On April 13, 2026, the Philippines' National Privacy Commission issued NPC Advisory No. 2026-01, settling a question that has lingered since the platform era began: does posting personal data in public strip it of legal protection? The Commission's answer is an emphatic no. Scraping publicly available personal data, the advisory holds, remains fully subject to the Data Privacy Act of 2012 (Republic Act No. 10173). Public visibility is not consent, organizations must establish an independent lawful basis, conduct Privacy Impact Assessments (PIAs), and — per the Commission — large-scale, automated, or commercial scraping can attract administrative, civil, and criminal liability.
The regulator has a real point
It would be easy to caricature this as bureaucrats not understanding the open web. It isn't. The strongest case for the advisory is concrete: a name on a public LinkedIn page or a voter roll was disclosed for one purpose, and bulk re-collection into a searchable dossier creates harms the data subject never agreed to — doxxing, fraud, stalking, discriminatory profiling, and the training of models that regurgitate personal details. As Baker McKenzie's analysis of the advisory notes, the NPC explicitly rejects the idea that "public availability does not constitute consent" and extends compliance duties to the hosts of public data too, who must now warn users their data may be scraped and offer mechanisms to object (Baker McKenzie). The principle that purpose limitation survives publication is defensible and broadly consistent with how the EU and other regulators treat scraping.
The teeth are criminal, and that changes the calculus
Where the advisory becomes harder to defend is in what it attaches to. The Data Privacy Act is not a civil-fines statute like the GDPR. Its penalty chapter is criminal. The full text of RA 10173 sets imprisonment of one to three years and fines of ₱500,000 to ₱2,000,000 for unauthorized processing of personal information, rising to three to six years and up to ₱4,000,000 for sensitive personal information — with penalties escalating when at least 100 individuals' data is affected (RA 10173, Chapter VIII). Any meaningful scraping operation clears the 100-person threshold in its first second.
The advisory layers this criminal exposure onto a definition of "unauthorized" that is doing a great deal of work. Section 12 of the Act lists six lawful bases — consent, contract, legal obligation, vital interests, national emergency, and legitimate interests — but the advisory's posture treats legitimate interests as something to be proven defensively, after a PIA, rather than a workable default. For a journalist scraping a corruption suspect's public asset filings, a researcher mapping disinformation networks, a security firm cataloguing leaked credentials, or a startup building a price-comparison index, the message is that good-faith collection now begins under the shadow of a prison term.
A pattern, not an isolated rule
The advisory does not arrive in a vacuum. The Philippines has been steadily assembling a stack of legal instruments that govern who may speak, connect, and collect online. The SIM Registration Act (RA 11934), signed October 10, 2022, requires every mobile subscriber to register identity documents against their number; by July 2023, roughly 113.97 million SIMs — about 67.83% of active subscriptions — had been registered (SIM Registration Act overview). Security researchers warned at the time that a centralized identity-to-number database is a surveillance vector and a breach magnet, and a black market in pre-registered SIMs duly emerged.
Atop that sits criminal cyberlibel. In Disini v. Secretary of Justice (G.R. No. 203335), decided February 18, 2014, the Supreme Court upheld the constitutionality of online libel under the Cybercrime Prevention Act of 2012, declining to decriminalize it even as it struck down aiding-and-abetting liability and the criminalization of likes and shares (Disini v. Secretary of Justice). The conviction of journalist Maria Ressa showed how that survives in practice.
Seen together, identity is mandatory to get online, speech carries criminal risk, and now the collection of public information carries criminal risk too. Each measure is individually justifiable; cumulatively they describe an environment where the legal downside of digital activity falls hardest on the people scrutinizing power — journalists, researchers, watchdogs — rather than on the bad actors the rules invoke.
Proportionate would look different
None of this argues for a scraping free-for-all. The harm the NPC names is real, and a privacy regulator that ignored industrial-scale data harvesting would be failing. The objection is to the instrument. Three adjustments would keep the protection while removing the chilling effect.
- Enforce on harm, not collection. The wrong is fraud, profiling, and re-identification — the downstream uses — not the act of reading a public page. Penalties should track demonstrated harm.
- Codify safe harbors. Journalism, academic research, statistical analysis, and security testing need bright-line legitimate-interest protection, not case-by-case mercy after a PIA.
- Decriminalize the default. Civil and administrative remedies, not imprisonment, should be the front line. Prison belongs to deliberate, malicious data theft — not to a researcher who guessed wrong about a lawful basis.
The NPC has correctly diagnosed that public does not mean unprotected. The risk is that, in a jurisdiction already heavy with criminal digital liability, the cure narrows the open internet for exactly the people who use it to hold institutions accountable.