Recently, the Central Bank of Nigeria (“CBN”) issued a directive to commercial banks that they post on their website the personal information of customers who violate the provisions of its PTA / BTA guidelines (“Directive(s)”). From a data protection point of view, this raises all kinds of red flags, as an individual’s name and Bank Verification Number (BVN) are classified as personal data, the processing of which must be carried out in accordance with the provisions of the Nigerian Data Protection Regulation (NDPR). In addition, every individual has a constitutional guarantee, in accordance with the provisions of Article 37 of the Nigerian Constitution of 1999, of their privacy, including the right to keep their information private.
This article aims to clarify whether the publication of personal data of defaulting bank customers complies with the provisions of the NDPR and other provisions relating to the protection of consumer data.
In law, the relationship between a bank and its customer is contractual in nature and is often characterized as that of debtor and creditor, with superimposed duties and obligations on the bank’s side. One of these superimposed duties is the duty of secrecy or confidentiality. Simply put, a bank is required to keep the affairs of its customers secret. This obligation is not limited to account transactions – it extends to all information the bank has about the customer. This duty is not absolute, however, and exceptions include where the bank is required by law to make the disclosure, and where the client consents to the disclosure.
In addition, the NDPR, with a view to protecting the rights of individuals to data privacy, among other purposes, provides strict guidelines for the processing of personal data. In this regard, the NDPR has stipulated that there must be a legal basis for the processing of personal data and has identified five legal bases: consent, legal obligation, vital interest, contract execution and public interest. Posting customer information on the bank’s website, as required by the Guidelines, constitutes “processing” of personal data under the NDPR. Therefore, the question arises as to whether CBN’s directive to publish the names of defaulters under the guideline constitutes a valid basis under the NDPR. For the purposes of this article and in accordance with the Bill of Rights, the focus will be on two of the five legal bases provided for by the NDPR: consent and legal obligation.
Legal obligation – required by law to make the disclosure
As established in the UBA Plc v Bakare Wasiu case [1], the bank in possession of a customer’s money may be considered a custodian and therefore owes its customer an obligation of confidentiality with respect to that customer’s account details and related matters. However, where the bank is required by law to disclose a customer’s information, the customer’s right to privacy and confidentiality does not apply. For example, section 31 of the Money Laundering Regulations [2] provides that when the bank suspects a customer’s account of being used for fraudulent activities, it has a legal obligation to transmit this information to the competent authorities for criminal investigation. This also complies with the provisions of Article 2.1 of the NDPR Implementation Framework which exempts the applicability of the NDPR provisions in the event of the transmission of personal data to regulatory bodies for the purposes of criminal investigations and tax offenses, among others.
However, the publication of personal data of defaulters under the Guidelines does not fall under the transmission of data to regulatory authorities for criminal investigations and tax offenses as provided by the NDPR. Consequently, this particular processing must identify one of the other legal bases for processing provided for in article 2.2 of the NDPR in order to comply with the requirements of the NDPR.
Section 33 of the Central Bank of Nigeria Act 2007 provides that the Central Bank of Nigeria (CBN) may issue directives to any person and institution under its supervision. In addition, the Banks and Other Financial Institutions Act (BOFIA) gives the Governor of the CBN the power to regulate the operation and control of all institutions under the supervision of the CBN. By virtue of the power conferred on the CBN to enact regulations or to issue directives by the CBN Act and the BOFIA, it can be inferred that commercial banks have a legal obligation to comply with the directives issued by the CBN in the exercise of its statutory powers to avoid penalties applicable in the event of non-compliance.
In addition to the above, when commercial banks decide to publish personal data of defaulters under the Directive on their websites, they may rely on legal obligation, i.e. that the processing was necessary for compliance with a legal obligation to which commercial banks are subject, under Article 2.2 (c), as a legal basis for such processing of customer personal data.
Consent – client consents to disclosure
Another possible legal basis for the publication of the customer’s bank details on the website of the commercial bank is consent. Under the NDPR, consent is the default legal basis for valid processing of personal data. In this regard, article 2.1 of the NDPR stipulates that “… personal data will be collected and processed in accordance with the specific, legitimate and lawful purpose granted by the data subject.” Accordingly, data controllers (commercial banks, in this case) have an obligation to ensure that customers consent to each processing activity (including the publication of their personal information on their website) and that the consent is informed and obtained without fraud, coercion or undue influence. In addition, the Bill of Rights authorizes commercial banks to disclose a customer’s account information when the customer has consented to such disclosure. Under the NDPR,
For this processing to be based on consent, each client would have to have been informed, at the time of the PTA or BTA request, of all the possible uses of their personal data for the purposes of obtaining the PTA or BTA, including publication of their personal information on the banks’ website in the event of non-compliance with the Guidelines, and the bank would have to have obtained a waiver of the client’s right to confidentiality in such a case, as well as express consent to such publication. When this condition is met, the publication of the personal data of defaulting customers under the Directive will be deemed to have been made on the basis of consent and therefore not in violation of the provisions of the NDPR.
While every individual has the right to privacy and should be able to protect their private information from public disclosure, personal information may be released in certain circumstances without infringing that individual’s right to privacy. These exceptional cases include cases where banks publish personal data of defaulting customers under the directive in accordance with CBN guidelines, as the CBN is the regulator of the banking industry and is vested with the power to issue directives to any person and any institution under its supervision, which are required to comply with them in order to promote a sound financial system in Nigeria. Therefore, commercial banks are advised to update their data protection policy documents, including data protection notices, to include legal obligation or consent as a basis for the publication of details of defaulters under the guidelines, to ensure compliance with NDPR provisions.
[1] (2017) 4 NWLR (pt. 1555) 318 CA
[2] Central Bank of Nigeria (Anti-Money Laundering and Combating Finance of Terrorism for Banks and Other Financial Institutions in Nigeria), Regulations, 2013.