Recently, the Central Bank of Nigeria (“CBN”) issued a directive to commercial banks that they publish, on their websites, the personal information of customers who breach the provisions of its PTA/BTA guidelines (“Guideline(s)”). From a data protection standpoint, this raises all sorts of red flags, because an individual’s name and Bank Verification Number (BVN) are classified as Personal Data, the processing of which must be done in line with the provisions of the Nigerian Data Protection Regulation (NDPR). In addition, section 37 of the Nigerian 1999 Constitution guarantees every individual his/her privacy and private life, including the right to keep his/her information private.
This article seeks to clarify whether the publication of the personal data of defaulting bank customers is in line with the provisions of the NDPR and other consumer data protection provisions.
At law, the relationship between a bank and its customer is contractual in nature and is often characterised as that of debtor and creditor, with superimposed duties and obligations on the bank’s side. One such superimposed duty is the duty of secrecy or confidentiality. Put simply, a bank is required to keep the affairs of its customer secret. This duty is not restricted to account transactions; it extends to all the information that the bank holds about the customer. The duty is, however, not absolute, and its exceptions include where the bank is required by law to make a disclosure and where the customer consents to the disclosure.
Furthermore, the NDPR, with a view to safeguarding the rights of natural persons to data privacy, among other objectives, provides strict guidelines for the processing of personal data. In this regard, the NDPR stipulates that there must be a legal basis for the processing of personal data and identifies five legal bases: Consent, Legal Obligation, Vital Interest, Performance of Contract and Public Interest. Publication of customer information on a bank’s website, as required by the Guidelines, constitutes “processing” of personal data under the NDPR. The question therefore arises whether the CBN’s directive to publish the names of defaulters under the Guidelines constitutes a valid basis for processing under the NDPR. For the purpose of this article, and in line with the Bill of Rights, the focus will be on two of the five legal bases provided for by the NDPR: Consent and Legal Obligation.
Legal Obligation – required by law to make disclosure
As established in the case of UBA Plc v Bakare Wasiu, a bank in possession of a customer’s money can be seen as a trustee and therefore owes its customer a duty of secrecy in relation to that customer’s account details and related matters. However, where the bank is required by law to disclose a customer’s information, the customer’s right to privacy and confidentiality does not apply. For example, section 31 of the Anti-Money Laundering Regulations provides that where a bank suspects that a customer’s account is being used for fraudulent activities, it has a legal obligation to transmit that information to the appropriate authorities for criminal investigation. This is also in line with the provisions of Article 2.1 of the NDPR Implementation Framework, which exempts the transmission of Personal Data to regulatory agencies for the purpose of criminal investigations and tax offences, among others, from the application of the NDPR.
However, the publication of the personal data of defaulters under the Guidelines is not a transmission of data to regulatory authorities for criminal investigations or tax offences as envisaged by the NDPR. Consequently, the banks will need to identify one of the other legal bases for processing provided in Article 2.2 of the NDPR in order for this particular processing to accord with the requirements of the NDPR.
Section 33 of the Central Bank of Nigeria Act, 2007 provides that the Central Bank of Nigeria (CBN) may issue guidelines to any person and institution under its supervision. In addition, the Banks and Other Financial Institutions Act (BOFIA) gives the Governor of the CBN power to make regulations for the operation and control of all institutions under the supervision of the CBN. By virtue of the power conferred on the CBN by the CBN Act and BOFIA to make regulations or issue guidelines, it can be deduced that commercial banks have a legal obligation to comply with guidelines issued by the CBN in the exercise of its statutory powers, or face the applicable sanctions for non-compliance.
Further to the foregoing, where commercial banks decide to publish the personal data of defaulters under the Guidelines on their websites, they may rely on Legal Obligation under Article 2.2(c), that is, that the processing is necessary for compliance with a legal obligation to which the commercial banks are subject, as the legal basis for such processing of the customers’ personal data.
Consent – customer consents to the disclosure
Another possible legal basis for the publication of a customer’s bank details on the commercial bank’s website is Consent. Under the NDPR, consent is the default legal basis for valid processing of personal data. In this regard, Article 2.1 of the NDPR stipulates that “…Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject”. Accordingly, data controllers (commercial banks, in this instance) have an obligation to ensure that customers consent to each processing activity (including the publication of their personal information on the bank’s website), and such consent must be informed and obtained without fraud, coercion or undue influence. Further, the Bill of Rights permits commercial banks to disclose a customer’s account information where the customer has consented to such disclosure. Under the NDPR, for this processing to be based on consent, each customer would have had to be informed, at the time of applying for a PTA or BTA, of all the possible uses of their personal data for the purposes of obtaining the PTA or BTA, including the publication of their personal information on the bank’s website where they default under the Guidelines, and the bank would have had to obtain a waiver of the customer’s right to confidentiality in that event, together with express consent to such publication. Where the foregoing condition is satisfied, the publication of the personal data of defaulting customers under the Guidelines will be deemed to have been done on the basis of consent and therefore not in contravention of the provisions of the NDPR.
While every individual is entitled to privacy and should be able to protect his/her private information from disclosure to the public, personal information can be published under certain circumstances without infringing that individual’s right to privacy/private life. Such exceptional instances include where banks publish the personal data of defaulting customers under the Guidelines in compliance with the directives of the CBN, since the CBN is the regulator of the banking industry and is vested with powers to issue guidelines to any person and any institution under its supervision, which are bound to comply with them in order to promote a sound financial system in Nigeria. Therefore, commercial banks are advised to update their data protection policy documents, including data protection notices, to include Legal Obligation or Consent as the basis for the publication of the details of defaulters under the Guidelines, so as to ensure compliance with the provisions of the NDPR.