When Anti-Scam Design Meets Free Expression Law
The Philippines built its SIM Registration Act (Republic Act No. 11934, signed October 10, 2022) with an anti-fraud mandate. The argument was straightforward: text scams had metastasised across a mobile subscriber base of roughly 168 million SIMs, telcos had no reliable mechanism to identify perpetrators, and anonymity was the scammer's primary operational asset. By requiring every SIM card to be registered against a valid government-issued ID before activation, the National Telecommunications Commission (NTC) could pierce that veil.
The outcomes were measurable. Approximately 113.9 million SIMs were registered by the July 2023 enforcement deadline — 67.83% of cards in circulation — while 54 million unregistered SIMs were deactivated. Since 2022, telcos have blocked 3.12 million fraudulent SIM cards and 3.34 billion scam messages. These are genuine anti-fraud results. They justify the core registration rationale.
The problem lies in what the database became once it was built. Under the law's Implementing Rules and Regulations (NTC Memorandum Circular No. 001-12-2022), law enforcement agencies may access SIM subscriber records — full names, addresses, government ID details — upon a court order or subpoena. That access pathway is not limited to fraud investigations. It is available for the full range of criminal proceedings, including prosecutions under Republic Act No. 10175, the Cybercrime Prevention Act of 2012, which criminalises online defamation with penalties one degree higher than traditional libel — up to twelve years' imprisonment.
The Scale of Cyberlibel Enforcement
The data on cyberlibel enforcement makes the structural stakes concrete. According to the Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center, online libel was the top recorded cybercrime in the Philippines in 2025 — ranking above illegal access, identity theft, and fraud. Philippine authorities recorded 8,987 cybercrime incidents in 2025, a 38% decline from 14,529 in 2024, but cyberlibel held its position atop the classification list across the cumulative period from March 2013 to October 2025 — 87,595 cases in total.
The human cost is not abstract. In April 2025, Cagayan Province Governor Manuel Mamba received a four-to-six-year sentence for cyberlibel over comments made during an online radio programme in 2020. Nobel Peace Prize laureate Maria Ressa continues to appeal a 2020 criminal cyberlibel conviction that carries up to six years and nine months in prison. Between July 2022 and April 2024, eight journalists faced libel or cyberlibel charges under the Marcos administration. The Philippine Supreme Court upheld cyberlibel's constitutionality in Disini v. Secretary of Justice (2014), with the majority reasoning that digital propagation amplifies harm in ways that distinguish it from traditional defamation.
To steelman the existing framework: online defamation does cause concrete harm at a scale and speed that civil remedies may struggle to address. Coordinated harassment campaigns with real-world consequences — lost employment, physical threats, community ostracism — present harms distinct from a printed correction in a regional newspaper. The Disini majority was not wrong that reach matters. States have a legitimate interest in calibrating deterrence to medium.
The structural consequence of combining criminal cyberlibel with mandatory SIM registration is nonetheless severe. There is now no reliably anonymous pathway for online speech made via a registered Philippine mobile number. Any comment posted through a registered SIM can, via subpoena, be traced to a verified real identity with a government ID on file. Civil society groups including the Computer Professionals' Union have characterised the SIM registration system as a de facto surveillance infrastructure — regardless of its original anti-fraud intent.
The NPC's 2026 Policy Agenda
The National Privacy Commission has been active in 2026 in ways directly relevant to this tension. In May 2026, the NPC issued Advisory No. 2026-01, clarifying that personal data scraped from publicly available online sources remains fully regulated under the Data Privacy Act of 2012 (Republic Act No. 10173) — explicitly rejecting the argument that public accessibility is equivalent to consent for data processing. The advisory signals an NPC prepared to assert the DPA's reach even where operational convenience pushes in the opposite direction.
On June 25, 2026, the NPC held a public consultation on draft Guidelines on the Processing of Personal Data for the Availment of Statutory, Government-Mandated, and Other Special Privileges — a framework aimed at streamlining identity verification while constraining unnecessary or excessive data collection. While the immediate scope is government-services identity checks, the underlying principle — that statutory authorisation is necessary but not sufficient for data processing, and that proportionality governs each access decision — applies with equal force to law enforcement subpoenas for SIM registration data in cyberlibel proceedings.
The NPC has not yet issued specific guidance circumscribing how SIM subscriber records may be used in cyberlibel investigations. That gap is significant. Without an explicit NPC advisory requiring courts to apply necessity and proportionality tests before ordering telco disclosure in speech-related cases, the data pipeline between the SIM registration database and cyberlibel prosecution remains without dedicated regulatory guardrails.
The Reform Path
Three Senate bills in the 20th Congress — Senate Bill No. 250 (Sen. Erwin Tulfo), Senate Bill No. 476 (Sen. Jinggoy Estrada), and Senate Bill No. 810 (Sen. Loren Legarda) — would decriminalise libel and cyberlibel, replacing imprisonment with civil liability. The Commission on Human Rights of the Philippines has endorsed this direction, characterising criminal defamation penalties as incompatible with international free expression standards.
Decriminalisation is the correct structural fix. Civil remedies — damages, injunctions, retractions — hold speakers accountable without the chilling effect of criminal prosecution, and without triggering the subpoena pathway into the SIM registration database. When a cyberlibel complaint automatically justifies a subscriber data request, deterrence against defamation and deterrence against legitimate criticism become indistinguishable in practice.
The NTC's March 2025 proposal to require mandatory in-person biometric registration for SIM cards — aimed at closing loopholes exploited through synthetic government IDs — would, if enacted, tighten this architecture further. A more reliable biometric link between identity and device is simultaneously a more reliable evidentiary trail for speech prosecutions.
A proportionate framework has three components: passage of the pending decriminalisation bills; an explicit NPC advisory imposing necessity and proportionality tests before courts order SIM subscriber data disclosure in speech-related proceedings; and a public-interest assessment of the proposed in-person registration rule that weighs its anti-fraud benefits against its implications for the cyberlibel evidence pipeline. The Philippines' experience is a precise case study for every government that treats SIM registration as a purely technical anti-fraud measure: the database that stops today's SMS scammer is the witness for tomorrow's cyberlibel prosecution.