NPC clears Jollibee, Viber in Christmas campaign data breach probe

The National Privacy Commission (NPC) said Tuesday that no privacy breach occurred in last year’s Christmas marketing campaign by fast-food giant Jollibee and messaging app Viber.

The NPC launched an investigation after receiving multiple complaints from Viber users over automated greeting stickers that appeared within private chat interfaces.

“The National Privacy Commission’s Complaints and Investigation Division (NPC-CID) has determined that the Jollibee Foods Corporation and Rakuten Viber ‘Holiday Gems Christmas Campaign 2025’ did not involve the processing of personal information," the commission said in a statement.

"The NPC-CID also did not find evidence of unlawful access to user communications,” it added. 

Complaints emerged during the Christmas season last year after Viber users reported the sudden appearance of automated Jollibee-themed greeting stickers in private chats.

These were reportedly triggered when users typed Christmas-related keywords, raising concerns over possible unauthorized access to messages.

The NPC investigation, however, found that the animated visuals “were deployed at the device level without transmitting message content to external servers for keyword detection.”

“Furthermore, the investigation confirmed that campaign delivery parameters were based on country codes rather than geographic tagging or user location data,” the NPC added.

The NPC-CID said there were insufficient indicators of personal data processing as defined under Section 3 of the Data Privacy Act of 2012.

Under the law, personal information controllers must ensure that any processing of personal data for direct marketing purposes complies with the principles of transparency, legitimate purpose, and proportionality.—MCG, GMA News