NPC Data Scraping Compliance Now Has Regional Enforcement Behind It

What It Means

  • Data scraping compliance in the Philippines now operates inside a cross-border enforcement architecture after the NPC signed a bilateral cooperation agreement with Hong Kong’s privacy regulator at the 65th Asia Pacific Privacy Authorities Forum on June 16, 2026.
  • NPC Advisory No. 2026-01, issued April 13, 2026, eliminates the “publicly available data is unregulated” assumption that AI training, fintech scoring, and ad-tech audience-building operations relied on.
  • Philippine companies scraping public data without a documented lawful basis, a conducted Privacy Impact Assessment, and a declared processing purpose are already in non-compliance. No grace period was announced.
  • The accountability chain under Advisory 2026-01 follows the data, not the corporate structure: outsourcing scraping to a third-party processor does not transfer liability to that processor.
  • Organizations that host publicly available personal data from Philippine users now carry affirmative obligations, including bot detection measures and transparency notices, not just organizations that collect it.

NPC Data Scraping Compliance Starts With a Rule Most Operators Missed

Philippine operators building data pipelines on scraped public content have operated for years on an informal assumption: if the data is publicly posted, it is publicly available for use. The National Privacy Commission’s Advisory No. 2026-01, issued April 13, 2026, formally rejects that position. Data scraping compliance under the DPA now requires a documented lawful basis, a conducted Privacy Impact Assessment, notification to data subjects, and active documentation. The NPC states plainly that public availability does not constitute consent and that scraping, at any scale, is a regulated form of personal data processing.

This would have been a significant domestic development on its own. What happened at the 65th Asia Pacific Privacy Authorities Forum on June 16-17 in Hong Kong changed the enforcement calculus entirely.

data scraping compliance

The APPA Bilateral Changed the Enforcement Reach

The NPC presented Advisory 2026-01 to regional regulators at the forum’s jurisdictional reporting session. On the same occasion, the NPC signed an Affirmation of Cooperation with the Office of the Privacy Commissioner for Personal Data of Hong Kong. Korea and Singapore signed similar agreements simultaneously.

These agreements establish mechanisms for sharing enforcement intelligence across borders, coordinating on investigations involving cross-border data flows, and aligning regulatory postures on AI-driven data collection. The NPC can now receive information from Singapore, Korea, and Hong Kong about data processing practices involving Philippine personal data, and can share its own enforcement information with those authorities.

The practical consequence: a data scraping compliance violation that surfaces through a complaint filed in Hong Kong or through a Singapore enforcement inquiry is no longer contained to that jurisdiction. It can reach the NPC. The reverse is equally true.

Philippine companies that treated NPC enforcement as low-probability on the basis that the regulator was domestically scoped and historically slow are now operating under a different enforcement architecture. Data scraping compliance obligations that were once checked against a single regulator now carry cross-border exposure.

The Actor Classes That Should Treat This as Immediate

Three categories of Philippine-operating businesses face the most direct exposure under the combined force of Advisory 2026-01 and the bilateral cooperation agreement.

AI model developers and data labeling companies that train on scraped public content from social platforms, news sites, or professional networks are now required to document a lawful basis for each scraping activity, conduct PIAs, and impose those same obligations on any third-party processor doing the scraping on their behalf. The advisory explicitly states that accountability remains with the organization even when the actual scraping is outsourced. Data scraping compliance cannot be delegated to a vendor. For AI companies that rely on third-party data brokers or offshore labeling vendors, this closes a gap that many had not recognized as a gap.

Fintech credit scoring platforms using public social media signals, e-commerce behavioral data, or aggregated professional profile information to construct borrower risk models carry a specific additional risk. The advisory prohibits using scraped data for purposes beyond those originally declared. A scraping activity conducted for one stated purpose cannot simply be repurposed for credit assessment without a fresh lawful basis analysis and updated documentation. Many scoring models in the Philippine fintech space are built on exactly this kind of repurposed public data aggregation.

Recruitment and HR platforms that source candidate profiles by aggregating publicly available information from LinkedIn, GitHub, or similar platforms are inside the advisory’s scope. The aggregation itself, at scale, triggers the PIA requirement regardless of whether the individual data points were publicly posted. Data scraping compliance for this category means documenting purpose, limiting retention, and maintaining evidence of a lawful basis for every collection run.

The Obligation That Most Operators Have Not Read

The least-discussed provision of Advisory 2026-01 is Section 6’s accountability clause as applied to platform operators that host public data. The advisory imposes obligations not just on organizations that scrape but on organizations whose platforms host publicly available personal data that may be scraped by third parties.

Under this provision, a Philippine e-commerce marketplace, a professional networking platform operating in the Philippines, or a government agency maintaining a public records database must implement bot detection mechanisms, rate limiting, and clear notices informing users that their posted data may be subject to scraping. These are not advisory recommendations. They are affirmative compliance obligations.

This is new. Before Advisory 2026-01, hosting publicly available data carried no specific data scraping compliance duties. Now it does.

Data Scraping Compliance Has a Regional Enforcement Dimension Now

The NPC presenting Advisory 2026-01 at the APPA Forum was not ceremonial. Regional regulators now know the rules, how the NPC defines lawful basis for scraping, and what the accountability chain looks like under Philippine data protection law. That shared regulatory knowledge is the precondition for coordinated enforcement.

Data scraping compliance in the Philippines is no longer a single-regulator question. The advisory sets the domestic rules. The bilateral cooperation sets the enforcement reach. Organizations operating cross-border data pipelines that touch Philippine personal data are dealing with a regulator that is no longer working alone. Both are already in effect, and neither came with a transition period.


Track more regulatory shifts that affect your business in Policy & Regulation section of Hemos PH.

Must Read

cambodia rice imports
Cambodia Rice Imports Surge as Philippine Harvest Prices Hit Bottom
Q3 Borrow FI
PH Government Borrowing for Q3 Raises Price of Private Credit
PEMEDES licensing
DICT's PEMEDES Licensing Gate Closes on Small Couriers
nuclear power auction
Nuclear Power Auction Sets First Delivery at 2038
Scroll to Top