KEY PERSONAL DATA PROTECTION CONSIDERATIONS FOR NIGERIA’S CREDIT ECONOMY
Introduction
Nigeria’s President Bola Ahmed Tinubu, during his inaugural address on
May 29, 2023, spoke of his vision of a credit economy as a panacea to
corruption. He had stressed that the good life that Nigerians deserve should
not always be immediately paid for in cash. Today, with the continuation of
various intervention funds in the financial services sector and the
introduction of student loans to ameliorate the demands of increased school
fees, among others, Nigeria may be at the threshold of an expanded credit
economy. Such a credit system will, however, require increased credit reporting
infrastructure and processes, the foundation of which, Nigeria’s Credit
Reporting Act 2017 had set. Cognisant of the overarching role of individuals as
ultimate borrowers in the credit system, that is, regardless of the veils of
corporate borrowing, it is important that credit reporting infrastructure and
processes create that healthy balance between commerce and fundamental freedoms
such as privacy rights.
In this piece, we seek to highlight some personal Data protection
considerations for Nigeria’s credit economy; reviewing the copious personal Data
protection provisions of the Credit Reporting Act 2017 (the CRA)
and emphasizing the responsibilities of the Nigeria Data Protection Commission
(the Commission) in facilitating relevant infrastructure and processes
for the protection of privacy rights, howbeit that the CRA preceded the
Commission’s existence. Conclusively, we seek that the CRA and the needs of the
Nigerian credit economy be brought in conformity with the Nigeria Data
Protection Act, 2023 (the NDPA) which same President Bola Ahmed
Tinubu signed into law on June 12, 2023.
The CRA and the Regulation of the Credit Economy
The CRA provides the framework for the establishment, regulation, and operation of the Nigeria credit reporting function as facilitated by Credit Information Providers (CIPs) and consumed by Credit Information Users (CIUs).
Per the CRA, a CIP is a person or entity who by virtue of a transaction, provides the credit information of a person or organization to a Credit Bureau. A CIP provides information on the creditworthiness of borrowers, especially individuals, to Credit Bureaus. Naturally, CIPs do collect, that is, process personal Data. CIPs include individuals or organisations that provide credit information, for example, banks, other financial institutions, leasing companies, insurance companies, cooperative societies offering credit facilities, asset management companies, goods suppliers, or service providers on a post-paid, deferred or installment service basis, et. al. Accordingly, an independent contractor or an employee of a company may report information on default in payment of remuneration or contractual fees to a Credit Bureau, thereby becoming a CIP. CIUs on the other hand are persons or organisations that the CRA authorizes to collect or process credit information from Credit Bureaus. Rationally, CIPs can be CIUs.
Credit Bureaus sit at the heart of the CRA as they can both be CIPs and CIUs. They are licensed institutions that collect financial information from creditors and available public sources about individuals and businesses and thereon create Credit Reports which are used by CIUs, especially credit providers, to determine creditworthiness. Credit Bureaus are licensed by the Central Bank of Nigeria (CBN) subject to their fulfilment of certain requirements. Prior to the enactment of the CRA, the activities of Credit Bureaus were regulated by the CBN’s Guidelines for the Licensing, Operations, and Regulation of Credit Bureaux and Credit Bureaux Related Transactions in Nigeria 2013 (the Guidelines). The CRA provides that the Guidelines be interpreted in a manner that aligns them with the provisions of the CRA unless the CBN reissues or replaces the Guidelines. Nigeria currently has 3 Credit Bureaus, namely: Credit Registry Plc, FirstCentral Credit Bureau Ltd and CRC Credit Bureau Ltd. Their functions include issuing credit reports, creating and maintaining a database of credit and related information, providing credit application investigation services, et.al.
The CRA in light of the NDPA
Among others, the CRA sets out the applicable standards and conditions for credit information sharing as well as the options open to a potential borrower (in this piece referred to as a Data Subject) where a CIP reports inaccurate credit information. In other words, it is specifically tailored to govern credit reporting activities, focusing on the collection, dissemination, and other processing of credit information by credit reporting agencies. The NDPA on the other hand, has a broader scope encompassing all forms of personal Data processing across various sectors beyond credit reporting. It establishes a comprehensive framework for the protection of personal Data in Nigeria’s digital age.
“Data Subject” is not defined by the CRA but by the Guidelines. Under the Guidelines which, again, came before the CRA, a Data Subject is any person or entity or a guarantor of any person or entity whose credit information is administered by a Credit Bureau. This definition is broader than that of the extant NDPA, under which a Data Subject must be a living natural person thus disqualifying any entity, other than a natural person from being considered a Data Subject.
The CRA emphasizes that Credit Bureaus must not disclose the credit information of a Data Subject to CIUs without the Data Subject’s written consent or a contract (such as Data Processing Agreements or Data Exchange Agreements) executed between such CIU and the Credit Bureau explicitly indicating that such disclosure is for a permissible purpose stipulated by the CRA. In addition, CIUs are prohibited from disclosing any credit information received from a Credit Bureau to any person or using such information for any other purpose other than the permissible purpose without the consent of the Data Subject.
CIPs are however allowed to disclose credit information to Credit Bureaus without obtaining consent from the Data Subject. All confidentiality obligations of CIPs and CIUs to Data Subjects under law or contract can be waived or modified to such extent as to fulfil any obligations stipulated by the CRA. Consequently, CIPs and CIUs can report credit information of any Data Subject on the lawful basis of the legal obligation imposed on them by the CRA.
With the recent enactment of the NDPA as the extant law on personal Data protection in Nigeria, CIPs and CIUs in Nigeria are now obligated to have further personal Data protection considerations by virtue of requirements by both the NDPA and pertinent financial sector regulations, such as the CRA and accompanying Guidelines. A CIP or CIU can lawfully process personal data including credit information under the NDPA if, the:
1. Data Subjects (limited to natural persons) have given explicit consent for the processing of their credit information. Consent should be freely given, specific, informed, and unambiguous;
2. processing is necessary for the performance of a contract with the Data Subject or for taking pre-contractual steps at the Data Subject’s request;
3. processing is necessary for the legitimate interests pursued by the CIP, CIU or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject;
4. processing is necessary to protect the vital interests of the Data Subject or another person;
5. processing is necessary for compliance with a legal obligation to which the CIP or CIU is subject – in which case the obligations placed on CIPs and CIUs by the CRA would apply
6. processing is done in the performance of a task carried out in the public interest.
As stated in the NDPA, there are more lawful bases for CIUs and CIPs to process credit information, especially where it is not required by the law under the CRA. The essence of a CIP or CIU having other lawful bases for personal Data processing was prominent in a recent case of a Nigerian digital lending company, Soko Lending Company. The company was sued for lacking the lawful basis to process the Claimant’s personal Data and infringing on his fundamental human rights to privacy by sending unsolicited text messages informing the Claimant of the indebtedness of one of his contacts. The Court considered the lawful bases as contained in the Nigeria Data Protection Regulation 2019 (NDPR) as well as the guaranteed right to privacy in the Constitution of the Federal Republic of Nigeria 1999 in arriving at the decision that the Defendant had shown insufficient lawful basis for processing the Claimant’s personal Data and awarded the sum of ₦5,000,000 (Five Million Naira), in damages against the company. Furthermore, the National Information Technology Development Agency (NITDA), during its tenure as the regulator of Data protection in Nigeria in 2021, issued a press release (https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/4914/) stating that it had imposed a monetary sanction of ₦10,000,000 (Ten Million Naira), among other penalties against same Soko Lending Company. This action was reportedly taken after receiving a series of complaints against the company for illegal Data sharing without appropriate lawful basis, unauthorized disclosures, use of a non-conforming privacy notice, among other offenses under the NDPR.
However and observing that the restrictions on the use of unethical and inappropriate loan recovery mechanisms further pose a challenge to CIPs and CIUs (particularly digital banks) who find it difficult to recover loans from defaulters, Nigeria’s Federal Government through the Federal Competition and Consumer Protection Commission (FCCPC) recently announced (https://punchng.com/fg-plans-fresh-regulations-for-fairmoney-soko-loans-others/) its intentions to release more regulations in 2024 for the digital lending space in a bid to offer lenders more efficient loan recovery methods. It is expected that this will assist in curbing the excesses of loan defaulters while ensuring adherence to consumer and personal Data protection standards.
The CRA outlines Data Subject rights specifically related to credit reporting activities, including the right to access and correct credit information. In practice, however, Data Subjects are often unaware of inaccurate or false credit information submitted by CIPs to Credit Bureaus until they seek credit facilities from CIUs. While there are provisions for the Data Subject to seek recourse where credit information has been inaccurately or falsely reported (as will be addressed below), such recourse is typically provided after the Data Subject may have suffered damage due to the inaccurate or falsely reported information resulting in the stalling of credit facilities applications made by the potential borrower. The NDPA grants a broader set of rights to Data Subjects, aligning with international standards. These rights include the right to access, rectification, erasure, and restriction of processing, ensuring Data Subjects have more control over their personal Data. It is expected that the Commission will intervene in the personal Data processing activities conducted by CIUs, CIPs, and other organizations within the financial sector, ensuring that the right to access and rectification is readily available to Data Subjects.
All said, the CBN is Nigeria’s regulator of the formal credit industry as a subset of the financial services sector. The CRA mandates CIPs and Credit Bureaus who are unable to, within 10 (ten) working days, resolve the complaints of a Data Subject on the accuracy, validity, or completeness of the Data Subject’s credit information to refer same to the CBN. Where, however, the CBN fails to resolve the complaint within another 10 working days, such dispute may be referred to a court of competent jurisdiction.
The Commission on the other hand is responsible for enforcing the NDPA and the NDPR. The Commission oversees and regulates how organizations handle personal Data, ensuring that individuals’ privacy rights are protected. It also investigates personal Data protection complaints and can take enforcement actions, including issuing fines for non-compliance. While the punishment for inaccurate reporting, negligence, unauthorized disclosure, alteration or modification, or other credit reporting violation under the CRA, is a fine of not less than N10,000,000 (Ten Million Naira), violations committed against a Data Subject under the NDPA attract punishment depending on the class of the defaulting Data Controller or Data Processor. The two classes are Data Controllers or Data Processors of Major Importance (DMI) and those that are not of major importance (non-DMI). This stratification and those that belong to either is a prerogative of the Commission which is statutorily to be guided by the number of Data Subjects whose personal Data is being processed or the security or economic significance of the personal Data being processed. In the event of a conviction, a DMI is liable to a fine of up to ₦10,000,000 (Ten Million Naira), or 2% of its annual gross revenue in the preceding financial year, whichever is greater; while a non-DMI is liable to a fine of up to N2,000,000 (Two Million Naira) or 2% of its annual gross revenue in the preceding financial year, whichever is greater. A convicted Data Controller or Data Processor who is an individual may also be liable to both the stated fines and imprisonment for a maximum term of one year.
Conclusion
Ultimately, the CBN, the Commission, the FCCPC and other government agencies in the fringes all have overlapping interests in the credit economy and will need to work together in an efficient “one-government policy” framework for the ultimate protection of both Data Subjects and credit services providers. To work in silos is to create confusion in a fledging system that requires healthy attention. The certainty of Data Subjects’ rights and their enforcement is equally as important as the certainty of the obligations of credit services providers. Being Nigeria’s personal data protection Czar, it is anticipated that the Commission will bell the cat by providing the coordinating leadership required for all government agencies to work together in ensuring the protection of the personal Data of credit consumers in Mr. President’s proclaimed renewed hope for Nigeria’s credit economy.
At AO2LAW, we maintain a foremost Data Protection Practice in advisory, representation, and compliance/enforcement management capacities. Situated within our Commercial and Criminal Law Practice Group (CCLP), our Practice brings to bear our expertise in core Commercial Law and Human Rights Law to assist businesses and individuals on their obligations and rights in Nigeria’s Data Protection regime.
For further information on the foregoing (none of which is a legal advice) or related matters, please generally contact us at cclp@ao2law.com
Bidemi Olumide
Managing Partner
bidemi.olumide@ao2law.com
Oghenekaro Isiorho
Associate
oghenekaro.isiorho@ao2law.com
