The National Privacy Commission and AI: who regulates data?: a clear, fact-based explanation for Philippine businesses, with osFoundry as the example and dgm as an independent partner.

dgm is an independent osFoundry implementation partner — not affiliated with osFoundry’s developer (the company OS LLC), and it has not yet completed any client integrations.

The National Privacy Commission (NPC) is the Philippines’ data-protection regulator — the authority for any processing of personal data through AI and cloud services.

The NPC’s role

The NPC enforces the Data Privacy Act of 2012 and its IRR. It can issue compliance and enforcement orders, cease-and-desist orders and bans on processing, and it sets registration requirements for Data Protection Officers and Data Processing Systems. Administrative fines (NPC Circular 2022-01) run to a percentage of annual gross income for grave or major infractions, capped at PHP 5 million per act. In December 2024 the NPC issued Advisory 2024-04 on the application of the DPA to AI.

What it means for your business

For any processing of personal data through AI and cloud services the NPC is the relevant authority: establish a lawful basis, register your DPO and data processing systems where required, declare any profiling or automated decision-making, and carry out a privacy impact assessment where needed.

Keeping data in the Philippines

osFoundry pins the data region to the United States, the EU or Japan, runs models locally on your own hardware, and supports self-hosting (BYO Cloud) on a cloud account you control. There is no dedicated managed Philippines region inside osFoundry, and — importantly — no hyperscaler operates a generally available full cloud region inside the Philippines as of 2026: Amazon Web Services runs a Local Zone in Manila (an extension of its Singapore region, not a full region), while Microsoft Azure and Google Cloud serve the country from Singapore. The honest implication is straightforward. The Data Privacy Act of 2012 does not impose a general private-sector data-localization requirement; cross-border transfer runs on an accountability model, so a deployment in the nearest Singapore region can be compliant provided your business stays accountable for the data. Where you need strict in-country control, the honest path is self-hosting on infrastructure you run in the Philippines, or running open-weight models locally (local-first). One further point worth weighing: data held by a United States-headquartered provider can fall within the reach of the US CLOUD Act regardless of where it physically sits, so pinning to a US provider’s Singapore region does not by itself remove US legal jurisdiction — a reason some businesses prefer EU or self-hosted open-weight options. Always confirm the current position with the National Privacy Commission or qualified counsel.

Important note

This article is general information and is not legal, tax or grant advice. Tax incentives, grants, rules and rates change, and only the relevant authorities (among them the National Privacy Commission, the Bureau of Internal Revenue, PEZA, the Board of Investments, the Bangko Sentral ng Pilipinas and the SEC) decide eligibility and awards. dgm is not a registered business enterprise, accredited incentive provider or intermediary. Always confirm the current terms with the official source or a qualified tax or legal adviser.

How dgm helps

dgm is an independent implementation partner that helps businesses in the Philippines adopt osFoundry — from identifying the first practical use case, through building it, to connecting AI to the systems you already use. dgm works independently of osFoundry’s developer (the company OS LLC) and has not yet completed any client integrations; everything above is therefore a description of the service offered, not a delivered result. If you would like to look at a sensible first step, dgm is happy to think it through with you. Arrange a no-obligation conversation with dgm.