Filing a complaint for violation of the Data Privacy Act against lending apps

In the digital-first economy of the Philippines, Fintech lending apps (often referred to as Online Lending Platforms or OLPs) have proliferated. While they provide accessible credit, many have become notorious for "online shaming," unauthorized access to contact lists, and the disclosure of sensitive information to third parties. These acts constitute serious violations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA).

If you are a victim of predatory data practices, the law provides a specific mechanism for redress through the National Privacy Commission (NPC).

1. Common Violations by Lending Apps

Under the DPA, personal information controllers (lending companies) must adhere to the principles of transparency, legitimate purpose, and proportionality. Common violations include:

  • Unauthorized Access: Accessing your phone’s contact list, gallery, or social media accounts without clear, specific consent for a legitimate purpose.
  • Malicious Disclosure: Contacting people in your phone book who are not your co-makers or references to inform them of your debt.
  • Online Shaming: Posting your photo or loan details on social media to pressure payment.
  • Processing for Unauthorized Purposes: Using your data for harassment rather than just identity verification or credit scoring.

2. Pre-requisite: The "Opportunity to Address" Rule

Before the NPC will formally entertain a complaint, the law generally requires the complainant to give the lending company an opportunity to address the grievance.

  1. Send a Formal Letter/Email: Communicate your concerns to the lending app’s Data Protection Officer (DPO).
  2. State Your Demand: Request they stop the harassment, delete unauthorized data, or provide an explanation for the breach.
  3. Wait for a Response: If they ignore you, provide an unsatisfactory answer, or the harm continues after 15 days, you may proceed to file a formal complaint with the NPC.

3. Filing the Formal Complaint

The NPC handles complaints through its Legal Division. To initiate a case, you must submit a Complaints Assistance Form or a notarized Formal Complaint.

Required Information:

  • Complainant's Details: Your full name, address, and contact information.
  • Respondent's Details: The name of the lending app and the registered corporate name of the company behind it (often found in the "About Us" or "Terms and Conditions" section of the app).
  • Statement of Facts: A chronological narrative of what happened.
  • Supporting Evidence: This is the most crucial part (see below).

4. Essential Evidence to Collect

A complaint is only as strong as its proof. You should gather:

  • Screenshots: Messages sent to your contacts, social media posts shaming you, and threatening SMS or Viber messages.
  • Call Logs: Records of the frequency and timing of harassing calls.
  • Contact Testimonies: If your friends or family were contacted, ask them for screenshots of the messages they received.
  • App Permissions: Proof (via phone settings screenshots) of what data the app accessed.
  • The Demand Letter: A copy of your initial communication to their DPO and proof that they received it.

5. The NPC Adjudication Process

Once a complaint is filed, the process typically follows these stages:

Stage Description
Evaluation The NPC determines if the complaint is within its jurisdiction and if there is a "prima facie" case.
Mediation The NPC may call both parties to a meeting to see if a settlement (e.g., deletion of data, apology, or damages) can be reached.
Adjudication If mediation fails, the parties submit "Position Papers." The NPC then issues a Decision or Sua Sponte Order.

6. Penalties and Consequences

If the lending app is found guilty, the NPC can:

  • Cease and Desist Orders (CDO): Order the app to stop processing data or shut down operations.
  • Deletion of Data: Compel the company to scrub your information from their servers.
  • Recommendation for Prosecution: Refer the case to the Department of Justice (DOJ) for criminal prosecution.
  • Administrative Fines: Impose heavy fines based on the company's annual gross income.

Criminal Penalties under the DPA can include imprisonment ranging from 1 to 6 years and fines from Php 500,000 to Php 5,000,000, depending on the gravity of the offense (e.g., Malicious Disclosure vs. Unauthorized Processing).

7. Practical Tips for Victims

  • Check the SEC Registry: Verify if the lending app is registered with the Securities and Exchange Commission (SEC). If they are not registered, they are operating illegally, which adds another layer of liability.
  • Do Not Engage in Profanity: When communicating with the app's DPO, remain professional. This shows you are acting in good faith should the case reach the NPC.
  • Report to Google/Apple: Simultaneously report the app to the Play Store or App Store for policy violations regarding user privacy to help get the app delisted.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login