LEGITIMATE DATA PROCESSING IN THE FINTECH SECTOR AND THE RIGHTS OF A DATA SUBJECT IN NIGERIA: THE NIGERIA DATA PROTECTION REGULATION IN FOCUS
Introduction
Data has been popularly referred to as the “gold of the 21st century”, and many technology companies have shown that raw data can be mined into something precious. Data-driven platforms are on the rise, and FinTech is probably the most data-intensive sector in the global economy. Faced with rising and changing customer expectations and growing competition among FinTech players, FinTech companies cannot afford to leave large amounts of data unexploited. “Big Data” is the collective term for the methodologies and technologies used to collect, organise, process and analyse large, diverse (structured and unstructured) and complex data sets.
With the growth of the Internet of Things and the introduction of more advanced authentication techniques, many platforms require customers to submit personal data (such as name, location records, bank account details and email addresses) and/or sensitive data (such as information on sexual orientation, ethnicity, race, religious belief, credit information, criminal records, political views, online banking credentials and other sensitive personal information), either about themselves or about a third party.
Misuse or abuse of data by collectors and processors can cause great harm to the data subject and expose data controllers to costly liability. Data protection and privacy laws emerged to impose a minimum standard on the processing and storage of personal data. Internationally, the European Union's General Data Protection Regulation (GDPR) is the most robust and widely copied body of personal data protection legislation. Nationally, several laws contain data protection provisions: the Constitution of the Federal Republic of Nigeria 1999 (as amended), the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, the National Identity Management Commission Act, 2007 and, most importantly, the Nigeria Data Protection Regulation[1], which protects the personal data of the Nigerian citizenry.
Data Protection Under the Nigeria Data Protection Regulation
The Nigeria Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA), is Nigeria’s principal data protection instrument. It prescribes the minimum requirements for the collection, storage, processing, management, operation and control of personal data in Nigeria. It applies to all transactions intended for the processing of personal data, and to the actual processing of personal data by whatever means, in respect of natural persons in Nigeria; it also applies to natural persons residing outside Nigeria who are citizens of Nigeria.
The NDPR defines personal data as any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, by reference to an identifier such as a name, address, phone number, email address, bank details, medical information, or a unique device identifier such as an IP address, MAC address or IMEI number.
FinTech entities such as Venture Garden Nigeria Limited and its subsidiaries fall into the categories of “data controllers” or “data administrators/processors”. A data controller determines the purposes for which, and the manner in which, personal data is or is to be processed; a processor carries out operations on personal data on the controller's behalf, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation, consultation, use or destruction. Both are bound by the NDPR. Before collecting data from a consumer (the “data subject”), they must tell the consumer the specific purpose(s) for which the data is being collected. Consent is the lawful basis FinTech companies rely on most, although the NDPR also recognises processing that is necessary for a contract with the data subject, for compliance with a legal obligation, to protect vital interests, or for a task carried out in the public interest. Where consent is relied on, it must be freely given, specific, informed and unambiguous, signified by a statement or a clear affirmative action, and it must not be obtained by fraud, coercion or undue influence[2].
Article 2.1 of the NDPR sets out the governing principles: personal data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the data subject; it must be adequate, accurate and without prejudice to the dignity of the human person; it must be stored only for the period within which it is reasonably needed; and it must be secured against all foreseeable hazards and breaches, such as theft, cyber-attack, dissemination or manipulation of any kind, and damage by fire, rain or other natural elements.
The NDPR applies to personal data processed within Nigeria or transferred outside Nigeria. Anyone entrusted with personal data owes a duty of care to the data subject and is accountable for their acts and omissions in processing it. Data controllers must designate a Data Protection Officer (DPO) to ensure adherence to the Regulation, publish a privacy policy, and, in the data protection audit filed with NITDA, describe the encryption methods, data security standards and other measures that safeguard the personal data they hold.
Rights of A Data Subject
The NDPR confers a number of rights on data subjects, including: the right to be informed that their data is being processed; the right to complain or send a request to the data controller; the right to withdraw consent at any time; the right to be informed of the safeguards the organisation applies to their data; the right to have their personal data deleted; the right to restrict or object to processing; the right to rectification; the right to be informed of any transfer of their data to another country; the right to complain to the relevant authority; and the right to data portability, that is, to receive their personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller.
The data subject’s right to privacy is also protected by the Constitution of the Federal Republic of Nigeria as a fundamental human right: the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected[3]. The Constitution does not, however, define the term “privacy”.
The NDPR also applies to employers, who therefore have a duty to keep the personal data of their employees safe.
Consequence of Data Breach and Responsibilities of a Data Controller
A data breach is any accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Separately, any failure to comply with the data privacy provisions of the NDPR, even without a security incident, is a breach of the Regulation and attracts the same sanctions.
Under the NDPR, a data controller found to be in breach is liable, in addition to any other criminal liability, to a fine of 1% of its annual gross revenue of the preceding year or N2,000,000, whichever is greater, where it deals with fewer than 10,000 data subjects. Where the controller deals with more than 10,000 data subjects, the fine is 2% of its annual gross revenue of the preceding year or N10,000,000, whichever is greater.
A breach must be reported as soon as the controller becomes aware of it. Independently of any incident, the NDPR imposes standing, time-bound compliance duties on data controllers, including a detailed audit of their privacy and data protection practices. Where a complaint is filed, the NDPR provides for an Administrative Redress Panel to investigate the alleged breach, invite the parties to respond, issue whatever administrative orders are needed to protect the subject matter of the complaint while the investigation is pending, and conclude the investigation and determine the appropriate redress within a maximum of 28 working days[4].
A party dissatisfied with the decision of the Administrative Redress Panel may challenge it in court.
Whether the data controller self-reported the breach is a major consideration in determining the fine. A controller that suffers a breach through negligence or unforeseen circumstances should therefore take decisive remedial action and notify NITDA immediately.
Comparing NDPR and GDPR
Although the NDPR and GDPR are similar in many ways and share the same data protection mandate, their territorial and material scope differ. The NDPR applies to natural persons in Nigeria and to Nigerian citizens residing abroad. The GDPR applies to processing by controllers and processors established in the EU, wherever the processing takes place, and to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. As to material scope, the GDPR excludes processing carried out by a natural person in the course of a purely personal or household activity; the NDPR contains no such exclusion, so it can in principle apply even to a household activity such as text messaging.
Under the GDPR, a data controller must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must notify affected data subjects without undue delay where the breach is likely to result in a high risk to them. The reporting obligation under the NDPR itself is less clear: Article 4.1(5) requires an organisation to audit its procedures for reporting and monitoring privacy, while Article 10 of the Data Protection Implementation Framework (DPIF), also issued by NITDA[5], states that there is a reporting obligation, advises a 72-hour timeframe for reporting to NITDA, and requires notice to the data subject within 7 working days.
Penalties under the NDPR vary with the number of data subjects a company deals with: the top tier of 2% of annual gross revenue of the preceding year or NGN 10 million, whichever is greater, applies only to an organisation handling more than 10,000 data subjects. Under the GDPR, by contrast, national supervisory authorities can fine an organisation up to 4% of its total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher.
Conclusion
The NDPR requires data controllers to collect data for legitimate purposes only. It protects the rights of data subjects by ensuring that processing matches users’ reasonable expectations and that users can decide which third parties may receive their data.
Data controllers should see the Regulation as an opportunity rather than a threat. Not only does it oblige controllers to refrain from arbitrarily commoditising consumers’ data, it also encourages them to be proactive about data protection compliance, which can build or strengthen positive brand affinity among consumers.
[1] Issued in January 2019 by the National Information Technology Development Agency (NITDA) pursuant to Section 32 of the National Information Technology Development Agency Act 2007.
[2] Article 2.2(a) of the NDPR
[3] Section 37 of the Constitution of the Federal Republic of Nigeria 1999, as amended
[4] See Article 4.2 of the NDPR
[5] Issued by NITDA in March 2020 as an implementation framework for the NDPR.