Philippines Data Privacy Act (DPA, Republic Act 10173) + NPC AI Advisory: AI Compliance Requirements

DPA Section 13 requires freely given, specific, informed, and indicated consent before processing personal data. AI systems collecting data of Philippine residents must provide a clear Privacy Notice describing: identity of the personal information controller, purposes of processing, AI-specific processing activities, and data subject rights. The NPC requires notices to be available in Filipino and English for Philippine-based users.

DPA Sections 16-18 grant Philippine residents rights to: be informed, access their data, object to processing, erase data (right to be forgotten), rectify inaccuracies, and receive data portability. AI automated decisions significantly affecting individuals must provide human review on request and a clear explanation of the decision logic. Organizations must respond within 10 business days.

DPA Section 26 requires organizations processing data of 500+ data subjects to register with the NPC and designate an accountable Data Protection Officer (DPO). The DPO must be appointed in writing, have access to personal data inventory, and file an annual compliance report with the NPC. AI organizations above the threshold must complete NPC registration before deploying systems.

The NPC issued advisory circulars addressing: (1) AI profiling and automated decision-making must comply with DPA consent requirements; (2) Generative AI must not train on Philippine personal data without consent; (3) Sensitive personal information processed by AI (health, financial, biometric) requires Privacy Impact Assessments (PIAs); (4) Third-party AI processors must sign DPA-compliant data sharing agreements. Organizations must document their AI processing activities in their Personal Data Processing Systems (PDPS) inventory.