Detailed overview
The Philippines does not currently have a single comprehensive AI Act. AI is regulated mainly through data privacy law, official AI policy, sectoral regulation and guidance from the National Privacy Commission, or NPC.
NPC Advisory 2024-04
The NPC issued Advisory No. 2024-04 on the Application of the Data Privacy Act to Artificial Intelligence Systems Processing Personal Data. The advisory applies where personal data is processed in the development, deployment, training or testing of AI systems.
The advisory explains that the Data Privacy Act, its implementing rules and NPC issuances apply to AI systems that process personal information or sensitive personal information. An AI system may process personal data during data collection, model training, testing, prompt processing, profiling, inference, output generation, monitoring or system improvement.
Privacy principles
Organisations using AI with personal data must comply with privacy principles, including transparency, legitimate purpose, proportionality, data quality, security, accountability and protection of data-subject rights. High-risk AI processing may require stronger governance, risk assessment, documentation, privacy impact assessment and human oversight.
AI-generated imagery warnings
The NPC has also warned about risks from AI-generated imagery, including misuse of personal information, non-consensual intimate imagery and harmful content involving children. The NPC recommends safeguards, transparency and mechanisms to remove harmful AI-generated content.
Penalties
There is no single Philippine AI-specific penalty table. Penalties arise under the Data Privacy Act, cybercrime law, consumer law, intellectual-property law, employment law, sector-specific regulation or criminal law depending on the AI use case and violation.
Practical requirements & details
Sourced from NPC Advisory No. 2024-04 on the Application of the Data Privacy Act to AI Systems Processing Personal Data, the Data Privacy Act of 2012 (RA 10173), the National AI Strategy Roadmap (DTI/DICT), and BSP/IC AI guidance.
NPC Advisory 2024-04
- Applies the DPA + IRR to AI systems processing personal information.
- Covers data collection, model training, testing, prompts, profiling, inference, output, monitoring, system improvement.
Privacy principles for AI
- Transparency, legitimate purpose, proportionality, data quality, security, accountability, protection of data-subject rights.
- High-risk AI processing: stronger governance, risk assessment, documentation, privacy impact assessment, human oversight.
NPC warnings on AI-generated imagery
- Misuse of personal information.
- Non-consensual intimate imagery.
- Harmful content involving children.
- NPC recommends safeguards, transparency and removal mechanisms.
DPA penalties
- Imprisonment up to 6 years + fines up to PHP 5M depending on offence severity.
- NPC may issue cease-and-desist orders, compliance orders and refer for prosecution.
Sector overlays
- BSP AI in banking and fintech — governance, model risk, customer protection.
- IC AI in insurance underwriting.
- SEC AI in market intermediaries.
- FDA on AI medical devices.