Data breach in Nigeria is becoming a menace as lots of private organizations now use customers’ information for other purposes rather than what it was intended for hence infringing on the privacy of Nigerians.
Micro-Money lenders are the biggest defaulters in this regard as they have lately developed a fondness for abuse of personal data of Nigerians by muddling through their debtors’ phones to have access to their contact list and afterward send random messages to the contacts about their debtors defaulting in the repayment of the loan.
This act is a data breach of privacy, abuse of the debtors’ personal data, and a betrayal of trust to their customers as people who were not involved in the loan agreement sealed with their customers are now being notified through unnecessary calls and life-threatening messages.
Section 17(a) of the FCCPA, 2019 empowers the National Information Technology Development Agency (NITDA) and the Federal Competition and Consumer Protection Commission (FCCPC) to administer and enforce provisions of every Nigerian law with respect to competition and protection of consumers.
The Commission has hereby stated that they would soon begin to prosecute money lenders who abuse their debtors’ data.
Steps Taken to Curb Data Breach
NITDA is said to have received over 40 petitions from members of the public on the personal data abuse aiding data breach by some micro-money lenders companies. It has recently sanctioned an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion.
NITDA stated that this action was necessary after receiving a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data, defamation of character as well as carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
“Soko Loans grants its customers uncollateralized loans and requires the loanee to download its mobile app on their phone, and activate a direct debit in the company’s favor. This application gains access to the loanee’s phone contacts”, NITDA said
A report from one of the complainants is that when he was unable to meet up with his repayment obligations due to insufficient funds in his account on the agreed date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts.
Thorough findings revealed that a lot of Nigerians who were neither a part of the loan transaction nor gave their consent to the processing of their data have confirmed the receipt of such messages in recent times. Also, the firms are found to embed trackers that share data with third parties in their mobile app without the knowledge of its users about it or using the appropriate lawful basis.
This adds up to “Use of the non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR. And “Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR. It also is an “Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR. The firms’ action can as well be sum up to “Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework and non-filing of NDPR audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.”
Despite NITDA saying it had made strident efforts to get many of such firms to change their unethical practice, they still do it with impunity. The Agency has stated that it will partner with other agencies such as the Federal Consumer Protection agency for enforcement and prosecution of offenders of the data breach and make a concerted regulatory approach that would ensure that Nigerians get required reprieve from the illegal use of their personal data by money lending operations, and other similar firms, NITDA’s spokesperson Hadiza Umar had stated in a statement.
One of the laid down measures by NITDA to ensure the data protection of Nigerians is by issuing licenses to more data protection companies. The Agency said this initiative was necessary to ensure maximum protection from possible data breaches and ensure Nigeria is not blacklisted in doing genuine businesses with the rest of the world. The Director-General of NITDA Kashifu Inuwa Abdullahi has also stated that the agency has signed a Memorandum of Understanding (MoU) with the European Union (EU) Data Protection Council, making Nigeria the first African nation to take such a giant step.
“NITDA is venturing into data protection to make sure that our country is not blacklisted. Eleven (11) companies have been licensed for this purpose and additional 16 licenses have been approved. Nigeria has signed an MoU with the EU Data Protection Council to give it an international outlook. Data is our new oil. For this reason, NITDA is putting in place an administrative Redress Panel to henceforth handle all issues that will arise from the practitioner. NITDA has also set up a legal team to take up any legal issue that may arise. We are also going to have a National Advisory Council to offer advice from time to time where necessary. Data protection advocacy has to be a continuous process. All we want is to ensure that all we do in Nigeria is in line with international best practices,” Abdullahi stated.
Muili Ologbebe a data protection expert said lots of data controllers and hosts are guilty of breaching peoples’ rights. He stated that this has made Nigerians stand up to protect themselves from likely data breaches considering its damage effects.
He as well pointed out that, many contemporary IT policies are obsolete and NITDA should be proactive by incorporating more advanced IT policies. Also, NITDA and other agencies should up their game and do thorough findings regards data holders to ensure total compliance.
NITDA says it has begun the process of licensing and partnering with a qualified institution to set the standards, prepare exams and issue certifications on data protection skills in the country. These processes are part of the implementation of the Nigeria Data Protection Regulation (NDPR), a subsidiary of data legislation in the country, it said.
NITDA DG who revealed this has also stated that to keep abreast of trending innovations in order to keep data credible, there is a need for Data Protection Officers(DPOs) to improve their capacities by adopting the best practices for Data Privacy.
Abdullahi admonished them that Artificial Intelligence and Cloud Services are essential elements in safeguarding data from being breached thereby enhancing the data integrity.
He thereby slated that it was essential to incorporate AI into data protection to ensure its accuracy and consistency. He also said there is a need to filter and categorize data elements that will determine the cloud adoption policy to imbibe.
“One of the ideas we are considering is to have an industry association for DPOs and a proposed DPO Forum that would be a peer review mechanism and a point of contact with regulators to shape policies and propose standards for the industry”, he said.
According to him, since the issuance of the NDPR in 2019, NITDA has empowered DPOs by drafting, engaging the public, and publishing the NDPR Implementation Framework to shed more light on the provisions of the NDPR for ease of interpretation and application.
He further indicated that the Agency’s partnership with the DPOs has created new jobs with over 7,600 roles in the Data Protection sector.
“We look forward to Nigeria leading Africa by certifying 350,000 persons with local and global competence in data protection by 2024”, he stated.