The National Information Technology Development Agency (NITDA) has sanctioned an online lending platform, Soko Lending Company Limited, otherwise referred to as Soko Loans, for privacy invasion.
A statement signed by Mrs Hadiza Umar, head, Corporate Affairs and External Relations at NITDA, reads that the action was taken after receiving series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
“One of such complaints filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, 11th November 2019”, according to IT regulator in Nigeria.
Continuing, the message reads:
“NITDA, as part of its due diligence process, commenced investigation over the alleged infractions of the provisions of the NDPR.
Soko Loans grants its customers uncollateralised loans and requires a loanee to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the loanee’s phone contacts.
According to one of the complainants, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy invading messages to the complainant’s contacts.
The Agency made strident efforts to get Soko Loan to change the unethical practice but to no avail. After the Agency’s investigation team secured a lien order on one of the company’s accounts by which it could come up with privacy enhancing solutions for its business model, Soko Loan decided to rebrand and directs its customers to pay in to its other business accounts.
NITDA said that it found Soko Loan and its entities in violation of the following legal provisions:
Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR;
Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR;
Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR;
Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework; and
Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.
In view of the foregoing and in consideration of its implication on the privacy of Nigerians and erosion of trust in the digital economy, NITDA imposed the following sanctions on the loan company:
a monetary sanction of Ten Million Naira (N10,000,000) on Soko Lending Company Limited.
directs that no further privacy invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR.
directs the company to pay for the conduct of a Data Protection Impact Assessment by a NITDA appointed DPCO on its operation; and
Placement on a mandatory Information Technology and Data Protection oversight for 9 months.
“It may be noted that the criminal aspects of this investigation has been deposited with the Nigeria Police to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
“NITDA therefore uses this medium to remind all Nigerian businesses and data controllers of their obligation to engage NITDA-licensed Data Protection Compliance Organisations (DPCO) to guide them towards compliance with the data protection law.
NITDA is the apex regulator for Information Technology in Nigeria under the supervision of the Federal Ministry of Communication and Digital Economy.
The Agency is empowered by Section 6(c) of the NITDA Act, 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria.
The Agency issued the Nigeria Data Protection Regulation (NDPR) as Nigeria’s first comprehensive framework for the protection of personal data.
The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and Residents