NDPC Warns CBN Moves on Getting Social Media Handles of Customer as Illegal

The Nigeria Data Protection Commission (NDPC) on Thursday stated that the Central Bank of Nigeria's (CBN) new demand to banks to collect the social media handles of their customers as part of increased Customer Due Diligence (CDD) rules is unlawful.

The commission stated that it's already working with the apex bank on the matter since there are basic procedures that must be followed while collecting data from individuals.

This was made known by the National Commissioner of the NDPC, Dr. Vincent Olatunji, according to a statement published by the commission's Head of Media, Mr. Itunu Dosekun, on Thursday in Abuja.

Olatunji stated that before the introduction of the Nigerian Data Protection Act (NDPA) on June 12, unregulated data gathering by Data Controller Organisations was not taken carefully.

The guidelines for the processing of personal data include that it must be done in a fair, lawful, and honest manner, that it is strictly limited to the minimum necessary for the purpose for which it is collected— it also states that it is not kept for a longer duration than needed. These were major highlights of the bill, which was signed by President Tinubu.

He also highlighted that there are necessary procedures that every Data Controller must follow before obtaining data from individuals and that any organization that fails to do so is breaking the law and risking being punished.

The NDPC report partly reads, 

• “There are provisions in the law to go against any data controller be it private or government office, NGOs, hotels, because we are pro-citizens.

•     “The whole idea of this law is to protect the rights, the interests of Nigerians who are data subjects.

•     “We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data.

•     “There is data minimization, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose is it for.’’

Olatunji stated that it is not required to get social media handles from bank customers. He also mentioned that if the collecting of social media handles is to protect the public interest, which may entail monitoring some transactions, customers should be updated. Olatunji stated that they will investigate why the CDD regulation was set up and the best way to handle it to comply with global best practices.