Sadsad Tamesis Legal and Accountancy Firm

Menu

RA 10175 The Cybercrime Prevention Act of 2012, Explained

“Cybercrime” in the Philippines is not a vague idea. It is a specific list of offenses with specific penalties, and RA 10175 is the list. The Cybercrime Prevention Act of 2012 sits behind nearly every Philippine cybercrime case: every cyber libel complaint, every online fraud prosecution, every cybercrime warrant served on a platform or provider. Whether you are studying the law, reporting on it, checking your company’s exposure, or named in a document that cites it, this guide explains what it actually says.

It is written by STLAF Global’s cybercrime practice, led by Atty. Gabriel D. Adora, a criminal law practitioner who handles cases under this statute.

Talk to STLAF

What is RA 10175?

RA 10175, the Cybercrime Prevention Act of 2012, is the Philippines’ cornerstone cybercrime law: it defines which online acts are crimes, sets their penalties, and gives law enforcement the tools to investigate them.

Before 2012, online offenses were prosecuted through a patchwork: the Revised Penal Code written decades before the internet, and the E-Commerce Act of 2000 (RA 8792), which penalized hacking but little else. RA 10175 replaced the patchwork with a single statute that does three things: it defines the offenses, it creates the investigative machinery (including the cybercrime warrant system and the DOJ Office of Cybercrime), and it connects the Philippines to international cooperation on cases that cross borders. Its implementing rules took effect in 2015, and the Supreme Court settled its constitutionality in 2014, a story covered below.

Most people meet RA 10175 through one of its offenses, usually cyber libel, and assume that is the whole law. It is one section of a much larger statute.

The offenses: what counts as cybercrime under RA 10175

RA 10175 defines three groups of offenses: attacks on computer systems and data, crimes committed through computers such as fraud and identity theft, and content offenses including cybersex and cyber libel.

Offenses against computer data and systems

These are the attacks on the machinery itself:

  • Illegal access. Getting into a computer system or account without right. The hacked Facebook or email account, the most common cybercrime experience in the country, sits here.
  • Illegal interception. Capturing data in transmission that was not meant for you.
  • Data interference. Damaging, deleting, or altering someone else’s data, including by introducing viruses or malware.
  • System interference. Hindering or disrupting a computer system or network.
  • Misuse of devices. Producing or distributing tools, including passwords and malware, designed for committing these offenses.
  • Cyber-squatting. Acquiring a domain name in bad faith to profit from, mislead, or destroy a reputation.

Computer-related offenses

These are familiar crimes given digital form:

  • Computer-related forgery. Faking or altering data to make it pass as authentic.
  • Computer-related fraud. Causing damage or loss through unauthorized manipulation of data or systems. Many online scam prosecutions run through this provision alongside estafa under the Revised Penal Code.
  • Computer-related identity theft. Acquiring or using another person’s identifying information without right. The fake social media account wearing your name and photos is the everyday example, and most victims do not know it is a defined crime.

Content-related offenses

These punish what is published or transmitted:

  • Cybersex. The willful engagement in online sexual activity for favor or consideration, as defined by the law.
  • Online child sexual abuse and exploitation. Originally covered through the child pornography provisions; this area is now governed primarily by a dedicated statute, RA 11930, which imposes heavy duties on platforms, providers, and financial institutions.
  • Cyber libel. Libel under the Revised Penal Code committed through a computer system, the single most litigated offense in the statute. It is large enough to deserve its own treatment: read our complete guide to cyber libel in the Philippines, covering how cases are filed and defended.

Penalties under RA 10175

Penalties under RA 10175 generally run one degree higher than their offline equivalents, with imprisonment and fines scaled to the offense.

That one-degree-higher principle is the statute’s signature: the legislature treated the internet’s reach and permanence as aggravating. The practical effect is that an act which would carry a moderate penalty offline carries a heavier one committed online, which is exactly what happened with libel. Individual offenses carry their own ranges, and a conviction can also bring fines and civil liability alongside imprisonment.

Who enforces it

Cybercrime complaints in the Philippines are investigated by the NBI Cybercrime Division and the PNP Anti-Cybercrime Group, prosecuted by the Department of Justice, and coordinated internationally through the DOJ Office of Cybercrime. The working map:

  • NBI Cybercrime Division receives complaints, investigates, and conducts digital forensics.
  • PNP Anti-Cybercrime Group (PNP-ACG) does the same within the national police, including operations.
  • DOJ Office of Cybercrime (OOC) is the statute’s creation and its most internationally important piece: the central authority for mutual legal assistance and extradition on cyber matters, and the channel through which preservation orders and cross-border requests move.
  • Cybercrime Investigation and Coordinating Center (CICC) carries policy coordination across agencies.

For the person with a live problem, the practical question is simpler: complaints are filed with the NBI or the PNP-ACG, or directly with the prosecutor. Our cyber libel guide walks through that filing path step by step.

How evidence is gathered: the cybercrime warrants

Electronic evidence under RA 10175 is gathered through four court-issued cybercrime warrants covering disclosure, interception, search and seizure, and examination of computer data. The Supreme Court’s Rule on Cybercrime Warrants (A.M. No. 17-11-03-SC, in force since August 2018) governs how law enforcement lawfully reaches digital evidence:

  • WDCD, Warrant to Disclose Computer Data: compels a person or provider to hand over specified data.
  • WICD, Warrant to Intercept Computer Data: authorizes collection of data in transit.
  • WSSECD, Warrant to Search, Seize and Examine Computer Data: the digital search warrant.
  • WECD, Warrant to Examine Computer Data: authorizes forensic examination of a device already lawfully in custody.

Service providers also carry preservation duties for traffic and subscriber data, which is why evidence that seems gone can often still be reached if counsel moves quickly. This matters in both directions. For complainants, it means anonymous offenders and deleted content are not automatically dead ends. For the accused, it means the warrant process can be examined and challenged: evidence gathered outside the rules is vulnerable, and testing how the digital evidence was obtained is a core part of cybercrime defense.

How far the law reaches: jurisdiction and the international layer

RA 10175 claims jurisdiction beyond Philippine territory in defined cases, and the Budapest and Hanoi conventions supply the cooperation channels that make cross-border cases workable.

The statute’s jurisdiction provisions extend to defined situations involving conduct outside the country, including offenses committed by Filipinos abroad and offenses involving computer systems in the Philippines. This is the legal answer to the most common belief in this field, that a person abroad or behind a fake account is untouchable. The belief is wrong often enough that it should never be the reason a victim does nothing, and wrong enough that distance should never be treated as a defense strategy.

The international machinery behind this is real. The Philippines has been a party to the Budapest Convention on Cybercrime since 2018, the treaty that lets investigations reach evidence held in other member countries, and it signed the UN Convention against Cybercrime in Hanoi in October 2025, with ratification in progress. Cross-border requests move through the DOJ Office of Cybercrime, and they take time, but the channels exist and they are used.

This international layer is the core of STLAF’s positioning as Philippine-side counsel for international cybercrime matters: the cases where Philippine law, evidence, or parties connect to the wider world.

The constitutional history: what Disini changed

In Disini v. Secretary of Justice (2014), the Supreme Court upheld most of RA 10175, struck down several provisions, and narrowed online libel to original authors.

The law’s passage in 2012 triggered immediate constitutional challenges, mainly on free-speech grounds. The 2014 ruling settled the framework: the core offense list survived, certain provisions were struck down, and cyber libel was upheld with an important limit, that liability attaches to the original author of defamatory content rather than to those who merely receive or react to it. This page is maintained against current jurisprudence.

RA 10175 and the Data Privacy Act: which law applies?

RA 10175 punishes crimes committed through computers, while the Data Privacy Act regulates how organizations handle personal data; one incident can trigger both.

The two laws are constantly confused because they share territory. The clean way to hold them apart: RA 10175 is criminal law aimed at offenders; RA 10173, the Data Privacy Act, is regulatory law aimed at organizations that hold people’s data. A hacking incident at a company shows how both fire at once: the intruder committed illegal access under RA 10175, and the company simultaneously acquired regulatory duties under the Data Privacy Act, including the 72-hour breach notification. One event, two legal frameworks, two very different kinds of legal work.

For the regulatory side, read our guide to the Data Privacy Act, and for the live-incident scenario, our Data Breach Incident Response service.

Frequently asked questions

What is RA 10175 in simple terms?

The Philippine law that defines which online acts are crimes, sets their penalties, and gives law enforcement the tools and warrants to investigate them.

Hacking into accounts or systems, online fraud, identity theft through fake accounts, intercepting communications, spreading malware, cybersex, and cyber libel.

Yes, under Section 4(c)(4). It is the most litigated offense in the statute and has its own complete guide on this site.

The NBI Cybercrime Division and the PNP Anti-Cybercrime Group investigate; the DOJ prosecutes; the DOJ Office of Cybercrime handles international cooperation.

In defined circumstances, yes, including offenses committed by Filipinos abroad and cases involving systems in the Philippines.

In Disini v. Secretary of Justice (2014), it upheld most of the law, struck down several provisions, and limited online libel liability to original authors.

RA 10175 punishes computer crimes committed by offenders; the Data Privacy Act regulates how organizations handle personal data. One incident can engage both.

The statute has not been substantively amended. It stands as enacted in 2012, shaped by the Disini ruling, later jurisprudence, and its 2015 implementing rules.

When the law meets your situation

A statute is a list; your situation is specific. STLAF practices in the matters this law creates, from cyber libel filing and defense to breach response and digital evidence, with the legal and financial sides handled in one firm. If something covered by RA 10175 has reached you or your business, the team can route your matter to the right counsel.

Contact STLAF
International Cybercrime practice

This guide is general legal information, not legal advice for a specific situation.

https://157.245.54.109/ https://128.199.163.73/ https://cadizguru.com/ https://167.71.213.43/
Scroll to Top