Philippines Data Privacy Act’s Application to AI Systems Processing Personal Data

1. Introduction

The governance of AI systems is becoming increasingly critical, particularly when these systems process personal data. To address this, the National Privacy Commission (NPC) of the Philippines issued Advisory Guidelines on the Application of the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), and NPC Issuances to AI Systems Processing Personal Data (‘Advisory Guidelines’)  on December 19, 2024.

The Advisory Guidelines clarify how Personal Information Controllers (PICs) and Personal Information Processors (PIPs) can responsibly develop, test, train, and deploy AI technologies while adhering to the principles of data protection enshrined in the DPA. It emphasizes adhering to general data privacy principles, including accountability, transparency, and fairness, respecting data subject rights, identifying lawful bases for processing, and implementing security measures to protect personal data. This blog provides a comprehensive overview of the obligations outlined in the Advisory Guidelines.

2. Compliance with Data Privacy Principles

The Advisory Guidelines highlight the importance of adhering to the following key data privacy principles:

Transparency

PICs must provide clear and accessible information to data subjects about the processing of their personal data during the development or deployment of AI systems. This includes:

• Explaining the purpose, nature, and scope of the processing.
• Describing the factors, inputs, and outputs of the AI system, associated risks, and its impact on data subjects.
• Detailing available dispute resolution mechanisms.

All disclosures must be presented straightforwardly and concretely, using clear, understandable language to the intended audience while retaining necessary technical terminology.

Accountability

PICs bear responsibility for the processing of personal data by AI systems and the resulting outcomes. This accountability extends to the development, deployment, training, and testing of such systems, even when processing is outsourced to PIPs.

To demonstrate compliance, the:

• PICs (and their PIPs, when applicable) must implement and document effective policies and procedures ensuring compliance with the DPA, its IRR, and related issuances.
• Documentation should include policies specifically addressing AI systems that process personal data.

Additionally, the PICs must establish governance mechanisms to ensure ethical and responsible AI processing, including:

• Conducting Privacy Impact Assessments (PIAs),
• Adopting privacy-by-design and privacy-by-default principles,
• Implementing industry-standard security measures,
• Continuously monitoring AI operations,
• Establishing AI ethics boards,
• Regularly retraining and updating AI systems, and
• Providing mechanisms for human intervention in automated decisions and reviewing AI outputs.

PICs must regularly evaluate the effectiveness and proper implementation of governance mechanisms to ensure compliance and adapt to emerging risks.

Moreover, when AI systems perform automated decision-making with significant risks to data subjects' rights and freedoms, PICs must:

• Enable meaningful human intervention by qualified individuals, and
• Allow data subjects to question and contest decisions that impact their rights significantly.

Fairness

PICs are required to ensure personal data processing is free from manipulation or undue oppression. To do so, they must:

• Implement mechanisms to detect, monitor, and limit biases in AI systems, including systemic, human, and statistical biases, and
• Avoid deceptive practices such as AI washing, where the role of AI is overstated to the detriment of data subjects.

Accuracy

The PICs must maintain the accuracy and currency of personal data to uphold fairness in AI system outputs. To maintain accuracy, it recommends the adoption of measures to verify and update personal data used in AI systems regularly.

Data Minimization

The PICs must ensure that they exclude personal data that does not contribute meaningfully to developing, training, or deploying AI systems.

3. Lawful Basis for Processing

To process personal data for AI development and deployment, the Advisory Guidelines require the PICs to identify and establish the most appropriate lawful basis for processing under Sections 12 and 13 of the DPA. Publicly available personal data remains subject to DPA protections. PICs must determine a lawful basis for processing such data and ensure compliance with privacy principles.

4. Data Subject Rights

AI systems that process personal data can significantly impact the exercise of data subject rights. Therefore Advisory Guidelines mandate the PICs to implement mechanisms, such as Privacy-Enhancing Technologies (PETs), to safeguard these rights. Key obligations include:

Providing the Right to Object, Rectification, and Erasure/Blocking

• PICs must provide effective mechanisms or alternative measures to facilitate these rights.
• PICs must inform data subjects about the scope and consequences of exercising their rights.
• If a request is infeasible, PICs must explain why and strive to achieve the intended effect of the requested right through alternative measures.

Continuous Accessibility of Rights

• PICs must ensure that data subjects can exercise their rights at all stages of the AI system lifecycle—before, during, and after its development or deployment.

Incorporation into Datasets

• The inclusion of personal data in datasets does not inherently make the exercise of data subject rights unreasonable. In such circumstances, failing to provide meaningful mechanisms for exercising data subject rights undermines claims that such requests are impractical.

5. Interpretation Principle

The Advisory Guidelines clarify that any ambiguities in interpreting the provisions of this Advisory should favor the protection of data subjects' rights and interests.

How Securiti Can Help

Securiti is the pioneer of the Data + AI Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Securiti Gencore AI enables organizations to safely connect to hundreds of data systems while preserving data controls and governance as data flows into modern GenAI systems. It is powered by a unique knowledge graph that maintains granular contextual insights about data and AI systems.

Gencore AI provides robust controls throughout the AI system to align with corporate policies and entitlements, safeguard against malicious attacks and protect sensitive data. This enables organizations to comply with the Philipines Data Privacy Act (DPA).

Request a demo to learn more.