Be Careful: 4 Local Online Lending Apps Ordered Taken Down For Privacy Violations
Four local online lending apps have been ordered taken down from the Google Play Store for alleged violations of the data privacy law. The National Privacy Commission (NPC) said it is coordinating with Google’s regional office to get JuanHand, Pesopop, CashJeep, and Lemon Loan off of its app download platform as they have been the subject of numerous complaints of unauthorized use of personal data, leading to harassment and shaming of borrowers.
In a news release, the NPC said the apps can process information ranging from a borrower’s sensitive personal data, location, photos, media files, emails, contact lists, and data from social media platforms like Facebook, Instagram, and Google+.
The apps have reportedly gained access to “a trove of information in the borrowers’ mobile devices, including contacts and social media data, that are excessive and may be weaponized to harass and shame delinquent borrowers before persons in their mobile devices’ contact list to collect debts.”
Banning the four apps is “crucial to prevent serious privacy risks and protect and preserve the privacy rights of data subjects,” Privacy Commissioner Raymund Liboro said. “These online lending apps raised many red flags and the companies operating these apps demonstrate problematic data actions that expose borrowers to serious privacy risks and harms.”
In addition to the ban, the NPC also ordered the companies operating the apps—Wefund Lending Corporation (Juan Hand), Joywin Lending Investor Inc. (Lemon Loan), Cash8 Lending Corporation (CashJeep), and Populus Lending Corporation (Pesopop) to immediately stop processing their borrowers’ personal data.
Two of the companies did not file position papers when the NPC reached out to them for comment, while the other two failed to convince the Commission why it should not impose the ban.
The NPC said it is studying whether the OLA operators’ directors, officers, and agents are criminally liable for its handling of users’ private data.
What the OLAs did
Based on the investigation by the NPC’s Complaints and Investigation Division (CID), the apps violated the principles of transparency, legitimate purpose, and proportionality in the Data Privacy Act of 2012 and the NPC issuance on the Processing of Personal Data for Loan-Related Transactions.
“The four apps have gained access to practically all the data in a borrower’s mobile device, according to NPC’s CID, which simulated the registration process of loan applicants and evaluated source codes,” the NPC said. “The apps can process information ranging from a borrower’s sensitive personal data, location, photos, media files, emails, contact lists, and data from social media platforms like Facebook, Instagram, and Google +.”
As an example, the NPC said JuanHand could read a borrower’s calendar of events and confidential information, add, and modify calendar events, and send emails to contacts without the borrower’s knowledge. The CID’s Fact-Finding Report also found that borrowers have unwittingly granted JuanHand a “permanent right” to use the “true, up-to-date, valid and complete information” they have provided so they can avail themselves of a loan."
JuanHand has been downloaded over one million times from the Play Store. Lemon Loan and Pesopop, more than 500,000 times each; and CashJeep, over 100,000 times.
As of Thursday afternoon (August 26), JuanHand and Pesopop are no longer present on the Google Play Store, but Lemon Loan and CashJeep are still there and could still be downloaded byusers.
The NPC said is studying more than 200 OLAs available for download and intends to issue orders and other actions based on its investigation.