Complaint Case Notes

編號: 0052/2014/IP

標題: Using instant messaging apps to publicize personal data without data subject’s consent

立案原因: Complaint


    The Complainant reported to the Office for Personal Data Protection (GPDP) that his personal data was publicized in a group message of an instant messaging application.  This message was originally sent by others, but was later forwarded to the said message group by Property Agent A (hereinafter as Agent A).  The message pointed out that the Complainant, without contacting any property agent, personally contacted property owners to ask for property prices.  In addition, Agent A also attached photos of the Complainant and his family in the message, which was a suspected violation of the Personal Data Protection Act (PDPA or Law 8/2005); therefore the Complainant required the GPDP to follow up. 


    According to the information from the Complainant and Agent A, due to the fact that the data publicized in the aforesaid forwarded group message can identify a natural person; therefore, it should be regarded as personal data and to which Article 4(1)(1) of the PDPA governs. 
  GPDP’s investigation revealed that the aforementioned message group has a substantial number of the application users, and Agent A, instead of being the group administrator, is only one of them.  In other words, the number of users of this group and who they are, are all beyond Agent A’s control.  Furthermore, A was incapable to control the extent to which the message to be accessed by others once it was forwarded to the group, in addition that the message itself was labelled as a “forward message”.  These showed that Agent A’s publicizing of the said information was not a purely personal or house activity, but for dissemination instead.  Such publicizing of information is considered as data processing and, consequently, is subject to Article 3(1) of the PDPA. 
  On the other hand, Agent A admitted that before publicizing the information in the message group, his employer was neither informed nor he had gained any explicit consent from the Complainant.  Basically he forwarded the message, without much concern, as it was labelled as such, this justified that Agent A was the person who made the decision to send the message to the group–and hence why he should be regarded as the data controller of the current case. 
  The investigation revealed that Agent A has never contacted the Complainant, in addition that the latter never entrusted the former to engage in any property sale or purchase.  These justified that Agent A did not achieve the criterion of legitimate processing that is based on the consent of the data subject, as Article 6(1) of the PDPA governs.  On the other hand, Agent A’s publicizing of personal data is not compatible with Article 6(2) of the PDPA, which governs that the data processing is carried out for compliance with a legal obligation.  Furthermore, the current situation is not compatible with the criterion laid down in Article 6(3) of the same Law–to protect the vital interests of the data subject if the latter is physically or legally incapable of giving his consent.  The current case also failed to justify that Agent A was acting as a public authority and, therefore, his publicizing of the Complainant’s personal data is not for the performance of a task carried out in the public interest or in the exercise of official authority, which Article 6(4) of the same Law governs.  Other than all those lastly mentioned, only Article 6(5) would be a possible criterion that Agent A might have relied on to legitimize his data processing. 
  Agent A is a licensed estate agent, who has the obligation to be familiar with those laws and regulations with regard to real estate intermediation activities.  Despite having the knowledge that he is bound by professional secrecy and entrust relationship did not exist between him and the Complainant, Agent A insisted on forwarding the message, publicized by other estate agents, and added extra photos of the data subject.  As there were quite a number of users in the message group and Agent A is not the group administrator, he could not control the number of users that joined the group and who they are.  Moreover, he could not control who would read his forwarded message and their real identities.  Without much concern to the impact caused to the data subject if his personal data was publicized, Agent A did not achieve any legitimate interests that needed to be protected; therefore he also failed to justify his data processing on the grounds of Article 6(5) of the PDPA. 
  To sum up, Agent A’s publicizing of personal data of the Complainant through the instant messaging application is a violation of Article 6 of the PDPA.


    Considering that there were a substantial number of users in the message group, the impact impinged on the Complainant and also on his family, the cooperativeness of Agent A and it was his first violation, the GPDP decided to impose a penalty of MOP16000, according to Article 33(2) of the PDPA. 

Please refer to Article 3, 4, 6 and 33 of the Personal Data Protection Act.