Re: The CBN Directive to Nigerian Banks on the Publication of the List of Delinquent Debtors in the Dailies: Some Data Privacy Ramifications

Nigerian banks are entering a phase of increased regulatory supervision from both banking and non-banking regulators. In particular regard to data privacy compliance, commercial banks in Nigeria may be exposed to an additional layer of legal liability under the Nigerian Data Privacy Regulations (the “NDPR”), if they continue to comply with the directive from the Central Bank of Nigeria (CBN) to publish the names of delinquent borrowers in the newspapers.

In 2015, the CBN issued a directive to all banks and discount Houses (Banks) in Nigeria asking Banks to (a) give the delinquent debtors 3 (three) months of grace to turn their accounts from non-performing to performing status (b) publish the list of delinquent debtors that remain non-performing in at least three national daily newspapers quarterly (the Directive). According to the Directive, the delinquent debtors are customers whose accounts have been classified as lost and include related persons, entities, directors, subsidiaries, and other related parties. Nigerian Banks continue to publish the names of delinquent borrowers in newspapers, in compliance with the Directive. Recently, Access Bank issued a notice here to its customers notifying delinquent debtors of the Bank’s decision to “publish our debtors' names in newspapers in two weeks”.

Our view is that Banks and the CBN may be exposed to a claim for breach of personal data privacy and for monetary damages within the context of the NDPR. Here are some of the legal considerations[1]

1. Although a company’s legal name does not constitute personal data under the NDPR, certain other debtor information, publicly revealed by Banks, constitutes personal data under the NDPR. Some of these include names, location data, IP addresses, phone numbers, addresses, photographs, emails, and bank details of individual promoters, directors, guarantors, or other obligors (Individual Obligors/Obligor) of such delinquent entities. Additionally, the fact of indebtedness or the very existence of a debt constitutes credit information and is a form of economic identity and, by that measure,e will qualify as personal data under the NDPR.  

2. The act of disclosure or dissemination of the personal data collected by a Bank during a loan application/credit evaluation process, to a newspaper/media organization for publication, qualifies as a processing activity as per the statutory definition of “processing” under the NDPR.  

3. Based on 1 and 2 above, a Bank will generally stand in the position of a data controller in relation to the personal data of Obligors to the extent that an Individual Obligor is a natural person.  

4. In order to process the information of an Individual Obligor in the manner contemplated by the Directive (i.e., publication of a debtor's list in newspapers), a Bank needs to discover the lawful basis for such processing activity as per the provisions of the NDPR. That lawful basis could be “consent,” as would be the case where the Bank inserts data sharing consent clauses in a commitment or offer letter authorizing the Bank to make such third-party disclosures in specific circumstances.

5. Using consent in this instance is fraught with some challenges. We discuss some below:

(a) The insertion of data sharing consent clauses in commitment/offer letters is a relatively recent development in the standard debt financing documentation adapted by Banks, meaning that a Bank may be unable to claim the benefit of this clause in respect of some Individual Obligors, whose financing or security agreements did not bear those clauses.

(b) The model data sharing consent clauses in standard commitment/offer letters usually allow the Bank to share credit information only with licensed credit bureaus or with regulators and not in newspapers or on social media.

(c) It is unusual for an Individual Obligor to consent to a publication of his/her name in the newspapers as a debt recovery mechanism. Even if this were possible, such consent could be vitiated as per the provisions of the NDPR. It’s important to note that the NDPR (as is the case with global data privacy regulations) sets a high standard for “consent” when used as a proxy for lawful basis. In order to justify processing based on “consent”, a Bank would have to, amongst others, show that any such “consent” was expressly given in the form of a clear and specific statement of consent; further that the consent was obtained without fraud, coercion, or undue influence. An Individual Obligor may be able to make a case of duress if made to agree to an unbalanced data sharing clause.

(d) Data sharing consent clauses are usually contained in offer letters and hardly in other standard financing or security agreements. In many cases, Individual Obligors who sign guarantee or indemnity agreements are not within the contemplation of the data consent sharing clauses contained in financing documents. The standard form of the security or indemnity agreements adapted by Banks does not typically contain these clauses.

6. Another option open to a Bank would be to rely on legitimate interest as a lawful basis for complying with the Directive. The doctrine of legitimate interest effectively allows data controllers (the Bank, in this case) to process personal data without the necessity of the consent of a data subject (an Individual Obligor, in this case), where such processing is necessary to protect the personal interest of a Data Controller or that of a third party. Such personal interest can broadly include commercial interests of the Bank or other broader societal interests. However, we note with some concern that there is no categorical provision in the NDPR that identifies legitimate interest as a lawful basis for processing personal data under the NDPR. This means that technically, Banks may not be able to rely on legitimate interest as a lawful basis for processing debtor information in the manner contemplated by the Directive.

7. A Bank may also consider relying on legal obligation as a basis for processing debtor information in the manner contemplated by the Directive. This principle allows the Bank to process personal data without the necessity of the consent of an Individual Obligor, where such processing is necessary to comply with a legal obligation. To the extent that the publication of an Obligor’s personal information in the newspaper is in furtherance of a directive from the CBN, a Bank may seek to rely on “legal obligation” as a lawful basis.

Although relying on legal obligation may appear to be a more convincing “lawful basis”, the important point to note is that the determination of the lawful basis of an intended or an actual processing activity requires critical thought, as there may be different considerations for different categories of data, for the same processing activity, and in the same data controller organization.

There could also be other legal considerations that go to the root of data privacy activities carried out by regulated entities. For instance, in this case, the author of the Directive, the CBN, is itself subject to the NDPR and to regulatory supervision by NITDA on data privacy issues. On that basis, the legality of the Directive can be challenged with a reasonable prospect of success. In that event, public interest, a legal doctrine also recognized as a lawful basis for processing an Obligor’s personal data in the absence of consent, will likely determine where legal liability rests as well as the provisions of the CBN Act and BOFIA[2]. The CBN may have to demonstrate that the publication of the personal data of the Individual Obligor serves a public interest, notwithstanding the fact that the Banks have the benefit of security.

Third Party Liabilities?

Yes. Newspapers or other media organizations that publish the personal data of Individual Obligors may also be exposed to legal liability under the NDPR by publishing the personal data of Individual Obligors. It’s particularly important to note that the NDPR does not provide a specific journalistic exemption for media publishers and their journalist employees. The practical implication of this exclusion is that media organizations may not be able to rely successfully on the premise that any such publication was done in the "public interest or in the exercise of press freedom rights, when faced with a legal action from Nigerian claimants who claim that their personal rights have been infringed by a media company or journalist.

In closing

The resolution of some of these issues is not possible without definite administrative guidance from NITDA or a judicial determination on the merits. It is particularly important to note that there may also be constitutional law implications. The NDPR specifically made provisions mandating the interpretation of the NDPR in accordance with constitutionally guaranteed principles and the enforcement of fundamental rights.

This is significant for Banks and other data controllers for two primary reasons: Firstly, this provision effectively changes the character of a data privacy claim and subjects defendants in a data privacy litigation matter to a higher legal standard in the form of a constitutional obligation.

In a sense, the provision provides Nigerian courts with a new canvas for analyzing privacy rights as relates to the use and collection of personal data by corporate entities. Secondly, Nigerian courts take fundamental human rights issues very seriously and treat those issues speedily based on special enforcement procedures and evidence rules. In practice, a great majority of fundamental human rights breach cases succeed in Nigerian courts. It helps to contemplate and resolve these issues early on.

How We Would Help

[1] For additional analysis, please reach out to your Balogun Harold contact or via support@balogunharold.com  

[2] The CBN Act and the BOFIA are the primary legislation governing the operations of Nigeria’s Central Banker