Last review date: 30 December 2023

☒ omnibus – all personal data

☐ sector-specific — e.g., financial institutions, governmental bodies

☐ constitutional

Last review date: 30 December 2023

The following are the key data privacy and security laws and regulations in the Philippines:

• Data Privacy Act
• Implementing Rules and Regulations of the Data Privacy Act
• National Privacy Commission Circulars
• National Privacy Commission Advisories
• Decisions of the NPC, Supreme Court, Court of Appeals, and other government bodies

Last review date: 30 December 2023

The following are the key cybersecurity laws and regulations in the Philippines:

• Internet Transactions Act
• Implementing Rules and Regulations of the Expanded Anti-Trafficking in Persons Act
• Cybercrime Prevention Act
• Implementing Rules and Regulations of the Cybercrime Prevention Act
• Rule on Cybercrime Warrants
• Budapest Convention on Cybercrime
• Electronic Commerce Act
• Implementing Rules and Regulations of the Electronic Commerce Act
• Anti-Online Sexual Abuse or Exploitation of Children and Anti-Child Sexual Abuse or Exploitation Materials Act
• Access Devices Regulation Act
• Anti-Photo and Video Voyeurism Act
• Subscriber Identity Module (SIM) Registration Act
• Mobile Number Portability Act
• Philippine Central Bank Circular No. 1019, series of 2018 on Technology and Cyber-Risk Reporting and Notification Requirements
• Philippine Central Bank Circular No. 808, series of 2013 on Guidelines on Information Technology Risk Management for All Banks And Other BSP Supervised Institutions
• Philippine Department of Information and Communications Technology (DICT) Memorandum Circular No. 005 on Prescribing the Policies, Rules and Regulations on the Protection of Critical Infrastructure (CII) Stipulated in the National Cybersecurity Plan (NCSP) 2022
• DICT Memorandum Circular No. 006 on Prescribing the Policies, Rules and Regulations on the Protection of Government Agencies Stipulated in the National Cybersecurity Plan (NCSP) 2022
• DICT Memorandum Circular No. 007 on Prescribing the Policies, Rules and Regulations on the Protection of Individuals Stipulated in the National Cybersecurity Plan (NCSP) 2022
• DICT Department Circular No. 2017-002 on Prescribing the Philippine Government's Cloud First Policy

Last review date: 30 December 2023

Yes.

There are pending bills before the Philippine Congress that seek to amend the Philippine Data Privacy Act (DPA). Please note that all the pending amendatory bills are currently in the first reading (initial stage) and have not been certified as urgent by the Philippine President to date.

Some of the notable changes sought to be introduced by these amendatory bills include:

• Excluding from the scope of the DPA any processing of personal data that are necessary to address a health crisis upon a declaration of a national health emergency or pandemic.
• Including biometric data for the purpose of uniquely identifying a natural person in the definition of sensitive personal information.
• Defines the digital age of consent to process personal information to more than 15 years, applicable where information society services are provided and offered directly to a child (as children more than 15 years old under Philippine laws may already act with discernment).

A draft Executive Order (EO) on Policy Guidelines on Data localization of Data Stored on the Cloud is also pending before the Department of Information Communications and Technology (DICT) for deliberations. The draft EO imposes data residency requirements for intermediaries and private entities with transactions, contracts, or data related to, in connection with or arising from the rendition of cloud computing services for:

1. The Philippine government
2. Private entities processing sensitive personal information
3. Private entities processing subscriber’s information
4. Health care providers, and
5. Private entities processing confidential information as declared under law.

Under the draft EO, the covered private entities must comply with the following requirements: 

1. Identifying the subscriber information, personal information, and sensitive personal information declared to be confidential that are in their possession
2. Adhering to cybersecurity and data protection policies issued by their respective regulatory bodies
3. Submission to their respective regulatory agencies monthly updates regarding their compliance or to the National Privacy Commission, if unregulated.

From previous statements of the DICT, it appears that they are against the data localization stating, that they support the cross-border data flow and maintenance of an open and enabling policy on data governance.