NITDA’S SANCTION OF ONLINE LENDING PLATFORM: A CAUTIONARY TALE FOR FINTECHS
The National Information Technology Development Agency (NITDA), the governmental agency responsible for the growth and development of information technology in Nigeria, which includes regulating the use and protection of personal data, has been at the forefront of data privacy and protection in Nigeria. Since the release of the Nigeria Data Protection Regulation 2019 (NDPR), NITDA has continued to establish and enhance the framework for the use and protection of private data. In recent times, the agency has had cause to exercise its powers by imposing sanctions on errant companies.
In the Fintech space, companies such as Electronic Settlement Ltd and recently Soko Lending Company Ltd have been penalized for non-compliance with the NDPR.
In the case of Soko Lending Company Ltd, creator of the online loan product Sokoloan, NITDA indicated in its press release that the fintech company was sanctioned for the following infractions:
- Use of non-conforming privacy notice (contrary to Articles 2.5 and 3.1(7) of the NDPR);
- Insufficient lawful basis for processing personal data (contrary to Articles 2.2 and 2.3 of the NDPR);
- Illegal data sharing without appropriate lawful basis (contrary to Article 2.2 of the NDPR);
- Unwillingness to cooperate with the Data Protection Authority (contrary to Article 3.1(1) of the Data Protection Implementation Framework); and
- Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO) (contrary to Article 4.1(7) of the NDPR).
Each contravention is discussed below in light of the provisions of the NDPR and the NDPR Implementation Framework (“the Regulations”):
Privacy policy
The Regulations require every organisation to publicly display its privacy policy on any medium through which it collects data. Such media include websites and mobile applications. A Fintech’s privacy policy should cover the following points:
- Description of personal data and what is considered consent
- Methods used to collect personal data
- Contact information of the organisation and its DPO
- Purpose and legal basis for processing personal information
- The recipients of personal data and whether data will be transferred abroad
- Criteria for retaining data/retention period
- The various rights of the data subject: to withdraw consent, to request personal data held, to object to data processing, to lodge a complaint, etc.
Any failure to include the specifications required in the privacy policy may expose a Fintech to criminal and civil liabilities. The penalty for entities in breach of data subjects’ privacy rights ranges from 1-2% of their Annual Gross Revenue or 2-10 million naira, whichever is greater, in addition to criminal liability.