MANILA, Philippines — Their debts were small, but the price they paid was scandalously steep.
The first time “Roger” heard from his college friend after all these years, he was shocked. She didn’t ask how he was, what his kids were doing, or how he was enjoying a life so different from their college days.
What she wanted to know was why he gave her number to an online lending company that was hounding him at that time. The company told her that he was in debt and needed to pay up.
Roger took out a loan using the company’s app back in May, after seeing an ad on Facebook. His payment had been overdue for a week when the company contacted his college friend.
But in fact he didn’t give the company her number. The company tapped his contact list, then messaged his college friend to get him to make good on his debt.
The company also called his wife and threatened to report him to his boss so he would lose his job.
Roger, 26, has since paid back the loan. And he vowed to never use the app again.
When he took out the loan, Roger was working two jobs. He was doing online work at night and was behind on his internet bills, which was why he used the app.
Reviews on the app store about the company’s reputation were mixed, but he didn’t think there would be a problem. He was only borrowing P3,000, after all.
“You borrowed a small amount, and then they’ll embarrass you like that. I already paid for it. I’m earning again. But the people they called will never forget about it,” he told the Inquirer.
921 complaints
Roger is not alone. The National Privacy Commission (NPC) has reported receiving 921 formal complaints since July 2018 about online lending companies who publicly shame borrowers to get them to pay up.
The complainants did not include Roger. He had never heard of the NPC before, so he reported his experience to the Department of Trade and Industry, which, he said, did nothing about it.
Three companies are facing cases filed by the NPC for violating the Data Privacy Act of 2012. These are Fynamics Lending Inc. (operator of the PondoPeso app), Unipeso Lending Co. (CashLending app) and Fcash Global Lending Inc. (Fast Cash app).
Privacy Commissioner Raymund Enriquez Liboro earlier released copies of the investigators’ fact-finding reports, which recommended criminal prosecution of the board members of the three companies.
“The investigation determined that their business practice specifically targets the privacy of persons, practically making a profit out of people’s fear of losing face and dignity. These unethical practices simply have no place in a civilized society and must stop,” Liboro then said.
The NPC is focusing on these three firms because they accounted for 61 percent of the complaints. The investigation of other companies is ongoing.
The three companies had yet to respond to Inquirer’s request for comment as of this writing.
The issue here is not necessarily how the companies make a profit, but the manner with which they get borrowers with overdue payments to settle their debts—a strategy that involves threats and harassment through texts, phone calls, or online messages.
According to the NPC’s fact-finding report, these companies use the contact lists of their users in disclosing the unpaid debts to family members, friends and coworkers.
The companies also have access to the users’ data, including their pictures and location.
‘Dirty secrets’
In an affidavit sent to the NPC, one complainant said Fast Cash threatened to post her selfies on Facebook. Another said the CashLending app changed her profile picture on Facebook to an obscene picture.
A Facebook post, written in Filipino and reported by yet another complainant in an affidavit, quoted a threat thus: “Why did you change your profile and name? Maybe it’s because you don’t want to be embarrassed? Don’t you want everyone to know about your dirty secrets?”
None of these would have happened unless the users gave permission to these apps. But many users backed into a corner by circumstance didn’t have a choice. Roger, for one, said he could not use the app unless he agreed that the company could access his contacts.
There are varied permissions a user can give to a specific app. In the Google Play Store, for example, there are three categories that are grouped based on the level of risk associated to that permission.
Of these three, there is what Google calls the “dangerous permission,” which, if granted, would allow the app to send SMS messages, access personal information and take pictures, among other functions.
But the NPC argued that although the users gave their approval, the lack of easily understandable and clear information, among other factors, meant that it was not a “valid” consent.
“For consent to be considered valid, it should be informed consent, where the information provided is accessible, clear and easily understood. Bundled consent does not meet the criteria for specific consent,” the NPC said.
Airtight case
The companies and their respective directors have up to this week to respond to the charges filed by the NPC, Liboro said.
Lacking any response, the NPC said it would make a final decision based on available evidence and information against the three companies, all of which were incorporated in 2018.
The NPC has an “airtight” case, Liboro said. Among the charges filed against the companies are noncompliance with the legal requirements of processing personal data, as well as malicious and unauthorized disclosure.
Their operators may face imprisonment of up to seven years and fines of not more than P5 million under the Data Privacy Act of 2012.
The three companies are registered in the Securities and Exchange Commission. According to Lito Villanueva, chair of the industry group FinTech Alliance, there are now more than 100 online lending companies in the country that offer services either through mobile apps or on the internet.
‘Bad eggs’
“The difficulty there is we don’t even know how many among them are legitimate,” Villanueva said in a phone interview last week, noting that there must be a way to remove the “bad eggs.”
FinTech Alliance has more than 30 member companies, including big players such as PayMaya and Home Credit. Villanueva said the group accounted for over 90 percent of FinTech-initiated transactions, including lending and payments.
“Some people might think that data privacy is just about giving permission for your data to be accessed. But data privacy is much more than that. We should also think of where these data will be used and how that will affect you,” said Anthony Co, data privacy officer of Home Credit.
“On a more practical note, it is also important to remind the public to be careful of what apps they download on their phones, or (about) opening any suspicious emails, as you might be giving them access to your personal information, such as your phone numbers or even your bank details,” he added.
Consumers who want to file formal complaints in the NPC can email complaints@privacy.gov.ph, or send their queries to info@privacy.gov.ph. More information about privacy rights are available on the commission’s official website, privacy.gov.ph.
‘We know your ugly face’
Until the government makes a definitive decision, the three companies facing legal action in the NPC can continue to operate—and borrowers who underestimate the risks remain vulnerable to the shaming strategy.
And the companies’ threats are not veiled or subtle, according to the complainants’ statements.
“Before you sue us, we already [sent] a text blast to all of your contacts,” a text message to a complainant against PondoPeso read.
“We know your home address, your office and even your ugly face,” it said.
And more: “Good luck with your privacy law.”