Fintech firm OPay, tech giant, Meta Platforms and global courier giant, DHL, are under investigation by the Nigeria Data Protection Commission (NDPC) over separate allegations of data breach.
Nairametrics reports that sources with knowledge of the probe have said the three companies have been summoned by the Commission following the receipt of complaints against them alleging violations of the complainants’ rights.
Under the Nigeria Data Protection Act, the three companies are recognized as data controllers and are expected to observe certain precautions under the law while processing Nigerians’ data.
If found guilty, each of the company risks forfeiting 2% of their gross revenue to the Commission as a penalty as stipulated by the Data Protection Act.
The complaints
According to one of the sources, who spoke with Nairametrics under the condition of anonymity because he was not authorised to speak to the media, each of the companies had different allegations against them, all bothering on the data breach.
- “OPay may be called upon to answer for allegations that it opens bank accounts for data subjects without their consent. If this is true, it would amount to a grave violation of the data privacy rights of affected data subjects. A report attributed to Opay says it has about 40 million data subjects. Investigation shows that Nigeria Data Protection Commission has served each of the data controllers with Notice of Investigation,” the source said.
- “Complaints against Meta touch on behavioural advertising without explicit consent of data subjects. Approximately 40 million Facebook accounts in Nigeria may have been affected by the data processing under investigation. This also has significant implications for the growth of Nigeria’s digital economy.
- “DHL on the other hand is facing investigation for allegedly violating the lawful basis and principles of data protection. According to a Civil Society Organization established to fight violations of citizens’ privacy rights, DHL’s data processing falls short of the confidentiality standard prescribed under the Nigeria Data Protection Act. According to section 24(2) of the Act (2) “A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.”
National Commissioner, Dr. Vincent Olatunji, had, during the Commission’s presentation of the Nigeria Data Protection Act, 2023 reiterated the importance of safeguarding the integrity of Nigeria’s data economy ecosystem and also warned data controllers and processors against all forms of data processing which are not recognized under the Act. A violator of the Act is liable to pay as high as 2% of its gross revenue in the preceding year.
