The National Information Technology Development Agency (NITDA), the Nigerian government agency charged with coordinating information technology development in the country, has fined an online lending firm, Soko Lending Company Limited (Soko Loans), N10 million for breach of the privacy of its customers and the Nigeria Data Protection Regulations, 2019 (NDPR).
NITDA fined Soko Loan after it received a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character, as well as not carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
In one such breach, Bloomgate Solicitors filed a complaint on behalf of its client, which NITDA received on November 11, 2019, and as part of its due diligence process, the agency commenced an investigation into the allegation of infractions of the provisions of the NDPR. It discovered that Soko Loan grants its customers uncollateralised loans but requires loanees to download its mobile application on their phone and activate a direct debit in the company’s favour. The app, however, also gains access to loanees’ phone contacts.
A complainant disclosed that when he failed to meet his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, Soko Loans unilaterally sent privacy-invading messages to his contacts, who were neither parties to the loan transaction nor had consented to the processing of their data.
NITDA said it made strident efforts to get Soko Loan to change the unethical practice but to no avail. Thereafter, its investigation team secured a lien order on one of the company’s accounts by which it could come up with privacy enhancing solutions for its business model, but Soko Loan decided to rebrand and directed its customers to pay into its other business accounts.
The Agency said its investigation further revealed that Soko Loan embedded trackers inside its mobile application that share customers’ data with third parties without providing users information about it or using the appropriate lawful basis.
As a result, NITDA found Soko Loan and its entities in violation of the following legal provisions:
Use of non-conforming privacy notice, contrary to Articles 2.5 and 3.1(7) of the NDPR;
Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR;
Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR;
Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of the Data Protection Implementation Framework; and
Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.
In addition to fining Soko Loan N10 million, NITDA also directed that no further privacy-invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR; directed Soko Loan to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO on its operation; and placed the company on mandatory Information Technology and Data Protection oversight for nine months.
NITDA disclosed that it has deposited criminal aspects of this investigation with the Nigeria Police to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
The National Information Technology Development Agency (NITDA) is the apex regulator for Information Technology in Nigeria under the supervision of the Federal Ministry of Communication and Digital Economy. The Agency is empowered by Section 6(c) of the NITDA Act, 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria. It issued the Nigeria Data Protection Regulation (NDPR) as Nigeria’s first comprehensive framework for the protection of personal data. The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents.