Data Privacy Rights Against Online Lending Apps in the Philippines

A Legal Article in the Philippine Context

I. Introduction

Online lending applications have become common in the Philippines because they offer fast, paperless, and convenient access to credit. A borrower may download an app, submit personal information, upload identification documents, authorize permissions, and receive loan proceeds within a short period. This convenience, however, has produced a serious legal problem: abusive data collection, unauthorized access to phone contacts, public shaming, harassment, threats, identity misuse, and unlawful disclosure of personal information.

The issue is not merely about debt collection. It is also about data privacy, consumer protection, cybercrime, harassment, and financial regulation. Borrowers remain liable for legitimate loans, but lenders and collection agents do not acquire the right to violate privacy, threaten family members, publish personal information, access phone contacts without lawful basis, or shame borrowers online.

In the Philippines, borrowers and other affected persons have enforceable rights under the Data Privacy Act of 2012, its implementing rules, issuances of the National Privacy Commission, relevant Securities and Exchange Commission rules on lending and financing companies, and other civil, criminal, and administrative laws.

This article discusses the data privacy rights of borrowers and affected third parties against online lending apps in the Philippine setting.


II. The Nature of Online Lending Apps

Online lending apps are digital platforms that offer loans through mobile applications or websites. They may be operated by lending companies, financing companies, fintech platforms, or entities acting as loan intermediaries, collectors, or service providers.

A typical online lending process involves:

  1. account creation;
  2. submission of name, address, mobile number, email, employment details, income information, and emergency contacts;
  3. upload of government IDs or selfies;
  4. consent to app permissions;
  5. loan application and approval;
  6. disbursement through e-wallet, bank transfer, or remittance channel;
  7. repayment monitoring; and
  8. collection activity in case of default.

The problem arises when the app collects more information than necessary, accesses phone contacts, uses borrower information for intimidation, sends threatening messages, contacts unrelated third parties, or publishes personal information to force payment.


III. Legal Framework

A. Data Privacy Act of 2012

The principal law is the Data Privacy Act of 2012, Republic Act No. 10173. It protects personal information in information and communications systems in both government and private sectors.

The law regulates the processing of personal information and sensitive personal information. Processing includes collection, recording, organization, storage, updating, retrieval, use, consolidation, blocking, erasure, destruction, disclosure, and sharing.

Online lending apps process personal data when they collect borrower information, access contact lists, store identification documents, verify identity, assess creditworthiness, communicate with borrowers, disclose information to collection agents, or contact third parties.

B. National Privacy Commission Rules and Orders

The National Privacy Commission, or NPC, is the government agency responsible for implementing and enforcing data privacy law. It has authority to receive complaints, investigate violations, issue orders, recommend prosecution, and impose administrative sanctions within its authority.

The NPC has repeatedly addressed complaints involving online lending apps, especially those involving excessive app permissions, contact list harvesting, shaming, unauthorized disclosure, and harassment through personal data.

C. Securities and Exchange Commission Regulation

Lending and financing companies are generally regulated by the Securities and Exchange Commission. Online lending operators may be required to register as lending or financing companies, comply with disclosure requirements, and avoid unfair debt collection practices.

The SEC has issued rules and advisories against abusive online lending practices, including threats, insults, obscenities, false representation, public shaming, and unauthorized disclosure of borrower information.

D. Consumer Protection Laws

The Financial Products and Services Consumer Protection Act and related rules may apply when the lending activity involves financial products or services. Borrowers may have rights to transparency, fair treatment, responsible pricing, proper disclosure, and protection from abusive conduct.

E. Cybercrime Prevention Act

Some online lending practices may also involve cybercrime, especially if personal information is used through information systems to threaten, defame, extort, or harass a borrower or third party.

F. Civil Code and Revised Penal Code

Depending on the facts, victims may also invoke civil rights, damages, defamation, unjust vexation, grave threats, coercion, slander, libel, or other criminal and civil remedies.


IV. Personal Information Involved in Online Lending Apps

Online lending apps may process several categories of personal data.

A. Ordinary Personal Information

This may include:

  1. full name;
  2. address;
  3. mobile number;
  4. email address;
  5. birth date;
  6. occupation;
  7. employer name;
  8. income information;
  9. loan amount;
  10. repayment history;
  11. device information;
  12. IP address;
  13. app usage logs; and
  14. emergency contact details.

B. Sensitive Personal Information

Sensitive personal information may include:

  1. government-issued ID numbers;
  2. health-related information, if collected;
  3. financial account details;
  4. biometric data or facial image used for verification;
  5. marital status, depending on context;
  6. tax information;
  7. location data, if precise and identifying;
  8. information about children or dependents, if collected; and
  9. other data classified as sensitive by law.

Sensitive personal information requires stricter treatment because misuse may expose the borrower to fraud, discrimination, humiliation, identity theft, or financial harm.

C. Third-Party Personal Information

A major issue with online lending apps is the collection and use of data belonging to people who did not borrow money. These may include:

  1. phone contacts;
  2. relatives;
  3. friends;
  4. coworkers;
  5. employers;
  6. neighbors;
  7. emergency contacts; and
  8. social media contacts.

These persons are also data subjects. They have rights even if they are not borrowers.


V. Data Privacy Principles Applicable to Online Lending Apps

Under Philippine data privacy law, personal data processing must generally comply with the principles of transparency, legitimate purpose, and proportionality.

A. Transparency

Borrowers must be informed about what data will be collected, why it will be collected, how it will be used, who will receive it, how long it will be kept, and how the borrower may exercise rights.

An online lending app should have a clear, accessible, and understandable privacy notice. It should not hide material data practices in vague language or misleading consent screens.

Transparency requires meaningful notice before or at the time of collection. A borrower should not discover only after default that the app accessed contacts, screenshots, device files, or social media information.

B. Legitimate Purpose

The collection and use of data must be connected to a lawful and declared purpose. A lending app may process data to verify identity, assess loan eligibility, prevent fraud, disburse funds, collect legitimate debts, and comply with law.

However, the following are not legitimate purposes:

  1. public shaming;
  2. threatening borrowers;
  3. humiliating family members;
  4. spreading debt information to contacts;
  5. posting borrower photos online;
  6. using contact lists as leverage;
  7. pretending that third parties are co-makers;
  8. creating fake criminal accusations;
  9. sending defamatory messages; and
  10. coercing payment through embarrassment.

A debt may be valid, but the method of collection may still be illegal.

C. Proportionality

Only data that is adequate, relevant, suitable, necessary, and not excessive should be collected. This is especially important for app permissions.

A lending app may need identity and repayment information. But it generally does not need unrestricted access to an entire contact list, photo gallery, text messages, calendar, camera roll, or social media accounts merely to grant a small loan.

Proportionality asks: Is this data truly necessary for the declared lending purpose?

If the answer is no, the collection may be excessive.


VI. Consent in Online Lending Apps

Consent is often presented as the lender’s defense. Borrowers are told that they clicked “I agree,” allowed app permissions, or accepted terms and conditions. But consent under privacy law must be meaningful.

A. Consent must be informed

The borrower must understand what data is being collected and how it will be used. A vague statement such as “we may use your data for collection purposes” may not justify contacting everyone in the borrower’s phonebook or sending defamatory messages.

B. Consent must be specific

Consent should relate to specific purposes. Consent to identity verification is not necessarily consent to public disclosure. Consent to receive collection reminders is not consent to harassment.

C. Consent must be freely given

There is doubt about whether consent is freely given when the borrower has no real choice and the app demands excessive permissions before loan access. Even when consent is valid for some data processing, it does not legalize abusive, unlawful, or disproportionate practices.

D. Consent may be withdrawn

A data subject may withdraw consent, subject to lawful obligations and legitimate processing grounds. Withdrawal does not erase a valid debt, but it may limit further unnecessary or abusive processing.

E. Consent does not authorize illegal acts

Even if a borrower accepted the app’s terms, the lender cannot use consent to justify threats, defamation, identity theft, unauthorized disclosure, or unfair collection practices.


VII. Common Data Privacy Violations by Online Lending Apps

A. Excessive Collection of Data

Some apps request permissions that are unnecessary for lending. These may include:

  1. full contact list;
  2. photo gallery;
  3. SMS inbox;
  4. call logs;
  5. microphone;
  6. location tracking;
  7. social media accounts;
  8. calendar;
  9. device storage; and
  10. other unrelated device data.

Excessive collection may violate proportionality.

B. Contact List Harvesting

One of the most abusive practices is harvesting the borrower’s phone contacts and using them for collection pressure. The app may message relatives, friends, employers, officemates, or even unrelated acquaintances.

This may violate the privacy rights of both the borrower and the third-party contacts. Third parties did not apply for the loan and did not authorize the app to process their information.

C. Unauthorized Disclosure of Debt

A borrower’s debt information is personal information. Disclosing it to relatives, coworkers, employers, or social media contacts may be unlawful unless justified by law, contract, legitimate interest, or proper authority.

Even if a person is listed as an emergency contact, this does not automatically mean the lender may disclose the borrower’s debt details, accuse the borrower of fraud, or pressure the contact to pay.

D. Public Shaming

Some collectors send messages such as:

  1. “This person is a scammer.”
  2. “This person is a criminal.”
  3. “This person refuses to pay debts.”
  4. “Do not trust this person.”
  5. “Please help us collect from this debtor.”
  6. “Your employee is a fraud.”

These messages may involve unauthorized disclosure, defamation, harassment, unfair collection, and possibly cybercrime.

E. Posting Photos or Personal Information Online

Posting a borrower’s photograph, ID, address, employer, or loan information on social media or messaging groups may be a serious privacy violation. It may also constitute libel, cyberlibel, or other civil or criminal wrongs depending on the content.

F. Threats and Intimidation Using Personal Data

Collectors may threaten to:

  1. report the borrower to police;
  2. file criminal charges;
  3. shame the borrower’s family;
  4. contact the employer;
  5. post the borrower’s photo online;
  6. visit the borrower’s home;
  7. seize property without court process;
  8. contact all phone contacts;
  9. blacklist the borrower; or
  10. harm the borrower.

Using personal data to threaten or intimidate may constitute unlawful processing and may trigger other legal liabilities.

G. Misrepresentation to Third Parties

Collectors sometimes tell contacts that they are legally responsible for the borrower’s debt, even if they are not co-makers, guarantors, sureties, or authorized representatives. This may be deceptive and abusive.

An emergency contact is not automatically a guarantor. A reference person is not automatically liable for the loan.

H. Retention of Data After Loan Closure

Lenders should not keep personal data longer than necessary for the declared purpose, legal compliance, legitimate business needs, or dispute handling. Indefinite retention without justification may violate privacy principles.

I. Sharing Data With Unauthorized Collection Agencies

A lender may outsource collection, but it remains responsible for the processing of personal data by its agents or processors. Sharing borrower data with collection agencies must be covered by proper legal basis, data sharing arrangements, security safeguards, and confidentiality obligations.

The lender cannot avoid liability by saying the collector acted independently if the collector was acting for the lender.

J. Weak Data Security

Online lending apps often collect IDs, selfies, phone numbers, addresses, and bank or e-wallet details. Poor security may expose borrowers to fraud, identity theft, phishing, SIM-related scams, and account takeover.

If a data breach occurs, the lender may have notification and mitigation obligations.


VIII. Rights of Borrowers and Data Subjects

Under Philippine privacy law, borrowers and affected third parties have several rights.

A. Right to Be Informed

A data subject has the right to know whether personal information is being processed. The lending app must explain the nature, purpose, scope, recipients, retention period, and rights available.

Borrowers may demand clarity on:

  1. what information was collected;
  2. whether contacts were accessed;
  3. who received the information;
  4. whether collection agencies were given the data;
  5. how long the data will be retained;
  6. whether the data was disclosed to third parties; and
  7. how to request correction, deletion, or blocking.

B. Right to Object

A borrower may object to processing, especially when processing is based on consent or legitimate interest and is being done in an excessive or abusive manner.

The right to object does not automatically cancel a loan obligation, but it may restrict unnecessary or unlawful processing.

C. Right of Access

A borrower may request access to personal data processed by the lending app. This may include:

  1. categories of data collected;
  2. sources of data;
  3. purpose of processing;
  4. recipients of disclosures;
  5. logic involved in automated processing, where applicable;
  6. retention period;
  7. identity of processors or collection agencies; and
  8. copies of relevant personal data.

This right is useful when preparing complaints.

D. Right to Rectification

A borrower may request correction of inaccurate or outdated information. For example, if the app wrongly lists the borrower’s employer, address, loan status, or contact person, the borrower may demand correction.

E. Right to Erasure or Blocking

A borrower may request deletion, blocking, removal, or destruction of personal data when processing is unlawful, excessive, no longer necessary, or based on withdrawn consent, subject to lawful retention grounds.

The lender may retain certain data for legal, accounting, audit, regulatory, or dispute purposes, but it should not continue unnecessary or abusive processing.

F. Right to Damages

A person harmed by inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information may seek indemnity or damages, depending on the circumstances.

G. Right to File a Complaint

Borrowers and affected third parties may file complaints with appropriate agencies, including the NPC, SEC, law enforcement, or courts, depending on the nature of the violation.


IX. Rights of Third Parties Contacted by Online Lending Apps

A third party whose number was harvested or contacted by an online lending app also has rights. A person need not be the borrower to be a victim of privacy abuse.

For example, a coworker, relative, employer, or friend may receive messages saying the borrower is a scammer or debtor. That third party’s phone number and identity may have been processed without lawful basis.

A third party may demand:

  1. an explanation of how the app obtained their number;
  2. an explanation of why their data was processed;
  3. deletion of their contact details;
  4. cessation of messages;
  5. identity of the lender or collector;
  6. proof of lawful basis; and
  7. accountability for harassment or unauthorized processing.

An emergency contact may be contacted for limited legitimate purposes, but this does not authorize harassment, disclosure of unnecessary loan details, or pressure to pay someone else’s debt.


X. Debt Collection Versus Data Privacy

A common misunderstanding is that a borrower who owes money loses privacy rights. This is wrong.

A valid debt gives the lender the right to collect, but collection must be lawful. The lender may:

  1. send payment reminders;
  2. call or message the borrower within reasonable limits;
  3. use lawful collection agencies;
  4. send demand letters;
  5. negotiate payment plans;
  6. report to authorized credit bureaus, if lawful and properly disclosed;
  7. file a civil case;
  8. pursue lawful remedies under contract; and
  9. charge lawful interest, penalties, or fees.

The lender may not:

  1. shame the borrower publicly;
  2. disclose the debt to unrelated contacts;
  3. threaten criminal imprisonment for ordinary nonpayment;
  4. pretend to be law enforcement;
  5. access contacts without lawful basis;
  6. publish the borrower’s ID or photo;
  7. insult, curse, or degrade the borrower;
  8. threaten violence;
  9. pressure employers to terminate the borrower;
  10. misrepresent third parties as liable;
  11. use fake subpoenas or fake warrants; or
  12. process personal data beyond what is necessary.

The borrower’s obligation to pay and the lender’s obligation to respect privacy can exist at the same time.


XI. Criminal Liability Issues

Depending on the facts, abusive online lending practices may trigger criminal liability.

A. Unauthorized Processing of Personal Information

Processing personal data without proper authority, beyond consent, or in violation of law may be punishable under data privacy law, especially if sensitive personal information is involved.

B. Unauthorized Disclosure

Disclosure of personal information to unauthorized persons may be actionable. For example, sending loan details to the borrower’s entire contact list may be treated as unauthorized disclosure.

C. Malicious Disclosure

If personal data is disclosed with malice or bad faith, liability may be heavier.

D. Cyberlibel

If defamatory statements are made online or through electronic means, cyberlibel may be considered. Calling a borrower a scammer, fraudster, criminal, or immoral person may expose the collector or lender to defamation claims if the statement is false, malicious, or unjustified.

E. Grave Threats or Coercion

Threatening harm, exposure, criminal action, or reputational destruction to compel payment may constitute threats or coercion depending on the content and circumstances.

F. Unjust Vexation

Repeated harassment, insults, or annoying messages may potentially fall under unjust vexation or other offenses, depending on facts.

G. Identity Theft and Fraud

If the app or collector uses the borrower’s documents, selfie, ID, or personal data to impersonate the borrower, create accounts, or commit fraudulent acts, more serious liability may arise.


XII. Administrative Liability

A. Before the National Privacy Commission

The NPC may investigate data privacy violations involving online lending apps. Possible outcomes may include orders to stop unlawful processing, delete unlawfully obtained data, improve privacy practices, notify affected data subjects, or face penalties and prosecution recommendations.

B. Before the Securities and Exchange Commission

The SEC may act against lending or financing companies that engage in abusive collection, operate without authority, violate disclosure rules, or breach regulations applicable to online lending platforms.

Possible consequences may include fines, suspension, revocation of registration or certificate of authority, app takedown coordination, and public advisories.

C. Before Other Agencies

Depending on the facts, complaints may also involve:

  1. Philippine National Police Anti-Cybercrime Group;
  2. National Bureau of Investigation Cybercrime Division;
  3. Department of Trade and Industry, for consumer-related complaints in some cases;
  4. Bangko Sentral ng Pilipinas, if the entity is within BSP supervision;
  5. local prosecutor’s office; and
  6. regular courts.

XIII. Civil Remedies

Victims may seek civil remedies when privacy violations cause damage. These may include:

  1. actual damages;
  2. moral damages;
  3. exemplary damages;
  4. nominal damages;
  5. attorney’s fees;
  6. injunction;
  7. deletion or blocking of data;
  8. correction of records;
  9. cease-and-desist relief; and
  10. other appropriate court relief.

Moral damages may be relevant when a borrower suffers humiliation, anxiety, reputational injury, emotional distress, or social embarrassment due to unlawful disclosures or harassment.


XIV. Evidence Gathering for Complaints

A borrower or third party should preserve evidence carefully.

A. Screenshots

Take screenshots of:

  1. messages from collectors;
  2. caller profiles;
  3. phone numbers;
  4. text messages;
  5. social media posts;
  6. group chats;
  7. app permissions;
  8. privacy policy screens;
  9. loan terms;
  10. repayment demands;
  11. threats;
  12. defamatory statements; and
  13. messages sent to relatives or employers.

Screenshots should show dates, times, sender information, and full message content.

B. Call Logs and Recordings

Call logs may help prove repeated harassment. Recording calls may raise separate legal considerations, so victims should be careful. Written summaries of calls, including date, time, caller number, and statements made, may also help.

C. App Information

Save:

  1. app name;
  2. developer name;
  3. screenshots from app store;
  4. website;
  5. company name;
  6. registered business name;
  7. SEC registration details, if known;
  8. terms and conditions;
  9. privacy policy;
  10. loan agreement;
  11. disclosure statement; and
  12. payment instructions.

D. Witness Statements

If relatives, friends, coworkers, or employers received messages, ask them to preserve screenshots and provide written statements.

E. Proof of Harm

Save evidence of:

  1. employer action;
  2. emotional distress;
  3. medical consultation;
  4. reputational harm;
  5. financial loss;
  6. business loss;
  7. identity theft;
  8. unauthorized transactions; and
  9. expenses incurred due to the violation.

XV. Demand Letter or Privacy Rights Request

Before or alongside a complaint, the borrower may send a written demand or privacy rights request to the lending app, its data protection officer, or customer support.

The letter may request:

  1. cessation of contact list messaging;
  2. deletion of third-party contacts;
  3. removal of defamatory posts;
  4. access to personal data;
  5. identification of recipients of disclosures;
  6. copy of consent records;
  7. identity of collection agencies;
  8. correction of inaccurate data;
  9. blocking or deletion of excessive data;
  10. explanation of lawful basis;
  11. preservation of records for investigation; and
  12. confirmation that no further unauthorized disclosure will occur.

A written request helps show that the lender was notified and given an opportunity to correct the violation.


XVI. Sample Data Privacy Rights Request

[Date]

To: Data Protection Officer / Compliance Officer
[Name of Online Lending App or Company]

Re: Request to Stop Unauthorized Processing and Disclosure of Personal Data

Dear Sir/Madam:

I am writing regarding your company’s processing of my personal information in connection with a loan account under the name [Name].

I have received reports and evidence that your representatives have contacted persons in my phone contacts and disclosed information about my alleged loan obligation. These persons are not co-makers, guarantors, sureties, or authorized representatives. I did not authorize the disclosure of my personal loan information to them.

I hereby request that your company:

  1. immediately stop contacting my phone contacts, relatives, coworkers, employer, and other third parties regarding my loan, except where expressly authorized by law;
  2. stop disclosing my loan information to unauthorized persons;
  3. identify all personal data collected from my device or application;
  4. disclose the source and recipients of my personal data;
  5. identify all collection agencies or third parties to whom my data was shared;
  6. delete or block personal data that is excessive, unauthorized, or unlawfully obtained;
  7. remove any defamatory or privacy-violating posts or messages, if any;
  8. preserve all records, call logs, messages, and processing logs relevant to this matter; and
  9. provide a written response within the period required by law and applicable regulations.

This request is made without prejudice to my right to file complaints before the National Privacy Commission, Securities and Exchange Commission, law enforcement agencies, and the courts.

Respectfully,

[Name]
[Contact Information]


XVII. Sample Complaint Narrative

A complaint may state:

I applied for a loan through [App Name] on [date]. During the application, the app requested access to my contacts and other device permissions. After I missed or delayed payment, representatives of the app began sending messages to my relatives, friends, coworkers, and employer. These persons were not co-makers or guarantors. The messages disclosed my alleged debt and accused me of being a scammer/criminal/fraudster. Some messages included my photo, address, ID, or other personal information. I suffered embarrassment, anxiety, and reputational harm. I request investigation for unauthorized processing, excessive data collection, unauthorized disclosure, and harassment.

The complaint should attach screenshots, app details, contact numbers, loan agreement, privacy policy, and witness statements.


XVIII. Liability of Collection Agencies

Online lenders often use collection agencies or outsourced collectors. These collectors may be considered personal information processors or agents, depending on their role.

The lender remains responsible for ensuring that collection agents:

  1. process data only under lawful instructions;
  2. maintain confidentiality;
  3. use data only for authorized collection purposes;
  4. do not disclose information to unauthorized third parties;
  5. do not harass or shame borrowers;
  6. implement security safeguards;
  7. delete or return data when no longer needed; and
  8. comply with data privacy law.

A lender cannot simply blame a third-party collector if the collector was acting under its authority or for its benefit.


XIX. Employer Contact and Workplace Shaming

One of the most harmful practices is contacting the borrower’s employer. A lender may claim that employer contact is necessary to verify employment or locate the borrower. However, disclosure of debt details to supervisors, HR personnel, coworkers, or company group chats may be excessive and unlawful.

A collector should not:

  1. tell the employer that the borrower is a fraudster;
  2. demand salary deduction without proper authority;
  3. ask the employer to discipline or terminate the borrower;
  4. disclose private debt details to coworkers;
  5. send humiliating messages to workplace channels;
  6. threaten legal action against the employer; or
  7. pretend that the employer is liable.

If employment verification is legitimately needed, it should be limited, discreet, and consistent with the privacy notice and lawful purpose.


XX. Emergency Contacts Are Not Automatically Liable

Borrowers are often required to provide emergency contacts or character references. These persons are usually not debtors. They are not liable unless they signed as co-makers, guarantors, sureties, or otherwise legally assumed responsibility.

An online lending app may not automatically treat an emergency contact as:

  1. a guarantor;
  2. a collection agent;
  3. a substitute debtor;
  4. a public recipient of debt information;
  5. a person authorized to receive confidential loan details; or
  6. a person who may be harassed into paying.

At most, an emergency contact may be contacted for limited purposes, such as verifying identity or reaching the borrower, but even this must be done lawfully and proportionately.


XXI. Credit Reporting and Blacklisting

Lenders may report repayment behavior to authorized credit bureaus or credit information systems if they comply with applicable law, disclosures, consent requirements, and data sharing rules.

However, threatening a borrower with vague “blacklisting” may be abusive if used to intimidate or mislead. A lender should not falsely claim that the borrower will be imprisoned, permanently banned from all banks, or publicly listed as a criminal.

Credit reporting must be accurate, lawful, transparent, and limited to authorized recipients.


XXII. Deletion of Data After Payment

Borrowers often ask whether paying the loan requires the lender to delete all data. The answer is nuanced.

Payment may end the collection purpose, but the lender may still retain some records for legitimate legal, regulatory, accounting, tax, audit, fraud prevention, or dispute purposes.

However, after full payment, the lender should not continue:

  1. contacting third parties;
  2. publishing borrower information;
  3. using contact lists;
  4. processing excessive device data;
  5. sending collection threats;
  6. retaining unnecessary harvested data; or
  7. using data for unrelated marketing without valid basis.

Borrowers may request deletion or blocking of data no longer necessary.


XXIII. Data Breach Issues

Because online lending apps collect sensitive borrower information, a data breach can be serious. If IDs, selfies, addresses, phone numbers, and financial details are exposed, borrowers may face identity theft and fraud.

Possible signs of a breach include:

  1. unsolicited messages from unknown lenders;
  2. identity theft attempts;
  3. fake loan accounts;
  4. phishing messages;
  5. unauthorized e-wallet or bank activity;
  6. spam calls after app registration;
  7. leaked ID photos; and
  8. messages from strangers using borrower data.

A lender has duties to implement reasonable and appropriate security measures. In serious cases, notification to affected data subjects and regulators may be required.


XXIV. Unregistered or Illegal Online Lending Apps

Some online lending apps may operate without proper registration or authority. Borrowers should check whether the company is duly registered and whether it has authority to operate as a lending or financing company.

If an app is unregistered, this may strengthen complaints before the SEC and other authorities. However, even a registered company may violate data privacy law if it uses abusive practices.

The legality of the lender and the legality of its collection methods are related but separate issues.


XXV. The Borrower’s Own Responsibilities

A borrower should also act responsibly.

A borrower should:

  1. read app permissions before installation;
  2. avoid granting unnecessary permissions;
  3. review the privacy policy;
  4. borrow only from registered and reputable lenders;
  5. keep copies of loan documents;
  6. pay legitimate debts or communicate inability to pay;
  7. request restructuring when necessary;
  8. avoid giving false information;
  9. avoid using another person’s identity;
  10. document abusive collection;
  11. revoke unnecessary app permissions;
  12. uninstall apps that harvest data;
  13. change passwords if data misuse is suspected; and
  14. file complaints when rights are violated.

Privacy rights protect borrowers from abuse, but they do not erase lawful debt.


XXVI. Practical Steps When Harassed by an Online Lending App

A borrower or third party may take these steps:

1. Preserve evidence

Take screenshots, save messages, record dates and times, and gather witness statements.

2. Revoke app permissions

In the phone's settings, disable any contact, location, camera, storage, SMS, and microphone permissions that are not necessary.

3. Notify contacts

Tell relatives, friends, coworkers, and employers not to respond to harassment and to preserve screenshots.

4. Send a written privacy request

Demand cessation of unauthorized disclosure, access to records, deletion of excessive data, and identification of data recipients.

5. Report to app store platforms

Report apps that engage in abusive data practices.

6. File complaints

Depending on the facts, file complaints with NPC, SEC, cybercrime authorities, or prosecutors.

7. Consider legal counsel

For serious defamation, threats, employer damage, identity theft, or large-scale data misuse, legal assistance may be needed.


XXVII. Sample Cease-and-Desist Message

A borrower may send:

You are directed to stop contacting my relatives, friends, employer, coworkers, and other third parties regarding my loan. They are not co-makers, guarantors, or sureties. Your disclosure of my personal loan information to unauthorized persons is a violation of my privacy rights and may expose you and your company to administrative, civil, and criminal liability. All further communications should be addressed directly to me through lawful and respectful means. I reserve all rights to file complaints with the National Privacy Commission, Securities and Exchange Commission, law enforcement agencies, and the courts.


XXVIII. Sample Message for Third Parties

A third party may reply:

I am not the borrower, co-maker, guarantor, or surety for this loan. I do not consent to your processing of my mobile number or personal information for debt collection. Stop contacting me and delete my information from your records unless you can show a lawful basis for processing it. Further messages will be documented and reported to the proper authorities.


XXIX. Common Defenses of Online Lending Apps and Responses

A. “The borrower consented.”

Consent must be informed, specific, and lawful. Consent to apply for a loan does not authorize harassment, public shaming, or disclosure to unrelated contacts.

B. “The borrower gave access to contacts.”

Phone permission does not automatically justify harvesting, storing, and using all contacts for debt collection. Processing must still be necessary, proportional, and lawful.

C. “The borrower is delinquent.”

Delinquency allows lawful collection, not unlawful disclosure or abuse.

D. “The contacts were emergency references.”

Emergency references are not automatically guarantors or recipients of confidential debt information.

E. “The collection agency did it.”

The lender may still be responsible for its agents and processors.

F. “The borrower’s debt is true.”

Even true information may not be freely disclosed to unauthorized persons. Privacy law protects personal data even when the data is accurate.

G. “The borrower agreed to the terms and conditions.”

Terms and conditions cannot override mandatory law or authorize illegal acts.


XXX. Special Issue: False Criminal Threats

Many collectors threaten borrowers with criminal cases for nonpayment. In general, ordinary failure to pay a debt is civil in nature. A borrower may face criminal liability only if there are facts constituting a criminal offense, such as fraud, falsification, identity theft, or issuance of worthless checks under applicable law.

A collector should not falsely tell a borrower that nonpayment alone means automatic arrest, imprisonment, police blotter, or criminal conviction. Such threats may be abusive, deceptive, and unlawful.


XXXI. Special Issue: Use of Borrower’s Photo or ID

A borrower’s selfie, ID photo, and government identification number are sensitive and high-risk data. They should be used only for legitimate verification and compliance purposes.

Misuse includes:

  1. sending the ID to contacts;
  2. posting the ID online;
  3. using the selfie in shame graphics;
  4. creating fake wanted posters;
  5. using the ID to threaten criminal action;
  6. sharing the ID with unauthorized collectors;
  7. retaining the ID without safeguards; and
  8. using the ID for unrelated applications or accounts.

Such conduct may create serious liability.


XXXII. Special Issue: Automated Credit Scoring

Some lending apps may use automated processing or algorithms to approve loans, set limits, assess risk, or determine collection intensity. Borrowers may have privacy rights related to automated decision-making, including the right to be informed about processing logic where applicable.

Automated scoring must still be fair, lawful, transparent, and based on relevant data. Using excessive device data, contact lists, or unrelated personal information may raise proportionality concerns.


XXXIII. Special Issue: Marketing and Re-Loan Offers

After a borrower pays, some apps continue sending promotional messages or re-loan offers. Marketing must have a proper legal basis. Borrowers may object to direct marketing and request removal from marketing lists.

Debt collection data should not be automatically repurposed for unrelated marketing without proper notice and lawful basis.


XXXIV. Remedies Before the National Privacy Commission

A complaint before the NPC should generally identify:

  1. complainant’s name and contact information;
  2. respondent app or company;
  3. facts of the incident;
  4. personal data involved;
  5. privacy rights violated;
  6. screenshots and evidence;
  7. harm suffered;
  8. relief requested; and
  9. prior demand or communication, if any.

Possible relief may include cessation of unlawful processing, deletion or blocking of data, investigation, compliance orders, and referral for prosecution where warranted.


XXXV. Remedies Before the Securities and Exchange Commission

Complaints before the SEC may focus on:

  1. abusive debt collection;
  2. unfair collection practices;
  3. operation without authority;
  4. misleading terms;
  5. excessive charges or unclear disclosures;
  6. harassment;
  7. threats;
  8. public shaming;
  9. unauthorized contacting of third parties; and
  10. violations of lending or financing company regulations.

The SEC route is particularly relevant when the respondent is a lending or financing company or claims to be one.


XXXVI. Remedies Before Cybercrime Authorities

When messages involve threats, cyberlibel, identity theft, online posting, or coordinated harassment, victims may approach cybercrime authorities. Evidence should be preserved in original form as much as possible.

Useful evidence includes:

  1. screenshots with URLs or phone numbers;
  2. message headers, where available;
  3. links to posts;
  4. account names;
  5. app details;
  6. call logs;
  7. witness statements;
  8. device information;
  9. date and time of incidents; and
  10. copies of demand letters.

XXXVII. When Court Action May Be Necessary

Court action may be considered when:

  1. serious reputational harm occurred;
  2. the employer was contacted and employment was affected;
  3. defamatory posts remain online;
  4. threats are ongoing;
  5. identity theft occurred;
  6. damages are substantial;
  7. injunction is needed;
  8. the lender ignores administrative complaints;
  9. there are multiple victims;
  10. criminal prosecution is pursued; or
  11. personal safety is threatened.

A court may be asked to award damages, issue injunctive relief, or address criminal liability depending on the case.


XXXVIII. Frequently Asked Questions

1. Can an online lending app access my contacts?

Only if there is a lawful basis, proper notice, and the processing is necessary and proportional. Broad access to an entire contact list for debt collection is highly questionable and may be unlawful, especially if used for harassment.

2. Can they message my relatives?

They may not disclose your debt to relatives unless there is a lawful basis. Relatives are not automatically authorized recipients of your loan information.

3. Can they contact my employer?

They should not disclose your private debt information to your employer or coworkers unless lawfully justified. Workplace shaming is abusive and may violate privacy and other laws.

4. Can they post my photo online?

Posting your photo, ID, or debt information online to shame you may be a serious privacy violation and may also give rise to other legal claims.

5. Can I refuse to pay because they violated my privacy?

A privacy violation does not automatically cancel a valid debt. However, you may file complaints and seek remedies for the unlawful conduct.

6. Can they make my emergency contact pay?

No, unless the emergency contact signed as a co-maker, guarantor, surety, or otherwise legally assumed liability.

7. Can I demand deletion of my data?

Yes, you may request deletion, blocking, or removal of unlawfully obtained, excessive, or unnecessary data. The lender may retain certain records if required by law or for legitimate legal purposes.

8. Can I sue for damages?

Yes, depending on the facts and proof of injury. You may seek damages for unlawful processing, defamation, harassment, or other wrongful acts.

9. Can they threaten me with imprisonment?

Ordinary nonpayment of debt is generally civil, not criminal. Criminal liability requires separate criminal acts such as fraud, falsification, or other offenses.

10. What if the app is no longer in the app store?

You may still preserve evidence and file complaints against the company, operators, collectors, phone numbers, payment channels, and other identifiable parties.


XXXIX. Best Practices for Online Lenders

A lawful online lending app should:

  1. collect only necessary data;
  2. avoid contact list harvesting;
  3. provide a clear privacy notice;
  4. obtain meaningful consent where required;
  5. use proportionate verification methods;
  6. secure borrower data;
  7. limit access to authorized personnel;
  8. train collection agents;
  9. prohibit threats, insults, and shaming;
  10. avoid unauthorized third-party disclosure;
  11. maintain data sharing agreements;
  12. provide rights request channels;
  13. appoint a data protection officer where required;
  14. retain data only as long as necessary;
  15. implement breach response procedures;
  16. comply with SEC rules;
  17. use fair collection practices;
  18. verify third-party collectors;
  19. document compliance; and
  20. respect borrower dignity.

XL. Best Practices for Borrowers

A borrower should:

  1. check if the lender is registered;
  2. read the privacy policy;
  3. inspect app permissions;
  4. avoid apps requiring unnecessary access;
  5. keep copies of all loan documents;
  6. screenshot terms before accepting;
  7. pay responsibly or communicate early;
  8. avoid borrowing from multiple abusive apps;
  9. use separate emergency contacts only with consent;
  10. avoid giving false references;
  11. revoke unnecessary permissions;
  12. document harassment;
  13. warn contacts not to engage with collectors;
  14. send privacy requests in writing;
  15. file complaints promptly;
  16. monitor identity theft risks;
  17. change passwords if needed;
  18. check e-wallet and bank activity;
  19. avoid panic payments to suspicious accounts; and
  20. seek legal help for serious cases.

XLI. Policy Considerations

The online lending problem shows the tension between financial inclusion and privacy protection. Fast credit can help people facing urgent expenses, but financial access should not come at the cost of dignity, security, and lawful treatment.

Abusive lending apps often target financially vulnerable borrowers. Excessive interest, short repayment periods, hidden fees, aggressive permissions, and shaming tactics create a cycle of debt and fear. Data privacy law serves as a safeguard by limiting how personal information may be weaponized.

Responsible digital lending must be built on fairness, transparency, proportionality, and accountability.


XLII. Conclusion

Data privacy rights against online lending apps in the Philippines are real and enforceable. A borrower who owes money does not surrender the right to dignity, confidentiality, and lawful treatment. A lender may collect a legitimate debt, but it must do so without excessive data collection, contact list harvesting, unauthorized disclosure, public shaming, threats, or harassment.

The key principles are simple: collect only what is necessary, use data only for lawful purposes, disclose it only to authorized persons, protect it securely, and respect the rights of borrowers and third parties.

Victims should preserve evidence, revoke excessive permissions, send written privacy requests, and file complaints with the appropriate agencies when necessary. Online lending companies, in turn, must recognize that technology does not exempt them from Philippine privacy, consumer protection, and debt collection laws.

In the Philippine legal context, the debt may be enforceable, but abusive data practices are not.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.