July 25, 2023
The Central Bank of Nigeria (“CBN”) is the apex bank in Nigeria and the primary regulator for the Financial Services Industry in Nigeria, particularly for banks and other financial institutions. In this regard, the CBN has powers to regulate banks and other financial institutions in the prevention and control of Money Laundering and Financing of Terrorism through the issuance of subsidiary legislation in respect of Anti-Money Laundering, Combating of Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction (“AML/CFT/CPF”).
The Banks and Other Financial Institutions Act 2020 empowers the Governor of the CBN to issue regulations, guidelines and policies to fight money laundering and combat financing of terrorism. In line with these powers, on 20 June 2023, the CBN published the Central Bank of Nigeria (Customer Due Diligence) Regulations, 2023 (the “Regulation”).
The Regulation, amongst other things, seeks to assist banks and other financial institutions with the implementation of, and compliance with, the existing AML/CFT/CPF standards. It also has prescriptions on Customer Due Diligence (“CDD”). The Regulation introduced a provision on mandatory submission of social media handles by bank customers as a Know Your Customer (“KYC”) requirement. This inclusion has turned out to be controversial and has attracted considerable debate, pushback and commentary. The new CDD requirement directs all financial institutions to obtain and verify new and existing customers’ social media handles. This has raised issues around the powers of the CBN and the CBN Governor, the constitutionality of the Regulation, and the compatibility of the Regulation with the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation 2019.
Whilst it is not in doubt that the aim of the Regulation is to strengthen and enhance the existing AML/CFT/CPF standards and controls within financial institutions, the CBN’s new CDD requirement issued to financial institutions has received pushback from key stakeholders such as the National Assembly and the Nigeria Data Protection Commission (“NDPC” or “Commission”). Some of these stakeholders have criticized the Regulation as being “unnecessary” and “arbitrarily restricting the rights to freedom of expression and privacy” in contravention of the fundamental human right to privacy guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as altered). It has also been stated repeatedly that the Regulation offends the principle of minimal data collection (“Data Minimization”) enshrined under extant data protection laws in Nigeria.
The aim of this article is to examine the right to privacy guaranteed in the Constitution, along with the prescriptions in other privacy legislation. It will also analyze the legal basis for processing data by controllers in the financial services industry, within the context of processing social media personal data, and review the practice in other jurisdictions. Thereafter, it will state our position on the legality of the new Regulation within the context of the privacy regime in Nigeria.
The Constitutional and Statutory Right to Privacy and the Legal Basis for Processing Data in Nigeria
Section 37 of the Nigerian Constitution provides for the right to privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. This means that the right to privacy is an overriding right that can only be derogated from on the basis of clear prescriptions and exemptions provided in the same Constitution.
One such constitutional exemption is Section 45 of the Constitution, which provides that the right to privacy can be overridden if the statute overriding or limiting it can be reasonably justified in a democratic society and is enacted in the interest of defence, public safety, public order, public morality or public health, or for the protection of the rights and freedoms of other persons.
In the exercise of his constitutional powers, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Act (“NDPA” or “Act”) on 12th June, 2023. The NDPA, like its predecessor, the Nigeria Data Protection Regulation 2019 (“NDPR”), guarantees and protects the right to privacy in Nigeria and provides details on what privacy rights entail, including their scope, limitation, application, technicalities, etc.
One innovation of the NDPA and the NDPR, like other global privacy laws, is the introduction of the concept of legal basis for processing data. This means that before a data controller or processor can process the data of any individual, they must identify one or more bases for their collection and processing of that data. Failure to support data processing activities with a legal basis is automatically an infraction of the privacy law and individual privacy right of the data subject. The applicable legal bases are as follows: