The AI Governance Frontier: Safeguarding Corporate Liability in the Age of Generative AI (Philippines)

The AI Governance Frontier: Safeguarding Corporate Liability in the Age of Generative AI (Philippines)

As 2026 unfolds, Artificial Intelligence (AI) has shifted from a novelty to a core operational pillar for Philippine enterprises. For CEOs and business owners, the promise of hyper-efficiency is balanced by a precarious legal landscape. The use of generative AI in customer service, automated contract drafting, and decision-making algorithms introduces unprecedented risks of “hallucinations,” data leakage, and algorithmic bias. Without a robust governance framework, companies risk not only regulatory fines but also debilitating litigation.

Governing Laws and Emerging Frameworks

While the Philippines has not enacted a comprehensive AI statute,” the regulatory environment is a composite of existing statutes and new administrative issuances:

  • The Data Privacy Act of 2012 (Republic Act No. 10173): Governs how AI systems process personal data. Even when processing is outsourced to an AI vendor, the personal information controller (PIC) remains responsible for ensuring safeguards and compliance. The law expressly allows subcontracting but requires the PIC to ensure confidentiality and proper safeguards.
  • Data Privacy Act IRR (2016). The IRR reinforces accountability: the PIC remains responsible for personal data under its custody including outsourced/overseas processing, and must use contracts or other means to ensure comparable protection. It also clarifies that entities with “links to the Philippines” may be covered even when processing occurs abroad.
  • NPC Joint Statement on AI-Generated Imagery (February 24, 2026): Addresses the protection of privacy against non-consensual AI-generated content.
  • The Cybercrime Prevention Act of 2012 (Republic Act No. 10175): Applies when AI is used for fraudulent or unauthorized access. If AI-enabled acts amount to punishable cyber offenses and are committed for the benefit of a corporation (and with the requisite conditions), the law recognizes corporate/juridical liability by fine, without prejudice to the natural persons’ criminal liability.

Under current National Privacy Commission (NPC) guidelines, businesses must conduct a Privacy Impact Assessment (PIA) before deploying systems that process personal data (NPC Advisory No. 2017-03). Thus, CEOs must ensure that their AI models are “transparent and explainable,” meaning the logic behind an AI’s decision—such as denying a loan or a job application—must be retrievable .

Practical Implications and Typical Scenarios

Consider a scenario where a retail company uses an AI chatbot to handle customer complaints. If the AI “hallucinates” and promises a refund that violates company policy, or worse, uses defamatory language against a competitor, the corporation may be held liable under the doctrine of vicarious liability (Article 2180, Civil Code of the Philippines).

A classic analogy is the direct and primary liability of a communications company for wrongful transmission attributable to employees and operational failures. ( RCPI v. Court of Appeals, G.R. No. L-44748, January 29, 1986). The lesson for AI is practical: an “automated” workflow does not immunize the enterprise if governance and supervision are deficient.

Corporate structure is not a shield for AI misconduct. Courts may disregard separate corporate personalities when used to defeat obligations or protect fraud. See piercing doctrine discussion in Toledo Construction Corp. Employees’ Association-Adlo-KMU v. Toledo Construction Corp., G.R. No. 204868, April 6, 2022.

Practical Advice for CEOs

  1. Establish an AI Ethics Committee: Appoint legal and technical leads to vet AI tools before deployment.
  2. Update Employee Manuals: Define “Acceptable Use” for generative AI to prevent the input of trade secrets into public AI models.
  3. Audit AI Vendors: Ensure your service providers comply with the 2025 Annual Security Incident Report (ASIR) requirements (NPC Circular No. 2024-01).
  4. Contract for accountability (PIC ↔ vendor). Ensure contracts impose security, confidentiality, breach handling, audit rights, and clear role allocation consistent with PIC accountability under the law.
  5. Map data flows (including cross-border). Confirm whether processing has “links to the Philippines” and triggers the IRR’s scope provisions.
  6. Establish escalation and human review. Put guardrails for hallucinations (e.g., refunds/commitments; HR/credit decisions), document approvals, and retain logs for investigations and dispute defense.
  7. Board-level oversight. Treat AI like a regulated operational risk—compliance reporting, incident response drills, and vendor risk scoring.

09 March 2026

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

SEARCH