On CBN’s directive to publish delinquent bank debtors – some data privacy ramifications
Nigerian banks are entering a phase of increased regulatory supervision from both banking and non-banking regulators. With particular regard to data privacy compliance, commercial banks in Nigeria may be exposed to an additional layer of legal liability under the Nigerian Data Privacy Regulations (the NDPR) if they continue to comply with the directive from the Central Bank of Nigeria (CBN) to publish the names of delinquent borrowers in the newspapers.
In 2015, the CBN issued a directive to all banks and discount houses (Banks) in Nigeria asking banks to (a) give delinquent debtors 3 (three) months of grace to turn their accounts from non-performing to performing status, and (b) publish the list of delinquent debtors that remain non-performing in at least three national daily newspapers quarterly (the Directive). According to the Directive, the delinquent debtors are customers whose accounts have been classified as lost, and include related persons, entities, directors, subsidiaries and other related parties. Nigerian banks continue to publish the names of delinquent borrowers in newspapers, in compliance with the Directive. Recently, Access Bank issued a notice to its customers notifying delinquent debtors of the bank’s decision to “publish our debtors’ names in newspapers in two weeks”.
Our considered view is that banks and the CBN may be exposed to a claim for breach of personal data privacy and for monetary damages within the context of the NDPR. Here are some of the legal considerations.
Although a company’s legal name does not constitute personal data under the NDPR, certain other debtor information publicly revealed by banks does constitute personal data under the NDPR. This includes names, location data, I.P. addresses, phone numbers, addresses, photographs, emails and bank details of individual promoters, directors, guarantors, or other obligors (Individual Obligors/Obligor) of such delinquent entities. Additionally, the fact of indebtedness, or the very existence of a debt, constitutes credit information and is a form of economic identity, and by that measure will qualify as personal data under the NDPR.
The act of disclosure or dissemination of the personal data collected by a bank during a loan application or credit evaluation process, to a newspaper/media organisation for publication, qualifies as processing activity as per the statutory definition of “processing” under the NDPR.
Based on 1 and 2 above, a bank will generally stand in the position of a data controller in relation to the personal data of Obligors to the extent that an Individual Obligor is a natural person.
In order to process the information of Individual Obligors in the manner contemplated by the Directive (i.e. publication of a debtors’ list in newspapers), a bank needs to discover the lawful basis for such processing activity as per the provisions of the NDPR. That lawful basis could be “consent” as would be the case where the bank inserts data sharing consent clauses in a commitment or offer letter authorising the bank to make such third-party disclosures in specific circumstances.
Using consent in this instance is fraught with some challenges. We discuss some below:
The insertion of data sharing consent clauses in commitment/offer letters is a relatively recent development in the standard debt financing documentation adapted by banks, meaning that a bank may be unable to claim the benefit of this clause in respect of some Individual Obligors whose financing or security agreements did not bear those clauses.
The model data sharing consent clauses in standard commitment/offer letters usually allow the bank to share credit information only with licensed credit bureaus or with regulators, and not in newspapers or on social media.
It is unusual for an Individual Obligor to consent to a publication of his/her name in the newspapers as a debt recovery mechanism. Even if this were possible, such consent could be vitiated as per the provisions of the NDPR. It’s important to note that the NDPR (as is the case with global data privacy regulations) sets a high standard for “consent” when used as a proxy for lawful basis. In order to justify processing based on “consent”, a bank would have to, amongst others, show that any such “consent” was expressly given in the form of a clear and specific statement of consent, and further that the consent was obtained without fraud, coercion or undue influence. An Individual Obligor may be able to make a case of duress if made to agree to an unbalanced data sharing clause.
Data sharing consent clauses are usually contained in offer letters and hardly in other standard financing or security agreements. In many cases, Individual Obligors who sign guarantee or indemnity agreements are not within the contemplation of the data sharing consent clauses contained in financing documents. The standard forms of the security or indemnity agreements adapted by banks do not typically contain these clauses.
Another option open to a bank would be to rely on legitimate interest as a lawful basis for complying with the Directive. The doctrine of legitimate interest effectively allows data controllers (the bank, in this case) to process personal data without the necessity of the consent of a data subject (an Individual Obligor, in this case), where such processing is necessary to protect the personal interest of a data controller or that of a third party. Such personal interest can broadly include commercial interests of the bank or other broader societal interests. However, we note with some concern that there is no categorical provision in the NDPR which identifies legitimate interest as a lawful basis for processing personal data. This means that technically, banks may not be able to rely on legitimate interest as a lawful basis for processing debtor information in the manner contemplated by the Directive.
A bank may also consider relying on legal obligation as a basis for processing debtor information in the manner contemplated by the Directive. This principle allows the bank to process personal data without the necessity of the consent of an Individual Obligor, where such processing is necessary to comply with a legal obligation. To the extent that the publication of an Obligor’s personal information in the newspaper is in furtherance of a directive from the CBN, a bank may seek to rely on “legal obligation” as a lawful basis.
Although relying on legal obligation may appear to be a more convincing “lawful basis”, the important point to note is that the determination of the lawful basis of an intended or an actual processing activity, requires critical thought as there may be different considerations for different categories of data, for the same processing activity and in the same data controller organisation. There could also be other legal considerations that go to the root of data privacy activities carried out by regulated entities.
For instance, in this case, the author of the Directive, the CBN, is itself subject to the NDPR and to regulatory supervision by NITDA on data privacy issues. On that basis, the legality of the Directive can be challenged with a reasonable prospect of success. In that event, public interest, a legal doctrine also recognized as a lawful basis for processing an Obligor’s personal data in the absence of consent, will likely determine where legal liability rests, as will the provisions of the CBN Act and BOFIA. The CBN may have to demonstrate that the publication of the personal data of Individual Obligors serves a public interest, notwithstanding the fact that the banks have the benefit of security.
Third party liabilities?
Yes. Newspapers or other media organisations who publish the personal data of Individual Obligors may also be exposed to legal liability under the NDPR. It’s particularly important to note that the NDPR does not provide a specific journalistic exemption for media publishers and their journalist employees. The practical implication of this exclusion is that media organisations may not be able to rely successfully on the premise that such publication was done in the “public interest” or in the exercise of press freedom, when faced with a legal action from Nigerian claimants who claim that their personal rights have been infringed by a media company or journalist.
The resolution of some of these issues is not possible without definite administrative guidance from NITDA or a judicial determination on the merits. It is particularly important to note that there may also be constitutional law implications. The NDPR specifically made provisions mandating the interpretation of the NDPR in accordance with constitutionally guaranteed principles and enforcement of fundamental rights. This is significant for banks and other data controllers for two primary reasons. Firstly, this provision effectively changes the character of a data privacy claim and subjects defendants in a data privacy litigation matter to a higher legal standard in the form of a constitutional obligation. In a sense, it provides Nigerian courts with a new canvas for analysing privacy rights as they relate to the use and collection of personal data by corporate entities. Secondly, Nigerian courts take fundamental human rights issues very seriously and treat those issues speedily based on special enforcement procedure and evidence rules. In practice, a great majority of fundamental human right breach cases succeed in Nigerian courts.
It helps to contemplate and resolve these issues early on.