I. INTRODUCTION: WHAT IS AI-ASSISTED SMART CITY SURVEILLANCE?

AI-assisted smart city surveillance refers to systems deployed by:

• LGUs (local government units)
• MMDA-type traffic authorities
• Police and public safety agencies
• Private city infrastructure operators

These systems include:

• CCTV networks
• Facial recognition systems
• Automatic number plate recognition (ANPR)
• AI behavior detection (loitering, crowd detection)
• Drone-based surveillance
• Real-time video analytics in command centers

In the Philippines, these systems are legal but heavily regulated because they process personal data at scale in public spaces.

II. CORE LEGAL FRAMEWORK

1. Data Privacy Act of 2012 (R.A. 10173)

Applies whenever individuals are identifiable in video, AI logs, or metadata.

Key principles:

• Transparency
• Legitimate purpose
• Proportionality
• Security safeguards

📌 Crucial rule:
Even in public spaces, identifiable data = personal data under law.

2. 1987 Philippine Constitution

Relevant rights:

• Right to privacy (Art. III, Sec. 3)
• Protection against unreasonable searches
• Due process limitations on surveillance

3. NPC Circular No. 2024-02 (CCTV Systems Framework)

This is the most important modern regulation for smart city surveillance infrastructure.

It requires:

• Clear signage and notice of surveillance
• Privacy Impact Assessments (PIA)
• Data minimization
• Defined retention limits
• Access control and audit logs
• Procedures for data subject access requests

📌 Applies to:

• CCTV networks
• AI-enhanced surveillance systems
• Public-private surveillance partnerships

(From NPC policy framework on CCTV systems)

4. NPC Advisory on Facial Recognition (2023–2024 guidance)

Key rule:

• Facial recognition = high-risk processing
• Requires:
  • Separate legal basis
  • Enhanced PIA
  • Strict transparency obligations

📌 Meaning:
AI that identifies individuals automatically is treated as sensitive surveillance processing.

5. Cybersecurity and Data Breach Rules (NPC Circular 2020-01)

• Mandatory breach notification within 72 hours
• Incident logs required
• Evidence preservation for investigations

III. KEY LEGAL PRINCIPLES FOR SMART CITY AI SURVEILLANCE

1. Surveillance is “personal data processing”

CCTV and AI video analytics = processing under the DPA.

2. Public space ≠ unlimited surveillance power

Even in streets, malls, and transport hubs:

• Privacy law still applies when individuals are identifiable

3. AI increases legal risk level

AI adds:

• profiling risk
• automated decision-making
• biometric identification concerns

4. Proportionality test is central

Authorities must prove:

• Surveillance is necessary
• Less intrusive methods are insufficient

IV. MAJOR LEGAL AND NPC CASE LAW / ENFORCEMENT PRECEDENTS (AT LEAST 6)

Although the Philippines has limited Supreme Court decisions specifically on AI surveillance, NPC decisions and related jurisprudence establish binding principles.

1. NPC Advisory Opinion No. 2020-04 (CCTV Use Framework)

Doctrine:

CCTV monitoring of public and semi-public spaces is lawful only if:

• purpose is legitimate (security, safety, compliance)
• rights of individuals are not overridden

Relevance to AI surveillance:

➡ AI analytics must pass the same legitimacy test.

2. NPC Circular No. 2024-02 (CCTV Systems Regulation)

Doctrine:

Entities using surveillance systems must:

• notify individuals (signage requirement)
• implement proportionality
• allow data subject access to footage

AI relevance:

➡ Smart city command centers must provide access rights even for AI-enhanced footage/logs

3. NPC Advisory Opinion No. 2022-015 (Use of Cameras in Surveillance Visits)

Doctrine:

Images of individuals in surveillance contexts are:

• personal data under R.A. 10173
• usable under legitimate interest or legal authority

AI relevance:

➡ AI classification of individuals still counts as personal data processing.

4. NPC v. Online Lending Apps (2019–2023 enforcement cluster)

Doctrine:

• Excessive data collection violates proportionality
• Accessing unrelated data (contacts, behavior logs) is unlawful

AI surveillance relevance:

➡ AI crowd monitoring or behavioral tracking must not exceed necessity.

5. Fynamics Lending / PondoPeso Decision (NPC Enforcement Case)

Doctrine:

• Unauthorized data processing and profiling is unlawful
• Consent does not justify excessive or abusive data use

AI relevance:

➡ AI profiling of citizens in public spaces (risk scoring, behavioral tagging) can be illegal without strong legal basis.

6. Grab Philippines NPC Case / Investigation (Selfie verification case)

Doctrine:

• Biometric and video-based verification requires transparency and proportionality
• Poor disclosure = violation of DPA

AI relevance:

➡ Facial recognition in smart cities requires strict notice and explicit safeguards.

7. MAF v. Shopee Philippines (NPC Case 21-167)

Doctrine:

Even operational data capture must follow proportionality rules.

Key principle:

• Unnecessary imaging or surveillance violates privacy law

AI relevance:

➡ AI-enhanced CCTV cannot collect “extra behavioral data” unrelated to security.

8. World App Biometric Data Cease and Desist Order (NPC, 2025)

Doctrine:

• Consent obtained through incentives is invalid if not freely given
• Excessive biometric collection is prohibited

AI relevance:

➡ Smart city facial recognition cannot rely on passive or coerced consent.

V. SPECIAL LEGAL ISSUES IN AI SMART CITY SURVEILLANCE

1. Facial Recognition Risks

• Creates biometric database
• Enables identity tracking across city zones
• Requires high legal threshold

2. Real-time profiling

AI systems that classify:

• “suspicious behavior”
• crowd density risk
• loitering detection

➡ may amount to automated decision-making

3. Data sharing between agencies

• Police + LGU + private operators must have:
  • data sharing agreements
  • lawful basis
  • access logs

4. Retention and deletion problem

AI systems often store:

• video feeds
• embeddings (facial vectors)
• behavioral metadata

📌 All must have:

• retention limits
• deletion protocols

VI. NPC COMPLIANCE REQUIREMENTS FOR SMART CITY AI SYSTEMS

Any AI surveillance deployment must have:

1. Privacy Impact Assessment (PIA)

Mandatory before deployment.

2. Data Protection Officer (DPO)

Responsible for compliance.

3. Transparency Measures

• visible CCTV signage
• public notice of AI use

4. Security safeguards

• encryption
• role-based access control
• audit logs

5. Data subject rights mechanisms

• access to footage
• correction (where applicable)
• complaint channels

VII. LEGAL SUMMARY TABLE

VIII. CONCLUSION

AI-assisted smart city surveillance in the Philippines is not prohibited, but it operates under a strict privacy-first regulatory framework. The law does not reject surveillance—but it tightly controls how far AI can go in identifying, tracking, and profiling individuals in public spaces.

Philippine jurisprudence and NPC enforcement consistently establish this core principle:

Public safety objectives do not override the constitutional and statutory right to privacy; AI surveillance must remain necessary, proportionate, and transparent at all times.