Concerns As Money Lenders Breach Data Protection Law

By Zakariyya Adaramola

Data breach is becoming worrisome as many private organisations now use information given to them by customers for purposes other than what they were collected for, thereby infringing on privacy of Nigerians.

Micro-money lenders are the biggest culprits as they have recently formed a penchant for abuse of personal data of Nigerians by even hacking into their debtors’ phone contacts, then send messages to those in the contacts, telling them the debtors defaulted in the payment of the loan. This is an abuse to their debtors’ personal data, a breach of their privacy and a betrayer of trust as those who aren’t part of the initial agreement they sealed with customers are unnecessarily bothered with calls and threatening messages.

The National Information Technology Development Agency (NITDA) and the Federal Competition and Consumer Protection Commission (FCCPC) said this much recently when they said they would soon start prosecuting money lenders who abuse their debtors’ data.

Section 17(a) of the FCCPA, 2019 empowers the Commission to administer and enforce provisions of every Nigerian law with respect to competition and protection of consumers.

NITDA said it had received over 40 petitions from members of the public on the personal data abuse of some lending companies. It sanctioned an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion. NITDA said this action was taken after receiving series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR). “Soko Loans grants its customers uncollateralised loans and requires a loanee to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the loanee’s phone contacts’’, NITDA said.

According to one of the complainants, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts.

Investigation revealed many Nigerians who were neither parties to the loan transaction nor consented to the processing of their data have confirmed the receipt of such messages in recent times.

Investigation revealed that the firms embeds trackers that share data with third parties inside their mobile application without providing users information about it or using the appropriate lawful basis.

This amounts to “Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR. And “Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR. It is also amounts to “Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR. The firms’ action is also “Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework and non-filing of NDPR audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.”

Though NITDA said it had made strident efforts to get many of such firms to change their unethical practice, they still do it with impunity.

But the agency said that it has made concerted regulatory approach which would ensure that Nigerians get necessary reprieve from the illegal use of their personal data for money lending operations, and from other firms. It would also partner with other agencies such as the Federal Consumer Protection agency for enforcement and prosecution of offenders of data breach, NITDA’s spokesperson Hadiza Umar had said in a statement.

NITDA had said one of its measures to ensure that data of Nigerians are protected is by issuing licences to data protection companies. The agency said it took the initiative to licence more data protection companies to ensure maximum protection of Nigerians from possible breach and to ensure that Nigeria is not blacklisted from the rest of the world in doing genuine business. The Director General of NITDA Kashifu Inuwa Abdullahi had also said the agency had signed a Memorandum of Understanding (MoU) with the European Union (EU) Data Protection Council, making Nigeria the first African nation to take such a step.

Abdullahi said: ‘‘NITDA is embarking on data protection to make sure that our country is not blacklisted. Eleven companies have been licensed for this purpose and additional 16 licences have been approved. Nigeria had signed a MoU with the EU Data Protection Council to give it international outlook. Data is our new oil . For this reason, NITDA is putting in place an administrative Redress Panel to handle all issues that will arise from the practitioner going forward. NITDA has also set up a legal team to take up any legal issue that may arise. We are also going to have a National Advisory Council to offer advice from time to time where necessary. The data protection advocacy is going to be a continuous thing. All we want to do is to ensure all we do in Nigeria is in line with international best practices,” he said.

A data protection expert, Muili Ologbebe said a lot of data controllers and hosts had been found guilty of breaching peoples’ right. Ologbebe said this has made it imperative for Nigerians to put their foot down to protect themselves from possible data breach, considering its damaging effects.

He said also urged NITDA and other agencies to step up their game and investigate data holders to ensure total compliance with extant laws.

He said many of the contemporary IT Policy were obsolete, and NITDA should take a proactive step to bring in more advances IT policies.

But NITDA said it had begun the process of licensing and partnering with a qualified institution to set standards, prepare exams and issue certifications on data protection skill in the country.

These processes are part of the implementation of the Nigeria Data Protection Regulation (NDPR), a subsidiary of data legislation in the country, it said.

NITDA DG, who disclosed this, also said there was need for Data Protection Officers (DPOs) to keep abreast of trending innovations in order to keep their data credible.

While admonishing DPOs to improve their capacities by adopting best practices for Data Privacy, Abdullahi stated that Artificial Intelligence and Cloud Services are essential elements in safeguarding data from breach thereby enhancing the integrity of data.

He argued that it was pertinent to incorporate artificial intelligence into data protection to enhance its accuracy and consistency. He further disclosed that there is need to sieve and categorize data elements which will determine the cloud adoption strategy to be used.

“One of the ideas we are mulling is to have an industry association for DPOs and the proposed DPO Forum that would be a peer review mechanism and a point of contact with regulators to shape policies and propose standards for the industry”, he said.

According to him, since the issuance of the NDPR in 2019, NITDA has empowered DPOs by drafting, engaging the public, and publishing the NDPR Implementation Framework to shed light on the provisions of the NDPR for easy interpretation and application.

He further noted that the Agency’s partnership with the DPOs has created over 7,600 new job roles in the Data Protection sector. “We envisage that Nigeria would lead Africa by certifying 350,000 persons with local and global competence in data protection by 2024”, he averred.

Editors Note; Written By Zakariyya Adaramola Originally published in Daily trust.