The Philippines is quietly becoming one of Southeast Asia's most interesting connected-vehicle markets. Tesla opened direct sales in Manila in 2024, BYD has overtaken several incumbents to become the country's top-selling electric brand, and Chinese brands like GAC Aion, Chery and Geely's Zeekr are arriving with Advanced Driver Assistance Systems (ADAS) that record the road, the cabin and the driver in real time. What none of these vehicles arrive with is a Philippine-specific rulebook for the data they generate.
For the moment, that data — granular GPS traces, accelerometer logs, in-cabin camera footage, voice recordings, biometric driver-monitoring signals — is governed almost entirely by the Data Privacy Act of 2012 (Republic Act 10173) and the case-by-case advisory opinions of the National Privacy Commission (NPC). RA 10173 is a competent general-purpose privacy statute, modelled loosely on the pre-GDPR EU Directive. It was not, however, drafted with a vehicle in mind that can stream a 4K cabin feed back to a manufacturer in Shenzhen or Austin every few seconds.
A regulatory gap, flagged from within
The clearest articulation of the problem has come from Philippine-born technologist Dr. Jean Linis-Dinco, recently profiled in the Electronic Frontier Foundation's Speaking Freely series. Linis-Dinco's broader work focuses on how data-extractive technologies land in jurisdictions whose legal frameworks were not designed for them — and connected vehicles are a textbook example. A Tesla, BYD Seal or Zeekr 001 sold in Quezon City is, functionally, a rolling sensor platform that exports data to servers the NPC has no practical ability to inspect.
That is not, in itself, a reason to panic. It is a reason to write a proportionate, narrowly tailored rule before the absence of one becomes the rule.
What ASEAN neighbours are already doing
The Philippines is not operating in a vacuum. Across ASEAN, the connected-vehicle policy stack is filling in:
- Singapore has run autonomous-vehicle trials under the Road Traffic (Autonomous Motor Vehicles) Rules since 2017 and recently moved to a permanent licensing regime, with the Personal Data Protection Commission issuing sector-specific advisory guidelines on in-vehicle data.
- Thailand has folded connected-vehicle data into the implementing regulations of its 2019 Personal Data Protection Act and is piloting AV corridors in the Eastern Economic Corridor.
- Malaysia, having amended its Personal Data Protection Act in 2024, is consulting on a National Mobility Data Policy.
- Indonesia's 2022 Personal Data Protection Law explicitly contemplates biometric and location data flowing from IoT devices.
The risk for Manila is not that it will be left behind on standards — it is that it will inherit defaults written elsewhere. Whichever ASEAN jurisdiction writes the first detailed connected-car rulebook will shape what manufacturers ship across the region, in much the same way California has shaped US vehicle emissions.
What a sensible Philippine framework would look like
A proportionate framework — one that does not chill the very EV adoption the Department of Energy is trying to accelerate under the Electric Vehicle Industry Development Act (RA 11697) — would do four things, and resist the temptation to do more.
First, classify the data. Telematics needed for vehicle safety (crash logs, ADAS telemetry) is different from cabin video, which is different from biometric driver-monitoring data. A single "personal information" bucket under RA 10173 collapses important distinctions. The NPC could begin with a Circular distinguishing safety-critical, service-related and inferred data categories.
Second, require minimisation and on-device processing by default. A great deal of ADAS functionality — lane-keep, automatic emergency braking, driver drowsiness detection — does not require any data to leave the vehicle. Where data must leave, it should leave in aggregated or anonymised form unless the driver has affirmatively opted in.
Third, set narrow rules for law enforcement access. The Philippine National Police and the Land Transportation Office will, sooner or later, want warrantless access to vehicle location logs. A connected-vehicle framework written before that fight begins is far easier to keep proportionate than one written after.
Fourth, avoid data-localisation mandates. A blunt requirement that all vehicle data stay on Philippine soil would raise costs, fragment global vehicle software, and — as critics of similar proposals elsewhere have noted — does little to actually improve user privacy. Adequacy-style cross-border transfer rules, modelled on the NPC's existing approach, are sufficient.
The free-speech angle people are missing
It is worth saying plainly: connected-vehicle data is, increasingly, speech data. In-cabin microphones capture conversations. Navigation logs reveal who attended which protest, which clinic, which place of worship. A country whose journalists have spent two decades fighting libel suits and surveillance overreach has a particular interest in making sure its cars are not turned into mobile informants — whether by manufacturers monetising the data, or by a future administration subpoenaing it.
The proportionate path
The Philippines does not need to copy the EU's forthcoming Data Act vehicle provisions wholesale, or California's Connected Vehicle Privacy regulations, or China's GB-standard data classification regime. It needs a short, technology-neutral NPC Circular that sets clear defaults for minimisation, transparency, driver control and law-enforcement access — and lets manufacturers compete on privacy as a product feature rather than a compliance afterthought.
Done well, that is exactly the kind of light-touch, evidence-based regulation that lets a market grow. Done badly, or not done at all, it leaves Filipino drivers with the worst of both worlds: cars that watch them, under a law that was written before the cars knew how.