In a move to safeguard borrowers from privacy violations, the National Privacy Commission (NPC) announced its prohibition on online lenders harvesting personal information, such as phone and social media contact lists.
The circular, designated as Circular No. 20-01, was published on September 14, 2020, in response to a surge in complaints regarding online lenders exploiting client data and causing harm to their reputation. This comprehensive directive aims to put an end to the harassment and shaming of delinquent borrowers, a practice that persisted despite previous orders from both the NPC and the Securities and Exchange Commission (SEC) to shut down unscrupulous online creditors.
Responding to Public Concerns
The NPC's decision comes as a response to mounting grievances from individuals who reported unauthorized use of their personal data by online lenders. This misuse not only tarnished the borrowers' reputation but also violated their rights as data subjects. To address these issues, the NPC introduced Circular No. 20-01, effective 15 days after its publication in the Official Gazette or two newspapers of general circulation.
Compliance and Accountability
Privacy Commissioner Raymund Liboro emphasized the significance of treating borrowers' personal information with respect and propriety. He stressed that online lending applications must integrate privacy into their business processes by default, aligning with the principles of the Data Privacy Act (DPA).
The circular outlines dos and don'ts for online lending operators, specifying that accessing phone contacts, email lists, or harvesting social media contacts for debt collection or borrower harassment is strictly prohibited. The borrower's photo captured through the phone camera is allowed only for know-your-customer (KYC) purposes, and under no circumstances should it be exploited to harass or embarrass the borrower for debt collection.
Implementing Responsible Practices
Liboro urged online lending operators to take customers' data privacy seriously, emphasizing the deployment of adequate security measures. The circular not only highlights what online lending operators can and cannot do with borrowers' personal information but also calls for responsible implementation of app permissions, aligning with KYC policies.
The circular further mandates that lending and financing companies, as personal information controllers, must adopt reasonable and appropriate organizational, physical, and technical security measures to protect personal data. Loan details must be presented clearly and informatively, and borrowers must be informed if profiling, automated processing, or credit rating is involved in the loan processing activity.
Transparency and Accountability
To enhance transparency, the circular requires that a separate lawful criterion be in place if personal information is used for marketing, cross-selling, or sharing with third parties unrelated to loan services. Additionally, reasonable policies on data retention must be established for denied loan applications and fully settled loans.
Legal Consequences
Lending or financing companies found in violation of the circular are held accountable under the applicable provisions of the DPA. Section 3E of the circular emphasizes that these entities shall not engage in unfair collection practices, as defined under SEC Memorandum Circular No. 18 series of 2019. Non-compliance may result in fines and imprisonment, reinforcing the commitment to protecting borrowers' privacy.
Positive Impact
The NPC reported a significant decline in public complaints a month after the shutdown order on 26 online lending companies in October 2021 of the previous year, signaling the effectiveness of regulatory measures in curbing privacy violations.
In conclusion, Circular No. 20-01 stands as a robust defense against the unauthorized use of borrowers' personal information by online lenders, ensuring a more secure and respectful treatment of sensitive data. Borrowers can now navigate the online lending landscape with increased confidence, knowing that their privacy is a priority in the eyes of regulatory authorities.