Individuals Should Have Authority to Decide Whether to Share Sensitive Data, Legal Experts Argue

Worried that there have been data privacy breaches by online banks, the National Information Technology Development Agency (NITDA) has promised to launch an investigation into their activities, particularly, loan providers.

The Guardian checks have revealed that these online banking platforms breach the privacy of customers with reckless abandon. In 2021, for instance, NITDA said it received 40 petitions from the public about companies that abuse user data.

In August, it imposed an N10 million ($24,000) fine on Soko Lending Company, owners of Sokoloan – an app launched in September 2018 that has over 1 million downloads on the Google Play Store.

The Guardian gathered that what has become more worrisome is that the conventional banks have joined the fray. The Nigeria Data Protection Bureau (NDPB) recently disclosed that it was investigating Wema Bank PLC and KC Gaming Networks (Bet Naija) for alleged breach of customers’ data privacy.

In a statement signed by the Legal, Enforcement & Regulations Lead, NDPB, Bolu Bamigboye, “the objectives of these investigations, as directed by the National Commissioner of the Bureau, Vincent Olatunji, are to determine the impact of the breaches on the affected data subjects and the remedial actions taken by the concerned data controllers.”

The statement said, “this data processing, according to the complaints against the bank, involves using their personal data to open accounts. The bureau is also investigating a report of a breach of data privacy at KC Gaming Networks. The breach, in this case, involved an alleged external attack on the KC Gaming Networks.”

NITDA, already, is teaming up with the Federal Competition and Consumer Protection Council, Nigeria’s consumer protection and antitrust watchdog, to enforce privacy rights in accordance with the Nigeria Data Protection Regulation (NDPR) enacted in 2019.

Besides the petitions, the Director-General of the agency, Kashifu Inuwa, said many Nigerians had recently lamented on social media over alleged unethical and dehumanising conduct of e-commerce platforms that offer short-term loans.

LEGAL experts argue that individuals should have the authority to decide whether or not they want to share certain information, as well as who has access to it, for how long, and for what purpose.

Pointing to the NDPR 2019, which is focused on data privacy and protection, they said individuals should have the ability to change some of this information if necessary. They note that NITDA’s Nigeria Data Protection Regulations (NDPR) 2019 was specifically targeted at addressing Data Privacy and Protection in Nigeria.

Section 37 of Nigeria’s 1999 Constitution, which is the cornerstone of the country’s data privacy rights and protection, harps on Nigerians’ right to privacy in their residences, correspondence, telephone conversations, and telegraphic communications is guaranteed.

While the Nigerian Communications Commission (NCC) Consumer Code of Practice Regulation 200715, Part VI of the NCC regulation, deals with the protection of consumers’ data in the telecoms sector, all licensees must take reasonable precautions to secure their customers’ information from improper or inadvertent disclosures, according to Regulation 35.

The part presupposes that licensees may not disclose this information to a third party unless the consumer or commission authorises it or other applicable laws or regulations require it.

Legal experts cite such laws as the Cyber Crimes (Prohibition, Prevention, etc.) Act 2015; The Cybercrimes (Prohibition, Prevention, etc.) Act, Nigeria’s foremost law on cybercrimes criminalises data privacy breaches. This act prohibits, prevents and punishes cybercrimes in Nigeria. It prescribes that anyone or service provider in possession of any person’s personal data shall take appropriate measures to safeguard such data.

Such laws also include, The Child Rights Act 2003, the act protects and guarantees the right of every child to privacy, family life, home, correspondence, telephone conversation and telegraphic communications subject to the supervision or control of the parents or guardians.

Also, the Central Bank of Nigeria’s Consumer Protection Framework prohibits financial institutions from disclosing the personal information of their customers. It also ensures that these financial institutions take appropriate measures to safeguard customers’ data and necessitates the prior written consent of their customers before sharing these data with anyone.

Another law targeted at protecting consumer privacy is National Identity Management Commission (NIMC) Act 2007. Section 26 of this Act requires the approval of the Commission before a corporate body or anybody can have access to data stored in their database. The Act also empowers the NIMC to collect, collate and process data of Nigerian citizens and residents.

The National Health Act (NHA) 2014, which regulates health users and healthcare personnel, restricts the disclosure of the personal information of users of health services in their records. It also ensures that healthcare providers take the necessary steps to safeguard such data.

There is also Federal Competition and Consumer Protection Act 2019. This Act stipulates that the Federal Competition and Consumer Commission shall ensure that business secrets of all parties concerned in investigations conducted by it are adequately protected during all stages of the investigation or inquiry.

Unfortunately, with these regulations in place, citizens’ privacy is still being violated when they visit online banking platforms and other regular banks.

Dr Lukman Adebisi Abdulrauf, a senior lecturer, at the Department of public law, University of Ilorin, said the Nigerian Constitution guarantees the right to privacy of individuals under Section 37.

This right, according to him, entails that individuals should have some level of discretion and solitude to live their life the way they want, provided such is within the boundaries of the law. This protection covers information about individuals, which is considered private or personal.

However, recent advances in technology have increasingly put pressure on this right. It is now difficult to be effectively protected with technology, considering how intrusive it can be.

Remarkably, personal information about individuals is easily mined and used for several purposes by the government and private businesses such as banks. This constitutes a violation of the right to privacy. To effectively protect the right to privacy within this context, countries worldwide have passed data privacy legislation. Nigeria is yet to pass data privacy legislation.

However, NITDA has recently adopted a regulation that serves the purpose of a data protection law – the Nigeria Data Protection Regulation 2019. The NDPR is an essential instrument in almost all sectors, particularly those that handle individuals’ personal information. This is especially true considering that most businesses have migrated online and now offer products and services through digital systems. Thus, banks are critical institutions that must comply with the provisions of the NDPR.

There are several ways banks infringe the right to data privacy, especially when issuing loans.

According to the NDPR, banks can only process (a technical term which means the collection, storage, use, access, or transmission) information about customers in their possession only after satisfying certain conditions.

The conditions include that such information must only be collected for a lawful and legitimate purpose and must be with the customer’s consent. Thus, it is a violation of the NDPR where a bank (or digital lending platform) goes to the Internet, for example, to fetch information about a customer to determine if s/he is qualified for a loan.

Similarly, it is a breach of the NDPR for the bank to rely on information about a customer for other sources without the customer’s consent. Even when personal information about a customer is lawfully collected (i.e.- with consent), a bank is precluded from sharing this information with other institutions. Indeed, it is common for banks to collaborate among themselves in sharing information when an application for a loan is before them.

For bank A to share information about a customer to Bank B, such can only be done with the customer’s consent. With regard to consent, it is noteworthy that banks must obtain it freely without fraud, coercion or undue influence. From this brief explanation, it is clear that banks (or other online lending institutions) publishing names and further details of loan defaulters on their websites is a violation of the NDPR since it is done without the customer’s consent.

The most typical means by which banks and other digital lending platforms violate customers’ data privacy rights is through the forceful access to a borrower’s device to extract phone contact and location data.

This sort of violation led to the enforcement action against sokoloans, a digital loan company that resulted in the imposition of a ₦10,000,000 fine by NITDA.

This fine is the highest imposed and shows the extent to which NITDA can wield the big stick to protect individuals’ data privacy right. In this case, sokoloan granted customers uncollateralised loans after they have downloaded its mobile application on their phone.

The sokoloan application can access the customer’s phone contacts, and when the customer defaults in repayment, spam messages were sent to the phone contacts of the customer. NITDA considered this to be an ‘Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR.’

Peace Adebola Okeshola said, “despite that Nigeria lacks a formal statute governing data privacy and protection, NITDA commendably issued NDPR in 2019, which expressly covers data privacy and protection in Nigeria.”

The NDPR includes provisions for data subjects’ rights, data controllers’ and processors’ obligations, and data transmission to a foreign area, among other things.

The lawyer added that Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (‘the Constitution’) establishes data protection as a constitutional right in Nigeria. As a result, data protection has been the responsibility of each sector’s regulatory authority.

The Nigerian Communications Commission (NCC) governs data collected or processed by Internet service providers and telecommunications firms, while the Central Bank of Nigeria (CBN) monitors financial data protection.

However, she said, “despite the regulations on data protection, there have been continuing customer complaints regarding unjustifiable, illegal and dubious payback enforcement techniques employed by online loan banks. “We have seen instances where bogus allegations have been made by these online loan banks calling and texting their defaulters contacts making baseless acquisitions and addressing them as criminals, dubious persons, kidnappers, etc. These continuing customer complaints regarding dubious payback enforcement techniques, including public shaming and privacy invasions, have resulted in enormous and justifiable consumer annoyance and unhappiness.

“It is surprising how these online loan agencies access the debtors’ contacts and defame their debtors. Nigeria’s online fintech environment has been abused, borrowers have been faced with branding and shaming, with their privacy compromised in the name of loan collection.”

The lawyer continued, “while NITDA, in an attempt to curb this excess of online loan platforms and their vehement disregard of the rights of the debtors, has set a penalty of N10 million on any online lending platform that acts in disregard of the reputation and engages in data privacy invasion. However, many of them continue to operate in violation of NDPR.

“The data invasion of these online loan platforms is a constitutional breach and should be treated as such. The penalty placed by the NDPR might not remedy the harm caused by the defamation and breach of privacy. More punitive sanctions should be meted on defaulting Platforms to serve as deterrent.”