The National Information Technology Development Agency (NITDA) has imposed a sanction of N10 million on an online lending platform, Soko Lending Company Limited (Soko Loans), for data privacy invasion.
This was made known in a press release by NITDA’s spokesperson, Hadizar Umah.
According to NITDA, it received a series of complaints against the company, including ‘unauthorized disclosures, failure to protect customers’ personal data, and defamation of character’.
“One of such complaints filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, 11th November 2019. NITDA, as part of its due diligence process, commenced investigation over the alleged infractions of the provisions of the NDPR.”
NITDA said its investigations showed that Soko Loans grants its customers uncollateralized loans and requires a loanee to download its mobile application on their phone and activate a direct debit in the company’s favour, which grants the application access to the loanee’s phone contacts.
“According to the complainant, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts,” the statement read in part.
NITDA also said it found that Soko Loans embeds trackers inside its mobile application that share data with third parties, without providing users information about it or using the appropriate lawful basis.
After its investigation, NITDA stated that it found Soko Loans guilty of using a non-conforming privacy notice, having an insufficient lawful basis for processing personal data, and illegal data sharing without an appropriate lawful basis, contrary to the Nigeria Data Protection Regulation (NDPR).
NITDA also said Soko Loans was guilty of unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1(1) of the Data Protection Implementation Framework; and non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.
Aside from the N10 million sanction, NITDA ordered that no further privacy-invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR, and directed Soko Loans to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO on its operation.
The agency also placed Soko Loans under mandatory Information Technology and Data Protection oversight for 9 months.
NITDA said the criminal aspects of the investigation had been deposited with the Nigeria Police Force to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
“NITDA, therefore, uses this medium to remind all Nigerian businesses and data controllers of their obligation to engage NITDA-licensed Data Protection Compliance Organisations (DPCO) to guide them towards compliance with the data protection law.”
Why this matters
Soko Loans is not the only online lending company that invades user privacy. Most loan apps and micro-lending companies use this method as an easy way to ensure that people repay their loans to avoid embarrassment. This is because one of their major selling points is zero-collateral loans.
This move by NITDA will force these loan apps to devise new means of getting their money back that do not involve privacy invasion.