SokoLoan, an online money-lending platform, has been fined N10 million by the National Information Technology Development Agency (NITDA) for breach of privacy.
This was stated in a press statement titled “NITDA Sanctions Soko Loan for Privacy Invasion” issued by NITDA’s spokesperson, Hadiza Umar, on Tuesday.
This action was taken after receiving a series of complaints against the company for “unauthorized disclosures, failing to protect customers’ personal data and defamation and performing the necessary due diligence as set out in the Nigeria Data Protection Regulation (NDPR)” .
One such complaint filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, November 11, 2019. NITDA said it was opening an investigation into alleged breaches of the provisions of the NDPR as part of its due diligence process.
NITDA said its investigations have revealed that Soko Loans provides unsecured loans to its customers and requires a borrower to download their mobile application on their phone and activate a direct debit in favor of the company, allowing the application to access their phone contacts. the borrower.
“According to one of the complainants, when he failed to meet his repayment obligations due to insufficient funds in his account on the date on which the direct debit would take effect, the company unilaterally sent privacy-violating messages to the complainant’s contacts,” said one of the complainants. complainants. partially read the statement.
Investigations have shown that contact persons of complainants who were neither party to the loan transaction nor consenting to the processing of their data confirmed receipt of such messages. The Agency said it made great efforts to get Soko Loan to change the unethical practice, but to no avail. After the agency’s investigative team secured a lien on one of the company’s accounts, allowing it to come up with privacy-enhancing solutions for its business model, Soko Loan decided to change its brand name and instructed its clients to switch to its other business. to pay bills.
The Agency’s investigation further found that the company is embedding trackers that share data with third parties in its mobile application without providing users with any information about it or using the appropriate legal basis.
After its investigation, NITDA said it found Soko Loans guilty of using non-compliant privacy notice, insufficient legal basis for processing personal data, illegal sharing of data without adequate legal basis, in violation of the Nigeria Data Protection Regulation.
NITDA also said Soko Loans were guilty of reluctance to cooperate with the DPA, in violation of Article 3.1(1) of the Data Protection Implementing Framework; and failure to submit NDPR audit reports through an authorized Data Protection Compliance Organization (DPCO), in violation of Article 4.1(7) of the NDPR.
Aside from the N10 million penalty, NITDA has ordered that no further privacy-violating messages be sent to any Nigerian until the company and its entities are fully compliant with the NDPR and Soko has instructed the loan to pay for conducting a data protection impact assessment by a NITDA DPCO appointed by a NITDA about its operation.
The agency also placed a mandatory 9-month information technology and data protection supervision on Soko loans.
The agency also announced that the criminal aspects of the investigation have been filed with the police to determine whether the company’s executives can face jail time for violating Section 17 of the NITDA Act, 2007.