In the Philippines, social media accounts on platforms such as Facebook, Instagram, X (formerly Twitter), and TikTok represent significant repositories of personal data, memories, and digital identity. Unauthorized access to these accounts, followed by the deletion of photos or other content, constitutes a serious violation of laws protecting the confidentiality, integrity, and availability of computer data and systems. These acts are primarily addressed under the Cybercrime Prevention Act of 2012 (Republic Act No. 10175), supplemented by the Data Privacy Act of 2012 (Republic Act No. 10173) and, in appropriate cases, provisions of the Revised Penal Code. Such incidents often arise in personal disputes, including romantic breakups, family conflicts, or acts of revenge, and have increased with the widespread adoption of social media.

Legal Framework

The cornerstone legislation is RA 10175, which defines and penalizes cybercrimes committed against or through computer systems, including social media accounts. A social media account qualifies as a "computer system" under the law, encompassing hardware, software, and data accessible via networks.

Key provisions include:

• Illegal Access (Section 4(a)(1)): This covers the intentional access to the whole or any part of a computer system without right. Logging into another person's social media account using stolen credentials, guessed passwords, phishing, keyloggers, or social engineering falls squarely within this offense, even if the password was previously shared but consent has been withdrawn.

• Data Interference (Section 4(a)(3)): This penalizes the intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic documents, or electronic data messages without right. Deleting photos from an accessed account directly constitutes data interference, as photos are stored as digital data on the platform's servers and the user's device-linked account. This includes bulk deletion, selective removal, or actions that render data inaccessible.

• Related Offenses:

  • System Interference (Section 4(a)(4)): If the deletion or access hinders the normal functioning of the account (e.g., changing settings, locking out the owner).
  • Computer-related Identity Theft (Section 4(b)): Unauthorized acquisition, use, misuse, or deletion of identifying information, which can include profile details and associated photos.
  • When committed in connection with other crimes (e.g., extortion), penalties under the Revised Penal Code may be imposed one degree higher.

The Data Privacy Act (RA 10173) applies concurrently when personal information—defined broadly to include photographs that identify an individual—is processed without consent. Photos on social media are personal data, and unauthorized access or deletion may violate principles of lawful processing, consent, and data security.

• Unauthorized processing of personal information: Imprisonment of 1 to 3 years and fines from ₱500,000 to ₱2,000,000.
• Unauthorized access or intentional breach: Similar penalties.
• Processing for unauthorized purposes: 1 year and 6 months to 5 years imprisonment plus fines.
• Violations involving sensitive personal information (e.g., intimate or revealing photos) carry higher penalties of 3 to 6 years.

Other potentially applicable laws include:

• Anti-Photo and Video Voyeurism Act (RA 9995): If the deleted (or previously accessed) photos are intimate or private images captured or shared without consent, especially in cases involving threats to republish.
• Revised Penal Code: Analogous application for malicious mischief (destruction of property), estafa (if deception was used to gain access and deletion caused damage), or robbery/extortion (as in cases demanding payment for restoration or non-deletion). Libel provisions may apply if deletion accompanies defamatory posts or captions.

Elements of the Offenses

For Illegal Access:

• There must be access to the computer system (or part thereof).
• The access must be without right or authority.
• It must be committed intentionally.

For Data Interference:

• Intentional or reckless alteration, damage, deletion, or deterioration of data.
• The act must be without right.
• The data includes photos stored in the account.

Prosecutors must prove the offender's identity and intent. Evidence often includes login logs from the platform, IP addresses, device forensics, timestamps of deletions, and witness testimony. Courts recognize that even previously shared passwords do not confer perpetual authority once consent is revoked.

Penalties

Under RA 10175 (Section 8), illegal access and data interference are punishable by prision mayor (6 years and 1 day to 12 years imprisonment) or a fine of at least ₱200,000 up to an amount commensurate with the damage incurred, or both. If the offense causes substantial economic or reputational harm, the fine increases accordingly. When the cybercrime facilitates another offense under the Revised Penal Code or special laws, the penalty for that offense is imposed in its maximum period or one degree higher.

Data Privacy Act violations carry independent penalties ranging from fines of ₱500,000 to ₱5,000,000 and imprisonment up to 6–7 years, depending on the severity and whether sensitive data is involved. Multiple charges can be filed, leading to cumulative penalties.

Relevant Jurisprudence

Philippine courts have addressed these acts in various contexts. In one landmark Supreme Court case, the accused was convicted of robbery after hacking his ex-girlfriend's Facebook account, posting her nude photos, and demanding money in exchange for their deletion. The Court affirmed the conviction and sentence of imprisonment, illustrating how unauthorized access combined with deletion (or threatened retention) can escalate to graver offenses.

The Supreme Court has also provided guideposts for proving ownership and control of a social media account in criminal cases, emphasizing factors such as linked email or phone numbers, recovery processes, and consistent usage patterns to establish the victim's ownership and the accused's unauthorized intrusion.

The Philippine National Police Anti-Cybercrime Group (PNP-ACG) and National Bureau of Investigation (NBI) Cybercrime Division regularly handle such cases, with numerous arrests for Facebook account hacking involving data deletion or misuse.

Investigation and Prosecution

Victims should immediately:

1. Secure the account (change password, enable two-factor authentication, log out all sessions) while preserving evidence.
2. Document everything: screenshots of unauthorized logins, deleted photos (if recoverable), timestamps, and communications.
3. Report to the platform (e.g., Facebook's hacked account recovery) for assistance in restoration and logs.
4. File a complaint with the PNP-ACG (national or regional units) or NBI Cybercrime Division. These agencies can secure Warrants to Disclose Computer Data (WDCD), search and seizure warrants, and conduct digital forensics.

The complaint leads to an investigation, potential filing of an information in the Regional Trial Court, and trial. Cyber warrants facilitate obtaining data from service providers. Jurisdiction lies where the offense was committed or where its effects are felt, often in the victim's location.

Prescription periods generally follow the penalties: offenses punishable by prision mayor prescribe in 20 years, though specific rules under RA 10175 align with the imposed penalty.

Civil Remedies

Independent of or alongside criminal action, victims may pursue civil damages for actual losses (e.g., lost business from deleted professional photos), moral damages for distress and reputational harm, and exemplary damages. Injunctions can compel account restoration or data recovery. Actions may be filed under the Civil Code provisions on quasi-delicts or human relations.

Defenses

Common defenses include:

• Valid consent or authorization (e.g., joint management of an account, though courts require clear, ongoing permission).
• Lack of intent (accidental access or deletion, rare in practice).
• Ownership or legitimate claim to the data (seldom successful for third parties).
• Insufficient evidence linking the accused to the acts.

The burden remains on the prosecution to prove guilt beyond reasonable doubt.

Practical and Preventive Considerations

Victims should act swiftly to mitigate harm: recover the account, restore deleted content where possible (platforms sometimes retain backups), and monitor for further misuse. Digital forensics experts can sometimes recover deleted photos.

To prevent such incidents, users should employ strong, unique passwords; enable two-factor authentication; avoid sharing credentials; regularly review active sessions and linked devices; and adjust privacy settings to limit visibility. Businesses operating social media pages should use dedicated professional accounts and access controls.

In intimate image cases, immediate reporting prevents further dissemination and strengthens legal claims under multiple statutes. Public awareness campaigns by the PNP-ACG highlight the seriousness of these offenses, which undermine personal security in the digital realm.

Unauthorized social media account access and photo deletion in the Philippines are robustly criminalized, reflecting the law's adaptation to technological realities. Victims have multiple avenues for redress through criminal prosecution, administrative complaints to the National Privacy Commission, and civil suits, ensuring accountability for violations of digital privacy and integrity.