News

Philippines orders halt to biometric data collection by Global Identity Platform

09 October 2025

Key takeaways

Immediate halt to data processing: The NPC directed the platform to stop collecting and processing personal data in the Philippines, including biometric identifiers such as retinal scans, fingerprints, and other personal details such as names, ages, addresses.

Deficiencies in consent and transparency: The NPC found that the platform’s privacy notice and biometric consent form contained vague and ambiguous disclosures, violating the fundamental right to be informed. This lack of clarity undermined other key data subject rights, including access, withdrawal of consent, and erasure and without clear mechanisms to exercise these rights, individuals were left without meaningful control over their personal data.

Real risk of harm: The NPC emphasized that biometric identifiers, unlike passwords or ID cards, are immutable and cannot be replaced once compromised. The continued processing of such data without adequate safeguards would therefore expose individuals to permanent and irreparable harm. Furthermore, a single breach of biometric data could result in lifelong vulnerability to identity fraud and misuse, with no effective legal or technical remedy.

The Philippines' National Privacy Commission (NPC) has issued a Cease and Desist Order (CDO) against a global digital identity platform over its alleged unauthorized processing of personal data, in particular biometric data, from Philippine residents. The order, dated 23 September 2025, signals the NPC's growing scrutiny over the processing of biometric information.

Background

The platform under investigation develops proof-of-human tools designed to secure digital environments in response to the growing risks posed by artificial intelligence. The NPC launched its inquiry following reports that individuals in the Philippines were being asked to submit sensitive personal data without a lawful basis or adequate protective measures.

The NPC found that the platform failed to uphold the principle of transparency. For example, its privacy notice did not meet the consent and security standards under the Data Privacy Act of 2012 and was further undermined by misrepresentations and vague disclosures.

The NPC also identified a lack of mechanisms to ensure the deletion of biometric data upon withdrawal of consent, raising serious concerns about the protection of individuals’ fundamental privacy rights.

The NPC observed that, unlike passwords or ID cards, biometric identifiers cannot be reset or replaced. Any compromise results in permanent exposure to harm. It concluded that the continued processing of biometric data posed grave and irreversible risks to individuals, with a single breach potentially leading to lifelong consequences.

In addition, the NPC found that the consent relied upon by the platform was neither specific, freely given, nor informed. It highlighted misleading claims about the nature of the data being processed, such as those found in the platform’s privacy notice, and noted failures to uphold key data subject rights, including the right to be informed, the right to access, the right to withdraw consent, and the right to erasure.

Taken together, the NPC determined that the platform’s practices were harmful to public interest and that a cease and desist order was necessary to protect the rights of data subjects.

Implications for businesses

This enforcement action highlights the NPC’s proactive stance on emerging digital technologies. Organizations operating in the Philippines or collecting data from its residents should ensure that consent mechanisms are clear, informed, and freely given, and should review their processes and safeguards concerning biometric data in particular.

You can access the full Cease and Desist Order here.

Authored by Charmian Aw and Ciara O'Leary.