Executive Order 119 Mandates Philippine Territory Storage for Top Secret and Secret Government Data

President Ferdinand Marcos Jr. signed Executive Order 119 on July 13 establishing data classification and residency rules that require Top Secret and Secret government information to remain stored within Philippine territory, according to Newsbytes.ph. The order creates a four-tier classification system for government data and establishes compliance timelines requiring agencies to meet storage requirements for the most sensitive categories within two years and full compliance within three years.

TL;DR: Executive Order 119 requires Philippine government agencies to store Top Secret and Secret data exclusively within national territory, with a Joint Oversight Committee co-chaired by DICT and the National Security Council overseeing compliance over a three-year implementation period.

Classification Framework Separates Restricted and Open Access Data

Executive Order 119 divides government data into Restricted Access Data and Open Access Data categories. The order further classifies Restricted Access Data into four tiers—Top Secret, Secret, Confidential, and Restricted—based on the potential damage unauthorized disclosure could cause to national security or public interest.

The classification system applies to government data in digital or physical form that agencies create, collect, process, store, transmit, or maintain. Coverage extends to data handled by private entities on behalf of government agencies in public-private partnerships, public services, public utilities, critical infrastructure projects, and strategic initiatives, subject to implementing guidelines the Joint Oversight Committee will issue.

Top Secret and Secret data must remain stored within Philippine territory or locations where the Philippines exercises sovereignty or jurisdiction, including embassies and consulates. Confidential data faces the same territorial requirement but allows overseas storage or processing with prior approval from the Joint Oversight Committee and implementation of safeguards that maintain government control and protect national security.

Philippine government data center servers with security monitoring displays showing classification tiers

Restricted Data May Use Secured Cloud Platforms With Encryption Requirements

Restricted data—the lowest tier in the Restricted Access category—may be stored on secured cloud platforms subject to encryption, risk mitigation, and cybersecurity requirements aligned with network security solutions standards. Open access data and other government information may be stored on secure cloud platforms regardless of physical location or ownership, provided agencies implement appropriate security controls.

The executive order states that all government data remains subject to Philippine laws and jurisdiction regardless of storage location, processing location, or handling arrangements. Government agencies using cloud providers or other private companies retain responsibility for data security and compliance, requiring them to include contractual and technical safeguards covering information these service providers handle.

Industry Observers Cite Local Data Center Demand and US Cloud Act Concerns

Roy D. Ibay, head of regulatory affairs at Smart Communications and convenor of Protecta Pilipinas, said in a July 13 Facebook post that the policy could increase demand for domestic data storage infrastructure. “After a long period of meetings and discussions with government, finally this Executive Order is released,” Ibay said. “This will be a big boost to our country’s local data center industry.”

The order’s timing coincides with ongoing data center expansion activity in the Philippines, where power infrastructure constraints have emerged as a primary bottleneck for facility construction in Metro Manila and surrounding provinces.

Lawyer Russell Stanley Geronimo warned that local storage requirements would not necessarily prevent foreign authorities from obtaining government information held by US cloud companies. “There’s a problem: Philippine data residency fails to address the extraterritorial reach of the US Cloud Act, which enables US authorities to compel American cloud providers to disclose data in their custody regardless of where the servers are physically located,” Geronimo commented.

The US Clarifying Lawful Overseas Use of Data Act allows US authorities to compel providers under US jurisdiction to disclose data within their possession, custody, or control even when stored abroad, subject to applicable legal processes. “This means that a US cloud service provider operating a local Philippine server may be compelled by the US government to disclose its stored data upon issuance of a US warrant,” Geronimo said. “Because EO 119 relies entirely on territorial jurisdiction, it leaves critical government data stored by US cloud providers in Philippine servers and data centers legally exposed to foreign warrants.”

Joint Oversight Committee Will Issue Implementation Guidelines

Executive Order 119 creates a Joint Oversight Committee for Data Classification co-chaired by the Department of Information and Communications Technology and the National Security Council. The committee will issue implementing guidelines, develop a compliance action plan, and monitor agency adherence to the classification and residency framework.

Agencies must comply with requirements for Top Secret and Secret data within the second year of the order’s effectivity. Full compliance covering Confidential, Restricted, and Open Access data is required within the third year. The staggered timeline gives agencies time to assess current data storage arrangements, migrate sensitive information to compliant infrastructure, and establish backup and recovery solutions that meet territorial requirements.

Government agencies using cloud providers will need to verify that contractual arrangements address data sovereignty requirements and that technical controls prevent unauthorized cross-border data transfers. The order requires agencies to maintain audit trails showing where data resides and which entities have access at any point in the information lifecycle.

DICT and National Security Council officials reviewing data classification compliance dashboard

Why This Matters Now

Executive Order 119 forces immediate infrastructure planning decisions for Philippine government agencies and their IT vendors. Agencies currently storing Top Secret or Secret data with international cloud providers face a two-year deadline to migrate that information to facilities within Philippine jurisdiction—a timeline that requires data center capacity assessments, vendor evaluations, and budget allocations to begin within the next six to nine months. The order creates a compliance floor that government IT managers must meet while simultaneously opening procurement opportunities for domestic data center operators, hardware vendors supplying Dell servers and storage for on-premises deployments, and systems integrators capable of executing large-scale data migration projects.

The territorial storage mandate intersects with longstanding jurisdictional tensions in cloud computing. Geronimo’s Cloud Act warning highlights a gap the executive order doesn’t address: legal compulsion operates independently of physical server location when the cloud provider itself falls under US jurisdiction. Government agencies evaluating compliance paths must consider whether meeting the letter of EO 119 by contracting with US cloud providers operating Philippine data centers actually satisfies the order’s national security intent, or whether true sovereignty requires contracting with domestically-owned infrastructure operators. That distinction will shape both short-term migration decisions and long-term strategic direction for government IT infrastructure investment across the three-year compliance window.

The three-year full-compliance deadline also creates a capacity planning challenge for an industry already managing power infrastructure bottlenecks. If even a fraction of national government data currently stored offshore must migrate to Philippine facilities by 2029, the resulting demand will test whether the domestic data center sector can scale fast enough to absorb it—particularly if agencies prioritize Philippine-owned operators over locally-deployed US hyperscalers. That capacity question becomes a direct input into procurement timelines: agencies that delay migration planning may find themselves competing for scarce rack space in the final compliance year.

Recent Posts

Contact Us



    About

    Kital is an innovative telecom, IP Telephony, and customized solutions provider to small-to-medium-sized businesses and large enterprises in the Philippines.

    Follow Us on Social Media

    Scroll to Top