Nigeria: The Online Lending Boom And Data Privacy Concerns In Nigeria

Introduction

The proliferation of online loan apps has become a necessary evil for many low-income Nigerians, who feel compelled to borrow to shield against the effects of the harsh economic realities in the country, especially since the COVID-19 pandemic. The requirements for tangible or non-tangible collaterals including proper documentation for any loan transaction by traditional banks are becoming less patronised, and therefore such loans which can be easily accessed online becomes a preferred choice for many.

However, in recent times, these digital lending platforms have resorted to unprofessional measures of harassment, cyberbullying, and breach of data privacy of their customers who may have defaulted in their loan(s) repayment.¹ In light of these events, personal data protection and privacy have become issues of great concern for a number of stakeholders. In a bid to address this issue and tailor the legal guidelines responsible for regulating this development, this article seeks to examine relevant provisions of the Nigeria Data Protection Regulations (NDPR) and other data protection and privacy laws that provides a regulatory framework for transactions that implicate personal data and related enforcement actions for breach. In order to prevent money loan companies from further exploitation of their customers' personal information, compromising their privacy, and granting unauthorized disclosures of personal data to third parties upon default of loan(s) repayment, we make recommendations for addressing the breach of privacy laws impacted by the conduct of these digital lending platforms.

The Legal Framework of Data Privacy and Protection Laws in Nigeria

Section 37 of the Nigerian Constitution² provides a foundation on data privacy rights and protection in Nigeria. Section 37 guarantees and protects the right of Nigerians to privacy with respect to their homes, correspondence, telephone conversations and telegraphic communications. Thus, Privacy is deemed a fundamental human right and is enforceable in a court of law when breached. Prior to the NDPR, most cases of data privacy breaches were enforced under this section.

It is pertinent to note that Nigeria does not have a specific federal statute regulating data privacy and protection. On 25 January 2019, the NITDA commendably issued the NDPR³ - a subsidiary federal regulation pursuant to its powers under the NITDA Act.⁴ The NDPR specifically addresses Data Privacy and Protection in Nigeria. The Regulation, in a bid to regulate the constituents of data protection and privacy, introduced novel methods in ensuring compliance with its innovative data protection and privacy framework for organizations that collect, process, store, transfer and retain personal data.⁵

The NDPR applies to all transactions intended for the processing of personal data, to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria.⁶ It also applies to natural persons residing in Nigeria or Nigerian citizens residing in foreign jurisdictions.⁷ Based on the definition section of the NDPR, data processing means "any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".⁸

Part of the objectives of the NDPR aims to safeguard the rights of natural persons to data privacy, preventing manipulation of personal data and fostering confidence through the safe conduct of transactions involving exchange of personal data.⁹

The NDPR also specifically confers certain rights on persons (described as Data Subjects) that provide their personal data to ensure that they exercise certain control over the use of their personal data. Regulation 3.1 of the NDPR outlines the rights of data subjects to include the right to information about their personal data, right to access their personal data, right of rectification of their personal data information, right to withdraw consent, right to object, right to data portability and right to be forgotten.

Enforcement Actions against breach of the NDPR

The Nigeria Information Technology Development Agency (NITDA), by virtue of the NITDA Act and NDPR, is empowered to implement and undertake any enforcement actions upon breach of the NDPR provisions.

In August 2021, after receiving a series of complaints against Soko Lending Company Limited (Soko Loans), an online lending platform, NITDA sanctioned the company for privacy invasion. This action was taken against Soko Loans for unauthorized disclosures, failure to protect customers' personal data, defamation of character as well as failure to carry out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).

Soko Loans grants its customers uncollateralised loans via its digital medium as it requires a loanee to download its mobile application on their phone and activate a direct debit in the company's favour. The app gains access to the loanee's phone contacts after the loanee has consented to the illegal terms and conditions of Soko Loan App.¹⁰ The Agency's investigation further revealed that the company embeds trackers that share data with third parties within its mobile application without providing users information about it or using the appropriate lawful basis for processing and sharing of such data.¹¹

NITDA therefore found Soko Loans and its entities in violation of the following legal provisions:

1. Use of non-conforming privacy notice,¹²
2. Insufficient lawful basis for processing personal data,¹³
3. Illegal data sharing without appropriate lawful basis,¹⁴
4. Unwillingness to cooperate with the Data Protection Authority;¹⁵ and
5. Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO),¹⁶

In view of the foregoing and in consideration of its implication on the privacy of Nigerians and erosion of public trust in the digital economy, NITDA thereby:

1. Imposed a monetary sanction of Ten Million Naira (N10,000,000) on Soko Lending Company Limited;
2. Directed that no further privacy invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR;
3. Directed the company to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO on its operation; and
4. Imposed a mandatory Information Technology and Data Protection oversight for 9 months.

As a result of this enforcement action by NITDA fully implementing the provisions of the NDPR, NITDA has been able to restore the confidence of potential Nigerian data subjects in its enforcement mechanism, by safeguarding their rights to privacy and ensuring their trust in the Nigeria digital economy. This action also serves as a strong deterrent to all Nigerian businesses who are data controllers and/or administrators from processing third party data collected in an unauthorized manner. Furthermore, this serves to emphasise the importance of engaging a NITDA-licensed Data Protection Compliance Organisation (DPCO) for guidance on compliance with the data protection laws in the country to avoid breach.

Conclusion

It is commendable that Nigerian authorities through their laws and various regulations are taking bold steps to protect the personal data of her citizens. However, despite the array of laws and regulations on data privacy and protection, the only law that specifically and comprehensively deals with this matter is the NDPR issued by NITDA. With the efforts embarked on by the government to curtail the many excesses of these lending platforms from further breaches of Nigerian data privacy, experts¹⁷ say there is a need for the government to take more rigorous steps on the matter to ensure that the unethical practices of these lending platforms are monitored and curtailed.

The National Assembly needs to consider enacting a federal Act or an enabling statute that strictly addresses data protection and privacy pursuant to Section 37 of the Nigerian Constitution with stringent penalties to serve as deterrence to defaulting entities that compromise sensitive data of customers with unorthodox methods of debt recovery. At this juncture, it is pertinent to question why no traction has been witnessed on the legislative review and approval of the draft Federal Data Protection Bill 2020 which was circulated to various stakeholders in the Nigerian cybersecurity space for input. Despite the wide applause this garnered in terms of the bill meeting global standards, this was subsequently abandoned. Earlier, the Nigeria Data Protection Bill 2018, which went through a similar process, was not signed by President Muhammadu Buhari in 2019. The Nigeria Data Protection Bill 2020 was drafted by an interagency committee to improve the Nigeria Data Protection Bill 2018 and be harmonised with the NDPR 2019.

The current joint efforts between NITDA and other collaborating agencies such as Federal Competition and Consumer Protection Commission (FCCPC)¹⁸ to address the increasing rates of data privacy abuse by money lending operators, particularly for financial technology companies (fintech) is laudable and a step in the right direction to forestall further nefarious activities of money lending companies and its effect on families, relationships, and the society at large, as some of the complainants had contemplated suicide and other extreme measures, indicating that the government needed to do more to protect vulnerable Nigerians.¹⁹ NITDA can also improve on its enforcement measures and monitoring to ensure compliance by securing more government resources and employing more staff to ensure that it is well equipped to take the necessary action against such lending companies. Furthermore, by deploying the monitoring functions of the DPCOs the NITDA will have further assistance in ensuring compliance with the NDPR or any foreign Data Protection Law or Regulation having effect in Nigeria.

Footnotes

1. https://www.premiumtimesng.com/news/headlines/499999-investigation-how-digital-loan-providers-breach-data-privacy-violate-rights-of-nigerians.html, accessed on 3rd February 2022.

2. The Constitution of the Federal Republic of Nigeria 1999 (as amended). Act No. 24, 5 May 1999.

3. See Nigeria Data Protection Regulation (NDPR), 2019, available at: https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf, accessed on

3rd February 2022.

4. NITDA is empowered by section 6(a) of the NITDA Act (2007) "to create a framework for the planning, research...evaluation and regulation of Information Technology practices, activities and systems in Nigeria."

5. See para. 4.2 NDPR Implementation Framework.

6. Article 1.2 (a) NDPR.

7. Article 1.2 (b) NDPR.

8. Article 1.3 (xxi) NDPR.

9. Article 1.1 NDPR.

10. https://www.premiumtimesng.com/news/headlines/499999-investigation-how-digital-loan-providers-breach-data-privacy-violate-rights-of-nigerians.html accessed on 3rd February 2022.

11. Enforcement basis available at: https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/ accessed on 3rd February 2022.

12. This is contrary to Article 2.5 and 3.1(7) of the NDPR.

13. This is contrary to Articles 2.2 and 2.3 of the NDPR.

14. This is contrary to Article 2.2 of the NDPR.

15. This is contrary to Article 3.1 (1) of Data Protection Implementation Framework.

16. This is contrary to Article 4.1(7) of the NDPR.

17. Mr. Lekan Afolabi, a Data Privacy expert, proffered that government agencies such as the Ministry of Digital Economy and NITDA should ensure awareness programmes are carried out to educate Nigerians on data privacy and protection.
https://www.premiumtimesng.com/news/headlines/499999-investigation-how-digital-loan-providers-breach-data-privacy-violate-rights-of-nigerians.html accessed on 3rd February 2022.

18. https://nitda.gov.ng/nitda-collaborates-with-the-federal-competition-and-consumer-commission-fccpc-to-tackle-data-abuse-by-money-lending-operations/ accessed 2nd March 2022

19. U.J Ifeanyi, "NITDA, FCCPC to sanction money lending FinTechs for abuse of customers' data privacy", available at https://nairametrics.com/2021/11/12/353469/ accessed 7th February 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.