The National Privacy Commission (NPC) said on Tuesday, Jan. 11, that the Court of Appeals (CA) has upheld its decision against office space lessor Pieceland Corporation for violating the Data Privacy Act.
The CA’s 16th division issued the decision last Dec. 14, 2021 denying the petition for review filed by Pieceland in NPC Case No. 19-528 (Pieceland Corporation v. Manila New Life Church Inc.).
“The Commission welcomes the Decision of the appellate court upholding NPC’s ruling and its recommendation to prosecute violators for the unauthorized processing of sensitive personal information under the Data Privacy Act (DPA),” said privacy commissioner John Henry D. Naga in a statement.
“This favorable Decision is proof that our Commission is working hard in protecting data subjects and guaranteeing their right to privacy. We will be more resolute in implementing and enforcing the DPA against violators,” Naga added.
In 2019, Manila New Life Church Inc. (MNLCI) filed a complaint before the NPC against Pieceland for the unauthorized processing of personal data, in which the NPC ruled in favor of the complainants.
According to deputy commissioner Leandro Angelo Aguirre, who penned the NPC decision, “the availability of a far less intrusive measure demonstrates that the measures employed by Respondents [requiring data subjects to submit passports, government-issued IDs, and colored pictures] are disproportionate to the aim they seek to achieve. In as much as Respondents recognized the issued IDs of the other tenants in the building, the same standard should have been applied to the church members of Complainant.”
The NPC also found that Pieceland processed the personal data of MNLCI members without the consent of data subjects as defined under the DPA.
Pieceland subsequently filed a petition for review at the CA against NPC for allegedly committing a reversible error in ruling that Pieceland violated Section 25(b) of the DPA. However, the appellate court denied the petition and ruled the following:
- NPC validly acquired and exercised jurisdiction over the case;
- Available remedies were exhausted;
- NPC has the power to waive technicalities;
- Consent requirement under DPA was not satisfied;
- Existence of legitimate interest immaterial against prohibition on processing SPI, and;
- Nominal damages warranted but modified, increasing the amount from P1,000.00 to P20,000.00 for specific MNLCI members that filed the complaint.
NPC’s recommendation to prosecute Pieceland and its responsible officers for DPA violations was likewise upheld. Pieceland was also ordered to delete the sensitive personal information they collected from the data subjects.
“The impact of the CA’s decision will help the Commission in further promoting not just the rights and freedoms of the data subjects, but also the obligations and responsibilities of Personal Information Controllers (PICs),” Aguirre said.
“I hope that this is something that will urge PICs to be more mindful of their accountability under the DPA and to ensure that their methods of processing are aligned with the requirements of the law and pertinent issuances of the Commission,” he added.
