Introduction
The rapid rise of online lending applications (OLAs) in the Philippines has provided convenient access to credit for millions of Filipinos, particularly the unbanked and underbanked. However, this convenience has come at a steep cost for many borrowers who fall into default. Numerous OLAs engage in predatory practices that include unauthorized access to borrowers’ phone contacts, gallery, SMS, and other personal data, followed by systematic harassment, shaming, and threats directed not only at the borrower but also at their family members, employers, and entire contact lists.
These practices constitute serious violations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and related issuances of the National Privacy Commission (NPC). This article comprehensively discusses the legal framework, the specific violations committed by rogue OLAs, the rights of affected data subjects, the step-by-step procedure for reporting, available remedies, and complementary legal actions under other laws.
Legal Framework
Republic Act No. 10173 (Data Privacy Act of 2012)
The DPA is the primary law governing the processing of personal information in the Philippines. It applies to all personal information controllers (PICs) and personal information processors (PIPs), including online lending platforms, whether domestic or foreign-based, that process personal data of Philippine residents.
Key principles violated by predatory OLAs:
- Legitimate purpose – Collection must be for a declared, specified, and legitimate purpose.
- Proportionality – Processing must be adequate, relevant, and not excessive.
- Transparency – Data subjects must be informed of the extent of processing.
- Consent – Sensitive personal information (e.g., financial data, contacts treated as personal information when linked to an individual) requires explicit consent.
- Security – PICs must implement reasonable and appropriate safeguards.
National Privacy Commission Issuances Specifically Addressing Online Lending
- NPC Advisory No. 2020-01 – Warned the public against predatory lending apps that misuse personal data for debt shaming.
- NPC Advisory No. 2021-01 – Reiterated that accessing contacts, gallery, SMS, and other phone data as “collateral” is illegal and constitutes unauthorized processing.
- NPC Circular No. 2022-04 (Guidelines on Online Lending Harassment) – Explicitly declared that sending derogatory, threatening, or shaming messages to contacts constitutes malicious disclosure under Section 31 of the DPA.
- NPC PHE Bulletin No. 17 – Classified debt shaming using borrowed personal data as a personal data breach involving dignity.
The NPC has consistently ruled that requiring access to contacts as a condition for a loan is a violation of the principle of proportionality and constitutes coerced consent, which is invalid under the DPA.
Common Violations Committed by Online Lending Apps
Unauthorized Access to Personal Data
- Requiring full access to contacts, SMS, gallery, microphone, and location as a loan condition.
- Using Android/iOS permissions to extract data without valid consent.
Unauthorized Processing and Disclosure
- Sending mass messages to all contacts stating “Your friend [Name] is a thief/deadbeat.”
- Editing and circulating obscene or humiliating photos of the borrower.
- Posting borrower details on social media or “shaming” groups.
Malicious Disclosure (Section 31, RA 10173)
- Intentional disclosure of personal or sensitive personal information without consent, with malicious intent or gross negligence.
Personal Data Breach Involving Dignity
- Debt shaming is now formally recognized by the NPC as a breach that affects the dignity of the data subject, triggering mandatory breach notification requirements.
Processing Without Legitimate Purpose or Beyond Declared Purpose
- Contacts are collected purportedly for “verification,” but used for harassment upon default.
Rights of Data Subjects Under the DPA
Every borrower is a data subject with the following enforceable rights:
- Right to be informed
- Right to object
- Right to access
- Right to rectification
- Right to erasure/blocking (right to be forgotten when data is processed illegally)
- Right to damages
- Right to file a complaint with the NPC
- Right to data portability (added by NPC Circular 2020-02)
How to Report Violations to the National Privacy Commission
Step-by-Step Filing Procedure (Updated as of 2025)
Gather Evidence (essential for a successful complaint)
- Screenshots of the app’s permission requests
- Loan agreement or privacy notice (if any)
- Screenshots of harassing messages sent to you or your contacts
- Photos of edited/obscene images circulated
- Call logs or recordings of threats
- List of contacts who received messages
- App name, developer, Google Play/Apple App Store link
File the Complaint via the NPC Online Complaint Portal
- Go to https://complaints.privacy.gov.ph
- Register an account or log in
- Select “File a Complaint”
- Choose “Personal Information Controller (PIC) Abroad” if the app is foreign-based (most predatory apps are)
- Fill out the online complaint form
- Upload all evidence
- Submit
Alternative Filing Methods
- Email: complaints@privacy.gov.ph or info@privacy.gov.ph
- Walk-in at NPC Office: Philippine International Convention Center (PICC) Complex, Pasay City
- Courier to the above address
What Happens After Filing
- NPC acknowledges receipt within 72 hours
- Preliminary assessment within 10 days
- If prima facie case exists, NPC issues Show Cause Order to the OLA
- Respondent is required to answer within 5–10 days
- NPC conducts investigation, clarificatory hearings if needed
- Decision issued within 180 days (extendable)
- Common outcomes: Cease and Desist Order (CDO), fines, order to delete data, payment of damages
Current NPC Penalties (as of 2025)
- Administrative fines: Up to ₱5,000,000 per violation
- Criminal penalties (upon NPC endorsement for prosecution):
  - Unauthorized processing: 1–3 years imprisonment + ₱500,000–₱2,000,000 fine
  - Malicious disclosure: 3–6 years imprisonment + ₱500,000–₱4,000,000 fine
- Combination of violations can reach maximum penalties
The NPC has imposed multimillion-peso fines on several lending apps (e.g., Cashalo, JuanHand, and unregistered apps) and successfully obtained takedown orders from Google and Apple.
Complementary Legal Actions
While the NPC route is the fastest and most direct, victims may pursue parallel remedies:
Criminal Complaints (File with Prosecutor’s Office or Police)
- Grave threats (Art. 282, Revised Penal Code)
- Unjust vexation (Art. 287)
- Cyberlibel (RA 10175)
- Violation of RA 10175 (Cybercrime Prevention Act) – computer-related identity theft, illegal access
- Violation of RA 9995 (Anti-Photo and Video Voyeurism Act) if obscene edited photos are circulated
Civil Action for Damages
- File at Regional Trial Court for moral, exemplary, and actual damages (often ₱100,000–₱500,000 awarded in successful cases)
SEC Complaint (if the lending company is registered)
- File online at https://www.sec.gov.ph/online-submission-of-complaints/
Bangko Sentral ng Pilipinas (BSP) (if operated by a BSP-supervised entity)
Department of Trade and Industry (DTI) for unfair trade practices
Preventive Measures and Best Practices
- Never grant access to contacts, gallery, or SMS when applying for loans
- Use only SEC-registered online lending platforms (list available at https://www.sec.gov.ph/online-lending-companies/)
- Read the privacy notice and data processing agreement carefully
- Borrow only from legitimate financing/lending companies
- Report suspicious apps immediately to Google Play (“Report inappropriate apps”) or Apple App Store
Conclusion
Harassment and unauthorized data access by online lending apps are not mere “collection tactics” — they are serious criminal and administrative offenses under Philippine law. The National Privacy Commission has demonstrated strong resolve in prosecuting predatory lenders, issuing multimillion-peso fines and permanent bans. Victims are not helpless. With proper documentation and prompt reporting, borrowers can hold these rogue apps accountable, recover damages, and force the permanent deletion of their stolen personal data.
Every complaint filed strengthens the NPC’s enforcement actions and contributes to cleaning up the online lending industry. Do not suffer in silence — report today.