Nigeria’s National Information Technology Development Agency (NITDA) has imposed a sanction of N10 million on an online lending platform, SokoLoan, for data privacy invasion and violation. SokoLoan, like most lending digital startups, uses “shaming” to get borrowers to pay.
Essentially, someone borrows money from the firm, and if the person does not pay as agreed, the app sends messages to the person’s contacts, telling everyone that the borrower is in default on the loan. The government agency thinks that is not correct and has fined the firm N10 million.
I vote for NITDA on this one…startups must find better innovative ways to run their playbooks. This one looks juvenile.
— The press release
NITDA Fines SokoLoan N10m for Privacy Invasion
The National Information Technology Development Agency (NITDA) has sanctioned an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion.
This action was taken after receiving a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
One of such complaints filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, 11th November 2019. NITDA, as part of its due diligence process, commenced investigation over the alleged infractions of the provisions of the NDPR.
Soko Loans grants its customers uncollateralised loans and requires a loanee to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the loanee’s phone contacts.
According to one of the complainants, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy invading messages to the complainant’s contacts.
Investigation revealed that complainants’ contacts who were neither parties to the loan transaction nor consented to the processing of their data have confirmed the receipt of such messages. The Agency made strident efforts to get Soko Loan to change the unethical practice but to no avail. After the Agency’s investigation team secured a lien order on one of the company’s accounts by which it could come up with privacy enhancing solutions for its business model, Soko Loan decided to rebrand and direct its customers to pay into its other business accounts.
The Agency’s investigation further revealed that the company embeds trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis.
NITDA has therefore found Soko Loan and its entities in violation of the following legal provisions:
1. Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR;
2. Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR;
3. Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR;
4. Unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework; and
5. Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR.
In view of the foregoing and in consideration of its implication on the privacy of Nigerians and erosion of trust in the digital economy, NITDA hereby:
a) imposes a monetary sanction of Ten Million Naira (N10,000,000) on Soko Lending Company Limited.
b) directs that no further privacy invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR.
c) directs the company to pay for the conduct of a Data Protection Impact Assessment by a NITDA appointed DPCO on its operation; and
d) Placement on a mandatory Information Technology and Data Protection oversight for 9 months.
It may be noted that the criminal aspects of this investigation have been deposited with the Nigeria Police to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
NITDA therefore uses this medium to remind all Nigerian businesses and data controllers of their obligation to engage NITDA-licensed Data Protection Compliance Organisations (DPCO) to guide them towards compliance with the data protection law. The Agency is poised to fully enforce the NDPR with the aim of sanitising the operating environment, instilling confidence in the digital economy and protecting the right to privacy of Nigerians.
The National Information Technology Development Agency (NITDA) is the apex regulator for Information Technology in Nigeria under the supervision of the Federal Ministry of Communication and Digital Economy. The Agency is empowered by Section 6(c) of the NITDA Act, 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria. The Agency issued the Nigeria Data Protection Regulation (NDPR) as Nigeria’s first comprehensive framework for the protection of personal data. The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents.
Mrs Hadiza Umar, MNIPR, M.APRA, MCIPR
Head, Corporate Affairs and External Relations
---
This is a clear case of when you can write codes, you suddenly think you have qualified to become a company founder! Ethically warped people have no business setting up corporate organisations.
It raises another argument on practical skill vs proper education, some things can be very dangerous…
So, if you fail to meet up with your repayment obligation, a company will start telling your friends and enemies, including your village people, that you are owing it? It is finished!
While we spend plenty time chorusing entrepreneurship and innovation, we still need to educate founders and managers on corporate governance, public relations and purposeful leadership; before we turn civil spaces into war zones, in the name of chasing money.
Something is wrong with a system where NITDA is able to accuse a company, investigate the case and judge the case all by itself.
People who take these loans know the terms and accepted them in order to borrow money. Instead of providing tangible collateral, they were allowed to borrow with social capital.
But rather than pay back, they prefer to take advantage of our dysfunctional systems.
This dishonest practice, which led to the issue of failed banks, is prevalent. Later we will grumble that banks only want to lend to established companies.
Good point here
My problem is not you sending messages to the contacts. My problem is what happens after you have sent those messages to the person’s contacts and later the person pays off their loans: will you send back a message saying they have paid?
From gatherings so far, I think it actually goes beyond what the borrowers agreed to: the agreement usually provides for maximum of two or three contact persons who either stand as sureties or emergency contacts.
But the lending company goes beyond this in the “shaming” game: within 24hrs of (partial or full) default, it sends messages to as many as 50 persons on the borrower’s contact list – people who were not part of the loan agreement.
Besides, the messages usually contain bogus lies (eg, that the borrower has specifically given those contact details to the lender; that the borrower has run away or is unreachable).
Another serious issue is that, contrary to the assurance that the borrower’s data is safe and only used for processing the loans, the lending Co embeds trackers in the app (without the knowledge of the borrower) and shares (most likely for a fee) borrowers’ data, including contact info, with third parties.
That’s the height of poor ethics and customer relations.