Law Evolution Timeline
Data Privacy Act
Amended by (8)
EO 01, s. 2016 · 2016
National Privacy Commission established
President Rodrigo Duterte issued Executive Order No. 01 reconstituting the National Privacy Commission with independence from DICT supervision. The NPC was granted quasi-judicial powers to enforce the Data Privacy Act and adjudicate complaints.
NPC Circular 16-01 · 2016
Implementing Rules and Regulations adopted
The National Privacy Commission issued the comprehensive Implementing Rules and Regulations of the Data Privacy Act. The IRR clarified key concepts including consent requirements, data subject rights, security measures, and breach notification procedures.
NPC Circular 16-03 · 2016
Security of Personal Data regulations issued
The NPC issued regulations on the security of personal data requiring organizational, physical, and technical measures to protect personal information. This circular mandated risk assessments, encryption standards, and incident response protocols.
NPC Advisory Opinion 2017-01 · 2017
Data breach notification protocols strengthened
Following several high-profile data breaches including the COMELEC voter database leak, the NPC issued binding guidance on breach notification timelines and content requirements. Organizations faced mandatory 72-hour reporting windows and potential penalties for delayed disclosure.
NPC Circular 19-01 · 2019
General Data Privacy Consent Guidelines issued
The NPC issued comprehensive guidelines on obtaining valid consent for data processing, requiring clear, specific, and freely given consent. The circular prohibited pre-ticked boxes and required granular consent for different processing purposes.
NPC Advisory 2020-01 · 2020
COVID-19 data privacy guidelines issued
During the COVID-19 pandemic, the NPC issued guidelines balancing public health data collection with privacy rights. The advisory permitted health data processing for contact tracing while requiring strict security, purpose limitation, and data minimization.
NPC Circular 22-01 · 2022
Guidelines on AI and automated decision-making
The NPC issued pioneering guidelines regulating artificial intelligence and automated decision-making that uses personal data. The circular required transparency and human intervention options, and prohibited solely automated decisions affecting legal or significant rights.
NPC Circular 23-01 · 2023
Cross-border data transfer guidelines strengthened
The NPC issued updated regulations on international data transfers requiring adequacy assessments and appropriate safeguards. The circular introduced standard contractual clauses and binding corporate rules for compliant cross-border transfers.
RA 10173
Data Privacy Act of 2012 signed into law
President Benigno Aquino III signed the Data Privacy Act into law on August 15, 2012, establishing a comprehensive data protection framework for the Philippines. The law aimed to protect personal information in information and communications systems and to ensure the free flow of information for innovation and growth.
RA 10173
Data Privacy Act effectivity
The Data Privacy Act took effect on September 8, 2012, fifteen days after its publication in the Manila Bulletin and Malaya. This marked the beginning of data protection obligations for personal information controllers and processors in the Philippines.
EO 01, s. 2016
National Privacy Commission established
President Rodrigo Duterte issued Executive Order No. 01 reconstituting the National Privacy Commission with independence from DICT supervision. The NPC was granted quasi-judicial powers to enforce the Data Privacy Act and adjudicate complaints.
NPC Circular 16-01
Implementing Rules and Regulations adopted
The National Privacy Commission issued the comprehensive Implementing Rules and Regulations of the Data Privacy Act. The IRR clarified key concepts including consent requirements, data subject rights, security measures, and breach notification procedures.
NPC Circular 16-03
Security of Personal Data regulations issued
The NPC issued regulations on the security of personal data requiring organizational, physical, and technical measures to protect personal information. This circular mandated risk assessments, encryption standards, and incident response protocols.
NPC Advisory Opinion 2017-01
Data breach notification protocols strengthened
Following several high-profile data breaches including the COMELEC voter database leak, the NPC issued binding guidance on breach notification timelines and content requirements. Organizations faced mandatory 72-hour reporting windows and potential penalties for delayed disclosure.
NPC Case No. 17-007
First major privacy penalty in Re: Nationwide Air Espana
The NPC imposed a PHP 6 million penalty on Nationwide Air Espana for unauthorized processing and disclosure of passenger personal data. This was the first significant administrative penalty demonstrating the NPC's enforcement capability and commitment to sanctions.
NPC Circular 19-01
General Data Privacy Consent Guidelines issued
The NPC issued comprehensive guidelines on obtaining valid consent for data processing, requiring clear, specific, and freely given consent. The circular prohibited pre-ticked boxes and required granular consent for different processing purposes.
NPC Advisory 2020-01
COVID-19 data privacy guidelines issued
During the COVID-19 pandemic, the NPC issued guidelines balancing public health data collection with privacy rights. The advisory permitted health data processing for contact tracing while requiring strict security, purpose limitation, and data minimization.
NPC Case No. 20-D04
NPC sanctions Philippine Health Insurance Corporation for data breach
The NPC found PhilHealth liable for the massive September 2020 data breach exposing sensitive health information of millions of members. The case established that government agencies are equally accountable under the Data Privacy Act.
NPC Circular 22-01
Guidelines on AI and automated decision-making
The NPC issued pioneering guidelines regulating artificial intelligence and automated decision-making that uses personal data. The circular required transparency and human intervention options, and prohibited solely automated decisions affecting legal or significant rights.
NPC Circular 23-01
Cross-border data transfer guidelines strengthened
The NPC issued updated regulations on international data transfers requiring adequacy assessments and appropriate safeguards. The circular introduced standard contractual clauses and binding corporate rules for compliant cross-border transfers.
NPC Case No. 23-011
NPC imposes record penalty in Re: Major Telco Data Leak
The NPC imposed a PHP 15 million penalty on a major telecommunications company for inadequate security measures leading to a massive customer data breach. This represented the highest administrative fine in NPC history and signaled escalating enforcement.
2012–2024 · 13 legislative & jurisprudential events