Over a month ago, the National Privacy Commission (NPC) reported that it was investigating 48 lending companies based on charges of harassment, public shaming, and/or misuse of personal information filed by hundreds of individuals.
According to most allegations, the firms had accessed their borrowers’ contact list and used it for their aggressive—some would argue, unethical—collection practices.
While it refused to identify the erring firms, the Commission promised that the summary hearings relating to the cases could be done in a month’s time and resolved after a couple more.
News about these types of complaints are common today. That there seem to be more of them now may be attributed to the sudden increase in the number of lending companies, particularly those that operate via mobile phone apps.
On the surface, there seems to be nothing wrong with this picture. Giving people more opportunities to raise funds is in sync with the persistent push by the Bangko Sentral ng Pilipinas towards financial inclusion. Many people do not maintain bank accounts, which often makes them ineligible for the loans these institutions offer.
Other lending firms aim to fill that gap. Unfortunately, as with any opportunity out there, risks will always be involved, as well as cases of abuse.
The potential for abuse among lending outfits, especially with respect to their collection activities, is so apparent that the BSP even came out with a specific policy (Circular No. 454) to prohibit what it refers to as “unfair collection practices”. They include:
- use or threat of violence or other criminal means to harm the debtor, including his or her reputation or property
- use of obscenities, insults, or profane language which amount to a criminal act or offense under applicable laws
- disclosure of the names of debtors who allegedly refuse to pay, except when allowed by applicable law or policies
- threatening to take any unlawful action
- communicating (or threatening to) to any person false credit information, including failure to communicate that a debt is being disputed
- making any false representation or using deceptive means to collect a debt, to attempt to collect one, or to obtain information concerning a debtor
- making contact at unreasonable or inconvenient times or hours (i.e., before 6am or after 10pm), unless the account is past due for more than 60 days, or the debtor has given his or her express permission, or if said times are the only reasonable or convenient opportunities for contact
Unfortunately, it turns out this has not deterred lending companies from going to extremes with their collection tactics. And this is why having the Data Privacy Act of 2012 (DPA) around is a good thing.
With the DPA, borrowers (including their contacts) enjoy additional protection from abusive lending companies, by making sure these entities process their personal data in a manner that is consistent with the so-called privacy principles, as well as other applicable requirements of the law.
Any company found wanting in its compliance efforts can be ordered by the NPC to clean up its act and/or pay indemnity in favor of the people who have suffered as a result of its actions. The Commission may also recommend the filing of criminal cases.
That said, it is disappointing to observe that the DPA hasn’t fared better than its BSP counterpart—not yet, at least. After a cursory review of the privacy notices and public profiles of some of the “popular” lending apps around, here are some of my findings:
The companies behind some of these lending apps don’t provide reliable contact details, which makes it hard for aggrieved clients to complain or even inquire about their accounts. There are those who make use of free email services like Gmail, which causes one to doubt if these are legitimate businesses to begin with. Under the DPA, companies are supposed to indicate clearly their identities as personal information controllers, including their contact information.
The privacy notices of most lending apps do not acknowledge the existence of data subject rights. To comply with the so-called “Openness” Principle, companies engaged in personal data processing are expected to recognize and uphold the rights of individuals over their personal data. There are very few instances when these rights can be waived.
Most lending companies do not indicate a data retention period or policy. As a requirement, this information is crucial. It allows regulators and the public alike to determine if companies are keeping personal data only for a reasonable period after their declared use has already been achieved. It is often those data that are retained for an indefinite period that are most susceptible to unauthorized use.
Finally, practically all of the lending apps I analyzed ask their users for permission to control or manipulate the latter’s mobile phones in ways that any reasonable person would find intrusive and excessive.
Oftentimes, they ask you, as their client, to let them: (a) take pictures and videos using your camera; (b) read your contact list; (c) determine your precise location; (d) read, modify, or delete the contents of your storage device; (e) view your Wi-Fi connections; and (f) pair your phone with another Bluetooth device. One app even wants to use a phone’s microphone and record sounds (including, presumably, conversations). And just like that, it turns out access to their contact list could be the least of people’s worries.
The NPC clearly has its work cut out for itself. If the DPA is to be the pro-consumer policy it was always meant to be, it will have to show its fangs at some point and the Commission will have to be its primary executioner, more than the courts.
In the meantime, the public as would-be borrowers would do well to keep the contract law principle, caveat emptor, close to heart. Latin for “let the buyer beware,” it essentially tells people to be wary of the products they are poised to purchase or acquire, since they necessarily assume all the risks attached (e.g., its defects).
With lending apps, people should be very careful if they are considering the services being offered. They should read the privacy notices well and appreciate fully the permissions they will be giving away before actually installing the apps on their phones.
Some wrongs can be corrected once the damage is done. This is where the courts, the NPC, and other regulators usually come in. Other problems, though, can be avoided entirely just by being more discreet and meticulous in our choices. —VDS, GMA News
A related article may be found at the website of the Ateneo de Manila’s University Data Protection Office.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with as well as those of GMA News.