Online Lending App Disclosure of Loan Details to Contacts

Below is a comprehensive discussion about the disclosure of borrower information by online lending apps in the Philippines, with particular attention to the legal and regulatory framework. This information is provided for general reference and does not constitute formal legal advice.

1. Overview of Online Lending Apps and Their Practices

Online lending applications (often referred to as “fintech lending apps”) facilitate loans to consumers through mobile devices or websites. A common practice among some apps, especially those operating without scrupulous data handling measures, is to request access to the borrower’s phone contacts or other personal data. In certain instances, these apps then use that information to contact friends, family, or colleagues of the borrower to pressure them into repaying their loans.

Such disclosures or communications to third parties (i.e., the borrower’s phone contacts) can lead to privacy violations, harassment claims, and regulatory sanctions. The laws and regulatory guidelines in the Philippines relevant to these practices include:

  1. Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”)
  2. Implementing Rules and Regulations of the DPA
  3. Lending Company Regulation Act of 2007 (Republic Act No. 9474) and related SEC regulations
  4. Circulars, advisories, and opinions from the National Privacy Commission (NPC)
  5. Guidelines and enforcement actions by the Securities and Exchange Commission (SEC)

2. The Data Privacy Act of 2012 (RA 10173)

2.1 Key Principles

The Data Privacy Act of 2012 imposes obligations on any entity (referred to as a “personal information controller” or “personal information processor”) that collects, processes, stores, or uses personal data. Under the DPA, the following principles must be observed:

  1. Transparency – The data subject (borrower) must be aware of the nature, purpose, and extent of the processing of their personal data, including how it may be disclosed to third parties.
  2. Legitimate Purpose – Personal data must be processed in connection with a declared and specific purpose that is not contrary to law.
  3. Proportionality – Data collected should be relevant and not excessive in relation to the purposes for which it is processed.

2.2 Consent

A cornerstone of lawful data processing under the DPA is consent from the data subject. In principle, a lending app should obtain explicit, informed consent for:

  • Collecting the borrower’s contact list or phone book details (if necessary for legitimate business reasons, which is often questionable).
  • Using or disclosing those details to third parties, including the borrower’s contacts.

However, even if a borrower clicks “allow” for the app to access phone contacts or other data, it does not automatically grant the lending company unfettered right to broadcast the borrower’s personal information to those contacts. Consent is valid only if:

  • It is freely given, specific, informed, and an indication of will.
  • It covers the particular use or disclosure.

Given that many lending apps bury broad permissions in their terms of service, the National Privacy Commission (NPC) has stressed that “bundled consent” or vague, catch-all provisions do not suffice. Borrowers cannot be coerced into consenting to extremely broad data usage as a condition of receiving credit.

2.3 Fair and Lawful Processing; Prohibited Acts

Under the DPA, certain acts are expressly prohibited and subject to penalties. Among them is unauthorized disclosure of personal information. If an app discloses a borrower’s personal or loan details to the borrower’s contacts without valid consent or another lawful basis (e.g., a legal obligation), it may be liable for:

  • Unauthorized Processing under Section 25 of the DPA.
  • Unauthorized Disclosure under Section 27 of the DPA.
  • Malicious Disclosure under Section 28 of the DPA (if done with malice or bad faith).

Penalties include imprisonment and significant fines depending on the specific infraction, harm caused, and the number of data subjects affected.

3. Role of the National Privacy Commission (NPC)

3.1 NPC Jurisdiction

The NPC is the regulatory body empowered to enforce and oversee compliance with the Data Privacy Act. It can:

  • Conduct investigations upon receiving complaints.
  • Issue orders, including cease-and-desist orders, and impose administrative fines.
  • Refer criminal offenses to the Department of Justice for prosecution.

3.2 NPC Enforcement Actions Against Lending Apps

Since around 2019, the NPC has actively cracked down on unscrupulous lending apps that harass borrowers or violate privacy rights by contacting or shaming them in front of family and friends. The NPC has repeatedly emphasized that:

  1. Access to a borrower’s phone contacts is not automatically justified even if an app’s terms of service mention it.
  2. Using borrowers’ personal data to harass or shame them into paying is a serious violation of the DPA.
  3. Borrowers have the right to file complaints with the NPC, which has penalized some operators for these offenses and ordered them to stop their illegal data-processing practices.

Any borrower or data subject who believes their data privacy rights have been violated may file a complaint directly with the NPC, accompanied by relevant documents such as screenshots, call logs, or voice recordings.

4. Securities and Exchange Commission (SEC) Regulations

4.1 Lending Company Regulation Act (RA 9474)

The Lending Company Regulation Act of 2007 governs lending companies and requires them to register with the Securities and Exchange Commission (SEC). The SEC, in coordination with other agencies, also addresses unfair collection practices. Some noteworthy points:

  • Registered lending companies must comply with ethical standards in collection, including privacy obligations.
  • The SEC can impose fines, revoke licenses, or penalize companies engaging in “unreasonable or unfair collection practices,” which include threatening or harassing borrowers and their contacts.
  • The SEC has issued Memorandum Circulars clarifying prohibited debt collection practices, explicitly mentioning the unauthorized use of social media or phone contacts to shame borrowers.

4.2 SEC Advisories

The SEC has issued public advisories warning consumers to be cautious of “online lending applications” that may operate illegally or fail to comply with regulatory standards. These advisories often mention:

  • The importance of verifying whether the lending entity is registered and licensed.
  • The risk of personal data misuse when dealing with unregistered or rogue apps.
  • Possible sanctions and penalties for violations, including closure of the lending company’s operations.

5. Potential Legal Liabilities and Remedies

5.1 Data Privacy Violations

As outlined, lending apps and their operators may face criminal and civil liability under the Data Privacy Act for unauthorized disclosure of borrower data. Borrowers can seek redress by:

  • Filing complaints with the National Privacy Commission.
  • Seeking damages for harm caused by the violation (e.g., reputational harm, emotional distress).

5.2 Harassment or Defamation

If a lending app uses personal data to harass a borrower (or the borrower’s contacts), the borrower may have a separate cause of action under relevant laws on harassment, unjust vexation, or even defamation under the Revised Penal Code, depending on the content of the messages.

5.3 SEC Enforcement

Borrowers can also lodge complaints with the SEC if the online lending app is licensed (or claims to be licensed). The SEC can investigate unethical or illegal debt-collection practices, leading to:

  • Fines, license revocation, or suspension against the lending company.
  • Possible lawsuits against the responsible officers.

5.4 Complaints to Other Agencies

Depending on the circumstances, borrowers may also seek assistance from:

  • The Department of Trade and Industry (DTI), if consumer rights are implicated.
  • The Philippine National Police (PNP) or National Bureau of Investigation (NBI), if criminal acts such as extortion, threat, or blackmail are involved.

6. Key Considerations for Borrowers

  1. Check Registration and Licenses – Before using an online lending app, verify if it is duly registered with the SEC and if it discloses legitimate contact and business information.
  2. Read Privacy Policies Carefully – Even if the policy is lengthy, pay special attention to how the app claims to collect, process, and disclose your data.
  3. Exercise Caution When Granting Permissions – Carefully review which app permissions you are granting. If the app demands full access to your phone book, question whether it is truly necessary for the loan.
  4. Document Harassment or Violations – If an online lender harasses you or your contacts, document all evidence (screenshots, recordings, messages). This will be important if you file a complaint.
  5. Consider Filing Complaints – If your rights under the Data Privacy Act are violated, you can file a complaint with the NPC. If there are other abuses, the SEC, NBI, PNP, or the courts may provide recourse.

7. What Regulators and Lawmakers Are Doing

Because of widespread complaints, Philippine regulators continue to:

  • Issue advisories reminding the public to use only licensed and transparent lending platforms.
  • Investigate reports of privacy violations, harassment, and unfair collection practices.
  • Impose stricter guidelines and penalties on offenders.

Additionally, lawmakers occasionally propose amendments or new legislation to refine fintech regulation and strengthen data protection measures in loan transactions, though the Data Privacy Act remains the primary legal bulwark against unauthorized data sharing.

8. Conclusion

In the Philippine context, disclosure of loan details to a borrower’s contacts by an online lending app can lead to multiple legal violations, most notably under the Data Privacy Act of 2012. Lending apps must secure valid and informed consent if they seek to collect or use a borrower’s phone contacts. Moreover, any unauthorized or malicious disclosure of personal data—particularly for harassment or shaming—can be penalized with criminal charges, fines, or license revocation.

Affected borrowers are advised to know their rights, document any wrongdoing, and approach the appropriate agencies (NPC, SEC, law enforcement) for remedies. Regulators in the Philippines are increasingly vigilant about privacy abuses in fintech, making it critical for both borrowers and lenders to understand their respective obligations and protections.

Disclaimer

This write-up is intended for general informational purposes and does not constitute legal advice. For specific concerns related to online lending app practices and potential privacy violations, it is best to consult a qualified lawyer or reach out to the National Privacy Commission and/or the SEC for guidance.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login