The rapid growth of online lending applications in the Philippines has introduced convenient access to credit for many Filipinos. At the same time, it has sparked widespread concern over aggressive debt-collection tactics, including the routine practice of contacting borrowers’ designated references and, in many cases, scraping and calling entire phone contact lists. This article provides a comprehensive examination of the legality of these practices under Philippine law, focusing on the primary statutes, regulatory framework, data-protection principles, and potential liabilities.
The Primary Legal Framework
The central statute governing the processing of personal data by lending apps is Republic Act No. 10173, the Data Privacy Act of 2012 (DPA). The DPA applies to all natural or juridical persons engaged in the processing of personal data in the Philippines, whether the processing occurs inside or outside the country, provided the data subject is a Philippine resident or the processing relates to the offering of goods or services to Philippine residents.
Key definitions under the DPA are directly relevant:
- “Personal information” refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
- “Processing” includes collection, recording, organization, storage, retrieval, use, disclosure, and destruction of personal data.
- A “personal information controller” (PIC) is the entity that controls the processing of personal data—in this context, the lending company or app operator.
Lending companies themselves are primarily regulated by Republic Act No. 9474, the Lending Company Regulation Act of 2007. This law requires all lending companies to register with the Securities and Exchange Commission (SEC) and empowers the SEC to prescribe rules on operations, capitalization, and conduct. While RA 9474 does not contain detailed debt-collection provisions, the SEC has authority to sanction registered entities for unfair or abusive practices that violate other laws, including the DPA.
Additional statutes that may be triggered depending on the manner of contact include:
- Revised Penal Code provisions on unjust vexation (Article 287), grave coercion (Article 286), and threats (Article 282).
- Republic Act No. 10175, the Cybercrime Prevention Act of 2012, when communications occur through computer systems and involve libel, threats, or harassment.
- Civil Code provisions on privacy (Article 26) and liability for moral damages arising from violation of privacy rights (Articles 2217–2219).
Lawful Basis for Processing Personal Data
Under Section 12 of the DPA, the processing of personal information is lawful only if at least one of the following criteria is met:
- The data subject has given consent.
- Processing is necessary for the performance of a contract to which the data subject is a party.
- Processing is necessary to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for the legitimate interests of the PIC or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.
References specifically provided by the borrower. When a borrower voluntarily supplies the names, phone numbers, and relationship details of two or three “references” or “emergency contacts” during the loan application, and the app’s privacy notice or loan agreement clearly discloses that these individuals may be contacted for verification purposes or in the event of default, the borrower’s consent generally covers the initial collection and limited use of that data. Contacting those specific references to confirm the borrower’s identity, employment, or whereabouts, or to request assistance in locating the borrower, can fall within the scope of contractual necessity or legitimate interest, provided the communication remains proportionate and is not conducted in a harassing manner.
General phone contacts and address-book scraping. The situation changes dramatically when an app requests (or silently obtains) permission to access the borrower’s entire phone contact list and then uses those numbers for collection purposes. Here, the data subjects are the hundreds or thousands of individuals whose names and numbers are stored in the borrower’s device. The borrower cannot lawfully consent on their behalf. The lending app becomes a PIC with respect to those third-party personal data without any direct relationship with, or consent from, those individuals. In the absence of another lawful basis—such as a legal obligation or a narrowly tailored legitimate interest that demonstrably outweighs the contacts’ privacy rights—the processing violates Section 12 of the DPA.
Even if the app argues “legitimate interest” in debt recovery, the DPA’s proportionality and data-minimization principles require that the least intrusive means be used. Contacting every person in a borrower’s phonebook is rarely the least intrusive means; it is typically viewed as excessive and therefore unlawful.
Transparency, Notice, and Data-Subject Rights
Section 16 of the DPA and its Implementing Rules and Regulations require that data subjects be informed, at or before the time of collection, of the purposes for which their data will be processed, the identity of the PIC, the recipients of the data, and their rights as data subjects. When an app contacts a reference or a random contact, that individual usually receives no prior notice. The sudden call or message informing them that a friend or relative owes money constitutes processing without the transparency required by law.
Data subjects (both the borrower and the contacted individuals) enjoy the rights to be informed, to access, to object, to erasure, to damages, and to file complaints with the National Privacy Commission (NPC). A contact who receives repeated calls or messages from a lending app may exercise the right to object and demand that the app cease processing their data.
Manner of Contact and Potential Criminal or Civil Liability
Even when a lawful basis for processing exists, the manner of contact can independently violate other laws:
- Repeated calls at unreasonable hours, threats of public exposure, or statements intended to shame the borrower in front of family or colleagues may constitute unjust vexation or grave coercion.
- Disclosure of the debt to third parties who have no legitimate need to know can give rise to a civil action for damages under the Civil Code.
- If the communications contain false statements that harm reputation and are published through SMS, social media, or messaging apps, liability under the Cybercrime Prevention Act for cyber libel may arise.
The SEC has, in the exercise of its supervisory powers over registered lending companies, taken the position that abusive collection practices—including the indiscriminate contacting of unrelated third parties—can constitute grounds for administrative sanctions, including suspension or revocation of the lending company’s certificate of authority.
Practical Distinctions and Common Scenarios
- Designated references who are also co-makers or guarantors. If the reference signed a document assuming joint liability, contacting that individual for payment is generally lawful, subject to the same rules on non-harassment that apply to the principal borrower.
- References listed only for verification. Contact is permissible for verification or location purposes if disclosed and consented to, but demands for payment directed at a non-liable reference cross into questionable territory.
- Bulk contact-list use for “skip tracing” or shaming. This practice lacks a lawful basis under the DPA for the vast majority of the individuals whose data is processed and is the type of conduct most frequently challenged before the NPC.
- Automated SMS blasts or robocalls to contacts. These raise additional issues under the DPA’s security and proportionality requirements and may also implicate telecommunications regulations.
Enforcement Mechanisms and Remedies
- National Privacy Commission. The NPC has primary jurisdiction over DPA violations. It may investigate complaints, issue cease-and-desist orders, impose administrative fines, and refer criminal cases to the Department of Justice. Penalties under the DPA include imprisonment and substantial fines.
- Securities and Exchange Commission. The SEC may investigate complaints against registered lending companies and impose administrative sanctions for violations of RA 9474 or related rules.
- Civil courts. Aggrieved data subjects may file independent civil actions for damages, injunctions, or both.
- Criminal complaints. In egregious cases involving threats, coercion, or unjust vexation, complaints may be filed with the prosecutor’s office.
Conclusion
Contacting specifically designated references is not per se illegal when the borrower has been clearly informed, has given informed consent, and the communications remain proportionate and non-harassing. In contrast, the indiscriminate processing and contacting of individuals whose personal data were obtained solely through the borrower’s phone contact list—without any direct consent or other lawful basis from those individuals—violates the core requirements of the Data Privacy Act of 2012. Such practices expose lending apps and their operators to administrative, civil, and potentially criminal liability.
Philippine regulators have consistently emphasized that the convenience of digital lending does not override fundamental data-protection and privacy rights. Both borrowers and their contacts retain enforceable rights to be free from unauthorized processing of their personal information and from abusive collection tactics. The legality of any specific instance of contact ultimately turns on the presence of a lawful basis under the DPA, the transparency of the processing, the proportionality of the means used, and the absence of harassment or coercion.