By Osasómé C.O
The Nigeria Data Protection Commission (NDPC) has imposed a fine of N555,800,000 (Five Hundred and Fifty-Five Million, Eight Hundred Thousand Naira) on Fidelity Bank PLC following an investigation into breaches of the Nigeria Data Protection Act, 2023, and the Nigeria Data Protection Regulation, 2019. The fine, amounting to 0.1% of the bank’s annual gross revenue in 2023, must be paid within 14 days of receiving the Notice.
RELATED: In 2024, NDPC must apply the stick and strengthen a national privacy culture
According to Babatunde Bamigboye, NDPC’s Head of Legal, Enforcement, and Regulations, the investigation was initiated by a complaint from a data subject whose personal data was unlawfully collected for the purpose of opening an account.
The complaint, lodged in April 2023, led the Commission to review Fidelity Bank’s data processing practices. The findings revealed that in several critical instances, the bank processed personal data without obtaining informed consent from data subjects. This includes the use of data processing tools such as cookies and banking apps, which were deployed in violation of the NDP Act. At the time of the investigation, Fidelity Bank’s app had been downloaded over one million times.
Fidelity Bank reviewing “remediation efforts”
Fidelity Bank PLC has informed IT Edge News that it is reviewing the matter and will continue discussions with the NDPC on “remediation efforts.”
The Commission also found that, in addition to internal non-compliance, Fidelity Bank relied on non-compliant third-party data processors. The law requires organizations to ensure that their vendors, agents, and contractors are also accountable when handling personal data.
The NDPC’s initial decision was issued in July 2023, with a directive to pay the remedial fee following in December 2023. Despite repeated warnings and over ten correspondences exchanged, Fidelity Bank did not provide a satisfactory remedial plan.
Authorities increasingly enforcing compliance with local data protection laws
In a related case, the Federal Competition and Consumer Protection Commission (FCCPC) fined WhatsApp, owned by Meta, $220 million in July following a joint investigation with the NDPC.
Nigerian authorities are increasingly enforcing compliance with local data protection laws, with the NDPC currently investigating several social media companies and financial institutions, including fintech firms.
In January, the NDPC announced it was scrutinizing Zenith, GTB, Fidelity, Leadway Insurance, and Babcock University for alleged unlawful disclosure of banking records and improper processing of personal data.
As Nigerian banks and financial organisations face growing data protection challenges, the NDPC emphasizes the need for strict adherence to the legal framework protecting the personal information of over 219.6 million customers, as reported by the Nigeria Inter-Bank Settlement System Plc (NIBSS) in March 2024.
Dr. Vincent Olatunji, National Commissioner and CEO of the NDPC, urges data controllers and processors to avoid practices that undermine trust in Nigeria’s ability to safeguard data-driven decisions and transactions.
He emphasizes that economic growth relies on the assurance of accountability in data exchange, and that compliance with data protection laws will drive sustainable development in the country.