Nigeria can monitor Meta, Google data activities — Data Commissioner, Olatunji

The National Commissioner for the Nigeria Data Protection Bureau, Dr Vincent Olatunji, speaks with TEMITAYO JAIYEOLA about the new Nigeria Data Protection Act 2023, protecting the data rights of Nigerians, regulating AI, and more

Nigeria now has a data law after many years of collaborative efforts. Please could you break down how this law would impact the average Nigerian?

The major focus of the law is to implement measures that will protect the data rights of Nigerians. That whatever data is being collected, processed, stored, or shared in any manner is done properly.

We didn’t have this before. In addition to that, there are a lot of provisions in the law that put in place measures for data controllers to create adequate safeguards to ensure that the data collected is treated properly.

In terms of safeguarding the rights of Nigerians, if there are any issues, a lot can be done now. They have a commission they can report to.

You have been investigating firms for data breaches. Could you enlighten us on this?

We have investigated so many, especially in the banking sector, telecommunications, consulting, and digital lending companies. We have interrogated their activities.

In the banking sector, we have fined about three banks, and Soko Loans in the digital lending sector. We fined Soko Loans N50m, and they are still sorting out how to pay through compliance. There are other banks that we have fined, but the approach we have been using is for them to pay remediation. If we go all the way, that is the full weight of the law, the fines would be a lot.

What we do now is to make them pay a remediation fee and take them through regulation and compliance. We are trying to improve compliance culture. To encourage companies to make it part of their practices, to make it part of their culture, we take them through compliance. Regarding some of the investigations, they are ongoing, and it takes time.

You announced an investigation into MoMo last year. Has that been concluded?

The investigation into MoMo is still ongoing and we are working with them. Ideally, we don’t make our findings public except when the company is not willing to cooperate with us.

The most important thing for us is to ensure that they do what is right to protect users, and to put in place appropriate safeguards for users. Once they are willing to corporate with us, we do not engage in unnecessary publicity that would attract negative feedback to their businesses. We are talking about the ease of doing business here.

There was an organisation that we launched an investigation into and once that got out, shareholders started withdrawing their shares and customers started withdrawing their money. They were panicking that the bank was in distress, and that was not our intention. We just wanted to correct them and make them do the right thing. So, we are working with all those we are investigating to do the right thing.

When any organisation is not willing to do the right thing, we launch full publicity into what we are doing. We are careful because of what can happen because there is an impact when issues around data breaches get to the public.

Also, how has your conversation with Flutterwave been?

The investigation is still ongoing. We are still doing our due diligence to ensure that our decision is right. We do not want to come to a decision in a hurry and realise we did not do our due diligence. When that is done and depending on the impact and extent of the breach, we will fine them or tell them to pay a remediation fee, to ensure that they take more decisive measures. The Flutterwave investigation is still ongoing and would be finished soon.

You recently said the commission would be blacklisting firms that are not adhering to data privacy laws. How is that process going and when is it likely to be implemented?

When we started that process, there was no law, but now we have a law. What we are doing is to encourage all organisations dealing with data to register with the commission between now and December, to ensure that we capture them.

If we don’t know those we are trying to regulate, how can we effectively regulate them? So, we are starting with registration, after we would have the annual data protection compliance audit report, which would hold between January and March 31.

The backlist is likely to be out by March 2024. The backlist is for organisations, companies, and data processors who do not comply with the provisions of the law. We are saying we do not want people to treat data anyhow again.

What would you say is the biggest issue with data privacy in Nigeria?

It is ignorance and capacity. How many data subjects know their rights and ask for it? How many data controllers and data processors know their jurisdictions and how many of them are doing what they are supposed to be doing? That is one, and we need awareness.

Two is the area of capacity. What is the capability and competence of your data protection staff? Do they understand the point of putting in safeguards and ensuring that there is no unauthorised access and malicious use or damage to the data? All these are major issues that we need to address.

Awareness and capacity are our major challenges in applying the data law in Nigeria. Many Nigerians do not know their data rights. Very soon, we would be coming up with a lot of awareness activities for people to know their rights.

The CBN recently asked banks to get the social media handle of their customers. This is something you and everyone have kicked against. You wrote to the CBN, and they have responded. What are you doing about the regulation now?

They cannot implement the regulation without the consent of the data subjects, who are to give out their social media handles. They need to get their consent. People need to willingly avail you of the right to collect their social media information because these are personal information.

Two, if there is going to be anything of such, there are guidelines they must draw out. Also, the regulation could be in the public interest, which is another basis for data processing. If they are doing so, they need to put in place guidelines to ensure that it remains that way.

These are some of the things we are working on to ensure that there are no ambiguities in the implementation of the regulation. In their regulatory role in the financial sector, they have the right to do a lot of things, but at the same time, that right should not override the rights of Nigerians. This is why we have asked that we work together to look at the best way to handle it.