Wema Bank PLC and KC Gaming Networks (Bet Naija) face fines and hefty sanctions over privacy breaches if investigations currently being carried out by the Nigeria Data Protection Bureau (NDPB – the Bureau) find them liable.
Under the Nigerian Data Protection Regulation (NDPR), the country’s principal legislation on data protection enforceable since January 2019, the maximum penalty for breaches of data privacy rights can be up to N10M or 2% of annual gross revenue of the preceding year, whichever is higher and based on the number of Data Subjects dealt with.
The NDPR applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents. It covers transactions intended for the processing of personal data, the actual processing of personal data, and persons residing in Nigeria or residing outside Nigeria but of Nigerian nationality.
In an official statement this week, the NDPB announced through its Legal, Enforcement & Regulations Lead, Babatunde B. Bamigboye, that it was investigating Wema Bank and BetNaija, two data controllers, “in line with Section 37 of the 1999 Constitution and the provisions of Nigeria Data Protection Regulation (NDPR) 2019 – particularly Articles 2.1(2)-(3), 2.6 and Article 4 of the NDPR.”
The NDPR imposes several responsibilities on data controllers and processors to enable them to lawfully obtain and process data, including getting the consent of the data subjects “without undue influence” and filing a Data Protection Audit annually.
As Francis Ololuo, lawyer and data protection expert with S.P.A. Ajibade & Co., noted, “the NDPR mandates all organizations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 Data Subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year. This involves the organization’s audit of its data privacy and protection practices. Audits are meant to show that the data controller or processor complies with the law.”
Litigation and data protection expert, Onwuchekwa Agwu, stressed that the NDPR prescribes two categories of penalties –
- For data controllers dealing with more than 10,000 data subjects, the violation can result in penalties up to 2% of the organization’s annual gross profit of the preceding year or payment of the sum of 10 million Naira, whichever is greater.
- For data controllers dealing with fewer than 10,000 data subjects, a violation can result in penalties up to 1% of the organization’s annual gross profit of the preceding year or payment of the sum of 2 million Naira, whichever is greater.
Since January 2019, the following fines have been issued under the NDPR for breach of data protection regulations –
- Lagos State Inland Revenue Service – 1 million Naira fine.
- Electronic Settlement Limited – 5 million Naira fine.
Notably, in August 2021, Nigerian authorities imposed a fine of N10 million, among other sanctions, on Soko Lending Company Limited (SokoLoan) for violating the NDPR. Following a series of complaints against SokoLoan, an investigation revealed that the company carried out unauthorised disclosures, failed to protect customers’ personal data, and did not demonstrate compliance with the necessary requirement for data diligence as enshrined in the NDPR.
“We expect that things will change quite a bit, as more companies become aware of the regulation and with the supervisory authorities stepping up, issuing heavier fines, adding more pressure on organizations to invest in their NDPR compliance,” added Ololuo.
The NDPB states in its official announcement: “It will be recalled that sometime in May 2022, some customers of Wema Bank PLC complained of breach of their rights to data privacy and protection by the Bank. This data processing, according to the complaints against the Bank, involves using their personal data to open accounts.
“The Bureau is also investigating a report of breach of data privacy at KC Gaming Networks. The breach in this case involved an alleged external attack on the KC Gaming Networks.
“At this stage, the objectives of these investigations as directed by the National Commissioner/CEO of the Bureau, Dr. Vincent Olatunji, are to determine the impact of the breaches on the affected data subjects and the remedial actions taken by the concerned data controllers. The Bureau assures members of the general public that it will ensure proper accountability of the data controllers in the ongoing investigations.”
The objectives of the NDPR include:
- To safeguard the rights of natural persons to data privacy;
- To foster safe conduct for transactions involving the exchange of Personal Data;
- To prevent manipulation of Personal Data; and
- To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.