The rising trend of loan sharks exploiting customer data has sparked a pressing demand for the strict enforcement of data protection laws, writes SAMI OLATUNJI
Data breaches are becoming increasingly concerning as a growing number of private companies abuse the personal information of Nigerians by using it for marketing or other reasons unrelated to those for which it was originally obtained.
In recent years, as people’s financial situations have worsened, many have turned to online lenders and other “soft loan” companies for assistance. However, they are the primary perpetrators of data theft since they have recently developed a taste for abusing the private information of Nigerians. One common tactic involves hacking into debtors’ phone contacts and then texting those friends with the news that the debtor has defaulted on the loan’s repayment. Those who were not a part of the original deal they sealed with clients are unduly disturbed by calls and threatening messages, which is an abuse of personal data, a breach of privacy, and a betrayal of trust.
In the Nigerian Data Protection Regulation Performance Report 2020-2021, it was disclosed that Nigerians made 1,350 calls to report data breaches in 2021. That year, the National Information Technology Development Agency engaged in 17 data breach investigations and issued N15m fines afterwards. By 2022, the Nigeria Data Protection Bureau revealed that it was investigating over 110 data controllers and data processors for their data processing activities.
The National Commissioner/Chief Executive Officer of NDPB, Dr Vincent Olatunji, said, “We are investigating over 110 data controllers and data processors for various degrees of data privacy and protection breaches.
“The most worrisome are those in the financial and the telecom sectors. Four banks, online lending companies, one telecom company and one gaming company are being investigated. The vulnerabilities in these sectors are high partly due to the capabilities of intrusive mobile apps.
“When you factor in lack of due diligence on the part of data controllers in engaging data processors or vendors who have access to personal data of customers, what you see in some cases is a pattern of abuses in violation of the Nigeria Data Protection Regulation and Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.”
The risk of a data breach was recently highlighted by Minister of Communications and Digital Economy, Prof Isa Pantami, at the National Privacy Week 2023.
The minister said, “If you look at it, the quantity of data that is being generated today, if there is no data privacy compliance in place, definitely it will compromise global security. If you have a mobile phone, you will discover that with some applications, if care is not taken, the information the controllers of these gadgets have about you, you do not even know it. They know more about you than you know about yourselves.
“With our situation today, local and international companies are illegally and secretly commercialising citizens’ data without their knowledge.
The minister further stressed the need for principal legislation for data protection in the country.
He said, “The law about data protection is not in any way to punish our citizens, but rather to create awareness so that we will all be data compliant.
“That is why it is important. We are urged to comply, and today because of awareness creation, reaching out to other institutions, sanctions and interrogating others, you will discover that the compliance rate is going higher.”
He added that the introduction of data protection law will boost the confidence of foreign investors in the nation’s economy and propels them to do business in Nigeria.
In the wake of the rapid growth of the digital economy, the World Bank and stakeholders have advised the Federal Government of Nigeria to enact a data protection and privacy law as soon as possible.
At a two-day policy dialogue on Nigeria’s Data Protection law, World Bank’s Country Director for Nigeria, Shubham Chaudhuri, urged the Nigerian government to take urgent steps toward legislating a data protection law for the country.
According to Chaudhuri, digital identification is a key to unlocking the potential of nations, and a data protection law was crucial for Nigeria.
“Digital identification is key to unlocking the potential of nations. A data protection law is very critical for Nigeria. Nigeria’s potential for a digital economy is high. We are hopeful that Nigeria will be able to enact a data protection and privacy law soon.”
To ensure that citizens’ private data remains secure when applied to “digital things,” the Nigerian government formed the National Data Protection Bureau in 2022. The NDPB’s efforts to pass data protection legislation have been significant. The Minister of Communication and Digital Economy presented the Nigeria Data Protection Bill to the Federal Executive Council in January 2023, and the Council unanimously supported sending the bill to the National Assembly for further consideration.
The 8th Assembly had already enacted the draft Data Protection Bill, but President Major General Muhammadu Buhari (retd.) did not sign it. This was a result of issues brought up by relevant parties about certain provisions of the previous bill. Nigeria’s Digital Identification for Development Project and the NDPB have met with key stakeholders and policymakers to solve these issues and fine-tune the current bill at the National Assembly.
The NDPR will be replaced as soon as the Data Protection Bill passes the National Assembly. The bill’s stated goal is to establish guidelines for the proper handling of private information in order to constitutionally protect the rights and freedom of individuals whose data is being processed.
It is, therefore, essential to note that the Federal Government is already taking action to prevent further data breaches by online lenders. For instance, recently, a group led by the Executive Vice Chairman of the Federal Competition and Consumer Protection Commission, Mr Babatunde Irukera, swooped down on alleged operators of illegal online lending apps.
In Opebi, Ikeja, in Lagos State, the FCCPC, the Independent Corrupt Practices and Other Related Offences Commission, and the NITDA conducted a joint raid on a number of accused online lenders, including GoCash, Easy Credit, Speedy Choice, Kash Kash, Easy Moni, Sokoloan, and All Cash.
Also, after initially announcing 106 players would be allowed to operate in Nigeria, the FCCPC has since expanded that number to 173. The total number of approved lenders is 119, with another 54 receiving “conditional approval.”
In order to ensure that all digital lenders are legitimate, the FCCPC is updating its list and following its “Limited Interim Regulatory/ Registration Framework and Guidelines for Digital Lending 2022.” In August 2022, while sanctions and calls to Nigerian fintech were being made to prevent predatory digital lenders, the framework was released. After the news broke, digital lenders were given until January 31, 2023, to apply for regulatory clearance.
In addition, as of May 31, 2023, loan apps available through the Play Store would no longer have access to users’ contact information or media files. Google’s latest policy is in line with the Nigerian government’s efforts to limit the invasion of its citizens’ privacy by loan app providers, therefore, the Federal Government has announced that it will enforce the policy. According to Google’s updated policies in April 2023, people in Nigeria and other countries who have become accustomed to the rudimentary loan retrieval methods used by most lending apps will finally get some relief.
Speaking recently on Arise TV on how the recent registration drive of the commission will protect the privacy of Nigerians, Irukera stated, “We also want to restrain what kind of information they can pull off people’s phones and what they can do with that information, especially with respect to making contact with people on the contact list, and their loan recovery practices; the kind of language the times they call, what kind of things they say.”
All the steps taken by the government need to be guided by a principal law, which is the National Data Protection Law. Unquestionably, Nigeria is in dire need of a data protection law, as citizens have had one form or another of their data compromised without easy retrieval, resulting in enormous financial losses, reputational harm, revenue losses, and other forms of abuse.
The establishment of this law is essential, particularly in light of the rising incidence of identity theft, cyberstalking, data mining, theft, and internet fraud, as well as the growing number of reported cases of financial information abuse by financial institutions, mobile service providers and telecom companies, and unregulated loan credit companies, among others.
It becomes pertinent that the current National Assembly should pass the data protection law for the president to sign it. This will provide an additional layer of protection for the nation’s digital identity ecosystem and, in no small measure, safeguard the nation’s rapidly expanding digital economy, boost investor confidence, and ensure robust protection and safeguarding of personal information from being stolen and misused for fraudulent purposes, thereby reducing the incidence of identity theft and fraud and serving as a buffer for the privacy of citizens’ personal data.
The Association of Licenced Data Protection Organisations of Nigeria has recently advocated for a national data protection law to reduce concerns about data leakage, ensure the confidentiality and privacy of data, and advance the nation’s digital transformation efforts. Mr Ivan Anya, the chairman of the association, stated that the Data Protection bill if enacted into law will also facilitate effective data flow and stimulate economic growth in the country.