, ,

Public Doesn’t Mean Free For All: What NPC Advisory No. 2026-01 Means for Your Data Practices

Written by

·

If your compliance mental model still runs on “if it’s public, it’s fair game,” the National Privacy Commission would like a word.

On 13 April 2026, the NPC issued Advisory No. 2026-01, its Guidelines on Data Scraping of Publicly Available Personal Data. It is a short document with an outsized message: publicly accessible personal data has never been outside the reach of the Data Privacy Act of 2012, and the Commission is done letting that ambiguity slide.

For anyone building or buying AI systems, running analytics on customer or prospect data, or simply operating a platform where users post profiles or content, this Advisory is not background reading. It is a checklist.

The core clarification

The Advisory’s central move is definitional, not novel. It confirms that data scraping, defined broadly as the automated or manual extraction of personal data from websites, applications, or other online sources, constitutes processing under the DPA regardless of whether the source is publicly viewable. Text, images, audio, video, and user profile data are all captured.

The Commission is explicit that public availability does not equate to consent, and it does not authorise use beyond what a data subject would reasonably have contemplated when the information was made public. A LinkedIn bio being visible to anyone who searches your name is not an invitation to fold that data into a marketing database, a facial recognition model, or an AI training set without an independent lawful basis.

This closes a loophole that a fair number of organisations, including several AI vendors, have been operating under quite comfortably.

Who this actually reaches

Two categories of entity are squarely in scope, and the second one catches people off guard.

Scrapers. Personal Information Controllers and Personal Information Processors who actively extract personal data from online sources must establish a lawful basis under Sections 12 or 13 of the DPA, conduct and maintain Privacy Impact Assessments for the activity, and ensure the data collected is adequate, relevant, and proportionate to a specific, legitimate purpose. Processing for purposes beyond what was originally declared requires either a fresh lawful basis, adequate notice to affected data subjects, or both.

Hosts. If your platform, app, or website makes personal data publicly viewable, whether that is a directory, a forum, a review section, or user profiles, you now have affirmative obligations too. The Advisory expects hosts to inform users that their data may be subject to scraping, disclose what categories of data are exposed, provide a mechanism for objection, and implement technical safeguards such as rate limiting and bot detection to deter unauthorised extraction.

In other words, this is not solely a rulebook for the scraper. It is also a rulebook for the scraped-from.

The categories drawing heightened scrutiny

A few practices are singled out for closer regulatory attention:

  • Sensitive personal information (health, sexual life, religious affiliation, political opinions, offences, and the like) is generally off-limits for scraping absent strict statutory conditions, even if it happens to be technically public.
  • Data belonging to minors and elderly individuals receives heightened scrutiny regardless of the purpose.
  • Large-scale scraping, profiling, data enrichment, and data aggregation, precisely the activities that power most commercial AI training pipelines and adtech stacks, attract closer regulatory attention than a one-off, narrowly scoped extraction would.

What counts as unauthorised

The Advisory flags specific conduct as exposing an organisation to civil, criminal, and administrative liability: bypassing a website’s technical safeguards, using deceptive means to obtain data, or scraping in violation of a platform’s terms of service. Accountability stays with the PIC even where a third-party PIP is doing the actual scraping on its behalf, so outsourcing the technical work does not outsource the legal exposure. Contracts with scraping vendors need to explicitly prohibit unauthorised scraping and build in adequate data privacy and security terms, not just service levels.

Downstream misuse is also called out directly. Scraped data cannot be used in a manner that facilitates doxxing, identity fraud, or unauthorised surveillance, and organisations processing scraped data are expected to build in mechanisms to detect and limit bias or discriminatory treatment arising from its use or interpretation.

The AI angle nobody’s blog post is spelling out yet

Most of the commentary on this Advisory so far treats it as a general-purpose data scraping update. That undersells it.

Read alongside NPC Advisory No. 2024-04, the Guidelines on the Application of the DPA to AI Systems Processing Personal Data, Advisory 2026-01 effectively extends the Commission’s AI governance framework backward into the data acquisition stage. Most conversations about AI compliance in the Philippines focus on the output side: transparency to end users, automated decision-making disclosures, bias mitigation in the model itself. This Advisory says the Commission is equally interested in where your training data came from in the first place.

If you are in-house counsel, a founder, or a vendor manager evaluating an AI tool, foundation model, or data enrichment provider, the questions to be asking right now are:

  1. Did the vendor’s training data acquisition process rely on scraping personal data, and if so, what lawful basis did they document?
  2. Was a PIA conducted for that scraping activity, and can it be produced on request?
  3. Does the vendor’s contract with you address downstream liability if their data sourcing turns out to be non-compliant?
  4. If you host any public-facing personal data yourself, from employee directories to customer testimonials, have you updated your privacy notice and implemented basic anti-scraping safeguards?

These are no longer theoretical questions. They are the kind of thing a regulator, a plaintiff’s counsel, or a diligence team in an M&A transaction is now entitled to ask, and expect a straight answer to.

The bottom line

The NPC has drawn a clear line: scale, automation, and commercial intent turn what feels like passive observation of public information into active, regulated processing. Organisations that treat public data as a compliance-free zone, whether they are scraping it, buying it, or simply hosting it, are now operating on borrowed time.

If your organisation touches AI training pipelines, analytics, marketing databases, or any platform with user-generated public content, this is the moment to run a scraping and hosting audit, not wait for an NPC inquiry to prompt one.


This article is for general informational purposes only and does not constitute legal advice. For guidance specific to your organisation’s data processing activities, consult qualified counsel.

Related materials

National Privacy Commission, NPC Advisory No 2026-01, Guidelines on Data Scraping of Publicly Available Personal Data (13 April 2026) https://privacy.gov.ph/wp-content/uploads/2026/04/SGD_A_1.pdf

National Privacy Commission, ‘Advisories & Circulars’ https://privacy.gov.ph/pips-and-pics/advisories-circulars/

Baker McKenzie, ‘Philippines: NPC Tightens Rules on Data Scraping’ (Insight, 2026) https://www.bakermckenzie.com/en/insight/publications/2026/05/philippines-npc-tightens-rules-on-data-scraping

Quisumbing Torres, ‘Guidelines on Scraping Publicly Available Personal Data Issued by NPC’ (2026) https://www.quisumbingtorres.com/en/alerts/2026/05/guidelines-scraping-publicly-available-personal-data-npc

NewsBytes.PH, ‘NPC issues guidelines on scraping of publicly available personal data’ (28 April 2026) https://newsbytes.ph/2026/04/28/npc-issues-guidelines-on-scraping-of-publicly-available-personal-data/

DivinaLaw, ‘DivinaLaw Legal Watch: NPC Advisory No 2026-01’ (2026) https://www.divinalaw.com/wp-content/uploads/2026/05/NPC-01-NPC-Advisory-No.-2026-01.pdf

Fediverse Reactions