Philippines AI Note

Philippines –

• Data Privacy Act of 2012 [IN FORCE]

This is the core framework governing personal data processing, including AI-enabled processing.

• Cybercrime Prevention Act of 2012 [IN FORCE]

This applies to AI-enabled conduct where such systems are used to commit or facilitate cybercrimes (e.g., computer-related fraud, identity theft, cyber libel, illegal access, or data interference). It also provides the legal basis for investigation, collection of electronic evidence, and prosecution of offenses involving automated or AI-assisted activities, with enforcement supported by agencies such as the Cybercrime Investigation and Coordinating Center (CICC) and law enforcement units.

• E-Governance Act [IN FORCE]

This governs AI-enabled systems only insofar as they fall within “emerging technologies” and are deployed as part of E-Government programs. It does not establish AI-specific rules, but requires that such systems comply with the E-Government Master Plan (EGMP) and the Philippine Government Interoperability Framework (PGIF), as well as applicable data privacy, cybersecurity, and information security standards, with the DICT responsible for issuing technical standards and ensuring interoperability and system integration across government ICT systems.

• Internet Transactions Act of 2023 [IN FORCE]

This applies to AI-enabled systems only to the extent they are used in covered internet transactions, digital platforms, e-marketplaces, e-retailers, or online merchants. It does not provide AI-specific rules, but regulates e-commerce activities, imposes consumer protection and platform obligations, and requires compliance with applicable data privacy and information security standards.

• NPC Circular No. 2022-04 [IN FORCE]

This imposes registration of data processing systems and mandatory notification of automated decision-making or profiling, including disclosure of logic, lawful basis, and potential impact on data subjects.

• COMELEC Resolution No. 11064 (as amended by 11064-A) [NO LONGER IN FORCE]

This regulates AI use in elections by requiring registration of official digital platforms, disclosures for AI-generated content, and providing enforcement mechanisms (including takedown coordination and election offense proceedings).

• Supreme Court A.M. No. 25-11-28-SC [IN FORCE]

This establishes a governance framework for AI in the judiciary, including prior authorization, risk assessment, auditability, monitoring, and incident reporting requirements.

• DepEd Order No. 003, s. 2026 [IN FORCE]

This requires Privacy Impact Assessments, registration of AI systems in a centralized registry, and adoption of a risk-based approach for AI deployment in education.

• Konektadong Pinoy Act IRR [IN FORCE]

This imposes cybersecurity-related obligations relevant to AI systems, including impact assessments, audits, certification mechanisms, and reporting of material incidents to DICT (including coordination with national CERT structures).

• BSP Circular No. 1153 [IN FORCE]

This applies to artificial intelligence/machine learning (AI/ML) use in financial services by requiring controlled testing (regulatory sandbox), risk identification, safeguards, and supervisory oversight before broader deployment.

In the Philippines, there is no comprehensive AI-specific statute governing the development or use of artificial intelligence, although there are a number of pending bills seeking to establish a national AI framework. At present, AI systems are regulated through the application of existing legal frameworks, with legal assessment focused on the effects and outcomes of AI-enabled conduct rather than the technology itself.

In practice, AI use is evaluated under established areas of law such as data privacy, cybercrime, consumer protection, and sector-specific regulation. These frameworks apply to AI in the same manner as other digital or automated tools, with AI treated as a means by which regulated activities are carried out rather than as a distinct legal category. Notably, some recent issuances adopt a structured, risk-based approach similar to the EU AI Act. The Supreme Court, through A.M. No. 25-11-28-SC, classifies AI systems into prohibited, high-risk, limited-risk, and minimal-risk categories, with corresponding consequences such as prohibition for unacceptable uses and stricter safeguards for higher-risk systems. The Department of Education, through DepEd Order No. 003, s. 2026, adopts a similar tiered classification and ties each category to differentiated obligations, including mandatory safeguards and human oversight.

Attribution of AI outputs, decisions, or errors is not addressed through AI-specific liability rules. Responsibility continues to attach to natural or juridical persons under existing legal principles, such as control, negligence, or contractual obligation.

Overall, the Philippine approach remains grounded in existing legal frameworks, supplemented by sector-specific developments that introduce risk-based classification and governance measures, rather than a single, comprehensive AI regulatory regime.

Philippines

Enacted law

There is currently no dedicated statute specifically governing artificial intelligence. AI-related conduct continues to be regulated through existing sectoral laws, such as data privacy, cybercrime, and financial regulation, supplemented by administrative issuances.

Proposals, drafts, or consultations

Several bills have been filed in the 20th Congress proposing the establishment of a comprehensive national AI framework. These include House Bills Nos. 13, 1920, 2827, 3195, 5158, 6920, 658, 659, 598, 6028, 2323, and 3462, which generally seek to create a Philippine Artificial Intelligence Council or Commission, adopt standards for ethical and accountable AI use, and regulate high-risk AI systems. All of these measures remain pending and have not been enacted into law. This legislative activity is situated within broader policy discussions reflected in the Congressional Policy and Budget Research Department’s Discussion Paper, Global Trends in the Regulation and Governance of Artificial Intelligence (Issue No. 2, February 2025), which surveys international approaches and informs ongoing legislative efforts.

Other pending bills, including House Bills Nos. 57, 1484, 3480, 3905, and 7627, reflect alternative or complementary approaches, such as rights-based regulation, sector-specific controls, and institutional oversight mechanisms. The House Committee on Information and Communications Technology has also convened a Technical Working Group (TWG) on the proposed Artificial Intelligence Development and Regulation Act, consolidating multiple House Bills on the subject. The TWG held its first meeting on March 12, 2026, to discuss the proposals, indicating that legislative deliberations are ongoing.

At the regulatory level, the Draft BSP Amendments to Regulations on Information Technology Risk Management to Implement Section 6 of the Anti-Financial Account Scamming Act (AFASA) remains under consultation and proposes enhancements to IT risk management rules, including requirements for automated fraud monitoring systems that may rely on machine learning or similar technologies.

Similarly, the DICT–CSC Draft Joint Memorandum Circular on Ethical and Trustworthy AI in the Government sets out principles for responsible AI use in government, such as fairness, accountability, and transparency, but remains in draft form since April 18, 2024 and has not been formally adopted.

On the policy side, the DOST Artificial Intelligence Roadmap outlines national priorities and strategic directions for AI development and adoption, but it is not a binding legal instrument.

Finally, the NPC–Insurance Commission Joint Advisory on PETs provides guidance on the use of privacy-enhancing technologies in the insurance sector; however, it is advisory in nature and does not impose binding legal obligations.

Sources:

• https://www.bsp.gov.ph/Media_And_Research/Publications/EN25-01.pdf

• https://www.bsp.gov.ph/Media_And_Research/Special%20Publications/BSP_Thematic_Review_on_the_Use_of_AI_and_ML_in_Financial_Services.pdf

• https://www.bsp.gov.ph/Sites/researchsite/Publications/BSP-Economic-Newsletter/EN21-03.pdf

• https://www.bsp.gov.ph/Regulations/Issuances/2022/1153.pdf

• https://www.bsp.gov.ph/Regulations/Issuances/2023/M-2023-013.pdf

• https://www.bsp.gov.ph/Regulations/Issuances/2024/M-2024-029.pdf

• https://www.bsp.gov.ph/Regulations/Issuances%20of%20Policy%20Exposure%20Drafts/Exposure-Draft_Amendments-to-Regulations-on-IT-Risk-Management-to-Implement-Section-6-of-the-Anti-Financial-Account-Scamming-Act.pdf

• https://sc.judiciary.gov.ph/wp-content/uploads/2026/03/AM-No.-25-11-28-SC.pdf

• https://lawphil.net/administ/comelec/comres2024/comres_11064a_2024.pdf

• https://lawphil.net/administ/comelec/comres2024/comres_11064_2024.pdf

• https://www.deped.gov.ph/wp-content/uploads/DO_s2026_003r-1.pdf

• https://ictstatistics.dict.gov.ph/wp-content/uploads/2024/05/DRAFT-COPY_JMC-on-the-Principles-for-an-Ethical-and-Trustworthy-Use-of-Artificial-Intelligence-AI-in-Government.pdf

• https://privacy.gov.ph/wp-content/uploads/2025/03/NPC-IC-Joint-Advisory-2025.03.11-Considerations-on-the-Use-of-PETs-in-the-Insurance-Industry-w-SGD.pdf

• https://www.deped.gov.ph/wp-content/uploads/DO_s2025_013.pdf

• https://pcieerd.dost.gov.ph/wp-content/uploads/2026/01/Artificial_Intelligence_Roadmap_Dec15.pdf

• https://cpbrd.congress.gov.ph/wp-content/uploads/2025/02/DP2025-02-Global_Trends_in_the_Regulation_and_Governance_of_Artificial_Intelligence.pdf

The Philippines is the highest applicable legal level and is not subject to any overarching federal or supranational AI regime. There is likewise no binding higher-level AI framework applicable to it, as regional instruments to which it is a participant, such as ASEAN Guide on AI Governance and Ethics, are expressly non-binding and serve only as guidance, while the APEC/Global CBPR system, to which it also participates, operates as a voluntary certification mechanism rather than supranational law.

Philippine law does not provide AI-specific rules on extraterritorial reach, but existing statutes expressly extend to cross-border conduct.

Under Section 6 of the Data Privacy Act of 2012, the law applies even to processing done outside the Philippines if it relates to personal information of Philippine citizens or residents, or where the entity has a link to the Philippines, such as doing business, maintaining a local presence, or collecting data in the country. This allows AI systems developed or operated abroad to fall within scope where they process personal data of users who are Philippine citizens or residents or otherwise establish a sufficient local nexus.

Similarly, Section 21 of the Cybercrime Prevention Act of 2012 provides that jurisdiction attaches where any element of the offense is committed in the Philippines, where a computer system is located in the country, or where damage is caused to a person in the Philippines, regardless of where the act was carried out. It also covers offenses committed by Filipino nationals abroad and provides for designated cybercrime courts with specially trained judges.

Where multiple jurisdictions are involved, Philippine law does not set out detailed allocation rules for cross-border AI systems. In such cases, the extent of application and potential overlap with foreign laws would be resolved through general principles of jurisdiction and conflict of laws, including considerations of territoriality, effects, and the parties’ connections to the Philippines.

In the Philippines, AI-related issues are not typically framed as “AI cases” but are instead pursued under existing legal regimes depending on the harm involved. In practice, a significant portion of matters arise in the context of fraud, scams, and online misconduct, where AI tools such as deepfakes or automated messaging are used as enabling mechanisms. These are commonly addressed under the Cybercrime Prevention Act of 2012, particularly in relation to computer-related fraud, identity theft, illegal access, and online libel, often in conjunction with the Revised Penal Code provisions on estafa and unlawful publications. Prosecution of these offenses falls within designated cybercrime courts, which are Regional Trial Courts specially assigned and trained to handle cybercrime cases, including those involving digital evidence and technology-enabled conduct. In these cases, AI does not change the nature of the offense but may affect how intent, authorship, or participation is proven.

Recent incidents illustrate how authorities are applying these frameworks to AI-enabled conduct. In one instance, complaints were filed before the Philippine National Police Anti-Cybercrime Group involving the alleged dissemination of a deepfake video falsely depicting President Ferdinand Marcos Jr. issuing a military directive. Liability was anchored on existing penal provisions on unlawful publications and similar offenses, with the AI-generated nature of the content forming part of the factual basis. In a separate matter, the National Bureau of Investigation summoned a vlogger for allegedly circulating fabricated medical records of PBBM, which were reportedly enhanced using generative AI tools. These matters remain under investigation, indicating that while existing criminal laws are being used to address AI-generated disinformation, there is as yet no settled jurisprudence on how courts will ultimately treat such conduct.

Data protection is another primary legal basis, especially where AI systems process personal data. The Data Privacy Act of 2012 is commonly invoked in cases involving unlawful processing, unauthorized access, or data breaches involving automated systems, with oversight and enforcement exercised by the National Privacy Commission. In practice, the Commission tends to focus on whether the entity can demonstrate compliance with the principles of transparency, legitimate purpose, and proportionality, including the existence of a clear lawful basis for processing. There is also close scrutiny on the adequacy of organizational, physical, and technical security measures, as well as the entity’s ability to document and explain its processing activities. Where automated decision-making or profiling is involved, the focus is on compliance with the notification and disclosure requirements under NPC Circular No. 2022-04, including disclosure of the existence of such processing, the methods and logic used, the lawful basis, and the possible decisions that may significantly affect the data subject’s rights and freedoms.

There is, as yet, no settled jurisprudence in the Philippines specifically addressing civil liability arising from AI systems. In the absence of precedent, liability would likely be assessed under existing frameworks, particularly quasi-delict under the Civil Code, where the elements of fault, damage, and causation remain controlling. AI would primarily affect how these elements are established in practice, especially in tracing causation or identifying the responsible actor, rather than introducing a distinct liability regime. In commercial settings, liability is also likely to be addressed contractually, with outcomes turning on agreed obligations, representations, and allocation of risk between parties involved in the development or deployment of AI systems.

In the Philippines, as there is currently no comprehensive AI-specific liability law, the legal framework is a patchwork of the Civil Code, the Consumer Act, and emerging administrative issuances from the NPC and DICT.

The allocation of liability when an AI system causes harm follows the concept of quasi-delict under Art 2176 of the Civil Code, strict liability on manufacturers for defective products under the Consumer Act (if an AI system is to be classified as a “consumer product”), and data privacy liability under the DPA.

Under Article 2176 of the Civil Code, whoever causes damage through fault or negligence is liable, if there are no pre-existing contractual relations. Developers may, therefore, become liable if the harm stems from a design flaw or coding negligence. The challenge here is proving a specific act of negligence in an autonomous system. How can the plaintiff prove proximate cause when the AI’s decision-making logic is opaque and non-linear? Deployers may be held liable under vicarious liability (Art 2180 of the Civil Code), such that if a company deploys an AI agent that causes harm while performing tasks for the company’s benefit, the company is presumed negligent in its selection or supervision of the AI agent. A corporate structure may not be used as a shield for AI misconduct (See piercing discussion in Toledo vs. Toledo Construction). Users may also be liable if they misuse the system or if they fail to exercise human oversight, following the recent issuance of the SC (A.M. No. 25-11-28-SC, 2026).

On strict liability under the Consumer Act, the developer may be held liable for the injuries/harm caused by the AI system’s imperfections, regardless of intent or fault. Deployers may be solidarily liable if they fail to identify the developer or if they significantly modify the AI system in a way that caused the defect. However, the Consumer Act only applies to products, so what if an AI is provided as an SaaS without a physical component?

Under the DPA, the deployer, as a PIC, bears the primary burden of “accountability,” such that if an AI systems leaks data or makes biased, automated decisions without a legal basis, following NPC Advisory No. 2024-04, the deployer may be liable for administrative fines, even if the “bug” was created by a third-party developer.

As for contractual allocation of liability between the parties, contractual shifting of liability is recognized but strictly limited. The Internet Transactions Act generally prohibits clauses that exempt a developer from gross negligence or willful misconduct for being against public policy.

A most significant unresolved question is who becomes liable if an AI system causes harm through unpredictable emergent behavior that was not present at the time of its deployment?

In the Philippines, soft law plays a meaningful role in shaping AI-related compliance, particularly where binding rules remain fragmented or sector-specific. Relevant guidance is issued by bodies such as the Department of Information and Communications Technology (DICT), the National Privacy Commission (NPC), and the Bangko Sentral ng Pilipinas (BSP), often in the form of advisories, memoranda, and thematic publications rather than enforceable regulations.

While these instruments do not create enforceable obligations on their own, they are treated in practice as persuasive benchmarks for compliance. For instance, NPC-IC Joint Advisory No. 2025-001 on the Use of Privacy Enhancing Technologies (PETs) in the insurance industry informs how regulators assess compliance with accountability and security obligations under the Data Privacy Act. Similarly, BSP issuances such as Memorandum No. M-2023-013 (Guidance Paper on Transaction Monitoring Systems) and Memorandum No. M-2024-029 (reiterating risk management controls under the Anti-Financial Account Scamming Act) set out supervisory expectations on risk-based monitoring, governance, audit trails, and the use of automated or machine learning tools in detecting suspicious or fraudulent activity. In this sense, adherence to such guidance may not operate as a formal safe harbour, but it is often a relevant factor in regulatory assessment, audits, and potential enforcement.

Overall, these non-binding issuances function as de facto compliance frameworks. They guide how organizations structure governance, risk management, and documentation around AI, and are often considered by regulators in audits and enforcement in assessing whether an entity has exercised sufficient diligence under existing law.

Philippine law does not provide a separate regime for AI data, inferences, or automated decision-making (ADM), but addresses these within existing rules on personal data processing.

Under the IRR of the Data Privacy Act and NPC Circular No. 2022-04, “profiling” refers to any form of automated processing of data consisting of the use of personal data, such as an individual’s economic situation, political or religious beliefs, behavioral or marketing activities, personal preferences, electronic communication data, location data, and financial data, among others, in order to evaluate, analyze, or predict his or her performance, qualities, and behavior, among others. As such, data used to train or operate AI systems, as well as the resulting inferences or profiles, are treated as part of personal data processing and are subject to existing requirements on transparency, lawful basis, and accountability.

Also under NPC Circular No. 2022-04, a personal information controller or processor that carries out automated decision-making or profiling must indicate this in its registration record and identify the data processing system involved. It must also include the lawful basis for processing, retention period, methods and logic utilized, and the possible decisions relating to the data subject, particularly if such decisions would significantly affect the data subject’s rights and freedoms. The Circular further provides that notification is required where automated processing becomes the sole basis for making decisions about a data subject and such decision would significantly affect the data subject.

In the judicial context, A.M. No. 25-11-28-SC of the Supreme Court of the Philippines provides that AI tools must not serve as the sole, primary, or determinative basis of any adjudicatory outcome, and that all outputs must be reviewed and approved by human beings. It also requires that the use of AI tools be disclosed and explained, and that responsibility remains with the user of the AI tool.

Sector-specific guidance likewise reflects a cautious approach. For instance, DepEd Order No. 003, s. 2026 discourages the use of AI as a substitute for human authority, including in automated decision-making affecting learners or personnel, and classifies certain AI applications (e.g., emotion recognition tied to decision-making) as posing unacceptable risks absent safeguards. While not a general law, it signals a broader policy direction favoring human oversight in AI-assisted decisions.

These rules reflect that automated processing, including profiling and automated decision-making, is subject to specific requirements where it significantly affects the data subject, particularly in relation to disclosure, notification, and human involvement.

Philippine law does not yet regulate workplace AI through a distinct statutory regime. AI-assisted hiring, performance management, monitoring, and termination are governed by existing labor law and data protection rules. In all cases, employers remain responsible for decisions affecting employees. AI outputs cannot replace compliance with due process and lawful cause under labor law, particularly in disciplinary action or termination.

The most developed constraints arise from data protection law under the Data Privacy Act of 2012, as interpreted by the National Privacy Commission. In NPC Advisory Opinion No. 2024-003 (Re: random surveillance of telecommuting employees and recording of virtual meetings), the NPC states that monitoring software constitutes processing of personal data requiring a lawful basis, and must comply with transparency, legitimate purpose, and proportionality, with employees informed of the nature, purpose, and extent of processing. In NPC Advisory Opinion No. 2024-005 (Re: use of AI in call analysis and monitoring of call center employees), the NPC recognizes that AI-based scoring and analysis may be used for performance management under legitimate interest, provided that the purpose is specific, the processing is necessary, and it does not override the rights and freedoms of employees. These principles apply across hiring, evaluation, and monitoring, and serve as the main source of heightened scrutiny.

Employees have enforceable rights under this framework. These include the right to be informed of processing, the right to object where processing is based on legitimate interest, and the right to have their personal data processed only to the extent necessary for a declared purpose. In the employment context, the NPC also recognizes that consent is generally not the appropriate basis due to the imbalance in the employer-employee relationship, reinforcing the need for proper legal basis and safeguards. Labor law protections continue to apply in parallel, particularly the requirement of due process and just cause in termination, regardless of whether AI tools are used.

There are no sector-specific workplace AI regulations or collective bargaining frameworks that materially alter this position. Policy direction instead focuses on workforce adaptation. The Department of Labor and Employment 2023–2028 Labor and Employment Plan recognizes the need to ensure workforce readiness to cope with advances in technology, including “new work processes, robotization, automation, digitalization and artificial intelligence,” and emphasizes promoting gainful employment opportunities and human resource development through skills development and training systems. Findings of the Institute for Labor Studies (2024) note limited displacement but increased demand for AI-related skills, with employers encouraged to support retraining and alternative employment pathways. Overall, AI use in employment is assessed under existing legal standards, with closer scrutiny where it involves monitoring, profiling, or decision-making affecting workers.

AI use exposes strain in Philippine legal frameworks that are built on assumptions based on human actors and tangible processes. A structural tension arises when the law’s internal logic is challenged by AI, which has a non-human, autonomous, and opaque nature.

In intellectual property law, authorship is limited to natural or juridical persons, creating ambiguity where AI systems generate outputs without direct human intervention. This raises uncertainty as to ownership and protection, particularly where only the human-created components of AI-assisted works may qualify. In such cases, it is unclear whether authorship should be attributed to the developer, the user, or neither, especially where the level of human contribution is minimal. Even if authorship may be determined, where multiple parties are involved in the creation process, ownership may be contested. Furthermore, AI systems are often trained on vast datasets, often including copyright material. This raises questions about fair use and potential infringement.

Additional strain arises in liability and decision-making contexts, especially since the existing legal framework assumes a direct, traceable line between human intent and harmful action.

Civil law on quasi-delicts requires proof of fault, but harm caused by AI systems may involve multiple actors and some AI systems make decisions through processes that are not visible or easily explainable to humans, making attribution difficult.

These tensions arise because AI introduces automated, data-driven, and often opaque processes that do not align with frameworks designed for human-led, transparent decision-making.