Pres. Ferdinand Marcos Jr. has issued an executive order (EO) establishing new classification and residency rules for government data, including requirements to keep highly sensitive information within Philippine jurisdiction.
Executive Order No. 119, signed on July 13, updates the government’s data classification system to address cybersecurity threats, cloud computing, and cross-border data flows.
The order covers government data in digital or physical form that is created, collected, processed, stored, transmitted, or maintained by government agencies.
It also covers data handled by private entities on behalf of the government in connection with public-private partnerships, public services, public utilities, critical infrastructure, and strategic or sensitive projects, subject to the implementing guidelines.
Government data is divided into Restricted Access Data and Open Access Data. Restricted Access Data is further classified as Top Secret, Secret, Confidential, or Restricted, depending on the potential damage that unauthorized disclosure may cause.
Under EO 119, Top Secret and Secret data must be stored within Philippine territory or in places where the Philippines exercises sovereignty or jurisdiction, such as embassies and consulates.
Confidential data must generally be stored in the same locations. However, overseas storage or processing may be allowed with prior approval from the Joint Oversight Committee for Data Classification and the implementation of safeguards that maintain government control and protect national security.
Restricted data may be stored on secured cloud platforms, subject to encryption, risk mitigation, and other cybersecurity requirements.
Other government information, including open access data, may be stored on secure cloud platforms regardless of physical location or ownership, provided that similar security controls are in place.
EO 119 states that all government data will remain subject to Philippine laws and jurisdiction regardless of where it is stored, processed, or handled.
Government agencies using cloud providers or other private companies will remain responsible for data security and compliance. They must include appropriate contractual and technical safeguards covering information handled by these service providers.
Roy D. Ibay, head of regulatory affairs at Smart Communications and convenor of Protecta Pilipinas, said in a Facebook post that the policy could increase demand for domestic data storage infrastructure.
“After a long period of meetings and discussions with government, finally this Executive Order is released,” Ibay said. “This will be a big boost to our country’s local data center industry.”
Lawyer Russell Stanley Geronimo, meanwhile, said the order institutionalized data sovereignty and residency but warned that local storage would not necessarily prevent foreign authorities from obtaining government information held by US cloud companies.
“[T]here’s a problem: Philippine data residency fails to address the extraterritorial reach of the US Cloud Act, which empowers US authorities to compel American cloud providers to disclose data in their custody regardless of where the servers are physically located,” Geronimo commented.
The US Clarifying Lawful Overseas Use of Data Act, or Cloud Act, allows US authorities, subject to applicable legal processes, to compel providers under US jurisdiction to disclose data within their possession, custody, or control even when the information is stored abroad.
“This means that a US cloud service provider operating a local Philippine server may be compelled by the US government to disclose its stored data upon issuance of a US warrant,” Geronimo said.
“Because EO 119 relies entirely on territorial jurisdiction, it leaves critical government data stored by US cloud providers in Philippine servers and data centers legally exposed to foreign warrants.”
EO 119 creates a Joint Oversight Committee for Data Classification co-chaired by the Department of Information and Communications Technology and the National Security Council.
The committee will issue implementing guidelines, develop a compliance action plan, and monitor agencies’ adherence to the framework.
Agencies must comply with the requirements for Top Secret and Secret data within the second year of the order’s effectivity. Full compliance covering the remaining government data is required within the third year.


