President Ferdinand Marcos Jr. has signed Executive Order No. 119, retiring a 1964 policy on government data classification and replacing it with a modern, risk-based framework built for cloud computing and artificial intelligence.
The new order supersedes Memorandum Circular No. 78, a decades-old policy crafted for a paper-based government bureaucracy that predates the internet, cloud storage, and AI systems now used across public agencies.
Why the Old Policy Needed an Update
The Department of Information and Communications Technology (DICT) said the shift is a direct response to how government agencies now handle information. Cloud computing, AI tools, and other digital technologies have become standard parts of public sector operations, making the six-decade-old classification system increasingly impractical.
Under the previous rules, all government data was generally required to stay within Philippine borders, regardless of how sensitive, or how routine, that information actually was.
A Risk-Based Approach to Data Storage
EO 119 scraps the one-size-fits-all residency requirement in favor of a tiered, risk-based system. Where data can be stored and processed now depends on its sensitivity level:
Top Secret and Secret data must remain within Philippine territory at all times, including at Philippine embassies and consulates abroad.
Confidential data may be processed or stored overseas, but only with prior approval and appropriate safeguards in place.
Restricted and Open Access data can be hosted on secure cloud platforms, provided those platforms meet established cybersecurity and encryption standards.
Importantly, the policy applies exclusively to government-held data. Information owned by private companies falls outside its scope.
What It Means for Cloud Providers and Investors
According to the DICT, the updated framework is designed to give cloud service providers, technology companies, and data center operators clearer regulatory ground to operate on. By aligning the Philippines' data policy with international norms, officials believe the country can become a more attractive destination for hyperscale cloud infrastructure and AI-related investment.
New Oversight Body and Rollout Timeline
EO 119 also establishes the Joint Oversight Committee for Data Classification, to be co-chaired by the DICT and the National Security Council. The committee has been given 120 days to draft and issue implementing guidelines for the new framework.
Government agencies, meanwhile, will not need to comply immediately. The order allows for a phased rollout, giving agencies up to three years to fully transition to the new classification and storage requirements.