Data Privacy and Defamation Issues in Former Employer Email to New Employer

In the Philippine employment landscape, the transition of an employee from one company to another often involves background checks, reference verifications, and informal communications between employers. A particularly sensitive and increasingly litigated scenario arises when a former employer proactively sends an email to a new employer regarding the former employee. Such communications may contain performance evaluations, disciplinary records, or opinions about the employee’s conduct. While ostensibly aimed at protecting business interests or assisting a colleague in the industry, these emails frequently raise serious legal concerns under the Data Privacy Act of 2012 (Republic Act No. 10173, as amended) and the Revised Penal Code’s provisions on defamation (libel). This article provides a comprehensive examination of the legal framework, the elements of potential violations, the interplay between privacy and reputational rights, available remedies, and practical implications for employers and employees in the Philippines.

I. The Legal Landscape: Constitutional and Statutory Foundations

The Philippine Constitution enshrines the right to privacy as an implicit but fundamental guarantee, explicitly recognized in Article III, Section 3 (right against unreasonable searches and seizures) and Article III, Section 1 (due process and equal protection). The Supreme Court has consistently interpreted these provisions to include informational privacy—the right to control the disclosure and use of one’s personal data. This constitutional foundation is operationalized through two key statutes relevant to employer-to-employer communications: the Data Privacy Act of 2012 (DPA) and the Revised Penal Code (RPC) on libel.

The DPA, enacted to align the Philippines with international data protection standards, regulates the processing of personal information by both government and private entities. It applies to any “personal information controller” (PIC) or “personal information processor” (PIP), terms that easily encompass employers who collect, store, and share employee data. Meanwhile, defamation under the RPC remains a criminal offense, with libel (written defamation) carrying penalties of fine and imprisonment, in addition to civil liability for damages under the Civil Code.

II. Data Privacy Act Violations in Former Employer Emails

A. Definition of Personal Information and Sensitive Personal Information

Under Section 3(g) of the DPA, “personal information” includes any information that can identify an individual, directly or indirectly. Employment-related data—such as performance ratings, reasons for resignation or termination, attendance records, or disciplinary actions—qualifies as personal information. When the data touches on health, education, genetic or sexual life, or other enumerated categories under Section 3(l), it becomes “sensitive personal information,” triggering stricter protections.

An email from a former employer that discloses the employee’s termination for “misconduct,” “poor performance,” or “attitude problems” almost invariably involves the processing (collection, use, storage, or disclosure) of such personal information.

B. Lawful Bases for Processing and the Absence Thereof in Reference Emails

Section 12 of the DPA enumerates the lawful criteria for processing personal information. These include:

  • Consent of the data subject;
  • Contractual necessity;
  • Legal obligation;
  • Protection of vital interests;
  • Public interest or exercise of official authority; or
  • Legitimate interests of the PIC, provided the data subject’s rights are not overridden.

In the context of a former employer voluntarily emailing a new employer, consent is the most commonly asserted basis. However, Philippine jurisprudence and National Privacy Commission (NPC) guidelines emphasize that consent must be freely given, specific, informed, and unambiguous. A general waiver signed during employment (e.g., in an employment contract allowing reference checks) is often insufficient if it does not explicitly cover unsolicited disclosure to a specific new employer after employment has ended. The NPC has issued Advisory Opinions stressing that post-employment disclosures require fresh, granular consent.

Even under the legitimate interests exception (Section 12(f)), the former employer must conduct a balancing test (Legitimate Interests Assessment) showing that its interest in sharing the information outweighs the employee’s right to privacy. Mere “professional courtesy” or an unsubstantiated fear that the employee “might repeat the same behavior” rarely meets this threshold, especially when the disclosure is unsolicited.

C. Data Breach and Security Obligations

Employers are required under Section 20 of the DPA and its Implementing Rules and Regulations (IRR) to implement reasonable security measures. Sending sensitive employment details via unsecured email (without encryption or password protection) may itself constitute a security breach if it leads to unauthorized access. The NPC has repeatedly emphasized that employers remain responsible for the data even after the employee has left.

D. Rights of the Data Subject

The former employee, as data subject, enjoys the following rights under Section 16 of the DPA that are directly implicated:

  • Right to be informed of the processing;
  • Right to object to processing (including automated processing);
  • Right to rectification or erasure (“right to be forgotten”);
  • Right to data portability; and
  • Right to file a complaint with the NPC.

An employee who learns of the offending email may demand immediate cessation of further disclosure and may seek a cease-and-desist order from the NPC.

III. Defamation (Libel) under the Revised Penal Code

A. Elements of Libel

Article 353 of the RPC defines libel as a public and malicious imputation of a crime, vice, defect, or any act, omission, condition, or circumstance tending to cause dishonor, discredit, or contempt of a person. The elements are:

  1. Imputation of a discreditable act or condition;
  2. Malice (presumed in every defamatory imputation unless privileged);
  3. Publication to a third person; and
  4. Identifiability of the offended party.

An email sent to a new employer satisfies the publication requirement because it is communicated to a third party (the new employer’s HR or management). Even if the email is marked “confidential,” Philippine courts have held that transmission to even one person outside the privileged circle constitutes publication.

B. Malice and Privileged Communication Defense

Malice is presumed. The former employer may invoke the defense of qualified privileged communication under Article 354 of the RPC, which covers “a private communication made by any person to another in the performance of any legal, moral, or social duty.” However, this privilege is not absolute. It is lost if:

  • The communication is made with actual malice (knowledge of falsity or reckless disregard of truth);
  • The statements exceed what is necessary for the duty; or
  • The communication is made to persons who have no legitimate interest in receiving the information.

Philippine jurisprudence, such as Borjal v. Court of Appeals (G.R. No. 126466, 14 January 1999) and Cabacungan v. People (G.R. No. 189852, 2013), has clarified that employment reference letters or background checks may qualify as privileged only if they are (1) made in good faith, (2) based on factual records, and (3) limited to the recipient’s legitimate need to know. Unsolicited emails that go beyond verifiable facts into opinions such as “untrustworthy,” “lazy,” or “troublemaker” often cross into actionable defamation.

C. Criminal vs. Civil Liability

Libel is both a criminal and civil wrong. Criminal prosecution may be initiated by the offended party before the prosecutor’s office or directly with the court in cases of private libel. Civil damages (actual, moral, exemplary, and attorney’s fees) may be claimed separately or simultaneously under Articles 33 and 2219 of the Civil Code. In employment contexts, moral damages are frequently awarded when the email causes the new employer to rescind a job offer or terminate the employee shortly after hiring.

IV. Interplay Between Data Privacy and Defamation Claims

The two causes of action are not mutually exclusive and often reinforce each other. A single email can trigger:

  • An administrative complaint before the NPC for DPA violations (fines up to ₱5 million per violation, plus possible imprisonment of 1–6 years under Section 25);
  • A criminal libel case under the RPC; and
  • A civil suit for damages.

The NPC has jurisdiction over privacy matters and may refer evidence of libel to the Department of Justice. Conversely, courts hearing libel cases may take judicial notice of DPA principles when assessing the reasonableness of the disclosure.

Notably, the Cybercrime Prevention Act of 2012 (Republic Act No. 10175) may apply if the email is sent through electronic means, potentially increasing penalties under its libel provision (Section 4(c)(4)), although the Supreme Court in Disini v. Secretary of Justice (G.R. No. 203335, 2014) struck down certain overbroad provisions while upholding the core libel penalty enhancement for online publication.

V. Relevant Jurisprudence and NPC Issuances

Although no single landmark Supreme Court decision addresses the exact scenario of a former-employer email, analogous cases provide strong guidance:

  • People v. Manalastas (G.R. No. 166390, 2014) – emphasized that malice is negated only by clear evidence of good faith and factual basis.
  • NPC Advisory Opinion No. 2018-003 and NPC Circular No. 2020-01 – underscore that employers must obtain explicit consent for post-employment disclosures and that “blacklisting” via informal networks violates data minimization principles.
  • Labor law overlay: The Department of Labor and Employment (DOLE) and Civil Service Commission guidelines discourage negative reference practices that could constitute constructive dismissal or unfair labor practice under the Labor Code.

VI. Practical Risk Mitigation for Employers

To avoid liability, former employers should:

  1. Adopt a strict “no comment” or “verify dates of employment only” reference policy unless the employee provides a specific, written, dated consent naming the new employer and the exact information to be disclosed.
  2. Limit disclosures to verifiable, documented facts rather than opinions.
  3. Use secure, encrypted channels and maintain audit logs of any disclosures.
  4. Implement a data retention and deletion policy that minimizes post-employment records.
  5. Train HR personnel on DPA and defamation risks.

New employers, upon receiving such an email, should treat it with caution: verify its authenticity, give the employee an opportunity to respond (due process under labor law), and avoid acting solely on the unsolicited information to prevent vicarious liability.

VII. Remedies Available to the Aggrieved Employee

The employee may pursue:

  • NPC complaint (administrative, fast-track, no filing fee);
  • Criminal libel complaint (may require preliminary investigation);
  • Civil action for injunction, damages, and attorney’s fees;
  • Complaint with DOLE or NLRC if the disclosure leads to loss of employment (unfair labor practice or illegal dismissal angle);
  • Cybercrime complaint if disseminated online.

Damages in successful cases have ranged from ₱500,000 to several million pesos, depending on the severity of reputational and economic harm.

VIII. Emerging Issues and Future Directions

With the rise of remote work, digital recruitment platforms, and inter-company HR networks, unsolicited emails are increasingly replaced by informal WhatsApp/LinkedIn messages or shared Google Drive folders—scenarios that still fall squarely under DPA and RPC rules. The NPC’s ongoing push toward stricter enforcement (including the 2023–2025 Strategic Plan) and the possible amendment of the DPA to incorporate more GDPR-like features suggest that courts and regulators will continue to tighten protections. Employers who treat employee data as a mere corporate asset rather than a protected right do so at their peril.

In conclusion, Philippine law strikes a careful balance between an employer’s interest in legitimate information sharing and the fundamental rights to privacy and reputation. An email from a former employer to a new employer that discloses personal employment information without proper consent, or that falls outside privileged communication, is not merely unprofessional—it carries significant criminal, administrative, and civil exposure. Both employers and employees must navigate this terrain with informed caution, guided by the clear mandates of the Data Privacy Act and the Revised Penal Code.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.