‘Panalo ka ng 1Million’: Proliferation of Text Scams and Breaches to Data Privacy

Mary Clarence Angela T. Protacio

Apart from the much-awaited text message that your Lazada or Shopee delivery is out for delivery or the one-time pin that closes your transaction, another type of text message frequents our mobile phones nowadays—scam text messages. It has become a common experience for a lot of people who use mobile phones to receive spam messages ranging from prizes allegedly won, to distant relatives requesting for financial support. Of late, these text messages have even evolved to include the recipient’s name—a clear cause for concern.

It is thus a source of curiosity, if not suspicion, regarding how the personal data such as a person’s name, identity or contact information is harvested and abused moreso that data subjects under the Data Privacy Act of 2012 (“DPA”) are entitled to be informed when personal information pertaining to him or her are being or have been processed.

Under the DPA, personal information of data subjects must only be collected for specified and legitimate purposes and processed in such a way compatible with such purposes. It is then the responsibility of personal information controllers to ensure that personal information is processed responsibly and is not leaked or harvested by unscrupulous individuals.

As regards personal information of data subjects, specifically their names, there is an obligation on the part of controllers and processors alike to only act in accordance with the legitimate and specified purposes for which a data subject is providing his or her information. Additionally ensuring the security of personal information falls under the responsibility of personal information controllers. Measures need to be implemented to prevent accidental or unlawful disclosure as well as unlawful processing of personal information. Should personal information controllers transfer the personal information, for whatever specified purpose, the level of protection imposed on the personal information must be maintained. With the mandated obligation of entities that control and process people’s personal information, a high level of diligence must be exercised and appropriate penalties be imposed for falling below the standards of the law.

The DPA itself provides for the penalties to be imposed to personal information controllers and processors that fail to comply with their obligations under the law. A penalty of imprisonment as well as a fine is accordingly imposed on those who violate the provisions of the DPA. Unauthorized processing of personal information, or the processing without a data subject’s consent, is penalized with imprisonment ranging from one year to three years and a fine of not less than PhP500,000 but not more than PhP2,000,000. Processing of personal information for unauthorized purposes is penalized with imprisonment ranging from one year and six months to five years and a fine of not less than PhP500,000 but not more than PhP1,000,000. Unauthorized disclosure, or the disclosure to a third-party personal information without the data subject’s consent, without malice or in good faith, can be punished with imprisonment ranging from one year to three years, and a fine of not less that PhP500,000 but not more than PhP1,000,000.

If the offender is a juridical person, the penalty is to be imposed on the responsible officers who participated in, or even by their gross negligence, allowed the commission of the crime. In addition, any of the entity’s rights to control or process data under the DPA may be suspended or revoked. The law even goes further by punishing violations committed in the large-scale, or when personal information of at least one hundred persons is involved. The maximum penalty is imposed when the violation is committed in the large-scale.

With the foregoing, how did these text scams come to be? Remember — “contract tracing forms” were imposed during the height of the pandemic, when the public submitted personal information with the expectation that such is used only for the given purpose of monitoring the spread of the COVID-19. Online shopping and money transfer applications with increasing users made the public provide their personal information. With a surge of these platforms where one provides his or her personal information, a data privacy breach could cause several data subjects to have their personal information used for improper purposes. The proliferation of text scams can be traced here because clearly data subjects’ personal information were illegally accessed. To be sure, data subjects do not provide their information with knowledge nor consent to receive spam messages that seek to take advantage of them by including them in an elaborate scam to part with their money.

Due to the growing concern of the public regarding their personal information being used in such a way, as well as the unfortunate situation when people are scammed of their money through text phishing, the relevant government agencies must ensure the safety of personal information and enforce the existing laws. The National Privacy Commission and the Department of Trade and Industry have issued various advisories warning the public of spam messages that seek to deceive people into believing that they have been employed by an imaginary employer they did not apply with or won a considerable amount which would bring the lottery prize money to shame.

Not only are the public themselves warned to take extra care in falling prey to text phishing, but telcos themselves are also being directed by the National Telecommunications Commission to use their reach in warning the public against these text scams. In the most recent NTC Memorandum Order No. 006-09-2022, the NTC even directed mobile phone manufacturers, distributors, and dealers to educate the public on protective mobile phone features.

Are these safeguards enough? Given the provisions of law which enumerate responsibilities and punish violations, entities that handle personal information of the public should be more diligent in ensuring the security of information entrusted to them. Heavier protection should be imposed to ensure the confidentiality of information submitted by the public, especially those who are prime victims who are likely to fall prey and believe seemingly harmless, but indeed very damaging, text messages.

This article is for informational and educational purposes only. It is not offered and does not constitute legal advice or legal opinion.

Mary Clarence Angela T. Protacio is an associate of the Litigation and Dispute Resolution Department of Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW).

[email protected]
(632) 8830-8000

How can we help you?