Philippines NPC AI Guidelines: Data Privacy Act Compliance for AI Systems

What Are the NPC AI Guidelines?

On 19 December 2024, the Philippines National Privacy Commission (NPC) issued Advisory Guidelines on the Application of the Data Privacy Act on AI Systems Processing Personal Data. These guidelines clarify how the existing Data Privacy Act of 2012 (Republic Act No. 10173) applies to artificial intelligence.

While the guidelines are advisory, they carry significant weight because they interpret mandatory obligations under the Data Privacy Act. The NPC has authority to audit AI systems, investigate complaints about algorithmic bias, and enforce the DPA.

Key Provisions

Algorithmic Bias Requirements

The guidelines establish clear obligations for organizations using AI that processes personal data:

Identify and monitor biases: Personal Information Controllers (PICs) must actively identify, monitor, and limit biases in their AI systems. The guidelines recognize three types of bias:

• Systemic bias: Bias embedded in training data, institutional processes, or societal structures
• Human bias: Bias introduced through human decisions in AI development and deployment
• Statistical bias: Bias from data collection, sampling, or modeling techniques

Limit, not eliminate: The guidelines take a pragmatic approach — organizations must "limit" biases rather than eliminate them entirely. This acknowledges that zero bias is technically impractical while still requiring meaningful effort.

Prevent harmful impact: AI systems must not have manipulative or unduly oppressive impact on data subjects. This is particularly important for AI used in:

• Credit scoring and lending decisions
• Employment screening and hiring
• Insurance underwriting and claims
• Customer segmentation and pricing

AI Washing Prohibition

The guidelines explicitly prohibit "AI washing" — misrepresenting the extent to which AI is involved in data processing. Organizations must:

• Accurately describe AI involvement in their privacy notices
• Not overstate or understate AI's role in decision-making
• Provide truthful information about how AI processes personal data

NPC Audit Authority

The NPC can:

• Audit AI systems for compliance with the Data Privacy Act
• Investigate complaints about algorithmic bias or discriminatory profiling
• Issue compliance orders requiring changes to AI systems
• Impose penalties for DPA violations

The Data Privacy Act Foundation

The NPC AI guidelines build on the Data Privacy Act's existing requirements:

Consent and Lawful Processing

• Valid consent required for personal data processing
• For sensitive personal data (health, biometrics, race), explicit consent is needed
• Consent must be informed — individuals must understand AI-related processing

Data Subject Rights

• Right to be informed about data processing, including AI use
• Right to access personal data held by the organization
• Right to object to processing, including automated processing
• Right to erasure (deletion) of personal data
• Right to data portability
• Right to damages for privacy violations

Proportionality and Legitimate Purpose

• AI data processing must be proportionate to its declared purpose
• Data collection must be limited to what is necessary
• Purpose limitation applies — data collected for one purpose cannot be repurposed for AI training without additional consent

Security Requirements

• Reasonable and appropriate organizational, physical, and technical measures to protect personal data
• Regular security assessments
• Data breach notification requirements

Proposed AI Legislation

The Philippines has multiple AI bills under consideration:

House Bill No. 1196 (AIDA)

Would establish the Artificial Intelligence Development Authority under DOST. Key provisions:

• National AI strategy development
• Regulatory standards for AI systems
• Compliance management
• Transparency requirements for General-Purpose AI (GPAI)

House Bill No. 3195 / Senate Bill No. 852

Would establish a Philippine Council on Artificial Intelligence and an AI Bill of Rights.

National AI Strategy (NAIS-PH)

Approved by President Marcos Jr. in May 2025, the whole-of-government strategy through 2028 includes five pillars:

1. Infrastructure development
2. Workforce capacity building
3. Innovation ecosystem
4. Ethical policy frameworks
5. Strategic deployment in priority sectors

How to Comply

Step 1: DPA Compliance Review

• Review your Privacy Impact Assessment for AI systems
• Ensure consent mechanisms cover AI-related data processing
• Update privacy notices to accurately describe AI involvement (avoid AI washing)
• Verify data subject rights procedures accommodate AI-specific requests

Step 2: Algorithmic Bias Assessment

• Identify potential sources of systemic, human, and statistical bias in your AI systems
• Implement monitoring mechanisms for ongoing bias detection
• Establish procedures for bias mitigation when issues are detected
• Document bias assessments and remediation efforts

Step 3: Transparency Implementation

• Accurately describe AI involvement in privacy notices and terms of service
• Provide accessible information about how AI affects individuals
• Implement channels for data subjects to ask questions about AI decisions
• Train customer-facing staff on AI-related inquiries

Step 4: NPC Audit Readiness

• Maintain documentation of AI governance practices
• Document bias assessment methodologies and results
• Keep records of data processing activities related to AI
• Prepare for potential NPC inquiries or audits

Related Regulations

• Singapore PDPA & AI: More detailed AI-specific guidance in neighboring market
• Indonesia PDP Law: Similar GDPR-inspired data protection
• ASEAN AI Governance Guide: Regional framework the Philippines aligns with
• EU GDPR: The model for many provisions in the Data Privacy Act