A couple of days ago, I was notified by some colleagues about an interesting Advisory Opinion (AdOp) issued recently by the Privacy Policy Office of the National Privacy Commission.
The AdOp deals with a very specific situation described by the inquiring party. Apparently, someone had taken an “intimate photo” of said party and his or her partner, while they were dining at a restaurant. That person later posted the photo in a social media platform accompanied by a “derisive caption.” Feeling slighted, the inquiring party wanted advice about the possibility of filing a complaint relative to the posting of the photo sans their consent.
In response, the AdOp simply stated that the inquiring party could exercise his or her rights as a data subject, as provided under the Data Privacy Act of 2012 (DPA). Since it proceeded to give instructions on the proper filing of a “full-fledged complaint”, it’s safe to assume it meant the right to file a complaint is at least one of those applicable rights.
The AdOp deals with an issue that is common today. It’s rather loaded, too. A closer look reveals that it is actually comprised of interrelated questions that deal with contentious concepts in the field of data protection, some of which the Commission has previously commented on. Thus, it was a missed opportunity to lay down those questions once and for all and the agency’s prevailing views.
So let’s try to unpack them on this space instead.
Are photographs personal data?
At least to the extent that they identify (or tend to) specific individuals, photographs are considered personal data — specifically, personal information. The NPC first confirmed this in a 2018 AdOp. Last year, it clarified via another AdOp that pictures can also qualify as sensitive personal information if they reveal details about a person (e.g., information about his or her education) that warrant a stricter treatment.
This tends to be problematic for certain organizations like schools. Without further guidance that narrows down the definition of “information about education”, even photos remotely associated with a school setting or learning environment could be interpreted as sensitive personal information. This has actually led some parents to ask me: are we no longer allowed to take and share photos of our children’s school events?
Is the processing of photographs covered by the DPA?
Considering the broad definition given by the DPA to the term “processing” and the classification of photographs as personal data, processing photos — whether it be taking them or posting them online — would generally be governed by the DPA.
The NPC acknowledges that there are certain exemptions to the rule. They include processing for journalistic, artistic, literary, or research purposes, or processing in connection with an individual’s personal, family, or household affairs. The DPA explicitly says individuals who perform the latter are not considered personal information controllers.
Unfortunately, both exemptions are susceptible to varying interpretations and are influenced by many factors. For example, it’s hard to adopt a rule that defines what may properly be considered as “personal, family, or household affairs.”
In instances like this, resorting to references from the European Union (EU) is usually a reliable recourse given the history and background of the DPA. This time, though, such a move provides little clarity.
It is true that one inevitably gets to dig up a 2003 court decision declaring that, when the processing of personal data consists of publishing the same on the internet, it no longer qualifies as processing personal data carried out in the course of one’s private or family life. The rationale given is that because the data becomes accessible to an indefinite number of people, its processing cannot possibly remain “purely personal”.
Note, though, that that case was interpreting the EU Data Protection Directive, which has since been replaced by the General Data Protection Regulation. Recital 18 of the latter expressly states that, “[t]his Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity… Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.”
How does one process photos in a way that does not violate the DPA?
As a general rule, processing photos — including their use in a social media post — should be consistent with Section 12 of the DPA. In a school setting, the NPC notes that the posting of photos in a social media platform by a teacher or a school may ordinarily be justified by the need to fulfill a contract or the legitimate interest of the school (or a third party).
However, it necessarily follows that in the event photos qualify as sensitive personal information, the processing will have to rely on Section 13 instead in order to remain lawful. Looking at the options, personal information controllers almost always end up having consent (of the data subject) as their only viable choice.
It is for this reason that, in its AdOp 2018-051, the NPC opined that when the photo of a person is “candidly” taken and then posted online, it may be considered as unauthorized processing. The NPC’s newest AdOp seems to have arrived at the same conclusion, albeit confronted with a different scenario.
What remedies are available to persons whose photos have been processed unlawfully?
According to the NPC, an aggrieved person can either seek the withdrawal, removal, or destruction of his or her personal data, or the suspension or blocking of the processing thereof, if he or she can prove that his or her photograph has been unlawfully obtained, or used for unauthorized purposes.
Meanwhile, the DPA allows for the filing of appropriate criminal case (i.e., unauthorized processing, processing for unauthorized purposes, malicious disclosure, and/or unauthorized disclosure) against the erring party. Based on the DPA’s implementing rules, the victim may also be indemnified for any damages sustained due to such unlawful collection or unauthorized use of his or her photo.
Taking stock of all these, it is clear that the answers to some questions surrounding the proper taking and use of photos will remain elusive until local jurisprudence actually settles them decisively, or the DPA itself is amended and offers clearer directives.
In the meantime, my advice is that we still rely on our inherent notions of what responsible photography and social media behavior look like. After all, even without a data protection law, such notions will exist, just like our core values of accountability and respect for human dignity. As long as we let these guide our actions, we can continue to use pictures when capturing memories and exploring the boundaries of our imagination.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to info@privacyphl.com.
