The Cadajas case and data privacy
The Supreme Court recently made public a decision it had handed down late last year wherein it held that photos and other content taken from a person’s messaging app account may be used as evidence against him in a criminal case. It denied that person’s assertion that it was a violation of his right to privacy.
If only for the way it gives a peek at the Court’s views regarding the Data Privacy Act of 2012 (DPA), I think the decision is worth a closer look.
The Case
The case is Cadajas v. People (2021) and it is about a man who was convicted of the crime of child pornography. Among the evidence presented against him were photos and messages taken from his Facebook Messenger account by the minor’s parent. It turns out he had given the minor access to his own account. This allowed the latter to give her mother the same access after being pressured to do so.
The assertion of the accused was simple: the materials were obtained in violation of his right to privacy and should have therefore been inadmissible as evidence.
The Court disagreed.
Initially, it went on to discuss the right to privacy, taking particular interest in the aspect of informational privacy. It then declared that the right, as enshrined in the Constitution, only protects private individuals from government intrusions—not from the prying eyes of other private parties. In the latter case, it is the Civil Code, the DPA, and other pertinent laws that apply.
The Court spent some time explaining why the processing of personal data that occurred in connection with the case was proper and allowed under the DPA. It cited two specific reasons: (1) it related to the determination of criminal liability of the person involved; and (2) it was necessary for the protection of lawful rights and interests of persons in court proceedings.
It capped things off by bringing up the reasonable expectation of privacy test and showed why, when used in the case, it proved that there was indeed no privacy violation to speak of.
What seemed off
To the casual observer, the Supreme Court’s rendition of its arguments seems simple enough. Everything is laid out in a straightforward manner. Not quite, I think.
I would argue that the references to the DPA leave a lot to be desired.
For starters, I believe it was wrong for the Court to cite Section 19 of the law as an appropriate basis for the processing of personal data for criminal investigation purposes. If one looks closely, that provision is about the non-applicability of the law’s provisions concerning the rights of data subjects. Briefly, it essentially says that if your personal data is being processed in connection with an investigation regarding your potential criminal, administrative, and/or tax liability, you, as a data subject, may not invoke any of your rights. That’s it.
But just because your rights have been taken away from you does not automatically make the processing of your personal data lawful. To establish that, an examination of Sections 4, 12, and/or 13 of the DPA is critical. Section 4 talks about its scope, including the so-called exemptions from the law. Sections 12 and 13, on the other hand, list down the valid grounds for processing personal information and sensitive personal information (and privileged information), respectively.
That’s one.
I also think the Court failed to distinguish the two different data processing activities that went on in relation to the case and the need to independently assess each one.
These two I speak of were those carried out by the mother, on the one hand, and those by the government (i.e., law enforcement officers, the prosecutor, and the courts), on the other. When the Court spoke about data processing it was as if it was only referring to one.
Why is the distinction important? It matters because a legal basis recognized by the DPA that is properly invoked by one may not necessarily be available to others. That, in turn, means lawful data processing performed by one party does not necessarily validate that conducted by another.
What I’m saying then is that the statements given by the Court about the DPA left a lot of room for uncertainty. One that could one day rear its ugly head when the case is revisited, or worse, cited by future litigants, the trial courts, and even the National Privacy Commission. A misapplication of legal tenets—including court doctrines—could have dire consequences.
Doing things differently
In my opinion, a more careful approach by the Court would still have allowed it to arrive at the same conclusion. This, even if there were two possible ways it could have dealt with the DPA as applied to the facts of the case.
Through a more liberal lens, the Court could have ruled that the DPA does not apply because: (1) the mother did not qualify as a personal information controller, as defined by the law, since she processed the personal data in connection with her “personal, family, or household affairs”; and (2) the processing carried out by the government was among those exempt from the law because it concerned information necessary for public authorities to carry out their constitutionally and statutorily mandated functions.
This perspective lends itself to the view that not all privacy issues are data privacy issues.
Meanwhile, even if it had adopted a narrower view and applied the DPA’s provisions to the case, it was still possible for the Court to uphold the data processing activities that went on. It could have declared the data processing committed by the mother lawful by holding that it was necessary in the pursuit of her legitimate interests. It could have said the same regarding the government’s actions, plus two more potential legal justifications: (1) it was in line with legal obligations the government actors were bound to; and (2) it was necessary to fulfill the functions or mandate of public authorities.
I did note that the Court appeared to imply that sensitive personal information was involved in the case, but I could not really identify what they were referring to. Hence, the focus on grounds pertaining to personal information, in general.
Either path would have been a good alternative to what was adopted in the decision.
Takeaway
I anticipate that some people would look at this and regard having multiple options a source of unnecessary complication. While I understand why it may look that way, I believe nonetheless that it is a necessary problem we must confront now and eventually overcome.
If anything, they are nothing more than additional proof that there are still a lot of uncertainties surrounding the interpretation and application of the country’s data protection law. Lawyers and other privacy practitioners around the country have been waiting for cases like Cadajas to hear from the country’s highest tribunal, hoping that it might finally put many of such questions to rest.
That did not happen this time. But the waiting inevitably continues.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.