The Nigeria Data Protection Commission (NDPC) has deemed the recent directive issued by the Central Bank of Nigeria (CBN) requiring banks to obtain customers’ social media handles as part of enhanced Customer Due Diligence (CDD) regulations to be unlawful.
The commission is currently in discussions with the central bank regarding this matter, as there are fundamental principles that must be upheld when collecting citizens’ data. Dr. Vincent Olatunji, the National Commissioner of NDPC, conveyed this information in a statement released by Mr. Itunu Dosekun, the commission’s Head of Media, on Thursday in Abuja.
Olatunji disclosed that before the enactment of the Nigerian Data Protection Act (NDPA) on June 12, the indiscriminate collection of citizens’ data by Data Controller Organizations was not treated with due seriousness.
The NDPA, signed into law by President Tinubu, includes crucial guidelines for the processing of personal data. These guidelines stipulate that data collection must be conducted in a fair, lawful, and transparent manner. Furthermore, data collection should be limited to the minimum necessary for the intended purpose and should not be retained for longer than necessary.
He explained that there are prerequisite steps that every Data Controller must follow before collecting data from data subjects. Failure to comply with these steps constitutes a violation of the law and can result in a data breach, which may incur penalties.
“There are provisions in the law to go against any data controller be it private or government office, NGOs, hotels, because we are pro-citizens.
“The whole idea of this law is to protect the rights, the interests of Nigerians who are data subjects.
“We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data.
“There is data minimization, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose is it for,” he said.
According to Olatunji, the requirement for bank customers to provide their social media handles is unnecessary.
However, he acknowledged that if the collection of social media handles was based on public interest, such as monitoring certain transactions, proper awareness should be given to customers.
Olatunji also stated that they would investigate the reasons behind the implementation of the Customer Due Diligence (CDD) regulation and work towards resolving the issue in alignment with international best practices.
Last week, the CBN published a document, ‘Central Bank of Nigeria (Customer Due Diligence) Regulations, 2023’, mandating financial institutions to obtain social media information of customers as part of their Know Your Customer (KYC) exercise. This is in addition to the requirement to obtain email addresses, telephone numbers, and residential addresses.
The apex bank said the key objective of the new regulation is to enforce compliance with relevant provisions of the laws designed to checkmate money laundering and terrorism financing.
However, the move has drawn criticism from civil rights advocates and the general public, who believe it is another attempt by the government to censor social media users.