Most of us today rely on online shopping and deliveries for their ease and accessibility. Just a few taps and the items you checked out will be at your doorstep soon.
Recently, however, a customer filed a complaint with the National Privacy Commission (NPC) for alleged violation of Republic Act 10173, or the Data Privacy Act of 2012, against Shopee Philippines Inc.
According to the complainant, her minor child’s picture was taken by the courier service without consent and was used as proof of delivery. She subsequently asked Shopee to remove her son’s photo from its system, but this was denied.
In her complaint, she said that Shopee violated Section 28 of the Data Privacy Act (Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes) and Section 23 (Unauthorized Disclosure). She also asked that Shopee be fined, that her son’s photo be removed from its system, and that Shopee be ordered to state in its guidelines that the taking of a minor’s photo is prohibited.
The NPC ruled in the case of MAF v. Shopee Philippines Inc. (NPC 21-167, 22 September 2022) that Shopee did not violate Sections 28 and 23 of the law, but it violated the general privacy principle of proportionality.
For a controller of personal information like Shopee to be held liable under Section 28, the processing of personal or sensitive personal information must be for a purpose not covered by the authority given and could not have reasonably been foreseen by the data subject, or was not authorized by existing laws.
It cannot be argued that the processing was for a purpose not necessary and related to Shopee’s legitimate interest since the complainant had filed for a refund of a missing item in her order. The same entailed a review of proof of delivery of the package, which was not an unauthorized purpose.
Shopee was not likewise liable under Section 23, contrary to the complainant’s assertion that the photo was shown to the seller of the items she ordered, the third party, without consent.
The NPC explained that the seller is not considered a third party. Shopee merely acted as an intermediary between the seller and the complainant, the parties to the sale.
However, Shopee violated the general privacy principle of proportionality. Citing Section 11(d) of the Data Privacy Act and Section 18 of its Implementing Rules and Regulations, the NPC said that processing is deemed proportional when it is adequate, relevant and necessary to the declared and specified purpose, and the processing performed is the least intrusive means available.
The act of taking the customer’s son’s picture was disproportional as it was not the least intrusive means to the declared and specified purpose, which was to have proof of delivery. The same could have been achieved by taking a picture of his arm holding the package. Shopee’s actions and refusal to delete the photo from its system warranted the award of nominal damages amounting to P15,000.
The NPC, however, did not recommend prosecution.