The proliferation of Online Lending Apps (OLAs) in the Philippines has provided quick access to credit for many. However, this convenience often comes with a dark side: aggressive and illegal data processing practices. Many OLAs have been flagged for "debt shaming," unauthorized access to contact lists, and the disclosure of sensitive personal information to third parties.
Under the Data Privacy Act of 2012 (Republic Act No. 10173), borrowers have the right to protect their personal information. If an OLA has misused your data, you have the legal standing to file a formal complaint with the National Privacy Commission (NPC).
Common Data Privacy Violations by OLAs
Violations typically occur when an app exceeds the "principle of proportionality"—collecting more data than is necessary for a legitimate purpose. Common infractions include:
- Unauthorized Access: Accessing your phone’s contacts, gallery, social media accounts, or location data without explicit and informed consent.
- Debt Shaming: Contacting people in your contact list to inform them of your debt or to pressure you into payment.
- Unauthorized Disclosure: Sharing your personal or sensitive information with third-party collection agencies or posting it on public social media platforms.
- Lack of Transparency: Failing to provide a clear Privacy Notice explaining how your data is collected, used, and stored.
Step-by-Step Process for Reporting to the NPC
The NPC does not typically entertain anonymous complaints for formal adjudication. To seek redress, you must follow the official complaints procedure.
1. Exhaust Internal Remedies (The 15-Day Rule)
Before the NPC takes cognizance of a complaint, you must first communicate your grievance to the Data Protection Officer (DPO) of the lending company.
- Send a formal letter or email to the OLA's DPO detailing the violation.
- The OLA has 15 days to respond and address your concern.
- Note: This step may be bypassed if there is an urgent need to prevent further harm or if the OLA has no identifiable DPO.
2. Prepare the Formal Complaint
If the OLA fails to resolve the issue within 15 days, you may file a Complaints-Assisted Form or a formal Affidavit-Complaint with the NPC. Your complaint must include:
- Your full name and contact details.
- The name and address of the OLA (or its operator).
- A clear and concise statement of the facts constituting the violation.
- The specific relief you are seeking (e.g., a cease and desist order).
3. Gather Evidence
Documentation is critical for a successful case. Ensure you have copies of:
- Screenshots: Evidence of the app's permissions, harassing text messages, or social media posts shaming you.
- Call Logs: Records of unauthorized calls to your contacts.
- Proof of Communication: Your initial letter to their DPO and any response (or lack thereof).
- Loan Agreement: To show the terms you originally agreed to.
4. Filing the Complaint
You can submit your complaint through the following channels:
- Email: complaints@privacy.gov.ph
- Physical Filing: NPC Office at the Philippine International Convention Center (PICC), Pasay City.
- Online Portal: Check the official NPC website for the latest digital filing system updates.
What Happens After Filing?
Once a complaint is filed, the NPC will evaluate it for "legal sufficiency."
- Mediation: The NPC may call both parties to a mediation conference to reach an amicable settlement.
- Investigation: If mediation fails, the NPC will conduct a formal investigation. It may issue a subpoena to compel the OLA to produce evidence or testify.
- Adjudication: The Commission will issue a Decision. If the OLA is found liable, the NPC can:
  - Order the deletion of illegally obtained data.
  - Issue a Cease and Desist Order (CDO) against the app.
  - Recommend the criminal prosecution of the app owners under the DPA.
  - Impose administrative fines.
Important Legal Considerations
Criminal Penalties: Under the Data Privacy Act, "Malicious Disclosure" and "Unauthorized Processing" are criminal offenses. If convicted, perpetrators can face imprisonment ranging from one to seven years and fines ranging from PHP 500,000 to PHP 5,000,000, depending on the severity of the offense.
Concurrent Jurisdiction: Aside from the NPC, you may also report OLAs to the Securities and Exchange Commission (SEC) if they are engaging in unfair debt collection practices as defined under SEC Memorandum Circular No. 18, s. 2019. Reporting to both agencies often provides a more comprehensive legal shield.