Communicating using messaging apps is very common nowadays since it’s faster and more convenient. Private, confidential, and intimate conversations can also be found there, with information ranging from texts, images, and files to videos.

As with other forms of communication, messaging apps can be abused and used as a tool for blackmail, disagreements, slander, and identity theft, among others. The screenshot function comes in handy as proof that the conversation happened. The question is, can we use screenshots as evidence in Court when relevant cases are filed? Another critical question is, are we not violating privacy laws by taking and using screenshots?

The case of Cadajas vs. People (2021) answered these questions. It started when the Cadajas (24 y/o) had a relationship with AAA (14 y/o). They were using the Messenger App for their communications, and when AAA’s mother read the conversations, she disapproved of the relationship. AAA’s mother could read the messages because AAA would borrow her mother’s phone to use Facebook and forget to log out of the app.

Later on, AAA’s mom was shocked and disheartened by the messages she found. Candajas was luring AAA to send pictures of her breasts and vagina. AAA on the other hand sent the photos to Candajas. After learning that her mother found out about the conversation, AAA rushed to a computer shop to delete the conversation. On the other hand, her mom was able to force her to open Candajas’ account to get a copy of the conversation.

Cadajas was found guilty by the Lower Court, Court of Appeals, and even the Supreme Court. He was sentenced to reclusion perpetua and a fine of Php 1,000,000.

Cadajas argued that his right to privacy was violated because the information presented as evidence came from his account. However, the Court disagreed with the argument.

• Article 3 Sec 3 of the Philippine Constitution defines privacy. The Bill of Rights was intended to protect private individuals against government intrusions. Hence, its provisions are not applicable between and amongst private individuals. Excerpt from the decision: “In this case, the photographs and conversations in the Facebook Messenger account that were obtained and used as evidence against petitioner, which he considers as fruit of the poisonous tree, were not obtained through the efforts of the police officers or any agent of the State. Rather, these were obtained by a private individual. Indeed, the rule governing the admissibility of an evidence under Article III of the Constitution must affect only those pieces of evidence obtained by the State through its agents. It is these individuals who can flex government muscles and use government resources for a possible abuse.”
•  According to the Court, the Data Privacy Law allows the processing of data and sensitive personal information where it relates to the determination of criminal liability of a data subject and, when necessary, for the protection of lawful rights and interests of persons in court proceedings. In this case, this becomes true since Cadajas is charged with two violations, RA 9775 and 10175.
•  Cadajas failed the reasonable expectation of privacy test. Excerpt from the decision: “Petitioner’s expectation of privacy emanates from the fact that his Facebook Messenger account is password protected, such that no one can access the same except himself. Petitioner never asserted that his Facebook Messenger account was hacked or that the photos were taken from his account through unauthorized means. Rather, the photos were obtained from his account because AAA, to whom he gave his password, had access to it. Considering that he voluntarily gave his password to AAA, he, in effect, has authorized AAA to access the same. He did not even take steps to exclude AAA from gaining access to his account. Having been given authority to access his Facebook Messenger account, the petitioner’s reasonable expectation of privacy, in so far as AAA is concerned, had been limited. Thus, there is no violation of privacy to speak of.”
•  Cadajas should have raised his objection to the admissibility of the photos during the proceedings in the RTC.

The side of child pornography and cybercrime will not be discussed since, based on the background of the case, it’s clear that the elements for these violations are present.

The Supreme Court (SC) agreed to the decisions made by the lower and appeals courts with separate concurring and dissenting opinions from the Justices. There are insights, however, from privacy pundits providing a different perspective. Atty. Jamael Jacob shares in his article that Section 19 of the DPA law is an appropriate basis for processing personal data for criminal investigation purposes. He said the data subject rights may not be invoked. His article states, “But just because your rights have been taken away from you does not automatically make processing your personal data lawful. Examining Sections 4, 12, and 13 of the DPA is critical to establishing that. Section 4 talks about its scope, including the so-called exemptions from the law. Sections 12 and 13, on the other hand, list the valid grounds for processing personal and sensitive personal information (and privileged information), respectively.”

Another point he made was distinguishing the two different data processing activities that went on concerning the case. Per his article, “These two I speak of were those carried out by the mother, on the one hand, and those by the government (i.e., law enforcement officers, the prosecutor, and the courts), on the other. When the Court spoke about data processing, it was as if it only referred to one. Why is the distinction important? It matters because a legal basis recognized by the DPA that is properly invoked by one may not necessarily be available to others. That, in turn, means lawful data processing performed by one party does not necessarily validate that conducted by another.”

He said that when the Court follows a different approach to handling the case, it will still be allowed to come up with the same conclusion.

The case of Cadajas vs. People is undoubtedly a big step for the development of cybercrime, evidence, and data privacy handling and regulation. It also serves as a warning for predators and cybercriminals that the law in the Philippines has teeth and is enforced for everyone.