By Olumide Babalola
The Nigeria Data Protection Regulation (NDPR) is gradually becoming a household name to Nigerian businesses, especially the financial institutions which daily process all sorts of (sensitive) personal data of their respective and prospective customers. One of the objectives of the NDPR is “to ensure businesses remain competitive in international trade through safeguards affordable by a just and equitable legal regulatory framework on data protection and which is in tune with best practices” (see reg. 1.1(d)). Hence, data controllers (the commercial banks in this context) are duty-bound to fulfill their numerous obligations under the regulation to achieve this objective. This article briefly examines Nigerian commercial banks’ obligation (as data controllers) to inform data subjects (customers/users) of the existence of automated decision making, especially the deployment of cash dispensing machines (automated teller machines (ATMs)), in the light of their empirical pro-active compliance or otherwise through the privacy notices/policies published on their respective websites.
2. What is automated decision making?
Academics and commentators are unsettled on the nature of automated decision-making as a data subject’s right or a data controller’s obligation/prohibition. This uncertainty is owed to the wording of the relevant legislation. For example, article 15(1) of the repealed EU Data Protection Directive 95/46/EC (DPP) created a right “not to be subjected to automated decision making” with exceptions, but the GDPR goes further to assign controllers a duty to inform data subjects of automated decision making concerning them (see article 13(2)(7)), in addition to a corresponding data subject’s right not to be subject to automated decision making (see art. 22(1) GDPR).
However, neither the NDPR nor the GDPR defines the term ‘automated decision making’, but the Article 29 Working Party defines it as ‘decisions based solely on automated processing where there is no human involvement’ (see A29 WP, Guidelines on Automated Individual Decision-Making and Profiling <https://ec.europa.eu/newsroom/article29/items/612053>). The UK Information Commissioner’s Office (ICO) also defines it as ‘the process of making a decision by automated means without any human involvement.’ The ICO further gives examples of automated decision making, including an online decision to award a loan or an aptitude test for recruitment which uses pre-programmed algorithms and criteria (see ICO, ‘Rights related to automated decision-making including profiling’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/>).
In the case of Nigerian banks, while this author is not aware of automated decision making for loans, it is undeniable that all the commercial banks deploy (directly or through processors) ATMs to dispense cash to their teeming customers/users by virtue of the CBN’s Standards and Guidelines on Automated Teller Machine (ATM) Operations in Nigeria.
3. Does the use of automated teller machines (ATM) constitute automated decision making?
The NDPR does not give any insight into what constitutes automated decision-making; however, clause 16 of its Implementation Framework 2020 allows resort to the GDPR in the event of a lacuna. Thus, from the provision of article 22(1) GDPR, for there to be automated decision-making, there must be: (a) a decision; (b) such decision must be made by automated means; and (c) the decision must have legal effect on the ‘data subject’ (see Christopher Kuner et al (eds), The European Data Protection Regulation (GDPR). A Commentary (Oxford University Press, 2020) 148).
The next question is: do ATMs make decisions? In this context, Dr. Michelle Finck, a Senior Research Fellow at Planck Institute for Innovation and Competition, Munich, argued that once the ATM’s activities lead to an outcome (payment of cash, or refusal where funds are insufficient) which could have been reached by a human decision process, then it is a decision within the context of automated decision-making (see Michelle Finck, ‘Smart contracts as a form of solely automated processing under the GDPR’ (2019) 9(2) International Data Privacy Law, 78, 83).
More so, when customers use the ATM, the machine displays the final decision on the screen, which could be ‘Take your cash’ or ‘Insufficient balance’ or ‘Temporarily unable dispense cash’. It is indubitable that any of these displays constitutes a decision in the context of banking services.
Having said that, it is beyond doubt that such automated decisions have legal effect, especially in the event of denial of access to funds. See the Court of Appeal decision in Guaranty Trust Bank v Motunrayo-Tolulope Aleogena (2019) LPELR-46922 (CA), where the legal effect of the use of debit cards by customers on banks’ ATMs and how the latter work were considered, and the court concluded that the refusal of ATMs to dispense cash where users’ accounts are duly funded constitutes breach of contract. See also the more recent decision in Moses Jwan v Ecobank (2021) 10 NWLR (Pt. 1785) 449, where the Court of Appeal ruled on the consequences for banks of decision-making by ATMs and held a bank liable for the failure of an ATM to pay a customer upon request.
4. Nigerian banks’ obligation to inform customers of automated decision-making.
The NDPR guarantees a few data subject’s rights, including the right to be informed of the existence of automated decision making, including profiling, and meaningful information about the logic and significance of the decision-making (see reg. 3.1(7)(l)). In a survey carried out by the Digital Rights Lawyers Initiative (DRLI) in July 2021, it was discovered that out of 22 commercial banks in Nigeria, only 4 of them have disclosed the use of automated decision making in their privacy notice/policy published on their websites, while the others surprisingly either blatantly stated that they do not engage in automated decision-making or omitted such disclosure.
This default constitutes interference with ATM users’ right to be so informed, as guaranteed by reg. 3.1(7)(l) NDPR, which expressly mandates data controllers to inform data subjects, prior to collection of their personal data, of the existence of automated decision making (or profiling). All commercial banks engage in mobile/internet banking and dispense cash with the use of ATMs, yet some of them have failed to make this proactive disclosure on such deployment, the logic of processing and the consequences for users.
Apart from the fact that this disclosure respects the data subject’s right to be informed, it is also a duty imposed on controllers under the NDPR to protect data subjects (ATM users) from the potentially detrimental impact of automation of bank payments by ATMs without human involvement, and to ensure that dynamics that might result in inaccuracies of such automated decisions are immediately checked and corrected, and that such repeated risks are minimized.
Financial services are now substantially automated, from account opening to mobile banking and, ultimately, cash dispensing through ATMs. It is this automated processing that imposes additional responsibilities on banks under the NDPR to inform their customers/users of the existence of such processing, its logic and its consequences, as part of the data subject’s right to be informed. Hopefully, the banks concerned will review their privacy notices (policies) by making NDPR-compliant disclosures on the use of automated decision-making procedures and respect data subjects’ rights to such information as guaranteed by the NDPR.