Online Lending Firm Found Criminally Liable for Violating Data Privacy Law

February 19, 2021 | 11:36 AM GMT+0800 Last Edit: February 22, 2021

The National Privacy Commission (NPC) has recommended the prosecution of Fynamics Lending Inc., the operator of the PondoPeso online lending application which has reportedly been harassing and public-shaming delinquent borrowers, for violating the data privacy law.

In a 40-page decision, the Commission chaired by Privacy Commissioner Raymund Enriquez Liboro determined the criminal liability of Fynamics Lending Inc. and its Board of Directors, for violation of Section 25 (Unauthorized Processing of Personal Information and Sensitive Personal Information) of the Data Privacy Act (DPA).

Violators of Section 25 could be penalized by imprisonment of up to three years, and a fine of up to P2 million for unauthorized processing involving personal information. Where sensitive personal information is involved, violators shall be penalized by imprisonment of up to six years and slapped with a fine of up to P4 million.

The Commission is forwarding the decision and a copy of the pertinent case records to the Department of Justice, recommending the prosecution of the Respondents for the crimes of Unauthorized Processing under Section 25 of the DPA for its further actions.

You may access a copy of the pseudonymized Decision here (https://www.privacy.gov.ph/wp-content/uploads/2021/02/NPC-19-910-In-re-FLI-Decision-LYA-Final-pseudonymized-17Dec2020.pdf).

Complaints against Fynamics

The decision on Fynamics Lending Inc. resulted from one of the sua sponte investigations conducted by the NPC against online lending companies. From July 6, 2018, to July 31, 2019, NPC received 689 complaints against online lending companies and their applications. A total of 113 complaints were made against Fynamics’ online lending app during the period.

Complaints against Fynamics’ online lending app include the following:

  1. The app used personal information from complainants’ mobile phonebook/directory/contact list to contact third persons, without their consent or authority;
  2. Personal information about the data subjects, unwarranted and false information, was discussed with third persons, including friends, relatives, co-workers, and the data subject’s superior. These persons were often told that the data subjects named them as co-makers or character references. In some cases, they were asked to settle the loan on behalf of the data subjects;
  3. Agents or representatives of the app used personal information about data subjects and others in their contact list to damage the reputation of data subjects or to harass, threaten, or coerce them to settle their loans;
  4. Methods used in personal data processing information were unduly intrusive, including posting on social media of personal and sensitive personal information of data subjects or even subjecting their contacts to threats and harassment. The personal information processed was excessive or otherwise used for purposes beyond what is necessary or authorized under their agreement.

The decision emphasized the role that personal information controllers play in “ensuring that the innovation and growth that happens in the Philippines continue to abide by the laws and ethical practices, leading to products and services that are free from any doubt on their security and informational privacy.”

“The National Privacy Commission once again reminds businesses to adhere to the data privacy law and respect their customers’ data privacy rights. To operators and companies behind online lending applications whose business model exploits borrowers, the Commission is determined to halt your unethical and illegal use of your customers’ personal information.” Privacy Commissioner Raymund Liboro said.

Dangerous permissions

As mentioned in the Decision, a technical report prepared by the NPC Task Force on Online Lending Mobile Applications found that Fynamics’ online lending app could access the complainants’ mobile contact lists. The ability to read the user’s contacts is considered dangerous permission.

Dangerous permissions are those that “cover areas where the app wants data or resources that involve the user’s private information or could potentially affect the user’s stored data or the operation of other apps,” the Decision read.

In October 2019, the NPC issued a ban on data processing against 26 online lending apps for data privacy violations including debt-shaming. The order led to the takedown of these sites from app download giant, GooglePlay.

In September 2020, the NPC issued a circular ordering online lending applications to stop accessing contact lists of borrowers.

The NPC continues to investigate other online lending companies that have been the subject of numerous complaints ranging from harassment to public shaming of borrowers.

***