What is AI regulation in the Philippines?

AI regulation in the Philippines is currently a hybrid model, not a single AI Act. The main binding rules come from the Data Privacy Act of 2012, its implementing rules and National Privacy Commission guidance whenever AI systems process personal data. Around that, the government is building a broader governance framework through the National AI Strategy for the Philippines, emerging public sector guidance and ASEAN's voluntary AI governance instruments. As of 6 June 2026, it remains a privacy-centred, governance-led system.

What this means

In the Philippines, AI is regulated first through existing law rather than a dedicated horizontal AI statute. If an AI system collects, trains on, analyses or uses personal data, the Data Privacy Act and National Privacy Commission rules are usually the starting point. That means the legal questions are often about lawful basis, transparency, proportionality, security, data subject rights and human review, not just whether a tool is labelled "AI".

The framework is broader than privacy, though. The government has approved a national AI strategy through 2028, and public authorities have been consulting on ethical and trustworthy AI rules for government use. At regional level, the Philippines also sits inside ASEAN's soft-law AI framework, which encourages common governance principles without replacing domestic law.

For most organisations, the practical question is not "Is AI allowed?" but "What kind of AI is this, what data does it use, what decision does it influence, who is accountable, and what evidence can we show if a regulator, customer or procurement team asks?"

Why it matters

This matters because the Philippine model already creates real compliance duties for many common AI uses. Customer service assistants, employee copilots, fraud tools, scoring systems, recommendation engines, biometric tools, model training pipelines and public-facing government systems can all trigger privacy duties if personal data is involved.

It also matters because the country is building the paperwork and governance layer that often becomes the basis for later regulation. Privacy impact assessments, lawful basis analysis, notices, records for automated decision-making or profiling, security controls, retention rules, human review routes and challenge mechanisms are not abstract governance ideals. They are the kinds of evidence an organisation may need to satisfy regulators, buyers, internal audit, public procurement teams and counterparties.

The Philippine approach is therefore practical and cumulative. It does not yet look like the EU AI Act, but it can still materially affect how AI systems are sourced, trained, deployed and monitored.

How it works

Binding law starts with the Data Privacy Act

The core legal anchor is the Data Privacy Act of 2012, together with its implementing rules. The Act is technology-neutral, so it applies to personal data processing whether the tool is manual, software-based or AI-enabled. Its basic principles are transparency, legitimate purpose and proportionality. It also sets the lawful bases for processing, special rules for sensitive personal information, data subject rights, security obligations, breach notification duties, criminal penalties and the powers of the National Privacy Commission.

That matters because many AI deployments are really data processing systems in practice. If a business uses AI to sort candidates, support client interactions, flag fraud, personalise offers or generate summaries from personal records, the first legal question is usually whether the processing complies with the Data Privacy Act.

The National Privacy Commission is the main regulator where personal data is involved

The National Privacy Commission, or NPC, is the Philippines' specialist privacy regulator. It administers the Data Privacy Act, issues circulars and advisories, receives complaints, investigates and can enforce compliance through administrative and other measures. In AI matters, the NPC is currently the most important national body whenever personal data is part of the system.

This is why Philippine AI regulation often appears narrower than it is. The country does not yet rely on one sweeping AI law, but it does have an active privacy regulator applying existing law to new technologies. For many organisations, that is the real regulatory touchpoint today.

AI-specific privacy guidance adds practical duties

In late 2024, the NPC issued guidance specifically on AI systems processing personal data. The advisory applies where personal data is involved in the development or deployment of AI systems, including training and testing. It makes clear that ordinary privacy duties still apply, but it also adds more AI-specific expectations.

In practice, the advisory pushes organisations to explain more and document more. It expects transparency about the nature and purpose of the processing, the factors and inputs considered by the AI system, the risks, the expected output, the impact on data subjects and available dispute mechanisms. It also expects governance measures such as privacy impact assessments, privacy-by-design and privacy-by-default, security standards, ongoing monitoring, retraining and scrubbing, and ways for humans to intervene and review AI-generated results.

The same advisory also addresses fairness. It expects organisations to identify and monitor bias, limit harmful bias and avoid "AI washing", meaning overstating AI capability or involvement in a way that harms or misleads data subjects. It also stresses data minimisation, meaning personal data should be excluded by default if it is unlikely to improve the AI system.

Automated decision-making and profiling have extra safeguards

Philippine privacy rules are especially important when AI is used for profiling or automated decision-making. The implementing rules say data subjects have the right to be informed about automated decision-making and profiling, including meaningful information about the logic involved and the significance and envisaged consequences for them. They also have rights to object, access, rectification and erasure or blocking, subject to legal limits.

The rules are particularly cautious where automation becomes the sole basis for significant decisions. The implementing rules state that no decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the data subject's consent. The newer AI advisory adds another layer by expecting meaningful human intervention and a route to question or contest automated decisions when the effect poses a significant risk to rights and freedoms.

This does not amount to a total ban on AI-assisted decisions. It does mean organisations should distinguish between AI used as support for a human decision and AI used as the operative basis for a significant determination.

Registration and notification rules can catch AI systems

The NPC has also set operational rules on registration of data processing systems, designation of data protection officers and notification regarding automated decision-making or profiling. Those rules matter because some AI deployments are not just general data processing. They may fall into specific registration or notification channels.

A data processing system involving automated decision-making or profiling must, in all cases, be registered with the Commission under the relevant NPC circular. The same framework also requires organisations to record information about the lawful basis, logic and effects of the automated processing. For operators, this makes AI governance partly an evidential exercise. If you cannot describe the system well enough to register, defend or explain it, you may already have a compliance problem.

Publicly available data is not a free pass

A major practical point for model training and data acquisition is that public availability does not cancel privacy protection. The AI advisory states that publicly available personal data does not lose the protection of the Data Privacy Act simply because it is public. In April 2026, the NPC reinforced that position with separate guidance on data scraping of publicly available personal data.

That newer guidance is especially relevant for AI development. It says public availability is not consent for broader processing, requires an appropriate lawful basis, expects privacy notices where required, calls for proportionality and privacy impact assessments, and warns against excessive or indiscriminate scraping. It also says scraping sensitive personal information is prohibited unless strict conditions are met, and it treats unauthorised scraping, including bypassing technical restrictions, as a possible source of administrative, civil and criminal liability.

For organisations building or fine-tuning models, this is a durable point: "public" does not mean "unregulated".

National AI policy is broader than hard law

Alongside privacy law, the Philippines is building a broader AI governance architecture through national strategy. DOST has said that the National AI Strategy for the Philippines, or NAIS-PH, was approved by the President in May 2025. Official materials describe a framework running through 2028 and organised around five core strategies: infrastructure, workforce, innovation, ethics and policy, and deployment.

That is important because NAIS-PH is not just a vision statement. It signals how the state intends to organise capability, governance, skills, public infrastructure and institutional ownership. It also points to a whole-of-government model rather than a single dedicated AI ministry. Official materials refer to coordination across DOST, DICT, DTI, education and training bodies, labour authorities and statistics agencies.

This still differs from a hard-law regime with system categories, fines by default or pre-market conformity duties. But it can shape procurement expectations, public funding, infrastructure build-out, inter-agency coordination and future rulemaking.

Public sector AI governance is still developing

For government use of AI, the position is still emerging. DICT and the Civil Service Commission have publicly consulted on a draft Joint Memorandum Circular on the principles and guidelines for an ethical and trustworthy use of AI in government. The draft is framed around the idea that AI use should be justified, appropriate in context, necessary and proportionate to legitimate aims.

That is a meaningful signal, but it is not the same as a final, comprehensive cross-government AI code. As of 6 June 2026, the key point is that government-use AI governance is moving forward, but still through drafts, consultations, strategy work and capacity building rather than a fully settled national rulebook.

ASEAN provides the regional frame

The Philippines' national approach sits inside ASEAN's AI governance framework. The ASEAN Guide on AI Governance and Ethics is a voluntary guide, not binding legislation. It is designed to encourage alignment and interoperability across ASEAN jurisdictions and is meant to help organisations and governments design, develop and deploy AI responsibly. Its principles include transparency and explainability, fairness and equity, security and safety, human-centricity, privacy and data governance, accountability and integrity, and robustness and reliability.

ASEAN later added an expanded guide for generative AI, again on a voluntary basis. Philippine official materials refer to these ASEAN instruments as part of the country's developing AI governance landscape. In practical terms, ASEAN guidance is best understood as a regional benchmark and navigation tool. It helps shape expectations, but Philippine domestic law remains the binding layer.

What the Philippine model is, and what it is not

The Philippine model is best described as governance-led and privacy-led. It relies on an existing personal data regime, regulator guidance, registration and notification rules, strategic policy work, public sector consultation and ASEAN soft law. It is strongest where AI systems process personal data or affect people in a way that requires explanation, fairness, lawful basis and human review.

It is not yet a single omnibus AI regime with one statute, one AI regulator, one national classification system and one cross-sector licensing architecture. That gap matters, especially for non-personal-data risks such as model safety, misinformation, intellectual property, competition or labour effects. Those issues may still be addressed through other laws or sector rules, but not through one settled horizontal AI code.

Examples

A Civil Service Commission use case shows how the current model works in practice. In 2024, the NPC said it saw no manifest conflict in using AI, including ChatGPT, to improve the Civil Service Commission's correspondence. But it did not treat that as a blanket approval. It said the user must still comply with the Data Privacy Act, follow privacy principles, rely on a lawful basis when personal data is processed, uphold data subject rights and assess the use through a privacy impact assessment.

A model training or data collection workflow is another clear example. If an organisation scrapes publicly available personal data from websites or platforms for AI training, Philippine privacy law still applies. Public availability is not enough on its own. The organisation must identify a lawful basis, limit collection to what is necessary, take account of the data subject's reasonable privacy expectations, document the activity through a privacy impact assessment and avoid circumvention or deceptive collection practices.

A third example is an AI scoring or profiling system used by an employer, lender, insurer or platform. Under current rules, the operator should ask whether the system is doing profiling or automated decision-making, whether any decision significantly affects the person, whether the AI is operating as the sole basis for a decision, whether notification or registration is required, and how a person can obtain an explanation, object, seek correction and obtain meaningful human review where the risk is serious.

Common misunderstandings

"The Philippines has no AI regulation at all." Not quite. The country does not yet have a single omnibus AI law in force, but AI systems that process personal data are already regulated through the Data Privacy Act, its implementing rules and NPC issuances.

"Only AI developers need to worry." Wrong. In the Philippine framework, deployers, controllers and processors using AI with personal data usually carry the main operational duties.

"If personal data is public, it is free to scrape for training." No. Publicly available personal data remains protected, and scraping still requires a lawful basis and proportionate handling.

"The NPC AI advisory created a full AI statute." No. It is guidance on how existing privacy law applies to AI systems processing personal data. It is important, but it is not a general AI Act.

"ASEAN's AI guide is automatically binding in the Philippines." No. It is voluntary regional guidance. Philippine domestic law and regulator issuances are the binding layer.

Risks and boundaries

The present framework has real force, but it is partial. Its strongest and clearest application is where AI involves personal data. If an AI system does not process personal data, or if the main issue is competition, copyright, deepfakes, consumer deception, labour effects or frontier model safety, the legal picture becomes more distributed and less settled.

There is also an important difference in legal force. The Data Privacy Act, its implementing rules and applicable circulars are binding. NPC advisories are guidance, not a new statute. National strategy documents are policy instruments, not a blanket authorisation to deploy any AI system. ASEAN guides are voluntary and do not override domestic law.

As of 6 June 2026, the Philippines still appears to be between stages. National strategy has advanced, public sector AI guidance has been publicly consulted on, and broader AI legislation has been proposed, but the country is still not operating under a single comprehensive horizontal AI code. That means organisations should avoid over-claiming certainty, especially for high-risk or public-facing systems.

A final boundary is that privacy compliance is necessary but not always sufficient. An AI system can be privacy-compliant and still raise procurement, consumer protection, discrimination, safety, employment, sector supervision or reputational issues.

What to do next

Start by inventorying AI uses rather than debating AI in the abstract. Identify which systems touch personal data, which ones involve profiling or automated decisions, which ones affect staff or customers in a significant way, and which ones rely on data gathered from public sources or foreign vendors.

Then build the Philippine evidence file for each material use case: lawful basis, privacy notice position, privacy impact assessment, system description, data map, retention logic, security controls, human review design, challenge route for affected individuals, and registration or notification analysis under the NPC rules where relevant. If a vendor cannot help you explain the system, its inputs, its logic or its review path, treat that as a governance problem.

At leadership level, track three moving layers at once: binding privacy law and NPC enforcement, implementation of NAIS-PH and related public infrastructure, and new public sector or legislative developments that could harden the framework. In the meantime, align internal governance with ASEAN-style principles such as transparency, accountability, privacy, fairness and robustness, because those are already echoed in Philippine policy and practice.

FAQs

Does the Philippines already have a general AI Act in force?

Not as a single omnibus national statute. As of 6 June 2026, the main binding rules still come from the Data Privacy Act, its implementing rules and related NPC issuances where AI processes personal data.

Which regulator matters most today for AI deployment?

If personal data is involved, the National Privacy Commission is the most important regulator. Other agencies matter for strategy, procurement, sector supervision and public administration, but the NPC is the clearest current legal touchpoint.

Are public datasets free to use for AI training?

No. Philippine guidance makes clear that publicly available personal data remains protected. Public availability is not the same as consent, and scraping or reuse still needs a lawful basis and proportionate handling.

Do AI systems have to be registered with the NPC?

Some do. The key question is whether the system is a covered data processing system and whether it involves automated decision-making or profiling. In those cases, NPC registration and related notification duties can apply.

Can an organisation let AI make important decisions on its own?

Philippine privacy rules are cautious here. Significant decisions that rely only on automated processing need especially careful handling, and AI uses that pose serious risk to rights and freedoms should include meaningful human review and a route to question or contest the result.

Is ASEAN AI guidance legally binding in the Philippines?

No. ASEAN guidance is voluntary. It is useful as a regional benchmark and governance reference, but it does not replace Philippine law.

What is most likely to change next?

The most likely shifts are further implementation of NAIS-PH, additional operational guidance for government use, and possible movement toward broader AI legislation or sector-specific rules.

Sources