This country-specific Q&A provides an overview of TMT laws and regulations applicable in the Philippines.
Is there a single regulatory regime that governs software?
There is currently no single regulatory regime that specifically governs software. Several laws regulate the different aspects of the software industry, such as the Data Privacy Act of 2012 (“DPA”), Cybercrime Prevention Act (“CPA”), Electronic Commerce Act, Consumer Protection Act, and the Intellectual Property Code of the Philippines (“IP Code”).
How are proprietary rights in software and associated materials protected?
Under Philippine Law, intellectual properties are protected under the IP Code. Depending on the material or work, an asset may be considered as a copyright, patent, or trademark. Software may be protected under a copyright or patent.
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
Under the IP Code, the person who commissions the work shall own the patent (and consequently the proprietary rights), unless otherwise agreed upon by the customer and the developer or consultant. If the invention was made in the course of the developer/consultant’s employment, the following rules shall apply:
The patent shall belong to the employee if the inventive activity is not a part of his regular duties even if the employee uses the time, facilities, and materials of the employer.
The patent shall belong to the employer if the invention is the result of the performance of his regularly assigned duties unless there is an express or implied agreement saying otherwise.
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
There are currently no specific laws that govern the harm and liability caused by software and computer systems. However, the provisions of the Consumer Act of the Philippines (“Consumer Act”) apply to protect consumers from the hazards of goods and services released in the market. Under the Consumer Act, a seller or supplier may be liable for deceptive products. The DPA also applies if the software is used to collect or process personal information and data breaches occur.
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
The CPA governs the misuse of software and computer systems. It punishes several acts committed in cyberspace, such as illegal access of a computer system, system interference, illegal interception, computer-related forgery, computer-related fraud, and computer-related identity theft. It also penalizes misuse of devices, such as the use of a computer program designed to commit any of the offenses aforementioned.
The E-Commerce Act also penalizes hacking, piracy, and violations of the Consumer Act or other relevant laws when such act is committed through the use of electronic data messages or electronic documents or used to facilitate e-commerce transactions.
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
Other than the Consumer Act and E-Commerce Act as indicated above, there are currently no specific technology laws that govern the provision of software between a vendor and customer. Software agreements would generally be covered by the contractual stipulations of the parties. However, software vendors may be required to comply with certain standards and requirements depending on the nature and intended use of the software.
Cloud First Policy
The DICT’s Departmental Circular No. 2017-002 provided for the Philippine government’s Cloud First Policy (the “Cloud First Policy”). Under the Cloud First Policy, government departments and agencies are mandated to utilize cloud computing solutions as a primary part of their infrastructure planning and procurement. Government agencies are recommended to select the appropriate cloud deployment model according to the agency’s specific needs and the type of data it handles.
Through the Cloud First Policy, the Philippine government aims to eliminate the duplication of hardware and systems and fragmentation of databases and promote the use of cloud computing technology to reduce costs, increase employee productivity, and develop excellent online services for Philippine citizens.
Policy on Cloud Computing for Financial Institutions
The Bangko Sentral ng Pilipinas (“BSP”) issued BSP Circular No. 808, which pertains to guidelines on information technology risk management for all banks and other BSP-supervised institutions. Under BSP Circular No. 808, a financial institution is required to consult the BSP before making any significant commitment to cloud computing. The BSP only allows the use of public cloud computing models for non-core operations and business processes that do not directly involve sensitive data.
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
There are currently no market-standard financial liability caps as regards software transactions. Liability caps are generally determined by the agreement of the parties.
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
There are currently no set standards regarding excluded liability from any financial cap in the Philippines. Exclusions, if any, would be negotiated by the parties.
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used?
It is not common in the Philippines to hold in escrow the software source codes for the benefit of the software licensee.
Are there any export controls that apply to software transactions?
There are currently no export controls in the Philippines that apply to software transactions. However, if the software transaction involves the transfer of intellectual property rights, it may be classified as a technology transfer which must be registered with the Bureau of Trademarks. The registration thereof operates as a notice to third parties, including foreign parties, that the subject of the Technology Transfer Arrangement is protected by the Trademark laws of the Philippines.
Software transactions are also covered by the Strategic Management Trade Act, which provides that the export of strategic and military goods or goods of high military importance (e.g., software) is prohibited or is subject to specific conditions (i.e., exporter must be registered, and the export of the goods must be authorized by the Strategic Trade Management Office of the DTI).
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
There are currently no specific technology laws that govern IT outsourcing transactions. IT outsourcing transactions are generally governed by the contractual stipulations of the parties. However, some IT service providers may be required to comply with certain standards and requirements for regulated industries, such as banking and insurance.
For example, the BSP has issued specific guidelines for BSP-Supervised Financial Institutions (“BSFIs”), such as banks and non-bank financial institutions that outsource certain services to third parties.
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
Outsourcing of IT services does not necessarily involve the transfer of employees, assets, or third-party contracts, except if there is a contractual arrangement to that effect. Outsourcing of services does not automatically terminate the employment relationship. The employee who performs the services that will be transferred to a third-party IT outsourcing provider is still protected by Philippine labor laws. Thus, even if the services performed by an employee are outsourced to a third party, employees cannot be terminated unless there are just or authorized causes. Just causes for termination include serious misconduct, wilful disobedience, or gross and habitual neglect of duties, while authorized causes include redundancy, installation of labor-saving devices, or cessation of operation of the establishment.
In terminating the services of an employee, the employer is required to comply with both substantive due process (i.e., the cause for dismissal must be allowed under law) and procedural due process. Likewise, if the employee will be terminated due to an authorized cause, the employee must be paid separation pay.
Which body(ies), if any, is/are responsible for the regulation of telecommunications networks and/or services?
The NTC is the primary governmental agency tasked with implementing the Public Telecommunications Policy Act (“PTPA”), which regulates communications networks and services.
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
The main law that regulates communications networks and services in the Philippines is the PTPA. In particular, the PTPA governs the development of telecommunications and the delivery of public telecommunications services in the country.
The Public Service Act, as amended (“PSA”) also regulates the provision of public service in the Philippines and considers the provision of telecommunications as a public service.
The Policy Guidelines on the Co-Location and Sharing of Passive Telecommunications Tower Infrastructure for Macro Cell Sites (the “PTTI Policy”) also governs the co-location and sharing of Passive Telecommunications Tower Infrastructures by Independent Tower Companies (“ITCs”) and Mobile Network Operators (“MNOs”). It aims to promote the accessibility and development of reliable information and communications technology throughout the country.
Telecommunications networks are also undoubtedly involved in the processing of personal data, and as such, are covered by the Data Privacy Act of 2012 (“DPA”).
There are also several pending bills before the House of Representatives, which include 1) House Bill No. 8098, otherwise known as the “Telecommunications Coverage Data Disclosure Act” which requires all PTEs, including internet service providers (“ISPs”), operating in the Philippines to disclose and publish, on an annual basis, their coverage data; and 2) House Bill No. 8221, otherwise known as the “Better Internet Act”, which requires PTEs and ISPs to provide their subscribers with a minimum download speed for paid internet services.
Which body(ies), if any, is/are responsible for data protection regulation?
The National Privacy Commission is the primary body responsible for administering and implementing the provisions of the DPA and monitoring and ensuring compliance with international standards set for data protection.
Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.
The DPA governs the protection and processing of personal data in the Philippines. The DPA protects personal data in three (3) ways:
First, there must be a lawful basis to use or process personal data. Before any entity may be able to collect or use personal data, the data subject must either give express consent or there must be some legal obligation to the information that is going to be used.
Second, entities that maintain personal data have certain obligations, such as confidentiality and integrity of such data. Such entities are required to have appropriate and reasonable measures to prevent data breaches or possible loss of data. They are also required to notify data subjects in case there is any data breach.
Lastly, data subjects have certain rights with respect to their personal data, such as the right to access and erasure of their personal data, and the right to damages for any violation of their rights.
Any person that violates the provisions of the DPA may be held liable for monetary penalties and imprisonment.
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
The maximum fine for a breach of the DPA is PhP5 million for a combination or series of violations of the DPA. For a single act, the maximum penalty of PhP4 million may be imposed for the unauthorized use or processing of sensitive personal information such as the race, criminal history, sexual life, or government-issued identifiers of a data subject.
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
Technology contracts may refer to external data protection regimes, even when the contract has no clear international element. The parties are free to stipulate the applicability of other external data protection regimes if they deem it essential or necessary for the transaction. However, it is not a common practice.
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
The Philippine legal system does not have a legal framework that specifically regulates artificial intelligence (“AI”). However, there are several bills pending in Congress aiming to increase research on AI and its potential in helping improve Filipinos’ lives.
Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
The Philippines does not have any principal law governing the deployment and use of AI. However, House Bill No. 7396 or the proposed “Act Promoting the Development and Regulation of AI in the Philippines” was recently filed in the House of Representatives seeking the creation of the Artificial Intelligence Development Authority (“AIDA”). The AIDA will have the general mandate and power to oversee the development and deployment of AI technologies, ensure compliance with AI ethics, principles, and guidelines, and protect the rights and welfare of individuals and communities affected by AI technologies.
While there are no specific laws currently governing this matter, the general doctrines of contract, civil and tort laws still cover liabilities for stipulated obligations and negligence. AI software is also a copyrightable and patentable work protected by intellectual property laws.
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
Currently, there are no present or impending legal provisions in respect of the deployment and use of Large Language Models and/or generative AI.
Which body(ies), if any, is/are responsible for the regulation of blockchain and / or digital assets generally?
The BSP and the SEC primarily regulate blockchain and digital assets. Particularly, the BSP regulates virtual asset services providers (“VASP”)—entities that offer services or engage in activities that provide facilities for the transfer or exchange of digital assets. On the other hand, the SEC has jurisdiction over the issuance, distribution, sale, or offer for sale of virtual/digital assets in the Philippines, which may be considered securities.
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
Blockchains
There are currently no laws that govern and regulate blockchains specifically. The blockchain technology itself, however, may be governed by the IP Code as the technology may be considered patentable and its codes copyrightable. Its use as a ledger to facilitate transactions and transfer of data may be governed by the DPA and civil code provisions and, depending on its content, by Philippine criminal laws.
Meanwhile, House Bill No. 0658, otherwise known as “An Act Establishing the Basic Regulatory Framework for Blockchain Technology in the Philippines” was filed before the House of Representatives on 01 July 2022. House Bill No. 0658 sought to (i) identify the permitted and restricted use of blockchain technology; (ii) encourage the use of blockchain in the broader economy and the technology in human development programs; and (iii) establish the BSP as the regulatory and policymaking body for the use of blockchain in the financial sector.
Digital Assets
Presently, the Philippines does not have a dedicated framework dealing with the issuance, offer, distribution, or sale of digital assets and tokens. Previously, the SEC issued draft rules for an initial coin offering (“ICO”) in 2018 and draft rules for a digital asset exchange (“DAE”) in 2019. However, these regulations have not yet been finalized and published, and are therefore not yet in force.
The proposed ICO rules primarily govern the conduct of ICOs. On the other hand, the proposed DAE rules primarily govern the registration and operation of an exchange where digital assets are traded, if the online platform is accessible in or from the Philippines.
While there is no specific law dedicated solely to digital assets, the Securities Regulation Code (“SRC”), which is the primary law governing securities and investments in the Philippines, may be deemed to apply to certain types of digital assets that may be deemed as securities and, therefore, subject to certain requirements prior to their sale or offering to the public.
Are blockchain based assets such as cryptocurrency or NFTs considered “property” capable of recovery (and other remedies) if misappropriated?
Neither the Supreme Court of the Philippines nor any other government entities have released any issuances on whether cryptocurrencies and non-fungible tokens (“NFT”) are considered as “property” capable of recovery if misappropriated. There are currently no specific laws or regulations related to the recovery of blockchain-based assets. However, the general doctrines on properties or ownership and the civil and criminal liabilities provided under Philippine law may apply.
Which body(ies), if any, is/are responsible for the regulation of search engines and marketplaces?
Under the Joint Administrative Order No. 22-01, Series of 2022 (“JAO No. 22-01”), the DTI, NPC, Department of Health (“DOH”), Department of Agriculture (“DA”), and the Intellectual Property Office of the Philippines (“IPOPHL”) are jointly responsible for regulating all e-commerce transactions, including those transacted through e-marketplaces. They are enjoined to coordinate and assist in the enforcement of the provisions of JAO No. 22-01, which is intended to protect consumers against deceptive, unfair, and unconscionable sales acts and prices in the e-commerce platform.
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
Businesses conducted through search engines and e-marketplaces are governed by the PNS 2155 and JAO No. 22-01.
The PNS 2155 was issued by the DTI as a national standard guideline for online retailers and e-marketplaces. It provides guidelines for pre-purchase, purchase, and post-purchase activities as well as provisions for customer support and merchant verification.
JAO No. 22-01 was issued to provide guidelines in e-commerce transactions for online businesses and online consumers. Under JAO No. 22-01, all online businesses must comply with the rules on warranty under the Civil Code and rules on warranty, labeling, and defective products and services under the Consumer Act.
Which body(ies), if any, is/are responsible for the regulation of social media?
There is currently no specific government entity that is solely dedicated to the regulation of social media in the Philippines. However, several government agencies have oversight in addressing various aspects related to social media and online content, such as the NPC, which ensures the protection of personal data and has jurisdiction over privacy-related issues concerning social media platforms, and the Cybercrime Investigation and Coordinating Center, which is in charge of cybercrime prevention and enforcement.
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
Although the Philippines has consistently ranked among the top countries in the world in terms of social media use, there is no specific law therein that regulates social media platforms. However, such platform providers, along with their users, are still subject to several related laws, such as the DPA and the CPA, and may be penalized in case of violation.
What are your top 3 predictions for significant developments in technology law in the next 3 years?
Laws regulating Artificial Intelligence
Considering that AI has become a powerful tool used by individuals for analyzing and computing large amounts of data, there may be several pieces of legislation in the future that intend to regulate AI and its use. Notably, there are already a number of bills pending in the Philippine Congress aiming to increase research on AI to identify its potential uses in helping improve Filipinos’ lives and prevent its abuse.
Tightening the regulations on digital assets and crypto exchanges
With the collapse of FTX last year, countries with crypto-friendly laws and regulations may be under pressure to tighten these laws and regulations. Digital assets may be treated similarly to “property” or “securities”, which will require strict regulation and oversight. Tightening regulations would ensure that consumers, especially non-sophisticated consumers, are protected from the dangers of crypto trading and false crypto advertising.
Stronger Antitrust and Competition Regulation of Digital Marketplaces
Due to the lockdowns imposed in 2020, consumers were forced to rely on digital marketplaces. While buying through digital marketplaces offered convenience, antitrust issues emerged because of the market control and dominance of existing digital marketplaces. Laws related to the regulation of the digital marketplace and online platforms may be developed in the next few years to address competition concerns and abuse of dominant position by existing players in the industry.
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Technology contracts in the Philippines do not typically include provisions to address sustainability, net-zero obligations, or similar environmental commitments. Environmental commitments are usually undertaken by way of corporate sustainability commitments in compliance with the Environmental, Social, and Governance criteria and the Code of Corporate Governance.