Ken Regum

On Social Media Use and Privacy

How do you characterize the relationship between Facebook, a user who posted a picture of his friend to his feed, and the latter under the Data Privacy Act (DPA)?

The DPA states:

Data Privacy Act, Section 3 (h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

...

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

How do we determine if the user posted the picture in connection with their personal, family, or household affairs? I reckon this is subjective and varies from case to case, but consider the National Privacy Commission's (NPC's) stance on CCTV systems:

NPC Circular No. 2024-02, Section 1(A) Where CCTV systems capture images of individuals beyond the boundaries of a private and non-commercial residence or establishment, particularly where it monitors a public space, such use cannot be considered purely for personal, family, or household use.

It appears that where an act goes beyond private use, a user who posted the picture online may be considered a personal information controller. Interestingly, the Supreme Court in Vivares, et al. vs. St. Theresa's College, et al., which was promulgated after the effectivity of the DPA but did not apply it, ruled that:

Before one can have an expectation of privacy in his or her OSN activity, it is first necessary that said user, in this case the children of petitioners, manifest the intention to keep certain posts private, through the employment of measures to prevent access thereto or to limit its visibility. And this intention can materialize in cyberspace through the utilization of the OSN’s privacy tools. In other words, utilization of these privacy tools is the manifestation, in cyber world, of the user’s invocation of his or her right to informational privacy.

Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny access to his or her post or profile detail should not be denied the informational privacy right which necessarily accompanies said choice. Otherwise, using these privacy tools would be a feckless exercise, such that if, for instance, a user uploads a photo or any personal information to his or her Facebook page and sets its privacy level at "Only Me" or a custom list so that only the user or a chosen few can view it, said photo would still be deemed public by the courts as if the user never chose to limit the photo’s visibility and accessibility. Such position, if adopted, will not only strip these privacy tools of their function but it would also disregard the very intention of the user to keep said photo or information within the confines of his or her private space.

Applying the Supreme Court's logic and the stance of the NPC, it now appears that where a post has been made public, it ceases to be a purely personal affair. This seems to be consistent with the Court of Justice of the European Union (CJEU) when it decided the Lindqvist case, ECLI:EU:C:2003:596, applying Directive 95/46, the predecessor of the GDPR:

As regards the exception provided for in the second indent of Article 3(2) of Directive 95/46, the 12th recital in the preamble to that directive, which concerns that exception, cites, as examples of the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

As an aside, I argue that publicity should not be the sole arbiter of whether an act is purely personal or not. It is possible to post a picture for the world to see and have it remain a purely personal activity, while it is also possible that posting a picture to only a handful of people is not a purely personal act. I believe intent is important in determining the breadth of this exception.

In any case, assuming arguendo that the DPA does not care whether or not the user was processing personal data within a filing system, and presupposing again that the user posted the picture publicly for the world to see (and not to their "friends only"), the user appears to be a personal information controller in the eyes of the law.

What is the relationship between the user who posted the picture and Facebook, the site where the picture is hosted?

To answer this question, we have to take a look into what kind of processing is happening under the hood. Under the DPA:

Section 3(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

We can surmise that the user collected and shared the picture, while Facebook stored and shared the picture further for anyone who visits the user's wall or feed. In this case, I believe they are separate - not joint - personal information controllers.

The CJEU, in one case (Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388), proclaimed that:

While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.

The CJEU case differs from our scenario of a user who only posted a picture in his feed and did not create a page through which they agree to let Facebook place cookies on the devices of users who visit that page. As such, the user who only posted a picture in their feed is not a joint controller with Facebook, but rather a separate and distinct personal information controller.

Having thus concluded that Facebook and the user who posted the picture of another (let us call this person the data subject) are separate and distinct controllers, has the poster the right to post a picture under the DPA without the consent of the data subject?

Let us suppose in this case that the picture is only ordinary personal information. You may only process ordinary personal information under the following legal bases:

Data Privacy Act, Section 12 The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

...

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

The poster did not ask for the data subject's consent, so the only reasonable option left is legitimate interest. Has the poster any legitimate interest in posting the picture of the data subject, such that consent of the latter is not required?

When determining whether a personal information controller can process information under their legitimate interests, one of the more crucial points is the reasonable expectation of privacy test under the broader balancing of interests test (the analysis itself is called a legitimate interest assessment or LIA). Basically, does the data subject reasonably expect that his picture will not be taken and shared on social media?

The test is highly subjective and depends on the case. What is the picture of, exactly? Let's say the user took a picture of the data subject, who is the user's cousin, at a beach while they were frolicking. Certainly, the data subject in this case has little or no reasonable expectation of privacy since he is aware both that his picture is being taken and that his cousin will post the picture on Facebook later.

However, things change when a stalker takes a picture of the same data subject frolicking at the same beach. This time, the data subject has a reasonable expectation of privacy since he only expected his companions to take a picture of him, not a stalker.

How about Facebook? What is the legal basis for Facebook to process (e.g., host it in its servers) the picture of the data subject?

The answer still seems to be legitimate interest, though it is best spelled out as legitimate business interest in the case of juridical entities like Facebook.

It should be noted that even if the personal information controller has a legal basis for processing personal information, they still have to comply with the general privacy principles of transparency, proportionality, and legitimate purpose. This means that they need to apprise the data subject that they have posted a picture of them, that they only posted a portion of the picture necessary for the purpose they are seeking, and that such purpose is lawful.

Having stated the foregoing, can the data subject whose picture was posted request either the user or Facebook to take it down?

A footnote in NPC Advisory 2021-01 on Data Subject Rights states:

When processing is based on consent, the right to object is inherent since consent, by its nature and definition, may be withdrawn. As to processing based on legitimate interest, the right to object applies when the rights and freedoms of the data subject overrides such legitimate interest of the PIC or of a third party. For instance, a data subject can invoke his or her right to object where personal data are processed in circumstances where he or she does not reasonably expect further processing or when the processing is causing substantial damage or distress to the data subject.

It appears the answer is yes, but only when the data subject proves that the effect or impact of the picture is more dire than the legitimate interests of the user who posted it, or that the picture contains private information prejudicial to the data subject.

Can the data subject go straight to Facebook to ask for the picture to be taken down?

Still, the answer is yes, but again the same condition applies. The data subject has to prove that the picture is causing substantial damage or distress.

It should be noted that though the DPA applies to the processing of personal information, this cannot stop or prevent a civil case from being instituted for violating Article 26 of the Civil Code.


#law #privacy