How should governments address data privacy breaches by digital lenders in the absence of credit infrastructure?
The first time I got a credit card, I stayed up all night anxiously expecting the credit bureau to knock down my door and seize my belongings. I worried so much that I was going to get myself into debt, lose my car and have my name blacklisted all over the country, that for the first month, I refused to use my card even though I could afford to pay it back. In a weird way, I felt exposed and vulnerable – a feeling I had never had using a debit card. Credit was a concept I was aware of, but one I never had to engage with because I spent the first sixteen years of my life in a society where cash was, and is still king.
But times are changing and we have access to information and technology to thank for that. Increasingly, access to credit, be it for the sake of building a credit record or out of necessity is becoming widespread, even in societies like Nigeria where the concept of credit would typically cause discomfort. The digital revolution of the past decade has played a big role in easing people’s relationship with credit. Digital lending apps (DLAs) or fintech apps as they are popularly called, dominate a lot of Nigeria’s digital innovations and provide easy access to credit even for the unbanked in the informal economy. A financial access survey conducted by EFinA in 2020 revealed that 38 million Nigerian adults are completely excluded from banking services, and only 45% of Nigerians are banked. Of those who are banked, only three out of ten have access to financial credit causing a large portion of the populace to turn to digital lending apps. In 2021, there were 144 fintech start-ups in Nigeria and it has been estimated that Nigerian fintech revenues will exceed $500 million in 2022.
In a country where 70% of the banked population lacks credit access, DLAs are the seemingly perfect innovative responses. However, as with most innovations, the lack of timely, holistic and appropriate regulations means that these apps also pose a great risk to Nigerians and have resulted in data privacy breaches with undesirable social and economic consequences.
To grant loans, DLAs collect personal data such as the client’s name, contact information, photograph, home and work address, bank verification number, credit card details and/or bank account details, all of which do not differ from what a traditional bank may request for a similar application. But, in addition, some DLAs require access to clients’ phone contacts, SMS records and in some cases, social media accounts to verify their clients’ identities and to deploy “credit scoring models” to assess creditworthiness. DLAs have justified the collection of non-client data (i.e., the names and phone numbers of individuals on a client’s digital phone book), stating that it increases the number of ways through which they can contact the client. But, the collection of such data has led to abusive tactics by DLAs and breaches of client and non-client privacy.
To recover payments from defaulting clients, DLAs in Nigeria have often employed social-shaming tactics by publicizing their clients’ personal data on social media platforms, sometimes declaring them to be ‘WANTED’ individuals. These platforms have also used non-client data collected through their access to clients’ digital phonebooks and SMS records to harass the acquaintances of defaulting clients. Although the collection of client data is consensual, leakage of personal client data on public social media platforms as a means of debt collection is legally questionable. Additionally, the collection of non-client data through app permissions and the subsequent harassment of non-clients breaches the privacy of the clients and non-clients alike. So how should the government respond?
At first glance, this seems straightforward, but considering additional evidence makes it a tricky situation for a policy response. Firstly, Nigeria lacks a well-established credit infrastructure. This means it is difficult for digital lending apps to verify the credit worthiness of a client through the conventional means many of us take for granted. And secondly, in the absence of identity and credit management systems, some clients can become ‘chronic debtors’, and accumulate debt as they move from one DLA to the next with no means of being brought to book. On the other hand, DLAs, despite their highly questionable and illegal approach to defaulting clients are filling a much-needed banking gap. and have the potential to contribute to economic growth in Nigeria. So what should the government’s priorities be?
Regulatory Responsesin Nigeria
Section 37 of the Nigerian constitution limits the definition of privacy to citizens (which is assumed in this memo to be their physical being), their homes, correspondence, telephonic conversations, and telegraphic communications. This is no longer sufficient and strict data privacy regulations are required as technology continues to change how individuals access services. In response, Nigeria’s data protection bill aims to safeguard citizens’ personal data, and their rights as data subjects, regulate the processing of personal data and safeguard their rights to privacy in relation to the constitution. But a close reading of the bill shows that in its attempt to address issues of privacy, it makes assumptions that do not reflect the true cause of privacy breaches, particularly where DLAs are concerned. For example, section 17 of the bill states that “a data subject has the right to be notified of the data breach affecting him or her within 48 hours”. This stipulation erroneously assumes that privacy breaches are unfortunate exogenous incidents in which both the platforms storing data (i.e., DLAs) and the data subjects (i.e., DLA clients and non-clients) are victims.
The bill further states that sensitive information should not be disclosed to any third party, but specifically defines sensitive information as “personal information relating to a child under parental or guardian control” and “personal data relating to the religious and philosophical beliefs, ethnic origin, race, political opinions, health, sexual life or behaviour of a subject”. These exclude sensitive information such as the financial status of an individual, leaving a loophole for DLAs to exploit as they seek to recover monies from defaulting clients through social shaming. The bill also fails to adequately address the non-consensual collection of non-client data conducted by DLAs as part of their client-vetting process. Although section 6 of the bill states that “where the personal data is not collected directly from the data subject, the data controller shall provide the information within a reasonable period but not later than one month or on first communication with the data subject”, it suggests that non-client individuals can be associated with the financial decisions of their acquaintances even when they have not expressed any such desire. Furthermore, section 22 of the bill states that “a data controller shall not provide, use, obtain or procure information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject.” By only prohibiting non-consensual contact when it relates to direct marketing, the bill has created a loophole whereby DLAs can harass unwitting acquaintances of their clients.
Indeed the Nigerian government cannot be accused of not attempting to address data privacy issues, but it is clear that the response is insufficient. Policy responses should conisder the economic contributions of DLAs while balancing the need to improve access to financial services. As with all policy solutions, there will inevitably be winners and losers.
Dr Demilade Fayemiwo is an experienced policy advisor with an interdisciplinary science and policy background. She has a PhD in Engineering from the University of Johannesburg and an MPhil in Public Policy from the University of Cambridge. Her past work has focused on issues of environmental management, water access, climate change and the circular economy; but her skills are applicable in various fields including health, housing and data privacy. She has gained experience in research, government and non-government institutions in the UK, USA and South Africa, and has published technical reports, policy briefs and journal articles.
View all posts by Demilade Fayemiwo
Policy Problems 