The Effect of Nigeria’s Data Protection Regime on Open Banking (Part II)
In the first part of this article, we examined open banking and its possible effect on fintechs and financial service providers in Nigeria. We also explored the provisions of the Nigeria Data Protection Regulation (NDPR) and its impact on data protection in Nigeria.
In this concluding part, we will examine the implications of the NDPR on the operations of Open Banking in Nigeria.
Implications of the NDPR on the operation of open banking in Nigeria
Below are some of the ways the NDPR impacts the operation of open banking in Nigeria.
a. Consent
Consent is one of the cardinal principles of data rights and is a legal basis for processing personal data. The NDPR provides strict guidelines for obtaining consent from data subjects. It states that no data shall be obtained except for a specific purpose made known to the data subject. Consent must also be procured without fraud, coercion or undue influence. The NDPR further places an obligation on the Data Controller to demonstrate that the data subject consented to the processing. The data subject must also be informed of his right to withdraw his consent at any time.
It is therefore important for participants in open banking who collect data to obtain specific consent from Data Subjects for the sharing of the data collected. Furthermore, it is critical that any customer consent to data practices under open banking is voluntary, explicit and revocable.
b. Purpose
The NDPR provides that personal data shall only be processed in accordance with a specific, legitimate and lawful purpose. The NDPR therefore envisages that, at the point of obtaining consent, the purpose for which the data is being collected is clearly stated and made known to the customer. Participants in open banking in Nigeria will consequently have to inform their customers, at the point of obtaining consent, that the data will be shared with TPPs in furtherance of open banking goals or objectives.
The Regulation further mandates that whenever the Controller intends to further process personal data for a purpose other than that for which the data was collected, the Controller shall provide the data subject prior to that further processing with information on that other purpose, and with any relevant further information.
This is relevant to data obtained by the Controller prior to the implementation of open banking, since at the time of collection, sharing with third parties for the purpose of open banking was not stated as one of the purposes of collection. Controllers will therefore have to inform data subjects of this new purpose before sharing such data.
c. Privacy Policy
The purpose of a Privacy Policy is to notify the individual of what an organization is collecting, using and sharing regarding their data.
The NDPR mandates that every medium through which personal data is collected or processed display a conspicuous privacy policy that the class of targeted data subjects can understand. In addition to any other relevant information, the privacy policy shall contain information such as what constitutes the data subject’s consent, a description of the personal information collected, the purpose of collecting the personal data, etc.
Privacy policies or notices do not relate specifically to open banking, as Controllers would ordinarily have had to comply with this requirement by virtue of collecting and processing data, even without sharing it. However, entities participating in open banking will have to update the relevant aspects of their privacy policies, such as the purpose of data collection, third-party access to personal data and the purpose of that access, to reflect the necessary changes.
d. Due Diligence
The NDPR places on all parties to a data processing agreement (other than the data subject) the responsibility of taking the necessary measures to ensure that the other parties do not have a record of violating or abusing data. Accordingly, any person engaging a third party to process data obtained from data subjects shall ensure adherence to the Regulation.
Consequently, every Data Controller is liable under the NDPR for the actions of third parties who handle the personal data of data subjects. This set of provisions is particularly apposite to the open banking scenario, as it places responsibility on the traditional institutions that are in a position to share customer data to conduct extensive due diligence and vet all parties before onboarding them, since they will be liable for the actions of every third party to whom they grant access.
e. Security
The NDPR requires anyone involved in the processing or control of data to develop security measures to protect it. Such measures include protecting systems from hackers, setting up firewalls, storing data securely, employing data encryption technologies, developing an organisational policy for handling personal data (and other sensitive or confidential data), protecting e-mail systems and continuous capacity building for staff.
If open banking achieves its objective of making customer data sharing easier, customer data will be held by more entities, and each additional point of storage increases the number of stages at which the data can be compromised. It is therefore not enough for data controllers and processors to obtain data lawfully; they must also put in place standard security systems to protect the data in their possession. The responsibility for putting protective infrastructure in place rests on the Data Controllers, and they will have to develop the competence to deal with all foreseeable breaches.
f. Data Subject’s rights
The right of a data subject to object to the processing of his data is safeguarded by the NDPR. This is relevant to open banking, as some data subjects may have reservations about, and a lack of trust in, the notion of their personal data being shared with third parties.
The NDPR also grants data subjects the right to request from the Controller access to, and rectification or erasure of, their personal data. The NDPR further requires that the Controller communicate any rectification or erasure of personal data to each recipient to whom the data had been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it. Hence, when data is rectified or erased at the data subject’s request in an open banking scenario, the Controller is obligated to communicate that rectification or erasure to all parties with whom the data has been shared.
The NDPR also supports the data subject’s right to data portability and states that the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible. This right is very relevant to open banking, as it implies that if the data subject requests that his/her data be shared with a specified third party, the Controller is obligated to honour that request.
g. Compliance
The NDPR recommends some actions to be taken by data controllers to improve their chances of complying with the requirements of the Regulation. It endorses Data Protection Compliance Organisations (DPCOs), which are professionals that assist organisations in ensuring compliance. In particular, where an organisation processes the personal data of 1,000 data subjects in 6 months, or 2,000 data subjects in 12 months, it will be required to engage a DPCO to conduct an audit of its processes and file the report with NITDA.
The NDPR also encourages entities to conduct data protection training for their staff by inviting experts such as DPCOs to anchor the process. In this way, their employees, especially those responsible for processing data, would be enlightened on how to prevent data breaches.
These directives on ensuring compliance are particularly relevant for participants in open banking in light of the increased risks, and it will be reasonable to adopt the recommendations to limit exposure.
h. Penalty
The provisions and obligations set out in the Regulation are backed by penalties for default to ensure compliance. Accordingly, any person subject to the NDPR who breaches the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to: in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater; and in the case of a Data Controller dealing with fewer than 10,000 Data Subjects, payment of a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.
Given that the implementation of open banking carries a greater risk of resulting in a breach, it is important that participants ensure absolute compliance with the provisions of the Regulation to avoid penalties.
Conclusion
The benefits of open banking, such as the enablement of innovative products and services, competition and a better customer experience, are undoubtedly positives and strong arguments in favour of its adoption. However, at the core of its proposition is wide-scale data sharing, which raises serious concerns about data privacy and protection. Participants will therefore have to comply strictly with extant laws if the implementation and operation of open banking is to be a success.
ǼLEX is a full service Commercial and Dispute Resolution law firm with offices in Nigeria and Ghana. Contact us: www.aelex.com; @aelexpartners on LinkedIn, Twitter, Instagram and Facebook; info@aelex.com