Amicus Curiae


Apart from the much-awaited text message that your Lazada or Shopee delivery is out for delivery or the OTP that closes your transaction, another type of text message frequents our mobile phones nowadays — scam text messages. It has become a common experience for a lot of people who use mobile phones to receive spam messages ranging from prizes allegedly won, to distant relatives requesting financial support. Of late, these text messages have even evolved to include the recipient’s name — a clear cause for concern.

It is thus a source of curiosity, if not suspicion, regarding how the personal data such as a person’s name, identity, or contact information is harvested and abused, more so as data subjects under the Data Privacy Act of 2012 (DPA) are entitled to be informed when personal information pertaining to him or her are being or have been processed.

Under the DPA, personal information of data subjects must only be collected for specified and legitimate purposes and processed in such a way that is compatible with such purposes. It is then the responsibility of personal information controllers to ensure that personal information is processed responsibly and is not leaked or harvested by unscrupulous individuals.

As regards the personal information of data subjects, specifically their names, there is an obligation on the part of controllers and processors alike to only act in accordance with the legitimate and specified purposes for which a data subject is providing his or her information. Additionally ensuring the security of personal information falls under the responsibility of personal information controllers. Measures need to be implemented to prevent accidental or unlawful disclosure as well as unlawful processing of personal information. Should personal information controllers transfer the personal information, for whatever specified purpose, the level of protection imposed on the personal information must be maintained. With the mandated obligation of entities that control and process people’s personal information, a high level of diligence must be exercised and appropriate penalties be imposed for falling below the standards of the law.

The DPA itself provides for the penalties to be imposed on personal information controllers and processors that fail to comply with their obligations under the law. A penalty of imprisonment, as well as a fine, is accordingly imposed on those who violate the provisions of the DPA. Unauthorized processing of personal information, or the processing without a data subject’s consent, is penalized with imprisonment ranging from one year to three years and a fine of not less than P500,000 but not more than P2,000,000. Processing of personal information for unauthorized purposes is penalized with imprisonment ranging from one year and six months to five years and a fine of not less than P500,000 but not more than P1,000,000. Unauthorized disclosure, or the disclosure of personal information to a third party without the data subject’s consent, done without malice or in good faith, can be punished with imprisonment ranging from one year to three years, and a fine of not less than P500,000 but not more than P1,000,000.

If the offender is a juridical person, the penalty is to be imposed on the responsible officers who participated in, or even by their gross negligence allowed the commission of the crime. In addition, any of the entity’s rights to control or process data under the DPA may be suspended or revoked. The law even goes further by punishing violations committed on a large-scale, or when personal information of at least 100 persons is involved. The maximum penalty is imposed when the violation is committed on a large-scale.

With the foregoing, how did these text scams come to be?

Remember — “contract tracing forms” were imposed during the height of the pandemic, when the public submitted personal information with the expectation that such was to be used only for the given purpose of monitoring the spread of the COVID-19. Online shopping and money transfer applications with increasing users made the public provide their personal information. With a surge of these platforms where one provides his or her personal information, a data privacy breach could cause several data subjects to have their personal information used for improper purposes. The proliferation of text scams can be traced here because clearly data subjects’ personal information was illegally accessed. To be sure, data subjects do not provide their information with knowledge nor consent to receive spam messages that seek to take advantage of them by including them in an elaborate scam to part with their money.

Due to the growing concern of the public regarding their personal information being used in such a way, as well as the unfortunate situation when people are scammed of their money through text phishing, the relevant government agencies must ensure the safety of personal information and enforce the existing laws. The National Privacy Commission and the Department of Trade and Industry have issued various advisories warning the public of spam messages that seek to deceive people into believing that they have been employed by an imaginary employer they did not apply with or won a considerable amount which would bring the lottery prize money to shame.

Not only are the public themselves warned to take extra care in falling prey to text phishing, but telcos themselves are also being directed by the National Telecommunications Commission (NTC) to use their reach in warning the public against these text scams. In the most recent NTC Memorandum Order No. 006-09-2022, the NTC even directed mobile phone manufacturers, distributors, and dealers to educate the public on protective mobile phone features.

Are these safeguards enough? Given the provisions of law which enumerate responsibilities and punish violations, entities that handle personal information of the public should be more diligent in ensuring the security of information entrusted to them. Heavier protection should be imposed to ensure the confidentiality of information submitted by the public, especially those who are prime victims who are likely to fall prey and believe seemingly harmless, but indeed very damaging, text messages.

This article is for informational and educational purposes only. It is not offered and does not constitute legal advice or legal opinion.


Mary Clarence Angela T. Protacio is an associate of the Litigation and Dispute Resolution Department (LDRD) of the Angara Abello Concepcion Regala & Cruz Law Offices or ACCRALAW.

(632) 8830-8000