Table of Contents
Key Takeaway
- 🎯 NPC Advisory No. 2026-01, issued April 13, 2026, clarifies that scraping publicly available personal data is fully subject to the Data Privacy Act of 2012: The National Privacy Commission expressly rejects the view that public availability equates to consent — just because data is online does not mean it can be scraped freely.
- 📊 Five obligations for organizations that scrape publicly available personal data: Declared lawful basis, necessity and proportionality assessment, heightened scrutiny for sensitive data and vulnerable subjects, disclosure to data subjects, and operational channels for the right to object, be informed, and request erasure.
- 💼 The Advisory affects every organization using AI, analytics, marketing, profiling, or platform operations: If your business collects, uses, purchases, or hosts publicly available personal data, NPC Advisory 2026-01 applies to you — and non-compliance carries civil, criminal, and administrative liability.
- 🔧 Privacy Impact Assessments (PIAs) are now required for data scraping activities: Including scraping conducted by third-party processors. Organizations must document why scraping is necessary and why less-intrusive means cannot achieve the same purpose.
- ⏱️ Heightened scrutiny applies to sensitive personal information and vulnerable categories: Minors, the elderly, and persons with disabilities receive additional protections. Organizations must apply stricter standards when scraping data about these groups.
![]()
NPC data privacy advisory 2026 changes the rules for every Philippine organization that touches publicly available personal data. The National Privacy Commission has made it clear: public does not mean free to use.
On April 13, 2026, the National Privacy Commission (NPC) issued Advisory No. 2026-01, the Guidelines on Data Scraping of Publicly Available Personal Data. The advisory clarifies that the scraping of publicly available personal data remains fully subject to the Data Privacy Act of 2012 (DPA) — expressly rejecting the view that public availability equates to consent. Baker McKenzie, in its legal analysis published May 8, 2026, confirmed that data scraping, particularly when automated, large-scale, or commercially driven, is a regulated form of personal data processing under Philippine law.
For Filipino professionals — whether running businesses that use AI, managing marketing campaigns that profile customers, or building platforms that host user data — the NPC data privacy advisory 2026 creates new compliance obligations that cannot be ignored. This article explains what the advisory requires, who it affects, and what to do now.
The Core Rule: Public Does Not Mean Free to Use
The fundamental principle of the NPC data privacy advisory 2026 is simple but powerful: just because personal data is publicly available online does not mean it can be scraped, collected, or processed without compliance with the Data Privacy Act.
| Common Misconception | NPC Advisory Reality | What This Means |
|---|---|---|
| “If data is public, anyone can use it” | Public availability does not equal consent | Scraping public data still requires lawful basis |
| “Scraping is not regulated” | Data scraping is regulated personal data processing | Automated, large-scale scraping is fully subject to DPA |
| “We didn’t collect it, we just bought it” | Purchasing scraped data carries the same obligations | Organizations using scraped data must comply |
| “AI training is exempt” | AI training using scraped data is regulated | AI systems trained on personal data need compliance |
| “It’s just social media data” | Social media data is personal data under DPA | Scraping social media requires lawful basis |
This rule directly affects the AI automation push in Philippine businesses. AI systems that are trained on scraped personal data — names, photos, social media profiles, contact information — must comply with the NPC advisory. The deepfake threat, which uses scraped audio and video to clone voices and faces, demonstrates why unregulated data scraping is dangerous.
The Five Obligations: What NPC Advisory 2026-01 Requires
The NPC data privacy advisory 2026 codifies five specific obligations for organizations that scrape publicly available personal data. These obligations apply to Personal Information Controllers (PICs) and Personal Information Processors (PIPs) alike.
1. Declared and Demonstrable Lawful Basis
Every data scraping activity must be supported by a valid lawful basis under the Data Privacy Act. The NPC recognizes several lawful bases including: legitimate interest (Section 12(f) of the DPA), contractual necessity, legal obligation, vital interests, and — in limited cases — consent. Organizations must declare which basis they rely on and be able to demonstrate it. Public availability is not a lawful basis.
2. Necessity and Proportionality Assessment
Organizations must document that scraping is necessary to achieve the stated purpose and that less-intrusive means would not satisfy that purpose. This means you cannot scrape everything available when a narrower, more targeted approach would work. The assessment must be documented — not just assumed.
3. Heightened Scrutiny for Sensitive Data and Vulnerable Subjects
The NPC data privacy advisory 2026 imposes additional protections for sensitive personal information (health, sexual life, religion, political affiliation, offenses) and for vulnerable categories of data subjects — including minors, the elderly, and persons with disabilities. Scraping data about these groups requires stricter standards and may be subject to NPC review.
4. Disclosure to Data Subjects
Organizations must disclose to data subjects — including third parties whose data is incidentally processed — what is being collected, why, how it is processed, and what rights they have. This is particularly challenging for scraped data, where the organization may have no direct relationship with the data subject. The advisory requires disclosure nonetheless.
5. Operational Channels for Data Subject Rights
Organizations must maintain operational channels for the right to object, the right to be informed, and the right to erasure — even where the controller has no prior relationship with the data subject. This means a person whose data was scraped must be able to contact the organization, object to the processing, and request erasure, and the organization must respond.
Who Is Affected: The Scope of NPC Advisory 2026-01
The NPC data privacy advisory 2026 applies broadly. The NPC data privacy advisory 2026 scope is wider than many organizations realize. Baker McKenzie’s analysis confirms it affects organizations that “collect, use, purchase, or host publicly available personal data, including for analytics, artificial intelligence, marketing, profiling, and/or platform operations.”
| Organization Type | How They’re Affected | Key Compliance Action |
|---|---|---|
| AI companies | AI training data often includes scraped personal data | Document lawful basis for training data |
| Marketing firms | Scraping social media for customer profiling | Conduct PIA; implement right to object |
| OSINT platforms | Querying public endpoints for identity verification | Declare lawful basis; zero-retention architecture |
| Recruitment agencies | Scraping LinkedIn and job boards for candidate data | Necessity assessment; disclosure to candidates |
| Fintech companies | Scraping financial data for credit scoring | Heightened scrutiny; PIA required |
| Platform operators | Hosting publicly accessible personal data | Enhanced transparency and security obligations |
| Research organizations | Academic research using scraped public data | Declare research lawful basis; ethics review |
| BPO companies | Processing client data that may include scraped sources | Vendor compliance; client data governance |
The BPO industry — which handles sensitive data for global clients — must pay particular attention. If a BPO processes scraped data on behalf of a client, both the client (as PIC) and the BPO (as PIP) have obligations under the NPC data privacy advisory 2026.
Privacy Impact Assessments: The New Requirement
The most operationally significant requirement of the NPC data privacy advisory 2026 is the mandate for PIAs. The NPC data privacy advisory 2026 makes PIAs non-negotiable. is the mandate for Privacy Impact Assessments (PIAs) for data scraping activities. A PIA is a systematic assessment of how personal data is processed, what risks the processing poses to data subjects, and what measures are in place to mitigate those risks.
| PIA Component | What to Document | Why It Matters |
|---|---|---|
| Purpose description | Why the scraping is necessary | Must justify the processing |
| Lawful basis | Which DPA basis applies | Must be declared and demonstrable |
| Data scope | What data is being scraped | Must show proportionality |
| Necessity assessment | Why less-intrusive means won’t work | Must prove scraping is the minimum necessary |
| Risk assessment | What risks scraping poses to data subjects | Must identify and rate risks |
| Mitigation measures | How identified risks are addressed | Must be operational, not theoretical |
| Third-party processors | Who else handles the scraped data | PIAs must cover processor activities |
PIAs must be conducted before scraping begins, updated when scraping activities change, and made available to the NPC upon request. Organizations that scrape without a PIA are in non-compliance — and the NPC has stated that non-compliance may result in civil, criminal, or administrative liability.
The AI Connection: Why NPC Advisory 2026-01 Matters for AI Development
The NPC data privacy advisory 2026 has direct implications for AI development in the Philippines. AI systems — particularly large language models and computer vision systems — are often trained on scraped data from the internet. The NPC advisory makes clear that this training data, when it includes personal data, must comply with the DPA.
This creates a tension. The Microsoft Philippines AI agenda, the AI automation push, and the broader PAIIM 2033 infrastructure plan all depend on AI development. But AI development often relies on scraped data. The NPC data privacy advisory 2026 means Philippine AI developers must ensure their training data complies with the DPA — or face liability.
| AI Use Case | Data Privacy Risk | NPC Compliance Action |
|---|---|---|
| Training LLMs on web data | Personal data in training sets | PIA; lawful basis; data minimization |
| Fine-tuning on social media | Scraped user profiles and posts | Lawful basis; right to object channel |
| Face recognition systems | Scraped facial images | Heightened scrutiny; sensitive data rules |
| Voice cloning technology | Scraped audio from social media | Connects to deepfake threat |
| AI-powered profiling | Scraped behavioral and demographic data | Proportionality assessment required |
The Liability: What Happens If You Don’t Comply
The NPC data privacy advisory 2026 is not a recommendation — it is a regulatory issuance backed by the enforcement powers of the Data Privacy Act. Non-compliance can trigger three types of liability.
| Liability Type | What It Covers | Potential Consequences |
|---|---|---|
| Administrative | NPC enforcement actions, penalties, compliance orders | Fines up to ₱5 million; cease and desist orders; public censure |
| Civil | Lawsuits by data subjects for damages | Compensation for damages; injunctive relief |
| Criminal | Criminal prosecution for unauthorized processing | Imprisonment of 1-6 years; fines of ₱500,000 to ₱5 million |
The Philippine cyber threat landscape — with 1.3 million breached accounts and 266 data breach incidents in 2025 — shows that data privacy enforcement is no longer theoretical. The NPC has been issuing over 100 advisory opinions, and the NPC data privacy advisory 2026 signals that enforcement is escalating.
What Filipino Organizations Must Do Now
1. Audit Your Data Scraping Activities
Identify every activity in your organization that involves scraping, collecting, purchasing, or processing publicly available personal data. If you don’t know what you’re scraping, you can’t comply. Document every source, every purpose, and every use case.
2. Conduct Privacy Impact Assessments
For every data scraping activity identified, conduct a PIA covering purpose, lawful basis, data scope, necessity, risks, and mitigation. The NPC framework provides PIA templates. If you need help, consult a Data Protection Officer (DPO) or privacy lawyer.
3. Declare Your Lawful Basis
For each scraping activity, determine and document which lawful basis under the DPA applies. If you cannot identify a lawful basis, stop the scraping until you can. Public availability is not a lawful basis.
4. Implement Data Subject Rights Channels
Create operational channels — email, web form, phone — through which data subjects can exercise their rights to object, be informed, and request erasure. These channels must work even for people who have no relationship with your organization. Appoint a Data Protection Officer to handle these requests.
5. Review AI Training Data
If your organization develops or uses AI systems, review the training data for personal data. Ensure that scraped training data complies with the NPC advisory. If it doesn’t, either obtain lawful basis, anonymize the data, or remove the personal data from the training set.
6. Update Vendor Contracts
If third-party vendors scrape data on your behalf, update contracts to require NPC advisory compliance. Include breach notification clauses, PIA requirements, and audit rights. The 100% supply chain breach rate means vendor compliance is your compliance.
The Regional Context: Philippines in ASEAN Privacy Regulation
| Country | Privacy Regulation | Key Feature |
|---|---|---|
| Philippines | DPA 2012 + NPC Advisory 2026-01 | First ASEAN country with comprehensive data scraping rules |
| Singapore | PDPA with amendments | Mature privacy regime; scraping regulated |
| Malaysia | PDPA (amended 2024) | Growing enforcement; data scraping addressed |
| Indonesia | PDP Law (2022) | Data sovereignty focus; scraping regulated |
| Thailand | PDPA (2022) | Privacy framework in enforcement phase |
| Vietnam | PDPD (decree 2023) | AI Law includes privacy provisions |
The Philippines, with NPC Advisory 2026-01, is among the first ASEAN countries to issue specific guidelines on data scraping. This positions the Philippines as a regional leader in data privacy regulation — but also means Philippine organizations face compliance requirements that some ASEAN peers have not yet implemented.
The Deeper Question: Can the Philippines Regulate Data Without Stifling AI?
The NPC data privacy advisory 2026 represents a balancing act that every digital economy faces: protecting personal data without stifling innovation. The advisory does not prohibit data scraping — it requires that scraping be done lawfully, transparently, and with accountability. This is the right approach.
But the tension is real. The AI talent gap and the cybersecurity crisis show that Philippine organizations already struggle to implement existing regulations. Adding data scraping compliance requirements — PIAs, lawful basis documentation, data subject rights channels — adds to the compliance burden.
The Boomi-Omdia study found 87% of Philippine organizations report unmanaged shadow integrations. If organizations cannot manage their integrations, can they manage their data scraping? The ransomware threat and the government cyberattacks show that security maturity is low. Can privacy maturity be higher?
The NPC has taken the right step by issuing clear guidelines. The next step is enforcement — and whether Philippine organizations treat the advisory as a compliance checklist or as a framework for responsible data governance. The organizations that do the latter will be the ones that build trust with customers, regulators, and partners in the AI economy. The organizations that ignore it will face the liability that the NPC has now made clear is real.
FAQ: NPC Data Privacy Advisory 2026
What is NPC Advisory No. 2026-01?
NPC Advisory No. 2026-01, issued on April 13, 2026, is the National Privacy Commission’s guidelines on data scraping of publicly available personal data. It clarifies that scraping publicly available personal data is fully subject to the Data Privacy Act of 2012 and that public availability does not equate to consent.
Does NPC Advisory 2026-01 prohibit data scraping?
No. The advisory does not prohibit scraping of publicly available personal data. It requires that scraping be done lawfully, with a declared lawful basis, proportionality assessment, disclosure to data subjects, and operational channels for data subject rights. Organizations must be deliberate, accountable, and transparent about their scraping activities.
Who is affected by the NPC data scraping advisory?
The advisory affects any organization that collects, uses, purchases, or hosts publicly available personal data — including for analytics, AI training, marketing, profiling, and platform operations. This includes AI companies, marketing firms, OSINT platforms, recruitment agencies, fintech companies, BPO companies, and research organizations.
What are the five obligations under NPC Advisory 2026-01?
The five obligations are: (1) declared and demonstrable lawful basis, (2) necessity and proportionality assessment, (3) heightened scrutiny for sensitive data and vulnerable subjects, (4) disclosure to data subjects including third parties, and (5) operational channels for the right to object, be informed, and request erasure.
What is a Privacy Impact Assessment (PIA) and when is it required?
A PIA is a systematic assessment of how personal data is processed, what risks it poses, and what mitigation measures exist. Under NPC Advisory 2026-01, PIAs are required for all data scraping activities, including scraping conducted by third-party processors. PIAs must be documented and available for NPC review.
Can AI companies train models on scraped public data under the advisory?
Yes, but AI training using scraped personal data must comply with the DPA. AI companies must declare a lawful basis, conduct a PIA, ensure proportionality, and provide data subject rights channels. Training data containing personal data is subject to the same obligations as any other scraped data.
What liability do organizations face for non-compliant data scraping?
Non-compliance may result in administrative liability (fines up to ₱5 million, cease and desist orders, public censure), civil liability (lawsuits for damages), and criminal liability (imprisonment of 1-6 years, fines of ₱500,000 to ₱5 million) under the Data Privacy Act and related NPC issuances.
Does public availability of data mean consent to scrape?
No. NPC Advisory 2026-01 expressly rejects the view that public availability equates to consent. Just because personal data is accessible online does not mean it can be scraped, collected, or processed without a valid lawful basis under the Data Privacy Act.
What should Filipino organizations do to comply with the NPC advisory?
Audit data scraping activities, conduct Privacy Impact Assessments, declare lawful basis for each activity, implement data subject rights channels, review AI training data for personal data, update vendor contracts to require NPC compliance, and appoint a Data Protection Officer.
How does the NPC advisory compare to other ASEAN privacy regulations?
The Philippines is among the first ASEAN countries to issue specific guidelines on data scraping. Singapore, Malaysia, Indonesia, Thailand, and Vietnam all have privacy regulations, but the NPC advisory places the Philippines as a regional leader in data scraping-specific guidance — meaning Philippine organizations face compliance requirements that some ASEAN peers have not yet implemented.
This article is based on NPC Advisory No. 2026-01, Baker McKenzie legal analysis (May 2026), DivinaLaw analysis, OSINT.PH compliance documentation, and the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations. Legal information in this article is for informational purposes only and does not constitute legal advice. Consult a licensed Philippine attorney or Data Protection Officer for compliance guidance specific to your organization.




