regime for the development and use of AI, including artificial general intelligence (AGI), artificial superintelligence (ASI), and AI foundation models, and applies to all AI developers and deployers in the Philippines. Section 5 of the Act establishes the National AI Commission (NAIC) as an agency attached to the Department of Science and Technology. NAIC would have exclusive jurisdiction in relation to AI, with the duty to maintain a national AI registry, issue AI guidelines, implement a risk-based regulatory framework, create and manage a complaints system on AI, and oversee enforcement. Further, under section 15, NAIC would be required to establish an AI Ethics Review Board, which would issue implementing guidelines, sanctions for non-compliance, and review risks related to AI applications. Section 18 would give NAIC additional powers in relation to employment and labour protection, which may include requiring employers intending to integrate AI in ways that could affect the labour rights of employees to submit advance notification and impact assessments. Finally, section 20 specifies AIRA's enforcement regime, outlining prohibited practices, which include failure to register, the use of AI systems to commit crimes, violations of AIRA safeguards, failure to disclose or misrepresentation of AI-generated content, negligent operation of AI systems, and the use of AI to manipulate public opinion. Sanctions include mandatory compliance training, license suspension, monetary penalties, and imprisonment.
Last updated: 13/10/2025