As featured on PhilStar: PH Landscape: Artificial Intelligence, Data Privacy, and Cybersecurity
The rapid rise of artificial intelligence (AI) has unlocked tremendous potential for innovation and transformation across industries. However, as the old saying goes, “With great power comes great responsibility,” and this could not be more relevant when balancing AI adoption with data privacy and cybersecurity. AI systems rely heavily on vast amounts of personal data, bringing both opportunities and risks, particularly in countries like the Philippines, where local regulations must align with global standards.
Better Safe Than Sorry
In the Philippines, the Data Privacy Act of 2012 (Republic Act No. 10173) serves as the cornerstone of data privacy protection. The law ensures that businesses and organizations handle personal data responsibly, safeguarding individuals’ privacy while still promoting economic growth. The law adheres to principles of transparency, legitimate purpose, and proportionality, mirroring international standards.
However, as AI adoption accelerates, the potential for privacy intrusions intensifies, not just locally but globally. To protect sensitive information, it’s critical that regulations evolve, ensuring that personal and sensitive data remain secure from AI systems.
The Gold Standard
Globally, the General Data Protection Regulation (GDPR) of the European Union, introduced in 2018, is often regarded as the gold standard for data privacy compliance. It grants individuals comprehensive rights over their personal data and imposes strict requirements on businesses to protect this information. Other privacy laws, such as the California Consumer Privacy Act (CCPA), Japan’s Act on the Protection of Personal Information (APPI), Singapore’s Personal Data Protection Act (PDPA), and the Philippines’ Data Privacy Act, all emphasize the importance of security measures, regular audits, and timely reporting of any breaches.
Two Sides of the Same Coin
AI adoption and data privacy are often seen as two sides of the same coin. On one hand, AI thrives on data, enabling more efficient decision-making and innovation. On the other hand, the more data AI systems consume, the greater the risk to individual privacy.
Privacy regulations like our DPA, its Implementing Rules and Regulations, and other issuances have implemented privacy-by-design principles, requiring organizations to integrate privacy safeguards into every stage of AI development. AI systems must also comply with data minimization rules, collecting and processing only necessary data. While the DPA provides a solid foundation, it lacks specific AI-related guidelines, though the National Privacy Commission (NPC) has issued advisories and is actively working to address these emerging concerns.
An Ounce of Prevention is Worth a Pound of Cure
Cybersecurity threats to AI systems are another growing concern. Attacks such as data poisoning, where malicious actors feed incorrect data to manipulate outcomes, or model inversion attacks, which attempt to infer sensitive information from AI models, pose serious risks.
In the Philippines, cybersecurity threats are on the rise. Despite vigilance from the NPC and Department of Information and Communications Technology (DICT), limitations in infrastructure and resources make the country more vulnerable. Advanced frameworks like the GDPR in the EU and the National Institute of Standards and Technology Cybersecurity Framework in the U.S. offer stringent protections for AI applications, serving as models for improvement.
Here’s how the Philippines compares to global norms:
1. Enforcement and Penalties:
Under the GDPR, fines for data breaches can reach 4% of global revenue, while penalties in the Philippines, though present, are seen as less severe. Recent updates allow the NPC to impose fines of 0.25% to 3% of annual gross income, but this has yet to be fully tested.
2. Technological Infrastructure:
Global markets like the U.S. invest heavily in cybersecurity, strengthening their defenses against AI-related threats. In contrast, the Philippines faces technological limitations, which heighten its exposure to such risks.
3. AI Governance and Ethics:
While the EU requires transparency in AI decisions, especially those affecting individual rights, the Philippines is just beginning to address ethical concerns like bias and fairness, and we have yet to implement similar legal requirements.
Conclusion
As AI continues to grow, so do the challenges related to data privacy and cybersecurity. The Philippines has made meaningful progress with the Data Privacy Act, but there is still much work to be done to fully align with global standards. To thrive in the AI era, the country will need to invest in stronger cybersecurity defenses and adopt more comprehensive AI governance measures.
As another saying goes, “The best defense is a good offense.” Proactive steps will be crucial in ensuring that AI remains a positive force while safeguarding individual privacy and security. By learning from global leaders and refining our own policies, both the public and private sectors in the Philippines can better navigate the complexities of AI adoption and mitigate the risks posed by data breaches and cyber threats. With the right focus, the Philippines can strike a balance between innovation and protection.
Jessie Josuah P. Hilario
Technology Consulting Lead Consultant
KPMG in the Philippines