In what is believed to be the first case of a local firm found violating the data privacy law, the National Privacy Commission (NPC) has recommended the criminal prosecution of Fynamics Lending Inc., the operator of the PondoPeso online lending application that was the subject of numerous data privacy complaints.
In a 40-page decision, the NPC determined the liability of Fynamics Lending Inc. and its board of directors, as responsible officers, for violation of Section 25 (Unauthorized Processing of Personal Information and Sensitive Personal Information) of the Data Privacy Act (DPA).
Under Section 25 of the DPA, the unauthorized processing of personal information shall be penalized by imprisonment of up to three years, and a fine of up to P2,000,000 shall be imposed on persons who process personal information without the consent of the data subject or without being authorized under the DPA or any existing law.
The unauthorized processing of sensitive personal information shall be penalized by imprisonment of up to six years. A fine of up to P4,000,000 shall be imposed on persons who process personal information without the data subject’s consent or without being authorized under the DPA or any existing law.
The privacy body is forwarding the decision and a copy of the pertinent case records to the Department of Justice, recommending the prosecution of the respondents for the crimes of Unauthorized Processing under Section 25 of the DPA for its further actions.
The decision was served to the Respondents on Feb. 15 and 16, 2021. A copy of the pseudonymized decision can be accessed here.
The decision on Fynamics Lending Inc. came from one of the sua sponte (on its own accord) investigations conducted by the NPC against online lending companies.
From July 6, 2018, to July 31, 2019, NPC received 689 complaints against several online lending applications, constituting around 55% of the total complaints filed before the NPC.
A total of 113 complaints were made against Fynamics’ online lending app during the period. The NPC said continues to investigate other online lending companies that have been the subject of numerous complaints ranging from harassment to public shaming of borrowers.
Complaints against Fynamics’ online lending app include the following:
- The app used personal information from complainants’ mobile phonebook/directory/contact list to contact third persons, without their consent or authority;
- Personal information about the data subjects, unwarranted and false information, was discussed with third persons, including friends, relatives, co-workers, and the data subject’s superior. These persons were often told that the data subjects named them as co-makers or character references. In some cases, they were asked to settle the loan on behalf of the data subjects;
- Agents or representatives of the app used personal information about data subjects and others in their contact list to damage the reputation of data subjects or to harass, threaten, or coerce them to settle their loans;
- Methods used in personal data processing information were unduly intrusive, including posting on social media of personal and sensitive personal information of data subjects or even subjecting their contacts to threats and harassment. The personal information processed was excessive or otherwise used for purposes beyond what is necessary or authorized under their agreement.
The decision emphasized the role that personal information controllers play in “ensuring that the innovation and growth that happens in the Philippines continue to abide by the laws and ethical practices, leading to products and services that are free from any doubt on their security and informational privacy.”
“The National Privacy Commission once again reminds businesses to adhere to the data privacy law and respect their customers’ data privacy rights. To operators and companies behind online lending applications whose business model exploits borrowers, the Commission is determined to halt your unethical and illegal use of your customers’ personal information. The law will make you pay for the deliberate and willful violation of the Data Privacy Act,” NPC chair Raymund Liboro said.
As mentioned in the decision, a technical report prepared by the NPC Task Force on Online Lending Mobile Applications found that Fynamics’ online lending app could access the complainants’ mobile contact lists. The ability to read the user’s contacts is considered dangerous permission, it said.
Dangerous permissions are those that “cover areas where the app wants data or resources that involve the user’s private information or could potentially affect the user’s stored data or the operation of other apps,” the decision read.
In 2019, the NPC issued a ban on data processing to 26 online lending apps that have been the subject of borrowers’ complaints. The ban led to the takedown of these sites from GooglePlay.
In 2020, the NPC halted online lending applications from accessing contact lists of borrowers.