by Gabriel Eze, Associate

 

Privacy breaches by online lending platforms; the new normal that must be curbed?

 

Data-privacy breaches by a number of online lending platforms in Nigeria appear to be the new normal that must be curbed. Disinterested Nigerians are constantly bombarded with text messages on transactions that they are neither  parties to nor have any interest in. This consequently disturbs their peace, invades their privacy, and quiet enjoyment of their devices. Last month, a similar text was shared on a WhatsApp group I am a member of. The text which disclosed the phone number of the loanee required the recipient “to kindly inform Jack Jill [pseudonym] who is a lying/chronic debtor that he has defaulted in his loan repayment to ABC Lending Company [pseudonym].” The message stated that the defaulter-loanee “has proven to be dubious by constantly avoiding [their] calls.” It threatened to tag the defaulter-loanee as fraudulent and share the unsolicited text to his phone contacts if he did not make payment in 20 minutes. It further stated that the Loanee “cannot be trusted with money which he has shown by his dubious attitude.” 

Sounds familiar? 

Here is how it works: a prospective loanee is required to download the lending platform’s mobile application (App) to secure an uncollateralized loan. Through the App, the lending platform is able to access the loanee’s phone contacts. Upon default in repaying the loan, the lending platform sends unsolicited messages to the phone contacts of the defaulter-loanee. Sometimes, the lending platform  may even threaten to prosecute these third party-contacts if they fail to produce the  defaulter-loanee. Bizzare!

 

Perhaps, Sokoloan didn’t see my earlier precautionary post.

In May 2021, I wrote a precautionary post about businesses that control personal data of Nigerians who are protected as data subjects under the Nigeria Data Protection Regulations (NDPR) 2019. I cited Electronic Settlement Limited as a case in point. The National Information Technology Agency (NITDA) had fined Electronic Settlement Limited N5 Million for data breach. Now, in a similar development, NITDA has fined Sokoloan, an online lending platform, the sum of N10 Million for privacy invasion. I’d like to imagine that if Sokoloan had seen my earlier precaution to players in the industry or had the benefit of proper legal advice, it would have probably made necessary amends or at least actively prepared itself against any punitive measures by NITDA as well as a possible criminal  prosecution  by upholding industry best practices. The likely reputational damage to Sokoloan could have been either avoided or at least better managed. This is one of the reasons  businesses and organizations in Nigeria really need to take user’s data privacy more seriously. 

 

NITDA fines Sokoloan N10 Million for data breach, defamation of character, amongst others.

NITDA imposed a fine of N10 Million on Sokoloan on grounds of unauthorized disclosures, failure to protect customers’ personal data, defamation of character, and failure to carry out  necessary due diligence as enshrined in the NDPR. NITDA reports that when one of the complainants failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts. After investigations, NITDA found Sokoloan and its entities liable and in violation of the following legal provisions:

1. Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR;
2. Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR;
3. Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR;
4. Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework; and
5. Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.

 

Lessons for Businesses that control personal data  in Nigeria.

When I wrote on the Electronic Settlement Case, I had hoped—as I imagine NITDA would also have hoped—that the fine NITDA imposed on Electronic Settlement Limited would deter other similar companies who control personal data of Nigerians within NITDA’s threshold to apply themselves accordingly. But I may have been wrong, if Sokoloan’s case is anything to go by. I can’t help but wonder if some of these lending companies are unaware of the NDPR, blatantly disregard it, or are reckless about the consequences of their actions. 

 

Operational recommendations to Businesses that control personal data of Nigerians.

The Regulation requires that within six months after the Regulation is issued, each organization shall conduct a detailed audit of its privacy and data-protection practices. The following information must be stated in the audit personally identifiable information the organisation collects on employees of the organisation and members of the public:

1. any purpose for which the personally identifiable information is collected;
2. any notice given to individuals regarding the collection and use of personal information relating to that individual; any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual; and
3. whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent to mention a few.

Considering the above, I recommend the following practices to businesses controlling personal data in Nigeria:

1. Ensure that you conduct the statutory audit report for your business in line with data and privacy best practices;
2. Prepare comprehensive data privacy notices, privacy policies and terms of use that align with the NDPR and other sector-specific data laws or regulations;
3. Structure the policies and procedures for assessing the impact of technologies on the stated privacy and security policies of your business; and
4. Avoid illegal data sharing with third parties without lawful basis.

 

Conclusion

Although NITDA has, until recently, prioritized developmental regulation over restrictive regulation, applying its regulatory authority to help create opportunities while also minimizing risks,  its approach does not however mean that it will not enforce compliance where there is a breach. And this it has begun implementing. And increasingly so. 

As NITDA keeps advising, data controllers and businesses within the NDPR’s spectrum should engage competent professionals to guide them towards compliance with the data protection laws and regulations. The Agency  has reiterated its position to “fully enforce the NDPR with the aim of sanitising the operating environment, instilling confidence in the digital economy and protecting the right to privacy of Nigerians.” 

At Infusion Lawyers, we continue to use our expertise and experience in the data protection and data privacy space to preempt businesses in our care from violating  and falling on the wrong side of the law. On the other hand, private individuals whose right to privacy have been violated or is under the threat of being violated, enjoy the benefit of our legal expertise in dealing with such situations on their behalf.