CA decision boosts rights of data subjects — NPC

Published January 11, 2022, 1:28 PM

by Bernie Cahiles-Magkilat

National Privacy Commission

The National Privacy Commission (NPC) said the decision of the Court Appeals upholding the former in a case by Pieceland Corp. vs. Manila New Life Church Inc. (MNLC) will strengthen the promotion not just the rights and freedoms of data subjects, but also the obligations and responsibilities of Personal Information Controllers (PICs).

NPC Commissioner John Henry D. Naga.

“I hope that this is something that will urge PICs to be more mindful of their accountability under the DPA and to ensure that their methods of processing are aligned with the requirements of the law and pertinent issuances of the Commission,” said NPC Commissioner John Henry D. Naga.

On December 14, 2021, the CA upholds the NPC decision denying the petition for review filed by Pieceland Corporation (Pieceland) and upholding the ruling of the NPC) in NPC Case No. 19-528 (Pieceland Corporation v. Manila New Life Church Inc.).

“The Commission welcomes the Decision of the appellate court upholding NPC’s ruling and its recommendation to prosecute violators for the unauthorized processing of sensitive personal information under the Data Privacy Act (DPA),” said Naga.

“This favorable Decision is proof that our Commission is working hard in protecting data subjects and guaranteeing their right to privacy. We will be more resolute in implementing and enforcing the DPA against violators,” the NPC Chief added.

In 2019, Manila New Life Church Inc. (MNLCI) filed a complaint before the NPC against Pieceland for the unauthorized processing of personal data, in which the NPC ruled in favor of the Complainants.

According to Deputy Commissioner Leandro Angelo Aguirre, ponente of the NPC Decision, “the availability of a far less intrusive measure demonstrates that the measures employed by Respondents [requiring data subjects to submit passports, government issued IDs, and colored pictures] are disproportionate to the aim they seek to achieve.

In as much as Respondents recognized the issued IDs of the other tenants in the building, the same standard should have been applied to the church members of Complainant.” The NPC also found that Pieceland processed the personal data of MNLCI members without the consent of data subjects as defined under the DPA.

In a November 2019, the NPC also ordered the respondents to submit an affidavit of compliance to the Order’s directive to return to MNLCI’s church members all the copies of their passports and valid IDs; delete or dispose all copies of the passports and valid IDs, digital or otherwise; and to allow MNLCI to provide IDs for their church members and officers bearing only their photos and English names.

Pieceland filed a petition for review to the CA against NPC for allegedly committing a reversible error in ruling that Pieceland violated Section 25(b) of the DPA.

However, the appellate court denied the petition and ruled the following: • NPC validly acquired and exercised jurisdiction over the case; • Available remedies were exhausted; • NPC has the power to waive technicalities; • Consent requirement under DPA was not satisfied; • Existence of legitimate interest immaterial against prohibition on processing SPI, and; • Nominal damages warranted but modified, increasing the amount from P1,000.00 to P20,000.00 for specific MNLCI members that filed the complaint.

NPC’s recommendation to prosecute Pieceland and its responsible officers for DPA violations is likewise upheld. Pieceland is also ordered to delete the sensitive personal information they collected from the data subjects.