Philippines Data Privacy Act — AI Systems (NPC Advisory 2024-04): AI Compliance Requirements

The Philippines National Privacy Commission (NPC) issued Advisory No. 2024-04 on December 19, 2024: Guidelines on the Application of the Data Privacy Act of 2012 (Republic Act 10173) to AI Systems Processing Personal Data. This advisory is binding guidance under existing law — immediate compliance required for any organization processing personal data of Philippine residents using AI systems. Key obligations: (1) Data subjects retain full RA 10173 rights even when AI is involved. (2) Controllers are strictly liable for AI system outcomes. (3) Automated decisions affecting individuals require meaningful human oversight capability. (4) AI systems processing personal data must register with the NPC. (5) Data Protection Impact Assessments required for high-risk AI processing. Third-party AI providers do NOT reduce controller liability.

Check your compliance — free Download checklist

Key Facts

Effective Date

December 19, 2024

Maximum Penalty

PHP 500,000 to PHP 5,000,000 (~$8,500–$85,000 USD) per violation + up to 6 years imprisonment; NPC enforcement

What Your Business Must Do

4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

AI Accountability & Liability Documentation

Critical

Under NPC Advisory 2024-04: you remain strictly liable for AI system outcomes even when using third-party AI providers (OpenAI, Google, Anthropic, etc.). Document: (1) Which AI systems process Philippine resident data. (2) Your accountability framework — who is responsible for AI decisions. (3) How you verify AI system compliance with RA 10173 principles. Third-party AI providers must be covered by Data Sharing Agreements.

Automated Decision Transparency & Human Oversight

High Priority

AI systems making significant decisions affecting Philippine residents must: (1) Be disclosed to affected individuals. (2) Have meaningful human intervention capability available. (3) Allow individuals to question and contest decisions. Document your human-in-the-loop procedures and provide a mechanism for individuals to request human review.

Data Protection Impact Assessment for High-Risk AI

High Priority

Required for AI systems that pose high risk to data subjects' rights, including: AI-based profiling, large-scale automated processing, AI using biometric or sensitive personal data. Conduct and document a DPIA before deploying such systems. NPC may request review.

NPC Registration & Privacy Officer

Medium Priority

Organizations processing personal data of Philippines residents with AI must register with the NPC and designate a Data Protection Officer (DPO). Registration is online at privacy.gov.ph. DPO must be knowledgeable in data privacy law and AI governance.

Frequently Asked Questions

Does Philippines Data Privacy Act — AI Systems (NPC Advisory 2024-04) apply to my business?

What is the penalty for non-compliance?

The maximum penalty under Philippines Data Privacy Act — AI Systems (NPC Advisory 2024-04) is: PHP 500,000 to PHP 5,000,000 (~$8,500–$85,000 USD) per violation + up to 6 years imprisonment; NPC enforcement. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Philippines Data Privacy Act — AI Systems (NPC Advisory 2024-04)?

The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://privacy.gov.ph/wp-content/uploads/2025/02/Advisory-2024.12.19-Guidelines-on-Artificial-Intelligence-w-SGD.pdf

Last updated: 2026-04-12 — verify at source before relying on this information.

Don't leave compliance to chance

ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.

Start your free compliance scan