Meta, DHL, Opay, others face sanctions for data breaches

The federal government has begun probes into the activities of Meta formerly known as Facebook, a haulage company, DHL, and online payment platform OPay for alleged data breaches.

The companies, if found liable, would forfeit two percent of their annual gross revenue to the government.

Findings revealed that there have been a barrage of complaints against the companies by Nigerians over the violation of data subjects’ rights.

It was learnt that the Nigeria Data Protection Commission has opened investigations into the data processing activities of the affected data controllers.

This is the second time the NDPC would open probes into the activities of some companies, banks and universities in the country over alleged data infractions.

It was gathered that the National Commissioner of NDPC, Dr. Vincent Olatunji, had warned during the Commission’s presentation of the Nigeria Data Protection Act, 2023 to the public that infractions would attract penalties in accordance with the letter and spirit of law.

Olatunji said the commission would not hesitate in “safeguarding the integrity of Nigeria data economy ecosystem.”

He warned data controllers and processors against all forms of data processing which are not in tandem with the Act, insisting that the Chief Executive Officers of Ministries, Departments and Agencies of government would be held liable for infractions.

It was learnt that complaints against Meta touch on behavioural advertising without explicit consent of data subjects. Approximately 40 million Facebook accounts in Nigeria might have been affected by the data processing under investigation. This also has significant implication for the growth of Nigeria’s digital economy.

DHL on the other hand is facing investigation for allegedly violating the lawful basis and principles of data protection, it was discovered.

Sources privy to the investigations said DHL’s data processing falls short of the confidentiality standard prescribed under the Nigeria Data Protection Act. The Act in section 24(2) (2) notes that “A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.”

On its part, Opay might be called upon to answer for allegations that it opens bank accounts for data subjects without their consent. If this is true, it would amount to a grave violation of data privacy rights of affected data subjects, our Correspondent gathered.

A report attributed to Opay says the platform has about 40 million data subjects.

Finding by our Correspondent shows that Nigeria Data Protection Commission has served each of the data controllers with Notice of Investigation. The companies, it was learnt, have ample opportunities to defend themselves against the law of the country.