Selling Customer Databases in the Philippines – Criminal Liability of Employees and Officers for Data Theft and Unauthorized Disclosure

Introduction: Why “customer list selling” triggers criminal exposure

In the BPO and e-commerce sectors, customer databases are often the business’s most valuable asset: they contain identities, contact details, transaction histories, complaints, and behavioral data. When an employee, contractor, or officer copies a customer list and sells or shares it with a third party, the risk is not limited to HR discipline or civil damages. Depending on the facts, the act can expose individuals—and sometimes responsible corporate officers—to criminal prosecution under Philippine data privacy law, and it can also escalate into broader criminal investigations where courts may authorize seizures of digital devices and records.

Governing laws: the primary criminal framework

The most direct criminal provisions for “selling customer databases” are found in the Data Privacy Act of 2012 (Republic Act No. 10173, 2012), particularly the offense of unauthorized disclosure. Under the law, personal information controllers and processors (and their officials, employees, or agents) may be penalized when personal information is disclosed to a third party without the data subject’s consent, subject to statutory requirements and defenses.

Unauthorized disclosure is expressly penalized under the Data Privacy Act, which covers both personal information and sensitive personal information. The penalty depends on the type of data disclosed. (Data Privacy Act of 2012, 2012, Section 32.)

The statute itself also penalizes malicious disclosure, that is, disclosure made with malice or in bad faith of unwarranted or false information relating to personal information or sensitive personal information. (Data Privacy Act of 2012, 2012, Section 31.) The Implementing Rules and Regulations (IRR) of the Data Privacy Act reiterate and operationalize these offenses and likewise recognize malicious disclosure as a punishable act. (IRR of Republic Act No. 10173, 2016, Sections 58–60.)

What prosecutors typically look for: the conduct that turns internal access into a crime

In many BPO and e-commerce incidents, the employee’s access to customer data is initially legitimate (e.g., access given for customer support, order fulfillment, fraud screening, or account maintenance). Criminal exposure usually arises when the person goes beyond authorized purpose and transfers the data to a third party, especially for profit.

Common fact patterns that may lead to prosecution include:

  • Exporting CRM records (names, emails, phone numbers, addresses) and selling them to marketing groups or competitors.
  • Sharing customer lists with a side business that runs advertisements, loan offers, or scams.
  • Extracting “high-value” accounts (VIP buyers, repeat purchasers) and offering the list to rival sellers.
  • Disclosing complaint logs and refund histories to third parties to target customers with “recovery” schemes.

Data Privacy Act offenses most relevant to customer database selling

1) Unauthorized Disclosure (RA 10173)

If an employee or officer discloses personal information to a third party without the consent of the data subject, this may fall under unauthorized disclosure. The law penalizes disclosure of personal information (and imposes heavier penalties for sensitive personal information). (Data Privacy Act of 2012, 2012, Section 32.)

In customer database cases, the disclosure element may be satisfied by:

  • Sending the database to a personal email address for later resale;
  • Uploading it to cloud storage and sharing download links;
  • Providing printed copies or screenshots to a buyer;
  • Giving database access credentials to an outsider.

2) Malicious Disclosure (RA 10173 and its IRR)

Where the disclosure is characterized by malice or bad faith, and involves unwarranted or false information relating to personal information or sensitive personal information, criminal liability may attach for malicious disclosure under the statute, as reiterated in the IRR. (Data Privacy Act of 2012, 2012, Section 31; IRR of Republic Act No. 10173, 2016, Section 58.)

In workplace scenarios, malicious disclosure allegations are often paired with evidence of:

  • Retaliation against the employer (e.g., disgruntled employee leaking customer info);
  • Intentional damage to customers (e.g., exposure leading to harassment or fraud);
  • Fabricated customer data used to mislead or harm others.

3) Combination or Series of Acts (RA 10173 and its IRR)

Data theft schemes often involve multiple steps (unauthorized access, copying, transfer, disclosure). The statute and IRR recognize that a combination or series of acts across enumerated offenses can trigger a higher penalty range. (Data Privacy Act of 2012, 2012, Section 33; IRR of Republic Act No. 10173, 2016, Section 60.)

Who can be charged: employees, agents, and corporate officers

The Data Privacy Act’s penalties can apply not only to rank-and-file employees but also to officers who participated in or, by gross negligence, allowed the crime. If the offender is a corporation or other juridical person, liability attaches to responsible officers involved or those who grossly negligently allowed the offense. (Data Privacy Act of 2012, 2012, Section 34.)

This is particularly relevant in BPO and e-commerce settings where database access is managed through:

  • Role-based access controls;
  • Data export permissions;
  • Audit logs and monitoring;
  • Vendor/outsourcer access provisioning.

If leadership ignores glaring weaknesses (e.g., no audit logs, shared credentials, mass exports allowed without approvals), prosecutors may examine whether that amounts to gross negligence enabling unlawful disclosure.

Large-scale exposure and public officer-related enhancements

Penalties increase when the incident is large-scale: the maximum penalty in the applicable scale is imposed when the personal information of at least 100 persons is harmed, affected, or involved. In a customer database case, a single exported list can easily cross that threshold. (Data Privacy Act of 2012, 2012, Section 35.)

Where the offender is a public officer acting in the exercise of duties, additional accessory penalties may apply. (Data Privacy Act of 2012, 2012, Section 36.) While most BPO/e-commerce cases are private-sector, this becomes relevant when the customer database is held by government, government-controlled entities, or contractors handling government datasets.

Search, seizure, and digital evidence: how these cases are investigated

Customer database selling cases are evidence-heavy. Investigators typically build proof through forensic examination of computers, storage devices, and documents showing copying, exporting, and transfer. In raids or office searches, the validity of warrants and the specificity of items to be seized are recurring issues.

The Supreme Court has recognized that search warrants are not “general warrants” when items are described with reasonable particularity and bear a direct relation to the offense charged, even if technical precision is difficult due to the nature of the items. (Worldwide Web Corporation, et al. v. People of the Philippines, et al., G.R. No. 161106, 2014.)

For companies, this underscores the importance of retaining system logs and maintaining clear data governance: these materials can exculpate the innocent, identify the true actor, and show whether the event was an insider sale, a negligent exposure, or an external breach.

Employment dimension: “confidentiality” violations and good-faith disclosures

Not every disclosure of company-related information is treated the same way, especially in labor disputes. The Supreme Court has ruled that vague or overly broad employer definitions of “confidential information” cannot automatically justify dismissal for loss of trust and confidence, particularly where disclosure is made in good faith for a legitimate purpose such as pursuing a legal claim. (Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, 2021.)

This doctrine does not legalize selling customer databases. Rather, it highlights two practical points:

  • Companies should draft confidentiality policies with clarity and precision, distinguishing trade secrets, client/customer personal data, and internal communications.
  • In enforcement, intent and context matter: good-faith use for a legal claim differs from disclosure for profit or sabotage.

Typical “customer database” contents and why the classification matters

Criminal exposure rises when the database includes sensitive personal information, because unauthorized disclosure of that category carries the heavier penalty range. The statute defines sensitive personal information to include, among other things, an individual’s race, ethnic origin, marital status, age, religious or political affiliations, health, education, and identifiers issued by government agencies such as social security numbers, licenses, and tax returns. (Data Privacy Act of 2012, 2012, Sections 3 and 32.)

Examples of data sets that commonly appear in BPO/e-commerce systems:

  • Personal information: full name, email address, mobile number, delivery address, purchase history, customer service tickets.
  • Higher-risk fields: government-issued IDs and identifiers (expressly sensitive personal information under the statute), financial data, authentication details, fraud flags, account recovery data.

Summary table: frequent theories of criminal liability under data privacy law

Conduct | Likely theory | Notes for BPO/e-commerce settings
--- | --- | ---
Sending a customer list to an outsider without customer consent | Unauthorized disclosure (Data Privacy Act of 2012, 2012) | Often proven by emails, exports, chat logs, cloud links, and audit trails.
Leaking customer data to harm customers or the employer, with bad faith | Malicious disclosure (RA 10173, 2012; IRR of RA 10173, 2016) | Badges of malice include retaliation, sabotage, or deliberate exposure to scams.
Multiple steps: copying, exporting, distributing, repeated disclosures | Combination or series of acts (RA 10173, 2012; IRR, 2016) | Prosecutors may aggregate acts into a heavier-penalty theory.
Management ignores obvious access-control failures enabling the sale/leak | Officer liability via participation or gross negligence (RA 10173, 2012) | Policies, training records, approvals, and monitoring are critical evidence.

What companies can do to reduce risk and improve prosecutability

When customer database theft occurs, companies usually want two outcomes: stop the leakage and build a case that can survive scrutiny. Measures that commonly matter in criminal complaints include:

  • Access governance: limit export permissions, require approvals for bulk downloads, and disable shared credentials.
  • Audit logs: retain logs long enough to capture slow-moving exfiltration and correlate activity with user accounts.
  • Incident response: preserve devices, image drives, and document chain of custody so evidence is admissible and credible.
  • Clear policies: define “confidential information” precisely and align employee NDAs with actual data classifications, mindful that overbroad definitions can be challenged in labor disputes. (Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, 2021.)
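The audit-log point above is where insider sales are usually caught or missed: a per-export approval gate stops one large download, but an employee who exports a few hundred records every morning never trips it. The following script is an added example, not part of the original article and not any vendor’s tooling. It parses a constructed, synthetic audit log (the comma-separated field layout, the user names, and the thresholds PER_EXPORT_APPROVAL_LIMIT, WINDOW_DAYS and CUMULATIVE_LIMIT are all assumptions for illustration) and applies two checks: single bulk exports with no approval ticket, and cumulative un-ticketed export volume per account over a sliding window.

```python
"""Detect bulk and low-and-slow customer-record exports in a CRM audit log.

Example code. The log format "timestamp,user,action,records,approval_ticket",
the sample lines, and the policy thresholds are constructed assumptions,
not a real product's schema or a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy thresholds (assumptions for the example).
PER_EXPORT_APPROVAL_LIMIT = 500   # a single export above this needs an approval ticket
WINDOW_DAYS = 30                  # look-back window for cumulative volume
CUMULATIVE_LIMIT = 2000           # un-ticketed records one account may export per window

# Constructed sample audit log: alice exports 400 records a day (never needs
# approval), bob does one approved bulk export, carol does one unapproved one.
SAMPLE_LOG = """\
2024-03-01T09:12:00,alice,export,400,
2024-03-02T09:15:00,alice,export,400,
2024-03-03T09:11:00,alice,export,400,
2024-03-04T09:18:00,alice,export,400,
2024-03-05T09:14:00,alice,export,400,
2024-03-06T09:16:00,alice,export,400,
2024-03-03T14:02:00,bob,export,3000,CHG-1042
2024-03-04T10:30:00,carol,export,650,
2024-03-04T10:31:00,carol,view,1,
2024-03-05T11:00:00,dave,export,200,
"""


def parse_log(text):
    """Parse CSV-style audit lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, records, ticket = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "user": user,
                "action": action,
                "records": int(records),
                "ticket": ticket or None,
            })
        except ValueError:
            continue  # bad timestamp or count: skip the line, keep parsing
    return events


def find_unapproved_bulk_exports(events, limit=PER_EXPORT_APPROVAL_LIMIT):
    """Single exports above the approval limit that carry no ticket."""
    return [
        (e["user"], e["ts"].isoformat(), e["records"])
        for e in events
        if e["action"] == "export" and e["records"] > limit and e["ticket"] is None
    ]


def find_slow_exfiltration(events, window_days=WINDOW_DAYS, limit=CUMULATIVE_LIMIT):
    """Sum un-ticketed export volume per user over a sliding window.

    Flags accounts whose cumulative total exceeds the limit even though no
    single export did, which is exactly what a per-export gate cannot see.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "export" and e["ticket"] is None:
            by_user[e["user"]].append(e)
    window = timedelta(days=window_days)
    findings = {}
    for user, exps in by_user.items():
        exps.sort(key=lambda e: e["ts"])
        start, running = 0, 0
        for i, e in enumerate(exps):
            running += e["records"]
            while e["ts"] - exps[start]["ts"] > window:   # slide the window forward
                running -= exps[start]["records"]
                start += 1
            if running > limit:
                findings[user] = {
                    "total": running,
                    "exports": i - start + 1,
                    "first": exps[start]["ts"].isoformat(),
                    "last": e["ts"].isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Unapproved bulk exports:", find_unapproved_bulk_exports(evts))
    print("Low-and-slow accounts:", find_slow_exfiltration(evts))
```

On the sample data, carol’s 650-record export is flagged for lacking an approval ticket, and alice is flagged after her sixth 400-record export (2,400 records in six days) even though none of her exports individually needed approval. Bob’s 3,000-record export is ticketed and is therefore left to the approval workflow. The two practical points the script illustrates are that the log must be retained for at least the full window you intend to evaluate, and that the user field must map to an individual account rather than a shared credential, or the per-user aggregation identifies nobody.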

What employees and officers should understand before sharing or “reusing” customer data

In many cases, individuals rationalize database sharing as “just marketing” or “not harmful” because the data is widely available. That assumption is risky. Once the information comes from an employer-controlled database and is disclosed to a third party without consent, the conduct can be framed as unauthorized disclosure, with enhanced exposure if sensitive personal information is involved. (Data Privacy Act of 2012, 2012, Section 32.)

For officers and team leads, liability risk is not limited to direct selling. Where leadership participates in or grossly negligently allows unlawful disclosure, the statute contemplates liability for responsible officers. (Data Privacy Act of 2012, 2012, Section 34.)

Conclusion: treating customer databases as regulated assets, not merely “company property”

In the Philippines, selling customer databases is not merely an internal policy violation; it can trigger criminal prosecution under the Data Privacy Act, especially through unauthorized disclosure, malicious disclosure, and the related offense structures for repeated acts and large-scale incidents. (Data Privacy Act of 2012, 2012, Sections 31–35; IRR of RA 10173, 2016, Sections 58–60.)

For organizations, the most defensible posture combines clear data governance, strong access controls, and disciplined evidence preservation. For employees and officers, the safest rule is simple: customer data obtained through work systems should not be copied, exported, or shared outside authorized channels, and it should never be monetized or used for unrelated purposes.

About Nicolas and De Vega Law Offices

Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.