NPC Advisory No. 2026-01 on Data Scraping of Publicly Available Personal Data
In response to the growing tension between artificial intelligence development and individual privacy rights, the National Privacy Commission (NPC) has moved to formalize the rules of the digital road. On 13 April 2026, the NPC issued Advisory No. 2026-01, establishing comprehensive guidelines for the extraction and processing of publicly available personal data through Data Scraping. In line with this, the NPC emphasizes that the protections of Republic Act No. 10173 (Data Privacy Act of 2012) apply even to data that is readily accessible to the public. This landmark regulatory framework emphasizes that personal information, whether found on a social media profile, a government directory, or a professional networking site, retains its legal protection. By balancing the needs of technological innovation with the sanctity of personal privacy, the NPC ensures that “publicly available” does not equate to “unprotected.”
The Advisory serves a dual purpose: providing operational guidelines for entities performing scraping (Personal Information Controllers or PICs) and establishing protective obligations for organizations that host scrapable data. Furthermore, by setting these boundaries, the Philippines aligns itself with global standards like the EU’s General Data Protection Regulation (GDPR), signaling that it is a safe and regulated environment for ethical digital growth.
Under Section 2 of Advisory No. 2026-01, “Data Scraping” refers to the automated or manual process of extracting publicly available personal data, including text, images, audio and video recordings, and user profiles, from websites, applications, or other online sources. This includes using scraping tools or technologies to access websites through HTTP requests, parsing the HTML content of webpages, identifying and extracting specific data elements (e.g., text, images), structuring the data to remove irrelevant information, and storing it in a structured format (e.g., databases or JSON files) for further analysis or use.
Additionally, large-scale scraping refers to the persistent and high-volume automated extraction of public personal data. Unlike occasional or small-scale data collection, this uses constant, high-speed requests to pull information from thousands of webpages at once. For purposes of determining whether scraping is considered large-scale, the following factors may be considered:
1. The number of data subjects affected
2. The volume of data or the range of data items extracted
3. The duration or permanence of the data scraping activity, and
4. The geographical extent of the data scraping activity.
Mandatory Requirements for Lawful Data Scraping
Data scraping is not prohibited per se but must adhere to strict requirements under the DPA:
- Legitimate Purpose: PICs must define a specific, lawful purpose that is not contrary to law, morals, public policy, or public order, and such processing shall not be used for purposes that are unrelated or not reasonably expected by data subjects.
- Lawful Basis: Public availability does not equal consent. PICs must establish a valid legal basis under Section 12 or 13 of the DPA for both extraction and further disclosure.
- Transparency: Data subjects must be informed via privacy notices or consent forms before processing or at the next practical opportunity.
- Proportionality: Scraping must be limited to data that is adequate, relevant, and necessary for the declared purpose.
- Privacy Impact Assessment (PIA): PICs must conduct a PIA to evaluate the nature, scope, and risks to the rights and freedom of data subjects, as well as the adoption of measures to mitigate or address such risks.
Entities that host publicly available personal data (e.g., social media sites, applications or other online platforms) must implement safeguards to protect their users:
- Hosts must inform users if their data is subject to scraping, which categories are accessible, and whether third-party scraping is permitted under the terms of service.
- Platforms must provide ways for data subjects to object to or terminate the scraping of their data.
- Hosts are encouraged to use bot-detection patterns, rate limiting, IP blocking, and CAPTCHAs to mitigate unauthorized scraping.
Unauthorized Practices and Liability
Scraping is deemed unauthorized if it violates the DPA, NPC issuances, or the specific terms of service of a website. Crucially, bypassing technical measures or using deceptive design patterns to obtain data is strictly prohibited. PICs remain fully accountable for scraping activities, even when performed by third-party processors (PIPs). Such arrangements must be governed by contracts that explicitly prohibit the circumvention of security measures. Additionally, scraped data must be subject to clear retention and disposal policies, ensuring data is destroyed once the purpose is fulfilled.
Unauthorized data scraping may result in criminal, civil, and administrative liability. Furthermore, PICs cannot use scraped data for harmful activities such as doxxing, identity fraud, unauthorized surveillance, or the collection of login credentials.
This guide provides a general overview of the above transactions at the time of writing only and is not intended to be comprehensive legal advice. This should also not be taken as an opinion on the topic. For more details and information, you may coordinate with any GVES Law Partner regarding the matter.
Atty. Jiana Mae S. Robles is an Associate at GVES Law.

