LETTER TO LEGAL COUNSEL

Dear Attorney,

I hope this letter finds you in good health. I am writing to seek legal advice regarding a situation I have encountered with a lending application from which I obtained a small loan. I discovered that representatives of the lending app have been contacting individuals in my phone’s contact list, even though those persons are not, and were never intended to be, designated guarantors or character references. I have reason to believe that the lending app is performing these calls in an attempt to shame or harass me into repaying my loan, and I am deeply concerned about the legal and personal implications of these actions.

To provide some context, I submitted my application using the lending app’s platform, provided basic personal details, and granted access to certain parts of my phone’s data as part of the loan application. I was under the impression that the lending app would limit its communications to me and to the references that I explicitly listed. However, based on what I have witnessed and the complaints from individuals in my contact list, it seems that the lending app has contacted people who were not identified as my references. This has caused me significant distress, and it has also strained my personal relationships. I am worried that they might continue to call and harass additional contacts.

Could you please advise me on my rights and possible recourses under Philippine law, particularly concerning the protection of personal data and remedies against unfair collection practices? I want to know which legal provisions may apply if a company misuses or abuses my contact information without explicit and lawful authority, and I would like your perspective on how best to proceed if the lending app continues these unwelcome practices.

Thank you for your time and guidance. I look forward to hearing from you.

Sincerely,

(Your Concerned Client)

LEGAL ARTICLE: UNAUTHORIZED CONTACT OF THIRD PARTIES BY LENDING APPS UNDER PHILIPPINE LAW

Introduction

In the Philippine setting, mobile-based lending applications (“lending apps”) have seen tremendous growth as Filipinos adopt technology-driven solutions for faster access to credit. However, with progress and convenience come legal questions and consumer-protection issues. One particularly disturbing concern involves lenders contacting borrowers’ family members, friends, or colleagues—individuals who were not listed as guarantors or references—to pressure a borrower into repaying a loan. This legal article explores the pertinent legal frameworks, potential remedies, and the safeguards that Philippine law provides for privacy and fair debt-collection practices.

This piece is meant to serve as a comprehensive resource for any borrower who experiences harassing or unauthorized phone calls to third parties, especially where the borrower’s consent is neither clearly given nor properly established. It focuses primarily on the Data Privacy Act of 2012 (“DPA”), the regulations of the Bangko Sentral ng Pilipinas (“BSP”), the Securities and Exchange Commission (“SEC”), and other relevant provisions under Philippine law.

1. Fundamental Legal Framework

   1.1. Data Privacy Act of 2012 (Republic Act No. 10173)

   The Data Privacy Act (DPA) is the bedrock legislation for the protection of personal data in the Philippines. It aims to safeguard the fundamental right to privacy of communication while ensuring the free flow of information for innovation and growth. The DPA mandates that personal data must only be processed if it is done fairly, lawfully, and for legitimate purposes. The “processing” of personal data, as defined, includes the collection, storage, use, disclosure, or destruction of such data.

   In the context of lending apps, borrowers often grant access to their phone contact lists as part of an application process. This consent, however, is presumed to be restricted solely to legitimate loan processing, evaluation, and communications regarding the loan. Any communications that are beyond the scope of consent, especially calls that can be construed as harassment to the borrower or to non-consenting individuals in the contact list, may be deemed an unauthorized or excessive processing of personal data. If such communications are undertaken without a lawful basis, the lending company and its agents could be held administratively, civilly, or even criminally liable under the DPA.

   1.2. Consumer Protection Laws and Debt Collection Regulations

   The Philippines has a range of consumer protection laws, including the Consumer Act (Republic Act No. 7394) and the Truth in Lending Act (Republic Act No. 3765). While these do not specifically focus on data privacy or third-party communications, they impose fair dealing requirements on lenders. Furthermore, the Bangko Sentral ng Pilipinas (BSP) has issued regulations that govern how banks and financial institutions (including lending companies, if they fall under BSP regulation) should handle their collection efforts. There are established guidelines on debt collection practices that place limitations on harassing behaviors and unauthorized disclosures of personal data. Although many app-based lending companies operate under different licenses or government agencies, these guidelines serve as an important reference for what would be considered unfair and unethical collection practices.

   1.3. Securities and Exchange Commission (SEC) Oversight

   For non-bank lending and financing companies, the SEC is the primary regulator, particularly through the Lending Company Regulation Act of 2007 (Republic Act No. 9474) and the Financing Company Act (Republic Act No. 8556). The SEC, in collaboration with other agencies, has issued guidelines and warnings against illegal or aggressive methods of debt collection by lending companies. If the lending app is registered with the SEC, it must abide by fair collection standards that prohibit harassment, unauthorized publication of names, and other intrusive acts directed at collecting debts.

   In particular, the SEC has sanctioned certain companies, and in some cases revoked licenses or imposed penalties for unacceptably aggressive or abusive collection tactics that infringe on privacy rights. Lending companies under SEC supervision may also face penalties for failing to implement data protection policies consistent with the DPA.

2. Application of the Data Privacy Act to Contact List Access

   2.1. Consent Requirements

   Under the DPA’s Implementing Rules and Regulations (IRR), consent must be informed, freely given, and time-bound in relation to the declared, specified, and legitimate purpose. When a user downloads a lending app and permits access to the phone’s contact list, that permission must not be construed as unlimited authority to use or disclose the data for unrelated or abusive ends. If the lending app uses that contact information to make unsolicited calls to individuals who have no direct connection to the loan, it could be argued that the lender has violated the “purpose limitation” principle under the DPA.

   Lenders must be transparent about how they intend to use borrowers’ personal information at the time of data collection. If the app’s terms and conditions did not thoroughly describe that these contact list entries could be used as potential reference points for debt collection calls, or if the user’s consent was obtained through vague or deceptive disclaimers, the lending app may be in breach of the DPA’s consent requirement.

   2.2. Principle of Legitimate Purpose and Proportionality

   The DPA provides that personal data shall be processed only for purposes that are legitimate, stated, and not contrary to law, morals, or public policy. Moreover, the scope of personal data collected must be proportional to the declared objective. If the app’s objective is only to evaluate creditworthiness, it may have no legal basis to contact and harass random individuals in the borrower’s contact list once the loan is approved. Collecting vast amounts of data beyond the immediate needs of credit evaluation raises questions about whether the app’s data processing activity is indeed proportional to the stated purpose.

   2.3. Privacy Notices and the “Right to Be Informed”

   Borrowers must be adequately informed of the extent of data collection and the ways in which the lender will use their data. The DPA’s “Right to Be Informed” obligates the personal information controller (in this case, the lending company) to provide notice about how data will be handled, to whom it may be disclosed, and for how long it may be retained. Failure to provide adequate notices or disclaimers about contacting third parties in the borrower’s phone contacts can expose the lending app to liability.

   2.4. Security Measures and Accountability

   Lending companies are required under the DPA to institute strict security measures to prevent unauthorized access or disclosure of personal data. This means that even if the borrowers themselves provided the contact data, the lending app is accountable for how that data is subsequently used or shared. Where unauthorized calls are made to third parties without a valid basis, that practice may trigger enforcement actions by the National Privacy Commission (“NPC”). Lending apps, by virtue of collecting personal data, fall under the scope of “personal information controllers” as defined by the DPA and must abide by the DPA’s legal obligations.

3. Harassment vs. Legitimate Debt Collection

   3.1. Defining Harassment in Collection Efforts

   Philippine jurisprudence and regulatory standards consider certain methods of debt collection to be abusive if they are intended to “shame” the borrower or cause unnecessary humiliation or distress. Examples of prohibited acts may include posting a borrower’s personal details on social media platforms, sending threats of harm, contacting unrelated individuals to pressure the borrower, or disclosing the borrower’s indebtedness to such unrelated individuals. While lenders may indeed pursue borrowers for payment, their methods must remain legal and must not encroach upon the borrower’s dignity, privacy, or the privacy of third parties.

   3.2. The Role of the NPC and Other Authorities

   The National Privacy Commission is the principal agency tasked with enforcing the DPA. If a borrower or an affected third party believes that their privacy rights have been violated by the lending app’s practices, they may lodge a complaint with the NPC. The NPC has power to investigate alleged violations, issue cease-and-desist orders, and impose fines or other penalties. Beyond the NPC, borrowers or third parties who have suffered harassment may also seek recourse under laws dealing with libel, unjust vexation, or harassment, if the lender’s behavior meets the elements of those offenses.

   3.3. Evidence Collection and Documentation

   An individual seeking legal remedies must gather proof of the lender’s invasive or abusive acts. Such evidence may include call records, screenshots of text messages, social media posts by the lender, or written and notarized statements from witnesses or the third parties who received unwarranted calls. Accurate and thorough documentation is crucial for substantiating any complaint filed with the NPC, the SEC, or in a civil or criminal case.

4. Legal Remedies for Affected Borrowers and Third Parties

   4.1. Filing a Complaint with the National Privacy Commission

   An aggrieved borrower or third party may file a complaint directly with the NPC. The complaint should detail the nature of the alleged privacy violation and must be supported by evidence. The NPC will typically evaluate whether the complaint falls under its jurisdiction and may initiate an investigation. If the NPC finds sufficient basis, it can penalize the lending company and/or issue a compliance order or cease-and-desist order.

   4.2. Pursuing Civil Actions for Damages

   Under Section 37 of the DPA, any person who suffers damage due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data may be entitled to compensation. A civil suit for damages can be initiated if the borrower or third party wants to recover actual damages suffered, as well as moral or exemplary damages, depending on the circumstances. Such suits can also include injunctive relief to stop the lending app from continuing its harassing or invasive conduct.

   4.3. Administrative Sanctions by the SEC or BSP

   If the lending app is registered with the SEC, borrowers may file a complaint for abusive debt collection practices. The SEC can investigate the matter and, if warranted, impose administrative sanctions ranging from fines to revocation of the lender’s Certificate of Authority to operate. In the case of banks and quasi-banks regulated by the BSP, complaints might be directed to the BSP for a similar range of remedial actions. These administrative sanctions serve to remind other lenders that debt collection must not be carried out at the expense of consumer rights.

   4.4. Criminal Liabilities

   The DPA provides for criminal penalties in cases where the personal data has been processed without consent, with malicious intent, or in a manner that violates the law. If a borrower or third party can show that the lending company’s officials willfully engaged in unauthorized data processing for the purpose of harassment, the individuals involved might be subject to criminal charges. Such penalties can include imprisonment and substantial fines, depending on the gravity of the offense and the extent of the damage.

5. Preventive Measures and Best Practices

   5.1. Reading the Fine Print

   Borrowers must exercise due diligence before downloading and using lending apps. Reading the terms of service and privacy policies is critical. While it can be tedious, ensuring that one understands how their data will be collected and used can prevent future disputes. If any clause appears ambiguous or excessively broad, it may be prudent to seek clarification or look for alternative lending options with more transparent policies.

   5.2. Revoking or Restricting Permissions

   Many smartphone operating systems allow users to revoke certain permissions granted to apps, such as access to contact lists. If a borrower suspects that an app is misusing or overreaching in data collection, adjusting these permissions is a proactive step. However, doing so after the loan has been released might lead to conflict with the lender if the permission was part of the agreement. Nonetheless, it is within the user’s prerogative to protect their privacy and that of the individuals in their contact list.

   5.3. Documenting All Interactions

   To build a strong case against unscrupulous lenders, borrowers and third parties should maintain detailed records of all interactions with the lending app, including dates and times of phone calls or messages. This documentation will be invaluable in substantiating any allegations of privacy violations or harassment before the NPC, SEC, or a court.

   5.4. Seeking Timely Legal Advice

   If borrowers face repeated harassing calls, or if they learn that the lender has been contacting unrelated parties, they should consider consulting a lawyer promptly. A lawyer can help assess the strength of the borrower’s claims, explore available remedies, and draft appropriate legal correspondence, such as a demand letter or a request for the lender to cease unauthorized communication practices.

6. Steps To Follow When Confronted With Harassment

   6.1. Notify the Lender in Writing

   Borrowers may send a written notice (or through email) to the lending app, reminding them of their obligations under the DPA and other relevant laws. The letter should also request the cessation of calls to unauthorized third parties and demand that the lender respect the borrower’s privacy rights and the privacy rights of others. This formal notification serves as evidence that the borrower has taken steps to resolve the matter amicably.

   6.2. File a Complaint with the NPC

   If the harassing behavior persists, the next step would be to prepare and file a formal complaint with the National Privacy Commission. The complaint must be accompanied by relevant evidence, such as screenshots, call recordings (if permissible), and detailed narratives explaining how the lending app misused the borrower’s or third parties’ personal data. The NPC’s complaint process typically includes mediation and possible investigation; if proven, the NPC can impose sanctions and direct the lending app to correct its practices.

   6.3. Coordinate with Other Affected Individuals

   If multiple people in the borrower’s contacts also receive harassing calls, it might strengthen the complaint if all affected parties collectively file or submit evidence. A pattern of repeated, unauthorized contact to non-consenting third parties highlights the lender’s systemic disregard for privacy norms and can bolster claims of unauthorized data processing.

   6.4. Consider Further Legal Action

   Depending on the severity of the harassment and the consequences suffered by the borrower, additional legal action—either civil or criminal—may be warranted. Consulting an attorney helps in deciding whether to initiate a court case for damages, if the borrower has endured significant emotional distress or reputational harm. Furthermore, if the lender’s actions are egregious enough, a criminal complaint under the DPA or other applicable laws may be appropriate.

7. Regulatory Trends and Proposed Reforms

   7.1. Growing Accountability Under the DPA

   Since the passage of the Data Privacy Act, regulators have been increasingly attentive to cases involving the misuse of personal data. The National Privacy Commission continues to refine its rules and guidelines, clarifying how lending apps are expected to handle sensitive personal information. Hence, borrowers can expect more robust enforcement efforts, with heavier fines and penalties levied on erring companies.

   7.2. Self-Regulation and Industry Best Practices

   Some financial technology associations encourage member companies to adopt stringent data protection measures and ethical collection practices. Voluntary self-regulation, while not always foolproof, can promote better industry standards and lessen the likelihood of privacy abuses. For borrowers, patronizing apps that align with recognized industry codes of conduct is a good risk-management strategy.

   7.3. Enhancing Consumer Awareness

   Government agencies and consumer advocacy organizations aim to educate the public on the importance of data privacy. The overarching goal is to empower borrowers to recognize potential red flags when installing apps and to understand available recourses if they encounter harassing or unauthorized data processing. Greater consumer awareness places pressure on lending companies to act ethically, knowing that borrowers can and will pursue legal remedies in instances of overreach.

8. Conclusion

Unauthorized contact of third parties by lending apps in an effort to compel or shame borrowers into repayment is a serious concern under Philippine law. The Data Privacy Act of 2012 (RA 10173) grants individuals legal protections against the unauthorized or excessive processing of personal data. Borrowers who find themselves harassed—or whose contacts receive intrusive calls—can turn to the NPC, the SEC, and civil or criminal avenues for relief.

Philippine jurisprudence and regulations underscore that while lenders have a legitimate interest in collecting debts, they cannot trample upon privacy rights or resort to abusive and unethical methods. The principle of proportionality, the requirement of informed consent, and the explicit prohibition of harassing conduct converge to limit the scope of what lenders can lawfully do with borrower data.

In practical terms, borrowers should safeguard themselves by diligently reading loan agreements and app permissions, documenting all communications with lenders, and seeking professional legal counsel if the lender engages in harassment. By working with the National Privacy Commission and other authorities, borrowers can stand up for their rights and compel unscrupulous lending apps to cease their unlawful practices, ensuring that the financial technology sector remains transparent, accountable, and beneficial to consumers.

Ultimately, addressing these concerns contributes to the creation of a more ethical lending environment, one where consumer protection and privacy are held paramount. The legal infrastructure in the Philippines offers adequate remedies—through administrative, civil, and criminal means—to protect borrowers and unsuspecting contacts alike. As the market for lending apps continues to expand, both the government and the private sector should remain vigilant in upholding strict data privacy standards and promoting fair collection practices. This will ensure that technological advances serve their intended purpose: to foster financial inclusion without sacrificing fundamental rights and freedoms.

Disclaimer: This article has been prepared for informational purposes only and does not constitute legal advice. Individuals with specific queries should consult an attorney for tailored guidance on their particular situation.