The National Privacy Commission Amends its Guidelines on Processing of Personal Data for Loan-Related Transactions

The National Privacy Commission (“NPC”) released NPC Circular No. 2022-02 (“Circular”), amending NPC Circular No. 2020-01 or the “Guidelines on the Processing of Personal Data for Loan-Related Transactions”. According to NPC Commissioner John Henry Naga, the new guidelines were issued to address data privacy concerns caused by the recent prevalence of online lending.

 

Section 3(A) of NPC Circular No. 2020-01 was amended to require lending companies, financing companies, and other persons acting as such (collectively, “Lenders”) to provide just-in-time notices before obtaining the consent of data subjects (i.e., borrower or loan applicant) for the processing of their personal data. A just-in-time notice provides data subjects with information on how their provided data will be processed.

 

Details on the processing of data shall be provided in the most appropriate format and in consideration of the convenience of the borrowers and the business process or model of the Lenders. For example, in case the loan transaction is facilitated through a mobile application, the information should be readily accessible and easily located within the same platform.

 

The Circular provides that Lenders are prohibited from conducting unnecessary processing, which includes requiring data subjects to consent to unnecessary permissions involving personal and sensitive information. Mobile applications shall only ask for access to personal data through permissions or protected resources if its collection is suitable, necessary, and not excessive to the legitimate purpose of the loan transaction and debt collection. Application permissions which include accessing of contact lists, cameras, microphones, or linking to social media accounts must only commence at the point where such information is necessary for the loan transaction or debt collection (e.g., access to cameras and microphones for purposes of calls, interviews with the Lender, or KYC).

 

In case the Lenders’ application requires access to the camera or photo gallery of the data subject for KYC purposes, access to the camera or photo gallery may be allowed for that particular stage in the loan process only and must be turned off as soon as the KYC has been fulfilled. The Circular specifically requires that when the purpose has already been achieved and there is no other lawful criteria or reason to provide continued access, the mobile application shall prompt the data subject that the application’s access may already be revoked, turned off, or disallowed. Particularly, the Lenders’ application should turn off its access to the camera or photo gallery by default or prompt the data subject through notifications that such access may already be turned off or closed.

 

Access to contact lists is not prohibited, for as long as access to and processing of the list is for the purpose of deriving proportional metadata or for identifying and contacting character references or guarantors provided by the data subject. However, unbridled processing of contact lists is prohibited. Unbridled processing refers to processing that is unconstrained, excessive, and disproportional to the purpose, which includes, but is not limited to, processing that leads to harassment or collection of debt outside of the guarantors indicated by the data subject, or processing that results in unfair collection practices.

 

The Circular also seeks to protect the data privacy rights of the data subject’s character reference and guarantor. Notably, the Circular provides that character references shall not be automatically treated as guarantors to the loan obtained by the data subject. While the Circular states that data subjects have the responsibility of informing their character references of the latter’s inclusion, the Lenders shall also inform the character references that they were chosen by the borrower as a character reference and how their contact details were obtained. They shall be provided with the option of having their personal data removed as character reference should they wish to do so. Moreover, their contact details shall not be used for any other purpose outside of the loan transaction (e.g., marketing).

 

Meanwhile, a guarantor is “one who expressly binds himself or herself to the creditor to fulfill the obligation of the individual borrower in case the latter should fail to do so”. Despite being provided by the borrower as a guarantor, the Lender must separately secure consent from the guarantor. For purposes of debt collection, the Lender is expressly prohibited from contacting persons in the borrower’s contact list other than those who were declared as guarantors.

 

The Circular likewise ensures that Lenders strengthen their security measures to safeguard the information collected. Lenders shall submit the complete list of names of all publicly available applications that they own and operate. Personal Information Processors (“PIPs”) or third-party service providers operating in the Philippines that are engaged by the Lenders shall also be required to register with the NPC whenever they are engaged in the processing of personal data. PIPs and third-party service providers shall ensure that the appropriate controls are in place to ensure that the processing of personal data is secured and protected.

 

Violators of the Circular shall be liable for penalties, fines, and other disciplinary measures as provided in Republic Act No. 10175, otherwise known as the “Data Privacy Act”, its implementing rules and regulations, and other issuances of the NPC.