Privacy violations by third-party collectors contacting non-borrowers

In the rapidly evolving landscape of Philippine fintech, the proliferation of Online Lending Applications (OLAs) has brought about a surge in unethical and illegal debt collection practices. One of the most pervasive issues involves third-party collectors (TPCs) contacting individuals who never signed a loan agreement—often referred to as "non-borrowers." These individuals are frequently targeted simply because they appear in the borrower’s mobile contact list or were unilaterally listed as "character references" without their consent.

The Statutory Framework: Republic Act No. 10173

The primary shield against these intrusions is the Data Privacy Act of 2012 (DPA). Under this law, any individual whose personal information is processed is considered a Data Subject, regardless of whether they have a contractual relationship with the lender.

Core Principles of Processing

For the processing of a non-borrower’s data to be legal, it must adhere to three pillars:

  1. Transparency: The non-borrower must be informed that their data is being processed.
  2. Legitimate Purpose: The data must be used for a specific, declared, and lawful purpose.
  3. Proportionality: The processing must be adequate and not excessive.

Contacting a non-borrower to "shame" them into pressuring the actual borrower violates all three principles. The National Privacy Commission (NPC) has consistently ruled that a borrower’s consent to access their contact list does not constitute legal consent from the third parties within that list.

Regulatory Prohibitions: SEC and BSP Guidelines

Government regulators have issued specific circulars to curb "predatory" collection tactics that involve non-borrowers.

SEC Memorandum Circular No. 18 (Series of 2019)

The Securities and Exchange Commission (SEC) explicitly prohibits "Unfair Debt Collection Practices." Under this circular, it is illegal for lenders or their TPCs to:

  • Contact persons in the borrower's contact list other than those named as guarantors or co-makers.
  • Use threats, profanity, or any form of harassment against any person (borrower or otherwise).
  • Disclose the borrower's name and details to third parties, except in specific legal circumstances.

NPC Circular No. 20-01

This circular specifically addresses the processing of personal data for loan management. It prohibits OLAs from:

  • Requiring access to a borrower's contact list, photo gallery, or social media accounts as a condition for the loan.
  • Processing data for the purpose of "debt shaming" or harassing the borrower’s social circle.

Common Privacy Violations Against Non-Borrowers

The following actions by third-party collectors constitute actionable violations of Philippine law:

Violation Description Legal Basis
Unauthorized Disclosure Revealing the borrower's debt status to a friend, colleague, or relative. DPA Sec. 20; SEC MC 18
Identity Theft/Misrepresentation Claiming a non-borrower is a "co-maker" when they never signed anything. Revised Penal Code; DPA
Harassment Repeatedly calling, texting, or messaging a non-borrower despite their refusal to cooperate. SEC MC 18; Cybercrime Prevention Act
Processing Without Consent Collecting and storing the phone numbers of a borrower's contacts without their direct permission. DPA Sec. 11

Legal Remedies for Non-Borrowers

Non-borrowers who find themselves harassed by third-party collectors have several avenues for redress:

1. The National Privacy Commission (NPC)

A non-borrower can file a formal complaint for unauthorized processing and processing for unauthorized purposes. The NPC has the power to issue "Cease and Desist" orders and recommend criminal prosecution against the directors of the lending firm and the TPC.

2. The Securities and Exchange Commission (SEC)

If the lender is a registered financing or lending company, the SEC’s Corporate Governance and Finance Department handles complaints regarding unfair collection practices. Violations of MC 18 can lead to heavy fines or the revocation of the lender's Certificate of Authority to Operate.

3. Bangko Sentral ng Pilipinas (BSP)

If the TPC is acting on behalf of a bank or a BSP-supervised financial institution, a complaint can be filed through the BSP’s Consumer Protection Department.

4. Criminal and Civil Action

Under the DPA, the "unauthorized processing" of personal information can carry a penalty of one to three years of imprisonment and fines ranging from Php 500,000 to Php 2,000,000. Furthermore, victims may sue for damages under the Civil Code (Article 26) for violation of privacy and peace of mind.

Summary of the Legal Position

In the Philippine context, a non-borrower is a stranger to the loan contract and owes no obligation—legal or moral—to the lender. The act of "reaching out" to them to facilitate debt collection is not a "standard business practice" but a breach of the Data Privacy Act and a violation of SEC fair-practice regulations. Consent given by a borrower to a mobile app does not bind the contacts in their phonebook, and any attempt to involve these third parties via harassment or data exploitation is punishable by law.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login