How are data and cybersecurity laws/regulations implemented?
Last review date: 7 January 2025
☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
What are the key data privacy laws and regulations?
Last review date: 7 January 2025
- Data Privacy Act
- Implementing Rules and Regulations of the Data Privacy Act
- National Privacy Commission Circulars
- National Privacy Commission Advisories
- Decisions of the NPC, Supreme Court, Court of Appeals, and other government bodies
What are the key cybersecurity laws and regulations?
Last review date: 7 January 2025
- Anti-Financial Account Scamming Act (AFASA)
- Internet Transactions Act
- Implementing Rules and Regulations of the Internet Transactions Act
- Implementing Rules and Regulations of the Expanded Anti-Trafficking in Persons Act
- Cybercrime Prevention Act
- Implementing Rules and Regulations of the Cybercrime Prevention Act
- Rule on Cybercrime Warrants
- Budapest Convention on Cybercrime
- Electronic Commerce Act
- Implementing Rules and Regulations of the Electronic Commerce Act
- Anti-Online Sexual Abuse or Exploitation of Children and Anti-Child Sexual Abuse or Exploitation Materials Act
- Access Devices Regulation Act
- Anti-Photo and Video Voyeurism Act
- Subscriber Identity Module (SIM) Registration Act
- Mobile Number Portability Act
- Philippine Central Bank Circular No. 1019, series of 2018 on Technology and Cyber-Risk Reporting and Notification Requirements
- Philippine Central Bank Circular No. 982, series of 2017 on Enhanced Guidelines on Information Security Management
- Philippine Central Bank Circular No. 808, series of 2013 on Guidelines on Information Technology Risk Management for All Banks And Other BSP Supervised Institutions
- Philippine Department of Information and Communications Technology (DICT) Memorandum Circular No. 005 on Prescribing the Policies, Rules and Regulations on the Protection of Critical Infrastructure (CII) Stipulated in the National Cybersecurity Plan (NCSP) 2022
- DICT Memorandum Circular No. 006 on Prescribing the Policies, Rules and Regulations on the Protection of Government Agencies Stipulated in the National Cybersecurity Plan (NCSP) 2022
- DICT Memorandum Circular No. 007 on Prescribing the Policies, Rules and Regulations on the Protection of Individuals Stipulated in the National Cybersecurity Plan (NCSP) 2022
- DICT Department Circular No. 2017-002 on Prescribing the Philippine Government's Cloud First Policy
What are the key laws and regulations relating to non-personal data?
Last review date: 7 January 2025
- Revised Penal Code
- Civil Code of the Philippines
- Intellectual Property Code
- Philippine Competition Act
- Implementing Rules and Regulations of the Philippine Competition Act
- Cybercrime Prevention Act
- Implementing Rules and Regulations of the Cybercrime Prevention Act
- Electronic Commerce Act
- Implementing Rules and Regulations of the Electronic Commerce Act
- Commission on Elections Resolution No. 11064 on Guidelines on the Use of Social Media, Artificial Intelligence, and Internet Technology, for Digital Election Campaign, and the Prohibition and Punishment of its Misuse for Disinformation, and Misinformation, in Connection with the 2025 National and Local Elections and the BARMM Parliamentary Elections
- NTC Memorandum Circular No. 02-05-2008 on Value Added Services
- NTC Memorandum Circular No. 03-03-2005-A on Broadcast Messaging
- FDA Administrative Order No. 2020-0010 on Regulations on the Conduct of Clinical Trials for Investigational Products
- FDA Circular No. 2020-03 on Guidelines for Pharmaceutical Industry for Pharmacovigilance
Are new or material changes to those key data and cybersecurity laws anticipated in the near future?
Last review date: 7 January 2025
Yes.
There are pending bills before the Philippine Congress that seek to amend the Philippine Data Privacy Act (DPA). Please note that all the pending amendatory bills are currently in the first reading (initial stage) and have not been certified as urgent by the Philippine President to date.
Some of the notable changes sought to be introduced by these amendatory bills include:
- Excluding from the scope of the DPA any processing of personal data that is necessary to address a health crisis upon a declaration of a national health emergency or pandemic
- Including biometric data for the purpose of uniquely identifying a natural person in the definition of sensitive personal information
- Defining the digital age of consent to process personal information to more than 15 years old, which will be applicable where information society services are provided and offered directly to a child (as children more than 15 years old under Philippine laws may already act with discernment).
In addition, the Philippine government, specifically the Department of Information and Communications Technology, is currently pushing the Philippine Congress to pass a comprehensive law on cybersecurity.
Finally, we anticipate that the Philippine government will release the implementing rules and regulations of the AFASA within the year.