Introduction
In Nigeria, the menace of loan apps abusing personal data has become a significant concern, particularly with the rise of digital lending platforms. These platforms, while providing quick and easy access to loans, often engage in practices that may infringe on the privacy and data protection rights of individuals. The legal framework in Nigeria, including the Nigeria Data Protection Act, 2023, provides a basis for addressing these issues. Under the Nigeria Data Protection Act, 2023, there is a clear mandate for the protection of personal data. Under the Nigerian Data Protection Act, 2023 (sec 65. Interpretation), Personal data means any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, psychological, genetic, cultural, social or economic identity of that individual.
The prevalent use of Loan Apps in Nigeria has raised concerns regarding data protection and privacy. This stems from the fact that the apps gain access to information of users, including their contacts, location and financial data. Digital lending has almost dominated the traditional banking loans and the rise of technology has made the process seamless.
However, in the course of this transactions, the rights of persons are usually violated by unscrupulous loans shark who resort to unprofessional means of recovering their loans. This Shylock means or tactics may be by criminal defamation, harassment, cyberbully, cyberstalking, death threats, breach of data privacy rights, amongst others. As the implementation of the NDPR gains traction, there has emerged a debate amongst privacy rights activists and data protection enthusiasts regarding the relationship that exists between the rights of a Data Subject under the NDPR and the privacy rights guaranteed under the Constitution of the Federal Republic of Nigeria, 1999 (as amended). Specifically, the debate is whether the rights of the Data Subject under the NDPR may be subsumed under the right to privacy provided in the Constitution, such that the Data Subject, whose rights under the NDPR have been breached may enforce these rights by way of an action brought under the Fundamental Rights (Enforcement Procedure) Rules, 2009 (the “FREP Rules”). The extant FREP Rules were enacted on 1 December 20096 under the authority of Section 46(3)7 of the Constitution and prescribes the procedure for the enforcement of fundamental rights enshrined in Chapter IV of the Constitution as well as the fundamental rights provided for under the African Charter on Human and People’s Rights8 (the “African Charter”). This notion, however, seems misplaced as shall be demonstrated in this article. It will also be shown that a Data Subject’s rights under the NDPR may not necessarily enjoy the same status as the rights specifically guaranteed by the Constitution, and as such, the Data Subject’s rights under the NDPR may not be enforced using the procedure prescribed by the FREP Rules. Some data protection enthusiasts have argued that the rights of the Data Subject under the NDPR are analogous to the right to privacy under Section 37 of the Constitution and as such, those rights can be enforced in the same manner in which fundamental rights guaranteed under the Constitution may be enforced.
The proponents of this view contend that the Data Subject’s rights under the NDPR are a specie of the right to privacy under Section 37 of the Constitution and to that extent, those rights are enforceable the same way the privacy right may be enforced. This contention recently found support in the decision of the Ogun State High Court presided over by the Honourable Justice O. Ogunfowora, in Incorporated Trustees of Digital Rights Lawyers Initiative and L.T Solutions & Multimedia Limited9 (DRLI VS LTSM) where it was held that a Data Subject’s rights under the NDPR may be enforced the same way a Constitutional right is enforced under the FREP Rules. On the flip side, those opposed to this view, however, argue that a Data Subject’s rights under the NDPR are neither constitutional rights nor fundamental human rights under the African Charter, and as such, cannot be enforced under the procedure provided in the FREP Rules. This position received judicial approval in the recent judgment of the Federal High Court of Nigeria (the “FHCN”) presided over by the Honourable Justice Ibrahim Watila delivered on 9 December 2020 in the case between the Incorporated Trustees of Laws and Rights Awareness Initiative and The National Identity Management Commission10 (RAI vs NIMC). It was held in the case that a breach of Data Subject’s right under the NDPR is not necessarily a breach of the right to privacy under the Constitution, so that a claim for interpretation of the provisions of the NDPR is not a fundamental rights action falling within the purview of the FREP Rules. This seems to be the latest judicial decision on the subject.
‘Robertson v. Livingspring Micro Finance Bank Ltd & Anor’ ((2020) LPELR-49600(CA) Pp. 16-24, Paras. A-D) and others, although primarily focused on the enforceability of loan agreements and related issues, indirectly touch upon the obligations of financial institutions to handle personal data responsibly as part of their lending practices. The obligations of data controller and data processor towards data subjects are provided under section 29 of the NDPA 2023. Where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the data controller or data processor engaging another shall ensure that the engaged data processor:
(a) complies with the principles and obligations set out in this Act as applicable to the data controller;
(b) assists the data controller or data processor, as the case may be, by the use of appropriate technical and organisational measures, in the fulfilment of the data controller’s obligations to honour the rights of a data subject under Part VI;
(c) implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data as required in Part VII of the NDPA 2023;
(d) provides the data controller or engaging data processor, where applicable, with information reasonably required to comply and demonstrate compliance with this Act; and
(e) notifies the data controller or engaging data processor, where applicable, when a new data processor is engaged.
Processing of Data and Data Protection
The protection of data raises concerns as to the unauthorized collection and processing of data; lack of transparency in the storage of data; unauthorized and illegal disclosure of sensitive data; and even insufficient data security. Expectedly, Loan apps must obtain explicit and informed consent from users before collecting, using, or sharing their personal data. This consent should be clear, easily understandable, and freely given. It is not unusual for a data subject who is desperate for a loan to give access to his contacts messages and even location at the point of application without understanding the implication. The right of a data subject to withdraw consent after obtaining a loan is governed by the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA). According to the NDPR (Sec 35), data subjects have the right to withdraw consent at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
This means that if a data subject withdraws consent after obtaining a loan, the withdrawal does not invalidate the processing of personal data that occurred prior to the withdrawal when the consent was still in effect. The data subject’s withdrawal of consent might affect the continued use of their data for additional processing beyond the original scope agreed upon when the loan was obtained. Financial institutions and lending apps must ensure they have mechanisms in place to allow for the withdrawal of consent in compliance with the NDPR. They must also ensure that they do not use the data for purposes beyond what was initially consented to without obtaining new consent from the data subject. This aligns with the principles of data minimization and purpose limitation under the NDPR. Under the provisions of section 5.5.7 of the CBN Consumers protection Regulations which rightly makes provisions to ensure that debt recovery processes are transparent, courteous and fair, devoid of undue pressure, intimidation, harassment, humiliation or threat. It states that Institutions shall Not engage in any of the following:
A. Contact friends, employer, relatives or neighbours of a customer for any information other than information on employment status, telephone numbers or address, except where:
i. the person has guaranteed the loan; or
ii. the person has consented to be contacted.
B. Require any of the persons listed in (a) above to offset the debt, except where the person has acted as a guarantor.
C. Make telephone or personal contact with customers between the hours of 9.00pm and 8.00am for the purpose of debt recovery, except with the prior consent of the customer.
Loan apps revealing personal data of defaulters to third parties is a significant concern, especially in the context of data protection laws in Nigeria. The Nigeria Data Protection Regulation (NDPR) 2019, which is the primary legislation governing data protection in Nigeria, mandates that personal data must be processed lawfully, fairly, and transparently. It also requires that data processing be done with respect for the privacy and rights of the data subject. Section 33 of the Cybercrimes Act outlines the conditions under which financial institutions can disclose customer information to authorized bodies like the Central Bank of Nigeria or licensed credit bureaus without the customer’s consent, but requires that the customer be notified of such disclosure within a specified timeframe.
Furthermore, the Lagos State High Court Practice Direction on expeditious disposal of civil cases provides a structured approach to debt recovery, emphasizing the need for creditors to furnish debtors with detailed information about the debt and to explore amicable settlement options before resorting to litigation. Violations of data protection laws in the course of debt collection can lead to sanctions by the National Information Technology Development Agency (NITDA), which oversees compliance with the NDPR. NITDA has the authority to impose fines and other penalties on entities that breach data protection regulations.
Under the NDPR, consent is a fundamental aspect of lawful data processing. If a loan app discloses personal data of defaulters to third parties without explicit consent or a legitimate legal basis, such as a court order or compliance with a legal obligation, it could be considered a breach of the NDPR. The penalties for such breaches can include fines and directives to cease processing from the National Information Technology Development Agency (NITDA), which oversees data protection compliance. Furthermore, the Cybercrimes (Prohibition, Prevention, etc.) Act also provides relevant provisions against unlawful disclosure of personal data. Section 38 of this Act criminalizes the disclosure of personal data without proper authorization, which can apply to loan apps disclosing borrower information without consent.
In UNITY BANK v. ZAMAFARA STATE COMPULSORY FREE UBEB (2020) LPELR-52782(CA) Pp. 35-36, Paras. F-E , the court opined that “The Respondent is a stranger to the loan agreement between the Appellant and Zamfara State Government. It is settled law that a third party to a transaction such as loan agreement contained in Exhibit B1 cannot sue or be sued on it even if it is made for its benefit. This is pursuant to the general principle that a contract only affects the parties to it and cannot be enforced by or against a person who is not a party even if the contract is made for his or its benefit. See VIDE NEGBENEBOR VS NEGBENEBOR (1971) 1 ALL NLR 210, IKPEAZU VS AFRICAN CONTINENTAL BANK LTD. (1965) NMLR 374, and OKEOBOR VS EYOBO ENGINEERING SERVICES LTD. (1991) 4 NWLR (pt. 187) 553. ” Per ABUBAKAR MAHMUD TALBA, JCA (Pp 35 – 36 Paras F – E).
According to the CBN consumer protection framework, Section 5.5 debt collection; The CBN shall set guidelines for ethical practices in the industry. These guidelines shall be based on dialogue, respect for the consumer’s privacy, and the longevity of consumer-Financial institution relationships, among other things. Financial institution can adopt the following methods to recover debts:
- COMMUNICATE WITH THE DEBTOR: Try to reach out to the debtor and discuss the situation. You may be able to agree on how the debt can be paid off. If you are unable to resolve the matter through communication, you may want to consider sending a demand letter.
- CONSIDER MEDIATION OR ARBITRATION: If the debtor is unwilling to pay the debt, you may want to consider using alternative dispute resolution methods such as mediation or arbitration. It is less expensive and more efficient than going to court.
- FILE A LAWSUIT: Taking legal action in court for debt collection is the last resort when a debtor fails to pay a debt owed after a Letter of Demand has been issued. Legal action can be taken in Court if the debt is owed as a result of a service contract or loan arrangement. The court has the authority to hear and decide a debt collection case, as well as to compel payment from the debtor. The suitable court to file a legal action is determined by the total amount owing. In general, a debt collection case in Lagos State or most other regions of Nigeria can be initiated through the Magistrate Court, the State High Court, or the Federal High Court. A debt collector must be careful not to employ any of the following means or methods for debt recovery: harassment, abuse or oppression of the debtor, use of threat or violence, use of obscene languages, employ the use of thugs, mystical, occultism or any diabolical methods; and most of all, the use of the police or other security agents to arrest a debtor. The Police are not empowered by any statutes to recover debts, as they are not debt collectors.
Debt Collection Practices: Loan apps must comply with applicable debt collection laws, avoiding harassment, threats, or unfair tactics.
Legal Remedies
A data subject whose right has been violated by a loan app is open to any of the remedies below. The remedies could be through the Regulators and/or the Action for Enforcement of Fundamental Human Right among other remedies.
Petition Regulators
The NDPR
Loan apps must endeavor to comply with the laid down principles of NDPR, they must ensure lawful processing of data (section 2.2), transparency (section 2.3), and data security (section 2.6). This is more so as data subjects have the right to: Request access to their data (Section 3.1); Rectify inaccurate data (Section 3.1(7)(h)); Object to processing (Section 3.1 (11)), and Request deletion (Section 3.1 (9)). To demonstrate how Nigeria has fared since the inception of the NDPR, there has been a plethora of litigations on data protection, which goes to show that data protection is indeed gaining traction, and data subjects are becoming more aware of their rights under the NDPR and other data protection legislation. In Paradigm Initiative for Information Technology v Nigerian Identity Management Commission (NIMC), one of the issues for determination was the right of the Respondent to process personal data without adequate security. This was the first case the Federal High Court took judicial notice of the NDPR as legislation on data protection in Nigeria. Subsequently, Nigerians began enforcing their rights under the NDPR in a court of law. In Confidence Staveley v Access Bank Plc, the applicant sued the respondent for the disclosure and transmission of the applicant’s personal data to a third party without her consent or any other legal basis as provided by the NDPR, thus constituting a breach of confidentiality as well as a breach of the applicant’s rights as provided by the NDPR.
The NITDA
NITDA can investigate complaints (Section 6(c) NITDA Act); Impose fines (Section 17 NITDA Act); and Order data rectification or deletion (Section 18 NITDA Act). A readily made recent example is the fine of “SOKOLOAN”a digital lending company, by NITDA in 2021 following several petitions/complaints regarding breach of its customer’s data.
The Consumer Protection Council
The Council can investigate complaints (Section 3 CPC Act) and order compensation (Section 10 CPC Act).
The Nigeria Data Protection Commission
The Nigerian Data Protection Act provides for a legal framework for the protection of personal information and establishes the Nigeria Data Protection Commission for the regulation of the processing of personal information. Part V of this Act provides for principle and lawful basis governing processing of personal data and part VI provides for the Right of Data subjects. Part X rightly provides for the remedies available to data subjects who are aggrieved by the by the decision, action or inaction of a data controller or data processor in violation of this Act or subsidiary legislation made under this Act.
An Action for Enforcement of Fundamental Human Right
Generally, digital money lenders activities often involve obtaining personal data of customers such as name, address, occupation, data of birth, email address, passport photograph, BVN, etc, to perform risk assessment as well as determine the creditworthiness of the borrowers. By so doing, the lenders become and operate as data controllers who must adhere to the dictates of the Nigeria Data Protection Regulation (NDPR) in the handling and processing of customer’s data. Therefore, it follows that when personal data of a customer is breached by a lender via sending defamatory messages to contacts (third parties) who were not privy to the loan arrangement with the lender, the borrower and such third party can institute an action for the enforcement of their right to privacy as data privacy rights have been held to be subsumed under the right to privacy guaranteed and protected under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria, 1999 as amended.
When this action is taken, the Court may grant reliefs of Injunctions, Damages and/or Declaration. In Emerging Markets Telecomunication Services Ltd v. Eneye (2018) LPELR- 46193(CA), the intermediate Court held that:
“It is my view that by giving those unknown persons and organizations access to the respondent’s Etisalat GSM phone number to send unsolicited text messages into it, amount to violation of the respondent’s right to privacy guaranteed by Section 37 of the Constitution, which includes the right to privacy of a personal telephone line. See Nwali vs. EBSIEC & ors (2015) 2 CAR 477 at 508-510”. See also Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. NIMC(2021) LPELR- 55623 (CA) (pp.29-32 Paras D-E) and Article 2.9 of the NDPR, 2019.
Justice D.Y. Chandrachud of the Supreme Court of India in the recent case of K. S. Puttaswamy (Retd.) v Union of India (2015) 8 SCC 735, was pungent when he held:
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. ..”
Action for Defamation
A data subject whose rights has been violated through unprofessional mechanisms of the lender, may institute an action for defamation of character. The person must prove that the imputation complained of is defamatory; It refers to him/her (the customer); and It was published. See with approval the case of See the case of Skye Bank Plc v. Akinpelu (2010) 8 NWLR (Pt. 1198) SC 118; Onu v. Agbese (1985) 1 NWLR (Pt 4) SC 704.
Criminal Defamation
Many a times, this loan sharks go beyond mere defamation. Therefore, when defamation is criminal, it is advised to petition law enforcement agencies like the Nigerian Police, for criminal defamation, cyberbullying, cyberstalking, etc pursuant to the Criminal code or criminal law of the state, Cybercrimes (Prevention and Prohibition Act, 2015, amongst others. This would majorly involve the police inviting the suspect for interrogation, failure of which the suspect may be tracked, and arrested for full blown investigation. Where evidence abounds, the suspect may be charged to Court and prosecuted accordingly.
Civil Actions.
Data subjects can also initiate a civil law suit seeking damages, injunctions or other appropriate relief.
Recommendations
To curb the incessant violation of rights of data subjects, the following recommendations are quite apt:
- Loan apps should conduct data protection impact assessments.
- Implement robust data security measures.
- Provide transparent data processing notices.
- Obtain explicit user consent.
- Data subjects should report suspected data breaches to NITDA or the Consumer Protection Council.
Conclusion
There is an imperative for Loan apps to comply with Nigeria’s data protection laws and regulations. Data subjects have rights and remedies available to address concerns. In the case of DIAMOND BANK & ANOR v. IRECHUKWU & ORS (2018) LPELR-44866(CA) Pp. 11-19, Paras. D-E The question to be answered is “Whether the arrest and detention of a person for failure to repay a bank loan amounts to an infringement of his right to personal liberty?” The issue is;Whether the learned Judge was right when he held that the arrest and detention of the 1st Respondent were inexcusable and constituted a gross violation of the 1st Respondent’s right to personal liberty? Upon considering the facts that gave rise to filing this suit, it is obvious that the transaction between the 1st Respondent and the 1st Appellant is civil in nature as reflected in the letter dated 19/02/2009 written by the 1st Appellant to the 1st Respondent on pages 9 – 11 of the record of appeal. It was held that this issue is answered in the affirmative. The learned trial Judge was right when he held that the arrest and detention of the 1st Respondent cannot be excused as it constituted a violation of the fundamental rights to personal liberty of the 1st Respondent,” Per BITRUS GYARAZAMA SANGA, JCA (Pp 11 – 19 Paras D – E).
Regulatory bodies, such as NITDA, NDPC and the Consumer Protection Council, have powers to investigate and enforce compliance, and also to purge the entire system of the menace of loan apps. By enforcing data protection laws and regulations, Nigeria can mitigate the menace of loan apps and protect citizens’ sensitive information.
Written by:
S. B. Ananah, Esq.
For: Crystalite Solicitors.
Okay this is highly informative.
Great Piece.
Hmmmm. We suppose know all these things o