G.R. No. 271360 - Grace M. Trimillos vs. Fcash Global Lending, Inc.

Case Summary (G.R. No. 271360)

Parties, Setting, and Material Statutes

The NPC, as an independent constitutional body, administers and implements the **Data Privacy Act of 2012 (Republic Act No. 10173, or DPA) and monitors compliance with data protection standards. The case turns on asserted violations of Section 28 (Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes) and Section 31 (Malicious Disclosure) of the DPA. FCash’s liability was addressed in the NPC proceedings, while evidentiary admissibility and waiver were central in the subsequent appellate review.

Trimillos filed her NPC complaint on July 26, 2019. The NPC rendered its Decision on November 5, 2020, and denied FCash’s Motion for Reconsideration on March 11, 2021. The Court of Appeals (CA) reversed and dismissed the NPC case through a Decision dated May 17, 2023, and denied reconsideration on December 11, 2023. The present petition was granted, and the Supreme Court reversed and set aside the CA rulings, reinstating the NPC Decision and Resolution.

Factual Background Before the NPC

Trimillos alleged that FCash unlawfully accessed her phone’s contact list and informed everyone included therein about the status of her loan, including threats that the contacts would be forced to pay if she did not settle her obligations. She further claimed reputational injury resulting from the messages sent to her co-workers and friends, including text communications that identified her contacts as guarantors and invoked the possibility of legal action.

To support her allegations, Trimillos submitted to the NPC on September 13, 2019 screenshots of the allegedly sent text messages and a print-out of her email correspondence with the National Telecommunications Commission (NTC). One screenshot contained a message that stated FCash had not received a response from Trimillos and that FCash had decided to submit her case for small claims proceedings, including barangay referral, filing in civil court, and the use of a writ of attachment and garnishment or taking personal property if the loan amount remained unpaid. The message also attributed the reason for receipt of the communication to the fact that Trimillos had made those persons “contact reference” and stated that they were implicated in the transactions.

NPC Discovery Conference and FCash’s Lack of Participation

After the complaint was filed, the NPC ordered the parties to appear for a Discovery Conference, initially set for September 5, 2019 but reset to October 31, 2019 due to FCash’s absence. Upon Trimillos’ request that the discovery conference be moved earlier, the NPC issued an order requiring both parties to appear on October 10, 2019. During the conference, both parties manifested willingness to undergo NPC mediation. However, they were unable to reach an agreement, and the proceedings resumed.

At the termination of the Discovery Conference, the NPC required FCash to file its responsive comment. The record showed that no responsive comment was filed. With no other pleadings submitted, the NPC proceeded to resolve the matter.

The NPC Decision and Its Recommendations

On November 5, 2020, the NPC awarded nominal damages to Trimillos and recommended prosecution of FCash under the DPA. The NPC ordered FCash to pay Trimillos PHP 15,000.00 in nominal damages. It further forwarded the decision and pertinent records to the Department of Justice, recommending prosecution for (a) Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes under Section 28, and (b) Malicious Disclosure under Section 31 of the DPA.

The NPC explained that FCash processed personal information beyond what was necessary and used such information for purposes other than those stated in its privacy policy, particularly when it sent messages to Trimillos’ contacts. It also reasoned that the processing was attended by malice because the messages showed FCash’s intention to shame Trimillos and jeopardize her reputation until she settled her obligations. Based on these findings, the NPC awarded nominal damages as recognition of Trimillos’ violated privacy right.

FCash’s Motion for Reconsideration and the CA’s Reversal

FCash filed a Motion for Reconsideration, but the NPC denied it in a Resolution dated March 11, 2021. FCash then filed a Petition for Review before the CA.

The CA granted FCash’s petition and reversed and set aside the NPC Decision and Resolution, dismissing the case. The CA’s decisive reason was evidentiary: it ruled that the screenshots of the text message were inadmissible because Trimillos allegedly failed to authenticate them through any of the supposed recipients or witnesses as required by the Rules on Electronic Evidence. The CA concluded that without admissible evidence, the NPC could not make findings in Trimillos’ favor.

Trimillos sought reconsideration, but the CA denied it on December 11, 2023.

Issues Raised Before the Supreme Court

The Supreme Court framed the issue as whether the CA erred in finding the evidence presented by Trimillos inadmissible due to failure to comply with authentication requirements under the Rules on Electronic Evidence. Underlying this issue were Trimillos’ arguments that FCash waived any objection by refusing to participate before the NPC and that the CA should not have considered admissibility arguments raised only for the first time on appeal.

The Supreme Court’s Discussion of NPC Procedure and Fairness Requirements

Before resolving the evidentiary issue, the Court discussed the governing NPC procedural rules under NPC Circular No. 16-04, Rules of Procedure of the National Privacy Commission, approved on December 15, 2016. It emphasized that the NPC receives complaints and investigates violations through an investigating officer assigned to determine whether the allegations involve violations of the DPA and whether there is reason to believe a privacy violation or breach occurred. It explained the mechanism of an Order to confer for discovery, the production of discovery conference reports, the requirement for respondents to submit a responsive comment within the specified period, and the consequences of a respondent’s failure to file a comment—namely, that the investigating officer may consider the complaint submitted for resolution while still ensuring the respondent’s access to the evidence on record. The NPC commissioner then reviews the evidence, may issue a decision, and serves it upon the parties.

Applying these procedural standards to the case, the Court noted that when the parties attended the Discovery Conference on October 10, 2019, Trimillos’ evidence submitted on September 13, 2019 had already been made available for examination. After the Discovery Conference, FCash was ordered to file its responsive comment but did not do so, prompting the NPC to decide in Trimillos’ favor.

Waiver of Objections to Evidence and Bar Against Raising Admissibility for the First Time on Appeal

The Court sustained Trimillos’ position. It reiterated the settled doctrine that a party’s failure to interpose a timely objection to evidence is treated as waiver. It cited Lorenzana v. Lelina to stress that an objection to admissibility must be made at the proper time and at the time the evidence is formally offered, and that grounds not raised at the proper time are deemed waived. It further cited Ang v. Court of Appeals to hold that an objection based on lack of authentication—such as that relating to a photograph sent via text message—must be raised when the evidence is offered, or it is considered waived.

Accordingly, the Court held that issues relating to admissibility cannot be raised for the first time on appeal. It explained that fairness and due process require parties to raise objections and defenses at the earliest opportunity before the lower forum, whether the decision originates from a court or from an administrative or quasi-judicial body. It ruled that issues raised at the first instance on appeal are barred by estoppel, and it relied on jurisprudence reinforcing this principle.

Rejection of the CA’s Reliance on Authentication Rules

The Court addressed the CA’s reliance on the authentication requirements under the Rules on Electronic Evidence. While acknowledging the relevance of authenticity and authentication principles, the Court ruled that waiver prevented FCash from benefitting from a late challenge. It observed that the text message screenshots were submitted by Trimillos to the NPC before the Discovery Conference and were available for examination. It also noted FCash’s failure to file a responsive comment where it could have advanced counter-arguments, including admissibility objections, and the further failure to raise the admissibility issue in its Motion for Reconsideration before the NPC. The CA, therefore, was barred by estoppel from reviewing admissibility when FCash had not timely challenged the evidence in the NPC proceedings.

The Court acknowledged that Trimillos’ screenshots involved electronic evidence and that authentication is required for electronic documents under the Rules on Elec

Case Syllabus (G.R. No. 271360)

The case arose from a Petition for Review on Certiorari under Rule 45 filed by petitioner Grace M. Trimillos to assail the Court of Appeals (CA) rulings that reversed and dismissed a decision of the National Privacy Commission (NPC).
The CA reversed the NPC award and dismissal ordered by it, based primarily on its ruling that the petitioner’s electronic evidence was inadmissible for lack of authentication under the Rules on Electronic Evidence.
The Supreme Court granted the petition, reversed the CA, and reinstated the NPC decision.

Parties and Procedural Posture

Trimillos acted as the complainant before the NPC and later became the petitioner before the Supreme Court.
FCash Global Lending, Inc. (FCash) acted as the respondent before the NPC and became the respondent before the Supreme Court.
Trimillos challenged the CA Decision dated May 17, 2023 and its Resolution dated December 11, 2023 that dismissed the NPC case.
FCash earlier sought reconsideration before the NPC, which the NPC denied in a Resolution dated March 11, 2021.
FCash then filed a Petition for Review before the CA, which reversed the NPC decision and dismissed the complaint.
The Supreme Court resolved whether the CA erred in deeming Trimillos’ evidence inadmissible due to failure to comply with authentication requirements under the Rules on Electronic Evidence.

Key Factual Allegations

Trimillos filed a Complaint with the NPC on July 26, 2019, alleging violations of Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), by FCash.
Trimillos alleged that FCash accessed her phone’s contact list without authority and informed the persons in that list about the status of her loan.
Trimillos specifically alleged that her co-workers and friends were told that they were guarantors, and that they would be forced to pay if she did not settle the obligation.
Trimillos alleged that FCash contacted individuals who, according to her, had nothing to do with her transactions, thereby besmirching her reputation.
She submitted to the NPC on September 13, 2019 screenshots of the allegedly sent text messages and a print-out of her email correspondence with the National Telecommunications Commission (NTC).
The decision described a text message containing threats of referral to SMALL CLAIMS, barangay proceedings, and civil action that could include writ of attachment and garnishment, as well as statements indicating that contacts were used as “contact reference.”
The factual record reflected that FCash failed to file a responsive comment after being ordered by the NPC to do so.

NPC Complaint Process

The Supreme Court discussed the NPC’s procedural rules for complaint initiation and investigation as a quasi-judicial function under NPC Circular No. 16-04, Rules of Procedure of the National Privacy Commission, approved on December 15, 2016.
The NPC is an independent body mandated to administer and implement the DPA and to monitor compliance with international data protection standards.
Complaints may be filed motu proprio, by persons subject to a privacy violation, by a personal data breach victim, or by persons otherwise personally affected by a DPA violation.
After the complaint is filed, the NPC assigns an investigating officer to evaluate whether the allegations involve a DPA violation and whether there is reason to believe a privacy violation or data breach occurred.
When allegations are sufficient in form and substance, the investigating officer orders the parties to confer within ten days to determine whether discovery of information and electronically-stored information is reasonably likely to be sought.
The copy of the complaint and its supporting evidence is included in the order to confer for discovery.
The parties’ agreement is reduced into a Discovery Conference Report signed and submitted to the NPC within five days after the conference.
After receipt of the Discovery Conference Report, the investigating officer orders the respondent to submit, within ten days, a responsive comment with supporting documents and witness affidavits, if any.
The investigating officer may also require the complainant to file a reply and may require the respondent to file a rejoinder.
During investigation, parties may examine the evidence submitted and may copy them at their expense.
If the respondent does not file a comment, the investigating officer may consider the complaint as submitted for resolution while the respondent still retains access to the evidence on record.
After termination of the investigation, the investigating officer produces a fact-finding report including results, gathered evidence, and recommendations, which is submitted to the Office of the Commissioner.
The Commissioner reviews evidence and may promulgate a decision or order a clarificatory hearing when additional information is needed.

Discovery and Failure to Comment

The parties appeared before the NPC for a Discovery Conference on October 10, 2019.
By the time of the Discovery Conference, the NPC had already made available for examination the evidence Trimillos submitted on September 13, 2019.
During the Discovery Conference, both parties manifested willingness to avail of NPC mediation proceedings.
The parties failed to reach an agreement, and proceedings resumed after the Discovery Conference terminated.
Upon termination of the Discovery Conference, the NPC ordered FCash to file a responsive comment.
Based on the records, FCash did not file a responsive comment to the Complaint.
Because no further pleadings were filed, the matter was submitted for resolution.

NPC Ruling and Remedies

The NPC issued a Decision dated November 5, 2020 awarding nominal damages to Trimillos.
The NPC ordered FCash to pay Trimillos PHP 15,000.00 as nominal damages.
The NPC recommended criminal p