The Philippines ranks among the fastest-growing digital economies in Southeast Asia. In 2023, the digital economy amounted to approx. USD 35.4 billion, contributing 8.4% of GDP, according to the Statistics Authority. According to the e-conomy report, the digital economy in the Philippines is projected to reach USD 150 billion in gross merchandise value by 2030. The e-commerce sector will mainly drive this growth. To empower this growth, the development plan 2023-2028 sets strategic initiatives to enhance digital infrastructure, address the digital divide, and promote digital inclusion.

But what do the Philippines’ digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Philippines-specific points of emphasis.

• Data governance: The Philippines implemented rules under the Data Privacy Act and pursued enforcement action against ride-hailing apps and social media platforms. 

• Content moderation: The Philippines adopted rules regarding political advertising and child sexual abuse or exploitation materials and is considering rules to address harmful content such as deepfakes, fake news, and online harassment.

• Competition policy: The Philippines proposed competition rules for the digital economy and issued guidelines on the applicability of its current frameworks to digital markets.

• Artificial intelligence: The Philippines proposed several bills regarding artificial intelligence, including on oversight, research and development, and the impact on the labour market.

• The Philippines’ points of emphasis include the taxation of the digital economy, crypto assets, and user identification.

Jump directly to the section that interests you most:

Discover the details of the Philippines' regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Maria Buza, Saskia von Mutius, and Luc Zufferey. Edited by Tommaso Giardini.

The 2012 Data Privacy Act (DPA) and its 2016 implementing rules govern data protection in the Philippines. Personal data processing is permissible on various bases, including consent, contractual obligations, and legitimate interest. Entities must implement security measures and report data breaches involving sensitive or high-risk information within 72 hours. As of July 2023, data controllers and processors must also register with the NPC if they meet specific criteria.

The National Privacy Commission (NPC) implemented new rules under the DPA to further expand entities' obligations related to data processing. 

• The NPC’s rules on consent implemented in May 2024 mandate data controllers to provide clear information on the purpose, scope, and duration of data processing when obtaining consent. 

• The NPC’s rules on legitimate interest, implemented in April 2024, require controllers and third parties to demonstrate a genuine interest and meet specific criteria when processing data based on this legal basis. 

• The NPC’s updated requirements on data security mandate entities from March 2024 to register processing systems and conduct privacy impact assessments. 

Several Bills to amend the DPA were introduced since 2021 and are currently under deliberation. 

• House Bill No. 892 increases penalties for unauthorised data processing and data breaches, with fines of up to PHP 5 million (approx. USD 87,360) and imprisonment of 3 to 6 years. 

• House Bill No. 898 expands the definition of sensitive data to include biometric and genetic data and sets the age of consent at 15 years. 

• Senate Bill No. 1367 excludes the DPA’s applicability regarding personal information needed to manage a health crisis during a declared national emergency or pandemic.

• Bill No. 9651, passed by the House in August 2021 and currently in the Senate, establishes additional protections for sensitive data, expands coverage to data processed outside the Philippines, and clarifies legal bases for data processing.

Currently, the Philippines does not require data localisation. However, in September 2023, the government released a draft order to require local data storage for cloud service providers and intermediaries offering services to the Philippine government. This obligation would also apply to entities handling confidential or sensitive data.

Entities can transfer personal data to other jurisdictions with the data subject's consent, through a data sharing agreement, or by using a contract that ensures a comparable level of protection while third parties process the data. In May 2024, the NPC issued an advisory on seven model contractual clauses.

The NPC has the power to issue advisory guidelines to clarify the obligations under the DPA and enforce these obligations. 

• In August 2024, the NPC issued guidelines on sensitive personal data processing.

• In November 2023, the NPC published an advisory guide on deceptive design patterns, identifying techniques that invalidate consent. The guidelines also clarify the applicability of the principles of transparency, fairness, and accountability to the design of digital interfaces.

• In January 2021, the NPC adopted an advisory on data subject rights, outlining principles for handling personal data. 

The NPC regularly conducts privacy investigations:

• In September 2023, the NPC determined that the online lending app Pesopop unlawfully processed personal and sensitive data. The NPC recommended criminal prosecution of the officers responsible at Pesopop.

• In May 2023, the NPC concluded its investigation into the GCash app's data breach, confirming phishing attacks on vulnerable users caused via online gambling sites. The NPC required GCash to implement measures to prevent future incidents.

• In February 2022, the NPC required ride-hailing app Grab to conduct a privacy impact assessment for its in-vehicle audio recording due to non-compliance with privacy obligations. 

• The NPC is conducting several investigations into Facebook, including a probe launched in April 2021 regarding a breach that allegedly compromised 879,699 accounts. This investigation follows a previous inquiry from September 2020 into Facebook's actions against suspicious accounts threatening user privacy. Additionally, the NPC is investigating the Facebook-Cambridge Analytica data breach since April 2018.

The Philippines is currently deliberating several bills to address harmful online content:

• The Deepfake Accountability and Transparency Act, introduced in July 2024, requires clear disclosures about altered media. 

• The Foreign Adversary Controlled Applications Regulation Act, introduced in May 2024, prohibits foreign adversary-controlled applications that allow content sharing with over 1 million active monthly users in the Philippines. 

• The Act Prohibiting Online Publication and Promotion of Gambling-Related Content, introduced in March 2024, bans the distribution and advertising of gambling online.

• The Movie and Television Review and Classification Board Act, introduced in March 2024, requires on-demand streaming services to register, display content ratings, and implement parental controls. 

In September 2024, the Commission on Elections (COMELEC) adopted rules for digital platforms hosting political content in view of the 2025 elections. Platforms are required to register with COMELEC and help remove non-compliant campaign materials, including those that misuse artificial intelligence. Platforms must further monitor content for disinformation.

In November 2023, the Intellectual Property Office adopted rules on voluntary administrative site blocking. Rights holders can request the Office to block infringing websites, requiring internet service providers to comply with blocking orders within 48 hours. 

In August 2022, the Anti-Child Sexual Abuse or Exploitation Materials (CSAEM) Act entered into force. Internet intermediaries must block and prevent the streaming of CSAEM, as well as report violations to the Department of Justice (DOJ). Internet service providers must further notify authorities of CSAEM and block it within 24 hours. 

The 2012 Cybercrime Prevention Act defined various cybercrimes, including hacking, identity theft and cybersquatting. The Act empowers the DOJ to order the removal of illegal content and mandates platforms to retain data for 6 months. 

The Cybercrime Prevention Act established two enforcement agencies: the Office of Cybercrime (OOC) within the DOJ and the Cybercrime Investigation and Coordinating Center (CICC) as a specialised agency under the Department of Information and Communications Technology. 

• In January 2024, the CICC asked social media platforms YouTube, Meta’s Facebook and Marketplace to use artificial intelligence to combat cybercrimes, including scams.

• December 2023, the CICC announced plans to take legal actions against Meta Platforms' Facebook and Instagram as well as X (Twitter) over their failure to stop online scams. 

• In August 2022, the DOJ issued warrants to Facebook and YouTube, requiring the disclosure of data as part of an investigation into the display of child sexual abuse material.

• In April 2022, the telecommunication provider Globe, in collaboration with the OOC and CICC, announced the blocking of 11,320 websites and 502 domains hosting pornographic content, as well as 194 domains of illegal gambling.

In May 2024, the Intellectual Property Office issued the first site-blocking request targeting piracy websites. Additionally, in June 2022, the National Telecommunications Commission ordered internet service providers to block 26 websites linked to “communist terrorist” groups under the Anti-Terror Act.

The 2015 Competition Act regulates anti-competitive practices, including in the digital economy. In October 2024, the Philippine Competition Commission (PCC) released a report highlighting emerging competition issues in the digital sector and suggesting regulatory reforms. Specifically, the PCC recommended (1) building partnerships with countries that have established digital market regulations, (2) enacting new legislation specifically for the digital economy, and (3) enhancing enforcement of the Competition Act with updated guidelines for digital market investigations.

In August 2023, the PCC issued guidelines on reviewing mergers and acquisitions in digital markets. The guidelines focus on transactions involving gatekeepers, data-centric firms, or companies with network effects, which could trigger investigations on PCC’s initiative. In March 2024, the PCC increased the mandatory notification thresholds for mergers. In May 2023, the PCC released non-horizontal merger review guidelines. 

The Internet Transactions Act (ITA), enacted in December 2023, enhances competition and safety regarding e-commerce. The ITA established the E-Commerce Bureau, which collaborates with the PCC to build a database of online platforms and merchants accessible to the government and consumers.

The PCC regularly investigates compliance with competition rules:

• In May 2023, Grab was fined PHP 9 million (approx. USD 157,225) by the PCC for failing to comply with earlier refund orders issued between November 2019 and October 2020. Earlier, in February 2023, Grab was fined PHP 9 million (approx.USD 157,225) for providing misleading compliance reports and not fully adhering to the refund orders. These penalties are part of the PCC's oversight of the commitments proposed by Grab as a condition for the approval of its acquisition of Uber. The investigation into the acquisition began in April 2018, and in October 2018, both Grab and Uber were fined PHP 16 million (approx. USD 278,398) for failing to keep their businesses separate before PCC issued a final ruling.

• In October 2022, the PCC found that Grab’s acquisition of Move It did not breach the thresholds for compulsory notification. 

The Philippines is currently deliberating several proposed laws to regulate artificial intelligence (AI). 

The following Bills were introduced to establish institutions for the governance and oversight of AI. 

• The AI Act (HB 10944), introduced in September 2024, establishes a Board to oversee AI development, research, application and use. 

• The AI Regulation Act (HB 7913), introduced in May 2023, establishes two institutions, a Council and a Board, to uphold user rights and regulate AI use.

• The AI Development and Regulation Act (HB 7396), introduced in March 2023, establishes licensing and certification requirements for AI developers and deployers. The Act also includes provisions to enhance security protections for AI systems and establishes an Authority to adopt additional rules and oversee compliance.

The following Bills were introduced to support the research and development of AI:

• The Artificial Intelligence Development Act (HB 7983), introduced in May 2023, establishes the National Center for AI Research (NCAIR) as the central policymaking and research body for AI development. 

• The Artificial Intelligence Development Act (HB 10457), introduced in November 2021, establishes the National Centre for AI to develop policies and conduct research on AI technologies. The Act mandates the National Innovation Council to prioritise projects on AI development and requires the State to regulate the AI ecosystem, enhance digitisation, and improve infrastructure.

The following Bills were introduced to regulate the use of AI in employment and establish labour protection.

• The AI Regulation Act (HB 10385), introduced in May 2024, seeks to ensure the development of AI while protecting workers’ rights and preventing job displacement. The Act establishes the AI Bureau to manage technical advancements in AI while safeguarding employment.

• The Protection of Labour Against AI Automation Act (HB 9448), introduced in November 2023, focuses on regulating AI use in company processes. It covers hiring decisions and employee evaluations, aiming to protect jobs and ensure fair treatment of workers.

The Department of Trade and Industry launched the National AI Strategy in July 2024 with the aim of boosting the economy by focusing on generative AI and other technological advancements. The roadmap outlines seven strategic imperatives, including strengthening infrastructure, enhancing data use, promoting ethical AI and accelerating innovation. DTI also established the Center for AI Research to create AI solutions for regional issues and foster economic growth, with plans for collaboration with AI Singapore. Finally, in April 2024, the Department of Information and Communications and Technology released a draft memorandum on the principles and guidelines for the ethical and trustworthy use of AI in the government. The principles aim to ensure responsible AI development and use, safeguarding human rights while promoting transparency, data privacy, fairness, and accountability. The guidelines draw from international frameworks such as the ASEAN AI Guide and OECD AI Principles.

In October 2024, the Philippines adopted an Act that imposes a 12% value-added tax (VAT) on non-resident digital service providers. It is applicable to online search engines, e-marketplaces, cloud services, online streaming and advertising. Non-resident providers must register for VAT if their gross sales exceed PHP 3 million (approximately USD 52,408). The Bureau of Internal Revenue (BIR) has the authority to suspend the operations of non-resident providers who do not comply with registration and VAT collection requirements. VAT collections are scheduled to begin in 2025, following the issuance of implementing rules by the BIR.

In January 2021, the Central Bank (BSP) adopted guidelines for virtual asset service providers, establishing a licensing requirement. In May 2023, the Securities and Exchange Commission (SEC) implemented rules under the Financial Products and Services Consumer Protection Act to strengthen protection for digital products and cryptocurrencies. In November 2023, the SEC warned Binance, clarifying that the exchange was not authorised to sell or offer securities in the Philippines. Following this warning, in April 2024, the SEC directed Google and Apple to remove Binance’s applications from their app stores.

Additionally, the BSP launched a pilot project in April 2022 to test a wholesale central bank digital currency. Another pilot project is underway to evaluate a stablecoin backed by the Philippine Peso.

The Philippines is considering two legislative proposals to strengthen online user verification. The Online and Social Media Membership Accountability Act in the House of Representatives requires users to register their social media and online accounts with valid government-issued IDs or certificates. A Senate Bill proposes the same registration and verification process while also requiring social media platforms to provide analytics that disclose users' real identities. The aim is to reduce cyberbullying, harassment, and online scams by making user identities verifiable.