Republic of the Philippines

NATIONAL PRIVACY COMMISSION

LEGAL AND ENFORCEMENT OFFICE

NOEMI L. DADO,
Complainant,
NPC Case No. 18-016
-versus- (Formerly CID Case No. 18-D-016)
For: Violation of Data Privacy Act of
FACEBOOK, INC., 2012
Respondent.
x----------------------------------------------------------x

DECISION

This is a case where complainant alleged that respondent violated her data privacy rights when
the latter allegedly processed her personal information and shared the same with Cambridge
Analytica through the app “This Is Your Digital Life” without her consent.

These Proceedings

The parties were ordered to confer for discovery on 14 August 2018.1 Complainant has sent an
email confirming her attendance at the said conference.2 However, based on records, both parties
failed to appear during the scheduled discovery conference.

On 30 March 2021, the Commission sent an Order requiring respondent to submit a report on the
details of the sharing of personal data of complainant and her friends with third-party
applications, to further help with the investigation of the possible data privacy violation.

On 01 May 2021, the Commission received a letter2 dated 30 April 2021 from Facebook in response
to the above-mentioned Order. There being no other pleadings on record, the investigation on the
case was terminated.

Upon evaluation of the complaint, the investigating officer found that the complainant failed to
discharge the burden of proof because complainant did not adduce sufficient evidence to prove
the allegations in her complaint.

Facts

Complainant Noemi L. Dado filed a complaint via the Complaints- Assisted Form (“CAF” for
brevity) on 16 April 2018 against respondent Facebook, Inc., (“Facebook” for brevity) for alleged
violation of the Data Privacy Act of 2012 (“DPA” for brevity).

1 Order to Confer for Discovery dated 24 July 2018. Records, p. 11. 2

Email dated 25 July 2018.
2 Letter dated 30 April 2021

5th

Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 2
Complainant alleged that respondent processed her personal information without her consent.
She alleged that when she checked to see if her information may have been shared with
Cambridge Analytica by the app “This Is Your Digital Life,” she received the following
information:

“Based on our investigation, you don’t appear to have logged into “This Is Your Digital
Life” with Facebook before we removed it from our platform in 2015.
However, a friend of yours did log in.

As a result, the following information was likely shared with “This Is Your Digital Life”:
• Your public profile, Page likes, birthday and current city.

A small number of people who logged into “This Is Your Digital Life” also shared
their own News Feed, timeline, posts and messages which may have included
posts and messages from you. They may also have shared your hometown.”3

Since respondent did not disclose the identity of complainant’s Facebook friend who logged into
“This is your Digital Life,” and which messages were compromised, complainant filed the instant
complaint and requested assistance from the Commission.

Complainant prayed for the imposition of damages in the amount of P250,000.00 and for the
respondent to reveal the compromised posts and private messages, as well as the name of the
friend who logged into the app.4

On 01 May 2021, the Commission received a letter5 dated 30 April 2021 from Facebook in response
to the Order dated 30 March 2021. Facebook emphasized that Facebook Ireland, an affiliate of
Facebook, Inc., is the entity providing Facebook services to users in the Philippines at the relevant
time and that the information provided in the letter was provided by Facebook Ireland.

Facebook alleged that Dr. Alexandr Kogan was employed at the University of Cambridge when
he developed the subject “thisisyourdigitallife” App as part of his academic research, which
provided the basis for Cambridge Analytica's data analysis. Cambridge Analytica is a “global
leader in data-driven campaigning” which uses data analysis of social media profiles to inform
targeted advertising on the web.6

Facebook reiterated that the third-party app developer, Dr. Kogan, only had access to data that
users who installed the App consented to give to the App and, in the case of such users’ friends,
data that those friends published on the Facebook Platform and that was made available to the
App in accordance with their privacy settings. Dr. Kogan has stated publicly message data was
only collected from a small subset of installers – not friends – and that no message data was shared
with Cambridge Analytica. Accordingly, messages were not compromised, and no data was
shared with Dr. Kogan without the user’s consent and in accordance with user privacy settings.

Facebook stated that it can confirm that a user by the name Noemi Lardizabal-Dado whose
account indicates that she is located in the Philippines is among the group whose data was
potentially shared with Dr. Kogan although there is no reason to believe her data was shared with
Cambridge Analytica. However, Facebook cannot say conclusively that the Complainant’s data
was in fact shared with Dr. Kogan, nor can Facebook, based on currently available information,
identify the Complainant’s friend who may have shared the Complainant’s information with Dr.
Kogan assuming Complainant’s privacy settings permitted such sharing.

3 Id., at p. 2.
4 Id., at p. 3.
5 Letter dated 30 April 2021
6 https://thetab.com/uk/cambridge/2018/04/13/how-is-cambridge-university-linked-to-cambridge-analytica-

andthe-facebook-data-scandal-110205
Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 3
Moreover, Facebook relayed that Dr. Kogan and Cambridge Analytica have stated publicly that
the unauthorized transfer of data (i.e., from Dr. Kogan to Cambridge Analytica) was limited to
Facebook users in the United States.7

With respect to messages, Facebook claimed that Dr. Kogan’s application requested consent to
access Facebook messages for a small subset of installers, but not their friends and that messages

were not shared with Cambridge Analytica. 8 Facebook reiterated that Dr. Kogan had stated
publicly that his application gathered Facebook messages from several thousand users as part of
an academic research project at the University of Cambridge and that those messages were never
provided to Cambridge Analytica.

Issues

Whether or not the complainant was able to prove that the respondent committed a violation
of the Data Privacy Act of 2012 and therefore entitled to the reliefs prayed for.

Discussion

Complainant was not able to prove any

data privacy violation for failure to adduce
evidence to support the complaint for
violation of the Data Privacy Act.

Section 16 of the Data Privacy Act of 2012 enumerates the rights of Data subjects, to wit:

“SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her

shall be, are being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of

his or her personal information into the processing system of the
personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the

system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be
disclosed;
(5) Methods utilized for automated access, if the same is allowed by the
data subject, and the extent to which such access is authorized; x x
x”

7 See also https://ico.org.uk/media/action-weve-taken/2618383/20201002_ico-o-ed-l-rtl-0181_tojulian-knightmp.pdf

(nothing that “the data from GSR . . . shared with SCL/Cambridge Analytica by Dr Kogan related to US registered
voters”).

5th
8 Ibid.

5th

Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 4
Upon evaluation of the complaint, it is apparent that the complainant failed to attach sufficient
evidence to substantiate the allegations in her complaint that indeed respondent violated
complainant’s rights under the Data Privacy Act of 2012.

In particular, the allegations of the complaint included the following:

1. Complainant got notice on her Facebook account timeline containing a link to know
whether her personal data had been shared with Cambridge Analytica by the app
“This is your Digital Life;”

2. Complainant checked the link provided in the said notice;

3. Through accessing the link, complainant discovered that her personal data may have
been likely shared with “This is your Digital Life” application; and

4. Respondent shared complainant’s personal data without the latter’s consent.

As evidence of these allegations, complainant submitted a screenshot of Facebook Help Center.

The said screenshot informs the user whether the account users’ information may have been
shared with Cambridge Analytica by the involved application, to wit:

“Based on our investigation, you don’t appear to have logged into “This Is Your Digital
Life” with Facebook before we removed it from our platform in 2015.

However, a friend of yours did log in.

As a result, the following information was likely shared with “This Is Your Digital Life”:

• Your public profile, Page likes, birthday and current city.

A small number of people also logged into “This Is Your Digital Life” also shared
their own News Feed, timeline, posts and messages which may have included
posts and messages from you. They may also have shared your hometown.”9

Apart from this screenshot, the records are bereft of any evidence to show that the respondent
indeed committed violations of the Data Privacy Act.

This alone, will not prove that respondent indeed shared complainant’s information with
Cambridge Analytica. No evidence was presented to prove the circumstances surrounding the
screenshot. Moreover, respondent stated that there is no conclusive proof that the personal data
of complainant was indeed shared, neither can they confirm that the messages were
compromised.

Perusal of the records, the screenshot submitted as part of complainant’s evidence did not contain
any name for purposes of identification and verification if the Facebook account was in fact
complainant’s own account. There are no indication nor information about the account or account
user who took the said screenshot. Thus, other than the said screenshot submitted by the
complainant to support her claims, complainant had no other evidence aside from her testimony
which is self-serving and unilateral narration of facts.

In the instant case, respondent did not disclose the identity of complainant’s Facebook friend who
logged into “This is your Digital Life,” and which messages were compromised, thus,

9Id., at p. 2. 11
Id., at p. 3.
Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 5
complainant prayed for the respondent to reveal the compromised posts and private messages,
as well as the name of the friend who logged into the app.11

Thus, the Commission wrote a letter to Facebook to confirm the account of complainant Noemi
Lardizabal-Dado is included in 1.175 million Filipinos whose data were potentially shared
inappropriately with Dr. Kogan, name of the friend who shared complainant data with Dr.
Kogan, and messages that were compromised.

Facebook in their response, stated that they cannot conclusively confirm that the complainant’s
data was shared with Dr. Kogan because of the expansive methodology Facebook used to identify
and notify potentially affected users. But they can confirm that a user by the name Noemi
Lardizabal-Dado whose account indicates that she is in the Philippines is among the group whose
data was potentially shared with Dr. Kogan but not necessarily shared with Cambridge Analytica.
Facebook reiterated that Dr. Kogan and Cambridge Analytica have stated publicly that the
unauthorized transfer of data was limited to Facebook users in the United States.10

Facebook also stated in their response that based on currently available information, Facebook
cannot provide the identity of the complainant’s friend who may have shared the complainant’s
information with Dr. Kogan if complainant’s privacy settings permitted such sharing.

With respect to messages, Facebook stated that Dr. Kogan’s application requested to access
Facebook messages for a small subset of installers and not their friends. Facebook claimed that
Dr. Kogan has stated publicly that his application gathered Facebook messages from several
thousand users as part of academic project at the University of Cambridge, and that those
messages were never provided to Cambridge Analytica. Thus, it is highly unlikely that
complainant’s messages were accessed by Dr. Kogan, much less that they were compromised by
improper disclosure to Cambridge Analytica.

To reiterate, Facebook used an expansive methodology that is likely over- inclusive in its
information campaign in relation to issue. Facebook included anyone who installed the app
during its lifetime, and anyone who may have been friends on Facebook with any of those people
at the time between when the App first became active on Facebook Platform in November 2013
and when the App’s access to friends’ data was limited in May 2015.

Facebook claimed that it possibly over- count the total number of users whose data was in fact
accessed by the App, however, Facebook wanted to be as comprehensive as possible in its
analysis.11 Thus, Facebook had sent notification to users potentially affected by the incident to
provide the affected users with an opportunity to take precautions or remedial measures to
protect their own data such as changing the privacy setting of users’ account.

However, we cannot tilt the burden of proving all the allegations in the instant complaint to
respondent nor force the latter to produce evidence in favor of the complainant. The complainant
has to prove her case by submitting enough evidence to support her claim that she was indeed
affected by the incident.

Elementary is the rule that in administrative proceedings, the quantum of proof necessary for a
finding of guilt is substantial evidence, which is that amount of relevant evidence that a
reasonable mind might accept as adequate to support a conclusion.

See also https://ico.org.uk/media/action-weve-taken/2618383/20201002_ico-o-ed-l-rtl-0181_tojulian-knight-

10

mp.pdf (nothing that “the data from GSR . . . shared with SCL/Cambridge Analytica by Dr
Kogan related to US registered voters”).

5th
11 Id.,

Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 6

Further, the complainant has the burden of proving by substantial evidence the allegations in her
complaint. Settled is the rule that bare allegations, unsubstantiated by evidence, are not
equivalent to proof.12 Likewise, charges based on mere suspicion and speculation cannot be given
credence.13

Based on the allegations alone, the acts of respondent may constitute violations of the Data
Privacy Act, however, complainant failed to support such allegations. The records of this case
are bereft of any evidence or affidavit that would have satisfied the weight of evidence necessary
to allow this Commission to rule in favor of complainant.

To establish a violation of the provisions of the DPA, it is essential that a complaint contains
narration of facts and statement of allegations supported and substantiated with evidence,
testamentary, documentary or otherwise.

Rule II, Section 3 of the Rules of Procedure14 states,

“SECTION 3. Form and contents of the complaint. – The complaint should

be in the proper form, as follows:

xxx

6. The complaint shall include a narration of the material facts and

supporting testimonial or documentary evidence, if any, all of
which show: (a) the violation of the Data Privacy Act of 2012, its
Implementing Rules and Regulations, or NPC issuances; or (b) the
acts or omissions allegedly committed by respondent and in the
case of juridical persons, employees or agents who committed the
offense amounting to a privacy violation or personal data breach.
xxx

9. The supporting documents shall consist of copies of any

documentary evidence and the affidavits of witnesses, if any,
including those affidavits necessary to identify the documents
and to substantiate the complaint.
xxx

Failure to comply with the proper form and contents of the

complaint may cause for outright dismissal under Section 1(1), Rule
IV: Provided, an application that does not comply with the foregoing
requirements may be acted upon if it merits appropriate
consideration on its face, or is of such notoriety that it necessarily
contains sufficient leads or particulars to enable the taking of
further action.” (Emphasis added.)

Clearly, complainant failed to discharge the burden of proof because she did not adduce sufficient
evidence to prove the allegations in her complaint. Failing the same, complainant was not able to
establish as fact that respondent committed the acts complained of.

12 Cardinez et. al v. Spouses Prudencio, et. al., G.R. No. 213001, 04 August 2021.
13 BSA Tower Condominium Corp. v. Reyes II, A.C. No. 11944, June 20, 2018.
14 NPC Circular 21-01 Rules of Procedure

5th
Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 7
Complainant Noemi L. Dado is not
entitled to damages and other reliefs
prayed for.

Complainant stated in the complaint-assisted-form that she is asking for the reliefs of damages
and for the respondent to reveal the posts, private messages that were compromised and the name
of the friend who logged into the app.15

However, as previously discussed, the complainant failed to present evidence on the allegations
in her complaint showing and proving that her personal data was compromised and that she
sustained damages due to such violation of her rights as data subject. Neither the complainant
was able to establish that she is entitled to other damages under the New Civil Code, which
requires no proof of pecuniary loss. Clearly, in the absence of facts and proof showing her
entitlement to damages and other reliefs prayed for, the same cannot be imposed on respondent.

WHEREFORE, all premises considered, the instant complaint is hereby DISMISSED for failure
to adduce evidence to substantiate the allegations in the complaint, without prejudice to the filing
of civil, criminal, administrative cases with the appropriate courts or bodies, and without
prejudice to the refiling with the National Privacy Commission (NPC) in accordance with the
Rules of Procedure of the NPC.

SO ORDERED.

Pasay City, 19 December 2022.

MARIA THERESITA E. PATULA

Director IV, Legal and Enforcement Office

cc:

NOEMI L. DADO
121 Bern Corner Panama St. Pasig Green
Park, Brgy. Manggahan, Pasig City
Email: [email protected]

FACEBOOK, INC.
Facebook HQ, Menlo Park, CA. 547, 406
32nd Floor, Menarco Tower, 32nd Street,
Bonifacio Global City, Taguig 1630
Email: [email protected]

15 Complaint, p. 3.

5th

Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228
 Page 8
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission

5th

Ref No.: CID-22-06051 NPC_LEO_CID_DCS-V3.0, R0.0, 06 May 2022

Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: [email protected] Tel No. 8234-2228