The Nigeria Data Protection Commission (NDPC) has faulted the Central Bank of Nigeria’s (CBN) recent directive that banks should obtain and verify customers’ social media handles.
The Commission described the directive as illegal, noting that it violated privacy laws.
The apex bank had, on June 26, directed banks to obtain the social media handles of customers as part of enhanced Customer Due Diligence (CDD) regulations.
It explained that the move was geared towards bolstering bank customers’ compliance with anti-money laundering (AML) and counter-terrorism financing (CFT) provisions, while aligning with international best practices.
However, in a statement on Thursday, June 29, the NDPC said it was currently engaging with the CBN on the directive, stressing that there is a need to adhere to fundamental principles when collecting citizens’ data.
NDPC national commissioner Vincent Olatunji, who reacted to the directive in the statement, highlighted the significance of the Nigerian Data Protection Act (NDPA), which was enacted on June 12, in ensuring the responsible handling of citizens’ data by Data Controller Organisations.
Olatunji said the Act outlines guidelines for the processing of personal data, emphasising fairness, lawfulness, transparency, minimal data collection, and limited retention periods.
He explained that there were prerequisite steps any Data Controller must take prior to the collection of data from data subjects.
The NDPC official added that any organisation that defaulted was going against the law and causing a data breach, noting that such would attract a fine.
“We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data,” he said.
“There is data minimisation, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose it is for.”
Olatunji stressed that the NDPC’s role is to protect the rights and interests of Nigerian citizens, making it applicable to all data controllers, including private and government offices, NGOs, and hotels.
“The purpose of this law is to safeguard the rights and interests of Nigerians who are data subjects.”
He highlighted key principles, such as data minimisation, which mandates that data should only be collected for its intended purpose, and purpose limitation, which specifies the purpose for which data is collected.
Olatunji further argued that requesting social media handles from bank customers was unnecessary.
However, he acknowledged that if the collection of social media handles served a public interest, such as transaction monitoring, customers should be properly informed.