https://www.privacy.gov.

ph/2021/02/online-lending-firm-found-criminally-liable-for-violating-data-
privacy-law/

Online Lending Firm Found Criminally

Liable for Violating Data Privacy Law
February 19, 2021 | 11:36 AM GMT+0800 Last Edit: November 11, 2021

The National Privacy Commission (NPC) has recommended the prosecution of Fynamics
Lending Inc., the operator of the PondoPeso online lending application which has reportedly
been harassing and public-shaming delinquent borrowers, for violating the data privacy law.

In a 40-page decision, the Commission chaired by Privacy Commissioner Raymund Enriquez

Liboro determined the criminal liability of Fynamics Lending Inc. and its Board of Directors,
for violation of Section 25 (Unauthorized Processing of Personal Information and Sensitive
Personal Information) of the Data Privacy Act (DPA).

Violators of Section 25 could be penalized by imprisonment of up to three years, and a fine of

up to P2 million for unauthorized processing involving personal information. Where sensitive
personal information is involved, violators shall be penalized by imprisonment of up to six
years and slapped with a fine of up to P4 million.

The Commission is forwarding the decision and a copy of the pertinent case records to the
Department of Justice, recommending the prosecution of the Respondents for the crimes of
Unauthorized Processing under Section 25 of the DPA for its further actions.

You may access a copy of the pseudonymized Decision here

(https://www.privacy.gov.ph/wp-content/uploads/2021/02/NPC-19-910-In-re-FLI-Decision-
LYA-Final-pseudonymized-17Dec2020.pdf).

Complaints against Fynamics

The decision on Fynamics Lending Inc. resulted from one of the sua sponte investigations
conducted by the NPC against online lending companies. From July 6, 2018, to July 31,
2019, NPC received 689 complaints against online lending companies and their applications.
A total of 113 complaints were made against Fynamics’ online lending app during the period.

Complaints against Fynamics’ online lending app include the following:

1. The app used personal information from complainants’ mobile

phonebook/directory/contact list to contact third persons, without their consent or
authority;
2. Personal information about the data subjects, unwarranted and false information, was
discussed with third persons, including friends, relatives, co-workers, and the data
subject’s superior. These persons were often told that the data subjects named them as
co-makers or character references. In some cases, they were asked to settle the loan on
behalf of the data subjects;
3. Agents or representatives of the app used personal information about data subjects
and others in their contact list to damage the reputation of data subjects or to harass,
threaten, or coerce them to settle their loans;

1
https://www.privacy.gov.ph/2021/02/online-lending-firm-found-criminally-liable-for-violating-data-
privacy-law/

4. Methods used in personal data processing information were unduly intrusive,

including posting on social media of personal and sensitive personal information of
data subjects or even subjecting their contacts to threats and harassment. The personal
information processed was excessive or otherwise used for purposes beyond what is
necessary or authorized under their agreement.

The decision emphasized the role that personal information controllers play in “ensuring that
the innovation and growth that happens in the Philippines continue to abide by the laws and
ethical practices, leading to products and services that are free from any doubt on their
security and informational privacy.”

“The National Privacy Commission once again reminds businesses to adhere to the data
privacy law and respect their customers’ data privacy rights. To operators and companies
behind online lending applications whose business model exploits borrowers, the
Commission is determined to halt your unethical and illegal use of your customers’ personal
information.” Privacy Commissioner Raymund Liboro said.

Dangerous permissions
As mentioned in the Decision, a technical report prepared by the NPC Task Force on Online
Lending Mobile Applications found that Fynamics’ online lending app could access the
complainants’ mobile contact lists. The ability to read the user’s contacts is considered
dangerous permission.

Dangerous permissions are those that “cover areas where the app wants data or resources that
involve the user’s private information or could potentially affect the user’s stored data or the
operation of other apps,” the Decision read.

In October 2019, the NPC issued a ban on data processing against 26 online lending apps for
data privacy violations including debt-shaming. The order led to the takedown of these sites
from app download giant, GooglePlay.

In September 2020, the NPC issued a circular ordering online lending applications to stop
accessing contact lists of borrowers.

The NPC continues to investigate other online lending companies that have been the subject
of numerous complaints ranging from harassment to public shaming of borrowers.

***