The National Information Technology Development Agency (NITDA) has slammed a N10 million sanction on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion.
This was after a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as not carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
NITDA, as part of its due diligence process, commenced an investigation into the alleged infractions of the provisions of the NDPR.
Soko Loans grants its customers uncollateralised loans and requires a loanee to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the loanee’s phone contacts.
According to one of the complainants, when he failed to meet his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts.
Investigation revealed that complainants’ contacts who were neither parties to the loan transaction nor consented to the processing of their data have confirmed the receipt of such messages.
The agency made strident efforts to get Soko Loans to change the unethical practice but to no avail. After the agency’s investigation team secured a lien order on one of the company’s accounts by which it could come up with privacy-enhancing solutions for its business model, Soko Loans decided to rebrand and direct its customers to pay into its other business accounts.
NITDA’s investigation further revealed that the company embeds trackers inside its mobile application that share data with third parties, without providing users with information about it or using the appropriate lawful basis.
In a press statement to Daily Sun, NITDA said the agency found Soko Loans and its entities in violation of the following legal provisions:
“Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR; insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR; illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR; unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework; and non-filing of NDPR audit reports through a licensed Data Protection Compliance Organisation, contrary to Article 4.1(7) of the NDPR.”
In view of the foregoing and in consideration of its implication on the privacy of Nigerians and erosion of trust in the digital economy, NITDA imposed a monetary sanction of N10 million on Soko Lending Company Limited and directed that no further privacy-invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR.
The agency also directed the company to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO on its operations and placement on a mandatory Information Technology and Data Protection oversight for nine months.
The criminal aspects of the investigation have been deposited with the Nigeria Police to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.