Presently, there are no Philippine laws or regulations that specifically govern the metaverse. However, given its all-encompassing scope as a virtual reality platform providing an alternative digital meeting and collaboration space – its application can be widely adopted in gaming, social media, workspace collaboration/virtual offices, health tech, e-commerce, payments, and many more areas. In this regard, existing regulations applicable to these verticals or industries will apply to their counterpart metaverse applications insofar as they carry out said regulated activities.
Key applicable laws and regulations for the metaverse, as can be seen through market trends and industry practice in the Philippines, are as follows.
Data Privacy and Cybersecurity
Data processing activities of metaverse platforms, if involving Philippine citizens or residents, will be subject of the Philippine Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC). In order to meet the expectations of an augmented reality, metaverse platforms are expected to collect more sensitive personal information from data subjects (ie, biometrics, racial profile, medical data, and government records). Additionally, metaverse platforms that offer collaborative digital spaces (ie, for virtual office space, and entertainment events) also heavily process commercial and proprietary data. The volume and scale of metaverse platform’s data processing activities corresponds to richer data assets that create heightened risks for cyber-attacks.
As such, metaverse platforms and their data controllers are expected to implement rigorous cybersecurity standards (ie, in conformity with ISO/IEC 27001 and ISO/IEC 27002) on top of the general continuing compliance requirements of Philippine data privacy laws and regulations.
Intellectual Property
Metaverse projects in the Philippines have largely been offshoots or pivoted concepts of decentralised ledger technology (DLT) projects that involve Non-Fungible Tokens (NFTs) and gaming platforms. Creators of NFTs in metaverse ecosystems may avail of IP protection under the Philippine Intellectual Property Code (ie, trade mark and copyright). In 2022, the Philippine Intellectual Property office (IPOPHL), through its Bureau of Copyright and Related Rights (BCRR), signed a memorandum of understanding with metaverse platform Stardust Digital Private Ltd that enabled IPOPHL and Stardust to collaborate and promote the development, protection, commercialisation and internationalisation of original Philippine-registered IP products and services and creative content through the Stardust metaverse. Additionally, the IPOPHL collaborates with the European Union Intellectual Property Office (EUIPO) for capacity building and knowledge sharing activities relating to metaverse, Al and cybersecurity.
For existing IP or brand owners, enforcement of IP rights that are subject of potential infringement in metaverse platforms can be availed of through existing dispute settlement mechanisms of the IPOPHL. While ownership and provenance of digital assets in the metaverse can be traced through DLT, it is still highly recommended to secure traditional IP registrations for metaverse content creators and brand owners through IP registration procedures with the IPOPHL.
E-Commerce and Payments
Further enabling digital transactions, the metaverse presents a unique opportunity to venture into new forms of digital assets (ie, virtual land and establishments) as well as other forms of digital goods (ie, avatars, digital wearables, and digital art). This naturally created the need to implement e-commerce and payment solutions within metaverse platforms – many of which were implemented using virtual assets. In any event, payment solutions must still bridge cash (fiat) to digital assets (for top-up/withdrawal purposes) for such metaverse participants.
In the Philippines, the conversion of fiat to virtual assets (and vice versa) generally requires a Virtual Asset Service Provider (VASP) licence while payment solutions that enable fund transfers (whether in fiat or virtual assets) will require an Operator of Payment Systems (OPS) registration – both from the Philippine Central Bank or the Bangko Sentral ng Pilipinas (BSP). A VASP licence can only be availed of by an onshore entity – however, BSP Memorandum No M-2022-035 implemented a moratorium on VASP licences (subject to certain exceptions) until September 2025 (subject to the confirmation of the BSP Monetary Board). Meanwhile, offshore entities can avail of OPS registration and the same is presently not subject of any existing moratorium.
Metaverse and AI
Metaverse projects have also developed to account for the rapid rise and application of Generative AI. These projects heavily blend the legal and regulatory frameworks pertaining to data privacy and cybersecurity as well as Intellectual Property protection and enforcement. See 4. Artificial Intelligence for further discussion on this topic.
The Philippine digital economy is heavily-enabled by various laws and regulations chiefly from the BSP, the Securities and Exchange Commission (SEC), the Insurance Commission (IC), and the Department of Information and Communications Technology (DICT). The authors will discuss these regulator-led digital economy verticals in turn.
Bangko Sentral ng Pilipinas
The BSP highlights the role of digital payments as the key to unlocking the Philippine digital economy. In this regard, the BSP has its Digital Payments Transformation Roadmap aimed at strengthening customer preference for digital payments and enabling more innovative and responsive digital financial services. Its three pillars are as follows.
As can be seen, BSP regulations heavily support the Philippines’ push towards a digital economy by enabling digital payments and various innovative financial solutions. Adoption, however, is stifled due to the country’s lack of accessible IT infrastructure in rural areas which creates limited data connectivity and renders digital payment solutions unreliable or unappealing for both local businesses and consumers. The National ID System – while heavily promoted by the government and by BSP regulations as the means of complying with financial institution’s minimum KYC verification document – lacks significant traction due to limited public knowledge and challenges in administrative capacity causing delays in the issuance of the PhilSys ID.
Securities and Exchange Commission
The SEC is the primary regulator of corporate entities in the Philippines. It also embraced the role of enabling and supporting Philippine fintech through the PhiliFintech Innovation Office (Innovation Office). In addition, it also regulates the following fintech verticals/activities relevant to the Philippine digital economy.
Private stakeholders (both new and incumbent) eagerly await the finalisation of several draft regulatory frameworks of the SEC, specifically: the Guidelines on Online Lending Platforms; the SEC Regulatory Sandbox Framework; and the Rules on Digital Asset Securities Service Providers. These incoming regulatory frameworks are seen as a welcome addition to existing Philippine regulations to augment the Securities Regulation Code (SRC) – seen as the backbone of the SEC’s regulatory scope and powers – which can be seen as inflexible and archaic, particularly on accommodating the salient features of innovative products and services existing in the market and which cannot be fully captured nor regulated by existing regulatory frameworks such as that of the SRC.
Insurance Commission
The IC allows for the electronic commerce of insurance products (through Insurance Circular Letter No 047-14). Moreover, driven by the demands of the pandemic, the IC has issued various regulatory sandbox framework that enables the digitalisation of the insurance industry through innovative products and services, specifically:
Through Insurance Memorandum Circular No 2023-01, the IC has also created its own Implementing Rules and Regulations of the FCPA.
In comparison with other tech hub jurisdictions like Singapore and the US, insurance products and services in the Philippines still heavily rely on traditional agency/brokering models which is ripe for disruption through innovative InsurTech platforms/services that will easily and efficiently scale and democratise access to insurance products.
Department of Trade and Industry
The newly-enacted Internet Transactions Act (Republic Act 11967) grants DICT and the DTI Secretary broad powers to regulate e-commerce transactions within e-marketplaces and other digital platforms. This law is largely propelled by the exponential growth of e-commerce activities in the Philippines which necessitated the creation of an E-Commerce Bureau, the codification of the rights, obligations, and liabilities of parties in internet transactions, as well as the remedies of online consumers, among others. As of date of writing, the DTI is developing its own Implementing Rules and Regulations on the Internet Transactions Act.
While a welcome addition to the country’s suite of consumer protection laws, beginning with the Consumer Act of the Philippines, the implementation of the Internet Transactions Act with respect to offshore-based e-marketplaces and digital platforms remains to be seen as to the effectiveness of enforcement and ensuring consumer protection vis-à-vis the obligations of such offshore-based entities.
Department of Information and Communications Technology
The DICT spearheads the Philippine government’s efforts to improve the country’s IT infrastructure through projects such as the “Broadband ng Masa”, which aims to boost Wi-Fi connectivity in the Philippines. Additionally, the DICT also regulates Private Express and/or Messengerial Delivery Service (PEMEDES), which enables logistics operators to deliver physical goods/products – a critical backbone for country’s booming e-commerce industry. Notably, the PEMEDES regulations is in need of updating given that its enabling regulation (DOTC Circular 2001-01) was issued at a time when delivery of physical goods where contemplated to be within postal services function then under Department of Transportation and Communications (the now-defunct predecessor of the DICT).
At present, no Philippine laws or regulations directly regulate the use of cloud and edge computing in the Philippines. As such, this business activity heavily relies on international industry practices (with Amazon Web Services, Google Cloud Platform, and Alibaba Cloud being the key cloud providers in the Philippines).
Nevertheless, aside from data privacy laws and regulations, industry-specific regulations also apply to cloud providers.
Data Privacy Laws and Regulations
Cloud providers are generally considered Personal Information Processors (PIP) – which handle data processing activities (ie, data storage) under the instruction of Personal Information Controllers (PIP). As such, cloud providers must comply with the Data Privacy Act of 2012 (Republic Act No 10173), its Implementing Rules and Regulations, and the issuances of the NPC. As PIPs, they should also enter into corresponding Data Outsourcing Agreements with PICs.
Moreover, in relation to the government’s “Cloud First Policy” (as discussed below), the NPC also recognises the following industry standards when determining the adequacy of cloud providers:
The DICT’s Cloud First Policy
The DICT’s Cloud First Policy is the main controlling regulation concerning the Philippine government agencies’ use of cloud computing for their IT infrastructure. Cloud service providers should take care to acquire the necessary accreditations the DICT requires and inventory government data they process to ensure the handling of such data is in accord with the standard of treatment prescribed for certain classes of sensitive government data.
BSP’s Regulations on IT Risk Management
Banks and other financial institutions under the BSP are required to do risk assessments and establish risk management frameworks when outsourcing data processing tasks to cloud service providers. At a minimum, the financial institution must be aware of where the cloud service provider will process the data it provides and whether the jurisdiction where the data processing takes place upholds data sovereignty laws. Further, the service contract between the financial institution and the cloud service provider should contain certain stipulations required by the BSP to ensure the financial institution always has the power to control its data.
There are currently no Philippine laws or regulations that specifically govern the development and deployment of artificial intelligence (AI), like the EU AI Act. Certain laws and regulations though touch on some aspects of AI development and deployment. These laws and regulations focus on the protection of fundamental rights and property rights that may be affected by AI.
Data Privacy and Artificial Intelligence
The Data Privacy Act, its Implementing Rules and Regulations, and the NPC’s regulatory issuances are the most pressing and relevant considerations for organisations building and using AI tools. AI development often requires huge amounts of data, which are aggregated into datasets, and some of the data used may fall within the coverage of the Data Privacy Act.
AI developers must be mindful of the laws and regulations concerning the processing of personal information when creating datasets used to train AI tools. On the other hand, organisations using AI to process personal information, such as the use of AI in hiring, should register their AI systems with the NPC and inform persons interacting with their AI tools that they may be affected by decisions or predictions made by the AI.
Intellectual Property Rights and Artificial Intelligence
Various issues related to intellectual property rights surround artificial intelligence. Questions on ownership of AI-generated works, the legality of the unconsented use of intellectual property to train AI, security of intellectual property used to train AI, and more are yet to be settled. It is up to AI developers and users to implement policies to ensure appropriate use of AI, risk mitigation, and record keeping.
Laws and regulations applicable to IT systems are generally applicable as well to IT networks and systems utilising Internet of Things (IoT). These laws and regulations concerning IT systems prescribe standards for cybersecurity and risk management and are generally reserved to industries that handle sensitive matters, such as personal information controllers, financial institutions, and those involved with national security.
The Data Privacy Act, its Implementing Rules and Regulations, and the NPC’s regulatory issuances should be considered when an IoT network is involved in the processing of personal information, especially health-related personal information. The law and its implementing rules require that reasonable and appropriate organisational, physical, and technical measures are implemented to ensure personal information sent and processed through the IoT is not compromised. IoT systems may also be considered a data processing system that may need to be registered with the National Privacy Commission under certain circumstances. When an IoT network is compromised and personal information is affected as a result, the proper data breach reports should be made to the National Privacy Commission.
For financial and government institutions utilising IoT as a part of their IT systems, risk assessments must be done to ensure IoT systems do not pose a degree of risk that the institution deems unacceptable. The BSP requires financial institutions to abide by IT risk management guidelines that may involve assessing and auditing IoT systems. Appropriate controls must also be implemented to ensure external IoT systems, which may compromise cybersecurity, are regulated, or not introduced altogether into the institution’s IT infrastructure.
Mass Media Activities
Media services in the Philippines fall under the general category of “mass media” which refers to the print medium of communication, which includes all newspapers, periodicals, magazines, journals, and publications and all advertising therein, and billboards, neon signs and the like, and the broadcast medium of communication, which includes radio and television broadcasting in all their aspects and all other cinematographic or radio promotions and advertising.
Eligibility
With respect to traditional audio-visual media services such as television and radio, applicants are generally subject to the following requirements.
Regulation on Video-Sharing Platform Services
As of date, there are no laws or regulations in place which particularly regulate video-sharing platform services available on the internet. However, mass media laws and regulations may apply to video sharing platforms and services whose activities fall within the regulatory interpretation of what constitutes as “mass media activities”. In this regard, SEC Opinion No 18-21 provides certain guidelines in determining whether or not an entity is engaged in mass media activities.
Thus, findings of a video-sharing platform services which are contrary to the above guidelines of SEC Opinion No 18-21 run the risk of being classified as engaged in mass media activities, subject to the above-mentioned limitations.
The Public Telecommunications Policy Act and the Amended Public Service Act define “telecommunications” as any process which enables a telecommunications entity to relay and receive voice, data, electronic messages, written or printed matter, fixed or moving pictures, words, music or visible or audible signals or any control signals of any design and for any purpose by wire, radio or other electromagnetic, spectral, optical or technological means. This definition excludes passive telecommunications tower infrastructure and components, such as cables and towers, and value-added services, which are services offered by entities relying on the transmission, switching, and local distribution facilities of telecommunications entities.
In general, Public Telecommunication Entities (PTEs), which refers to any person, firm, partnership or corporation, government or private, engaged in the provision of telecommunications services to the public for compensation, shall comply with the following requirements:
Furthermore, regulatory agencies, such as the NTC require the registration of certain technologies or services, regardless of whether such technology or service needs a franchise to operate. For instance, Voice over Internet Protocol (VoIP) service providers and value-added service providers are required to obtain a certificate of registration from the NTC even though they are not required to obtain a Congressional franchise.
Technology agreements are generally regulated by the Philippine Civil Code’s provisions on contracts, though a number of special laws and regulations should be considered for certain industries that engage in sensitive matters such as finance and personal information processing.
Technology agreements that involve the sharing or outsourcing of processing of personal information should always take into consideration the requirements of the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and the regulatory issuances of the NPC. Such agreements should provide stipulations guaranteeing protection of personal information to the same extent required by the DPA and its IRR.
For agreements involving the handling of government data, parties to such an agreement should consider the DICT’s Cloud First Policy and its rules on the handling of certain kinds of sensitive government data (ie, highly sensitive and above-sensitive government data may only be stored in data centres on Philippine territory). On the other hand, sensitive government data may be stored in data centres abroad, but only in countries with extradition agreements with the Philippines and have regulations providing at least an equal standard of protection.
Technology agreements with financial institutions regulated by the BSP should conform with the requirements for Technology Service Providers (TSPs). BSP Circular No 1137, requires that contracts with TSPs should recognise the financial institution’s exclusive ownership of all its data, cede any claim or right to the use of the financial institution’s data for any purpose outside the contract’s scope, and guarantee the availability of the data it handles to the financial institution.
When a technology agreement involves the transfer, sharing or licensing of technology, parties to the agreement should consider the provisions of the Philippine Intellectual Property Code (IP Code) for Voluntary Licensing arrangements and Republic Act No 10055, or the Philippine Technology Transfer Act of 2009. The IP Code’s provisions on Voluntary Licensing requires technology transfer and licensing agreements to contain certain dispute resolution and choice-of-law provisions and prohibits stipulations that are anti-competitive and unduly restrict the use of the technology transferred. On the other hand, the Philippine Technology Transfer Act provides incentives to entities engaged in research and development of new technologies.
Electronic signatures and other digital identity schemes have long been recognised by the Philippine government as valid means to authenticate the identities of parties to commercial transactions with the passage of Republic Act No 8792 (Electronic Commerce Act of 2000). The Electronic Commerce Act, as implemented by the Supreme Court’s A.M. No 01-7-01-SC (Rules on Electronic Evidence), gives legal recognition to electronic documents and electronic signatures subject to certain authentication requirements.
Since the passage of the Electronic Commerce Act, the Philippine passed additional laws and regulations that enable authenticate of digital identities. At the forefront of these efforts are DICT’s Philippine National Public Key Infrastructure (PNPKI) programme and the ongoing implementation of Republic Act No 11055, or the Philippine Identification System Act.
DICT PNPKI Programme
The PNPKI program establishes a system for the issuance of digital certificates, which are essentially digital IDs that authenticate the identities of parties to a transaction or correspondence. The DICT envisions the PNPKI digital certificates as an identity authentication tool for all government correspondences. Though there is no requirement mandating the use of PNPKI digital certificates in transactions and correspondences with the Philippine government, the DICT highly encourages members of the private sector to adopt its use as an added layer of protection against phishing scams and identity fraud.
Philippine Identification System Act
The Philippine Identification System Act was originally meant to provide a unified ID, called the PhilID, to individuals to further simplify public and private transaction. This original objective has now been further expanded to also provide universal digital IDs, called an ePhilID, to individuals in addition to the physical ID cards. To encourage the adoption of the PhilID and the ePhilID, the BSP released Circular 1170 (Amended Customer Due Diligence and Electronic Know-Your-Customer Guidelines) and BSP Memorandum No M-2024-006 (Prioritisation of the Philippine Identification and Other Recognised Formats in the List of Acceptable Identification Documents) requiring financial institutions to prioritise the use of the PhilID and the ePHilID as preferred proof of identity for financial transactions.
15/F Strata 2000 F. Ortigas Jr. Road
Ortigas Center
1605
Pasig City
Philippines
+632 86960687
counselors@gorriceta.com www.gorricetalaw.com