Data Privacy Obligations For E-Commerce Platform Users in PHILIPPINES

🇵🇭 DATA PRIVACY OBLIGATIONS OF E-COMMERCE PLATFORM USERS IN THE PHILIPPINES

I. INTRODUCTION

E-commerce users in the Philippines include:

  • Buyers (customers)
  • Sellers (online merchants)
  • Riders / delivery personnel
  • Platform users (Shopee, Lazada, etc.)
  • Third-party service providers

Under Philippine law, they are considered either:

  • Data Subjects (whose personal data is collected), or
  • Personal Information Controllers (PICs) / Processors (PIPs) when they handle others’ data

Even ordinary users may incur liability when they:

  • Share personal data of others
  • Process data without consent
  • Misuse platform data (screenshots, chats, addresses)

II. LEGAL FRAMEWORK

1. Republic Act No. 10173 (Data Privacy Act of 2012)

Key obligations:

A. Lawful Processing (Section 12 & 13)

Personal data must be:

  • With consent OR
  • Based on lawful grounds (contract, legal obligation, legitimate interest, etc.)

B. Principles of Data Privacy (Section 11)

  • Transparency
  • Legitimate purpose
  • Proportionality

C. Rights of Data Subjects

Users have rights to:

  • Access their data
  • Correct inaccuracies
  • Object to processing
  • Data portability
  • Erasure/blocking in certain cases

2. Obligations of E-commerce Users (Practical Application)

Even “ordinary users” must comply when they:

âś” Do:

  • Use data only for intended transaction (e.g., shipping info)
  • Protect customer details
  • Avoid unnecessary sharing of personal data

❌ Must NOT:

  • Post someone’s address publicly
  • Share customer contact lists without consent
  • Use platform data for harassment, scams, or profiling
  • Screenshot and publish private chats involving others

III. IMPORTANT NPC PRINCIPLES FOR E-COMMERCE

1. Consent is NOT automatic in online transactions

Even if data is given (e.g., address for delivery), it:

  • cannot be reused for other purposes without consent

2. “Purpose Limitation”

Data collected for:

  • delivery → cannot be used for marketing or exposure

3. Platform liability exists, but users can also be liable

If a user misuses data, they may be:

  • civilly liable (damages)
  • administratively liable (NPC complaint)
  • criminally liable (Section 25–33 RA 10173)

IV. CASE LAWS AND JURISPRUDENCE (IMPORTANT)

Below are 6+ Philippine cases shaping e-commerce privacy obligations:

1. Trimillos v. FCash Global Lending (NPC Case, CA-reviewed)

đź“Ś G.R. No. 271360 (2025)

Facts:

  • Lending app accessed user phone contacts
  • Sent messages to contacts without consent

Doctrine:

  • Unauthorized access to contact lists violates DPA
  • “Consent to app use ≠ consent to third-party disclosure”

Relevance:

➡ E-commerce apps cannot access or use contact lists beyond necessity
➡ Users/agents who misuse contact data may be liable

2. FCash Global Lending v. NPC / Court of Appeals Review

đź“Ś NPC 19-605 (affirmed in CA decision)

Doctrine:

  • Data misuse causing reputational harm is actionable under DPA
  • Unauthorized disclosure = violation of confidentiality obligation

Relevance:

➡ Users who forward private loan or transaction data may be liable

3. Vivares v. St. Theresa’s College

đź“Ś G.R. No. 202666 (2014)

Doctrine:

  • Privacy extends to online digital content
  • Posting personal photos without consent violates privacy expectations

Relevance:

➡ Posting screenshots of buyers/sellers chats = potential privacy violation
➡ Even “public platform content” may be protected depending on context

4. Disini v. Secretary of Justice

đź“Ś G.R. No. 203335 (2014)

Doctrine:

  • Online speech is protected but not absolute
  • Privacy restrictions must be proportional

Relevance:

➡ Users cannot justify disclosure of personal data as “free speech”
➡ Harassment or exposure of private data may still be punishable

5. Ople v. Torres

đź“Ś G.R. No. 127685 (1998)

Doctrine:

  • Recognized informational privacy as a constitutional right
  • Government data systems must protect personal information

Relevance:

➡ Foundation of Philippine data privacy law
➡ Applies to digital platforms handling addresses, IDs, phone numbers

6. MAF v. Shopee Philippines (NPC Case 21-167)

Facts:

  • Delivery rider took photo of customer and minor during delivery

Doctrine:

  • Consent required even for “proof of delivery”
  • Overcollection of personal data violates proportionality

Relevance:

➡ Riders/users cannot capture and store images without lawful purpose
➡ E-commerce delivery data must be minimal and necessary

7. Eastwest Rural Bank v. PNP Anti-Cybercrime Group

đź“Ś G.R. No. 273720

Doctrine:

  • Disclosure of personal data is allowed only for:
    • legal claims
    • fraud investigation
    • lawful government authority

Relevance:

➡ Sharing customer data in e-commerce disputes must follow legal channels
➡ Users cannot freely expose others’ data for “complaints”

8. Atty. Puntalba v. NPC

đź“Ś NPC CID Case No. 18-121 (2020)

Doctrine:

  • Unauthorized disclosure of addresses and personal details = violation
  • Even professionals are liable for improper sharing

Relevance:

➡ Ordinary users are also liable if they expose private seller/buyer data

V. COMMON E-COMMERCE PRIVACY VIOLATIONS BY USERS

1. DOXXING (illegal exposure of identity)

  • Posting seller/buyer addresses
  • Sharing phone numbers publicly

2. Screenshot leakage

  • Posting private chats with names visible

3. Misuse of delivery data

  • Using shipping info for harassment or scams

4. Contact list abuse

  • Uploading or sharing contacts without consent

5. Fake reviews using personal data

  • Posting identifiable customer info to shame sellers

VI. LIABILITY OF USERS

Under RA 10173:

A. Civil Liability

  • Damages for privacy violations
  • Injunctions (removal of posts/data)

B. Criminal Liability

  • Unauthorized processing
  • Improper disclosure
  • Unauthorized access

C. Administrative Liability (NPC)

  • Fines
  • Cease-and-desist orders
  • Compliance directives

VII. KEY LEGAL PRINCIPLES FROM JURISPRUDENCE

Across cases, the Supreme Court and NPC consistently affirm:

1. Privacy survives online transactions

Even in e-commerce, data remains protected.

2. Consent must be specific

General “platform agreement” is not enough for all uses.

3. Purpose limitation is strict

Delivery data ≠ marketing data ≠ public disclosure data

4. Users can be liable, not just companies

Individuals who misuse data are personally accountable.

VIII. CONCLUSION

E-commerce users in the Philippines have real legal obligations under the Data Privacy Act, especially when handling other people’s information.

Core rule:

“Data given for transactions is not data for public use.”

From jurisprudence like:

  • Vivares
  • Disini
  • Ople
  • Shopee NPC cases
  • Trimillos v. FCash
  • Eastwest Rural Bank

…it is clear that Philippine law strongly protects:

  • buyer data
  • seller identity
  • delivery information
  • chat communications

Even ordinary users can be liable if they misuse or expose personal data.

RELATED Blog

Cyber Law and Fake News during COVID-19

Using Cyberspace To Vent Out Anger By Travestying ...

Internet Censorship

Reasonable security practices and procedures and s...

Cyber Fraud in Banking industry

Supreme Court Upholds Right to Internet as a Funda...

Supreme Court Issues Landmark Guidelines on Live S...

European Union Introduces Tougher Data Privacy Law...

United States Supreme Court to Decide on Whether A...

Cyber Law at Afghanistan

LEAVE A COMMENT

comments

Load more comments

Copyright © 2024 Law Gratis. Design by Digiinterface