The "Cart Before the Horse" Legacy of Philippine Legislation: Doing More Harm to Tech Startups than to Tech Predators

It is a well-observed reality in Philippine governance: the country has no shortage of brilliant, world-class minds drafting laws that look spectacular on paper. However, there is a systemic disconnect between the creation of a policy and the actual infrastructural capacity to execute it.

When a law is passed without a realistic assessment of the ground reality, the burden of execution is inevitably shifted onto the public. The result? Law-abiding citizens and businesses endure immense friction, red tape, and compliance costs, while the actual bad actors continue to exploit the cracks in an overwhelmed, reactive regulatory system.

The Tech Laws: Good Intentions, Punitive Compliance

Here is a breakdown of how well-meaning technology laws in the Philippines have penalizingly burdened those who try to comply, while failing to achieve their core objectives.

Data Privacy Act of 2012 (RA 10173)

• The Promise: To safeguard personal data and elevate the Philippines to global data protection standards (modeled heavily after Europe's strict frameworks).
• The Inefficiency: The National Privacy Commission (NPC) mandates rigorous compliance—requiring corporations, institutions, and even medium-sized tech startups to appoint Data Protection Officers (DPOs), perform exhaustive Privacy Impact Assessments (PIAs), and register data processing systems.
• The Sufferer: Legitimate local companies spend millions of pesos and countless man-hours ensuring strict compliance to avoid crippling fines. Meanwhile, the state’s own backyard has proven to be sieve-like. Massive data breaches hitting major state institutions (such as PhilHealth, the PSA, and the PNP) occur with alarming frequency. The system heavily penalizes compliant private companies for minor administrative lapses, yet struggles to enforce institutional accountability for systemic, macro-level state leaks.

SIM Registration Act (RA 11934)

• The Promise: To eradicate SMS scams, "smishing," and anonymous cybercrimes by linking every active SIM card to a verified identity.
• The Inefficiency: The implementation was rushed, shifting the logistical burden entirely onto the public and telecom companies. Registration portals routinely crashed, senior citizens and rural residents struggled with digital literacy hurdles, and millions faced the threat of sudden network deactivation.
• The Sufferer: Compliant citizens who obediently registered their identities still find their inboxes flooded with spam and scam messages. This even led me to stop giving out business cards which contain my mobile number. International and localized scam networks quickly adapted by shifting to Over-The-Top (OTT) apps like Viber, Telegram, and WhatsApp, purchasing pre-registered SIM cards via underground black markets, or using fake IDs that basic telecom verification systems failed to cross-check. The compliant citizen handed over sensitive personal data to a centralized registry, while criminal networks bypassed the law entirely.

Internet Transactions Act of 2023 (RA 11967)

• The Promise: To protect online consumers, regulate e-commerce, and establish trust in the digital marketplace by holding platforms accountable.
• The Inefficiency: Full compliance mandates that digital platforms and online merchants submit extensive corporate, trade, and tax data to the DTI’s E-Commerce Bureau. It also enforces strict solidary and subsidiary liability on platforms for merchant offenses.
• The Sufferer: Small-scale, home-based Filipino entrepreneurs and legitimate MSMEs bear the brunt of regulatory friction, paperwork, and compliance costs just to stay on local platforms. On the flip side, fly-by-night foreign drop-shippers, rogue social media marketplace sellers, and overseas operations continue to flood the market with counterfeit or hazardous goods, completely out of reach of local DTI enforcement.

Cybercrime Prevention Act of 2012 (RA 10175)

• The Promise: To penalize online fraud, hacking, identity theft, and digital exploitation.
• The Inefficiency: The law included highly controversial provisions on online libel, which have been frequently weaponized against journalists, whistleblowers, and ordinary citizens involved in petty internet arguments.
• The Sufferer: When an average citizen falls victim to identity theft, phishing, or a mobile wallet scam, reporting it to the PNP Anti-Cybercrime Group (ACG) or the NBI often leads to a dead end. Victims are routinely met with understaffed, under-equipped local desks that lack the forensic tools and cross-jurisdictional capacity to track down online criminals, effectively leaving the everyday user defenseless despite a heavy legal framework.

This is what you call Ivory-Tower Engineering. Lawmakers look at successful frameworks in developed nations (like Europe's GDPR or other Western models) and copy-paste the architecture into the Philippine legal system.

They build the regulatory roof before checking if the economic and institutional pillars can support the weight. Until the legislative process mandates rigid, localized feasibility studies and funds the enforcement infrastructure before penalizing non-compliance, the Filipino people will continue to be the default guinea pigs for well-intentioned but fundamentally hollow laws.