With the advent of the Nigerian Data Protection Regulation 2019, personal data and data privacy have become key issues in the digital economy. Though the regulation has been extant for over 2 years, there is a lack of knowledge on the part of most data subjects as to the extent of their data protection and what constitutes breach of data. While the NDPR has played a huge role in stimulating the digital economy, this has restricted the impact of the regulation.

In espousing its objective, the Nigerian Data Protection Regulation provides that it was made in recognition of the fact that many private and public bodies have migrated their respective businesses and other information systems online, and these information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches.[1] The principle guiding the NDPR also stipulates that personal data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject.

In recent times there has been a proliferation of digital retail lenders within the lending space in Nigeria, and this has helped to bridge the financial inclusion gap, as report from the Financial Inclusion Secretariat shows that formal sector credit penetration as a ratio of the adult population in Nigeria was below 5.3% in 2017[2].  The rise in digital lending can be linked to the widespread use of mobile phones, high demand for credit and a fragmented regulatory landscape for industry players. Traditionally banks have been averse to retail lending, because the risk appetite of banks do not extend to retail loans and also, the process of applying for a bank loan is rather complex, often involving lengthy paperwork and delays.

On the contrary, it is abstruse why banks/financial institutions that have held and processed data of customers for more than ‘10 years’ are unable to offer loan/overdraft facilities to such customers, based on the data they have alone, yet digital lending companies employ simpler processes and no paperwork to make this possible.

These companies are able to leverage payment data to determine lending risk more easily and utilize smartphones as a distribution channel. Some have gone ahead to leverage alternative credit-scoring algorithms to provide instant, unsecured, short-term loans to individuals. This sort of lending is attractive not only to existing customers, but also to first time borrowers who would otherwise be shut out due to lack of a credit history.

Consequently, the transfer of personal data and financial information through digital channels raises concerns of data privacy and there is strict responsibility on the part of digital lenders to process these data lawfully, as a result of the digital business model which they have adopted. It has become customary practice for some digital lending companies to use non financial data and mined phone data to engage in debt shaming of debtors/loanees by informing their family, friends and employers of the existing debt.

In a recent development, Sokoloan, a digital lending company was fined N10million by NITDA for alleged privacy invasion. Aside processing data of data subjects without their consent, NITDA further determined that the company embeds trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis. The company was said to be in violation of the following: Use of non-conforming privacy notice, contrary to Article 2.5 and 3.1(7) of the NDPR; Insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR; Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR and Non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR amongst others.[3]

In processing the personal data of a data subject, and by requesting access to the contacts of the loan customer, digital lenders also have access to the personal data of the ‘contacts’ of the customer. It is worthy of note that consent to process personal data of the customer cannot include consent to process personal data of another data subject which forms part of the data that was collected from the customer.

According to the NDPR, prior to collecting personal data from a data subject, the Controller shall provide the data subject – through a privacy policy – with the following information;

• Purpose of the processing for which the personal data are intended as well as the legal basis for processing
• Period for which personal data will be stored
• Existence of right of data subject to withdraw consent anytime
• Existence of the right to request access to, rectification or erasure of the personal data
• How the data will be processed
• Type of data collected etc

Therefore digital lenders are not at liberty to process data from a customer’s phone, unless they have informed the customer. Also lenders ought to specify all the data that they intend to collect and how they want to use it. The use should be in line with what is reasonably expected by the data subject. For instance, it is reasonable expected that a lender would obtain the customer’s name and phone number for purposes of records, and possibly collect data relating to call records, browsing history, phone model, GPS data and communication pattern for purpose of credit scoring. However it is unreasonable for a lender to obtain contacts of ‘data subjects’ from a customer’s phone for the purpose of calling them and engaging them to recover outstanding debts.

The NDPR defines personal data as any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or tone or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, email address, bank details, posts on social networking sites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.[4]

For data controllers/digital lenders, one way of complying with NDPR means sending an email to every single person in a customer’s contact list to either get consent for you to hold and process their data, and to explain how they exercise their rights under NDPR.

Furthermore, if a digital lender were found to be processing “personal data” belonging to a data subject on a loanee’s contact list (or any other person whose information is uploaded to their server through the action of another person) they would find it difficult to contend that the processing was lawful, because the activity doesn’t prima facie satisfy any of the criteria for lawfulness in Article 2.2 (a – e) of the NDPR.

It is interesting to note that the ‘loanee’s’ contact has not given consent for the lending app to process her personal data for any purpose. She has merely given the loanee consent to process her personal data to the extent that the loanee has stored it in his phone, but that consent presumably does not extend to the lending app uploading that data to its server and calling or texting such person when the loanee is in default.

In Kenya, the Data Protection Act is set to revolutionize digital lending privacy and put an end to debtor shaming and collection of data from undisclosed sources[5]. In essence, digital lending companies need to be aware of the far reaching implications of the provisions of the Nigerian Data Protection Regulation, while we await a substantive legislation for data protection. As data protection becomes more rooted in the fabric of the digital economy, there is bound to be a rise in reports and fines/awards against erring data controllers. Therefore digital lenders need to fully grasp compliance obligations under the NDPR including conducting regular data audits and appointing a DPCO, and come up with an appropriate compliance policy framework.

References

• [1] Preamble to Nigerian Data Protection Regulation 2019
• [2] https://www.cbn.gov.ng/Out/2018/CCD/FINANCIAL%20INCLUSION.PDF
• [3] https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/
• [4] Article 1.3 (xiv) Nigerian Data Protection Regulations 2019
• [5] https://www.mutie-advocates.com/how-the-data-protection-act-will-impact-digital-lending-in-kenya/

 A very simple logic: demand is high, why not work to provide more supply? That is business and economics 101. So, the postulation by John Mc Keown that Nigeria could go into microfabrication business to take advantage of the broad high prices of chips, while a good call at superficial level, will certainly struggle at a deeper level.

First, the condition precedent for Nigeria for a chip factory is not there. Yes, we cannot run a foundry with generators. Secondly, our universities are not there to produce the knowledge workforce to design chips and fabricate them. Thirdly, the comparative advantages are against Nigeria with silica, etc (be at least as good as TSMC to have opportunities in markets). You can add more challenges.

This is what Nigeria needs now in the semiconductor business: a clone of MOSIS. MOSIS is a service funded by the US military research unit which connects all universities and small chip design companies together, making it easier for people to create prototypes at largely zero cost. So, magically, a Stanford student can design a chip and send it to MOSIS and within 3 months will get five samples. Through MOSIS, the US government took out the burden of schools needing to build  $1 billion factories, and got them to focus on designs.

What is happening to GTBank (yes, GTCO)? It is losing steam across the board. Begin with the cost-to-income ratio which used to be industry leading at sub-40%. Now, it has jacked it up to 47% (I guess the holdco setup could have caused that). From gross earnings to profitability, Access and Zenith are there. Access is becoming a critical banking institution; look at the interest income.

There is a pattern I am seeing: improved marginal cost is a solid competitive advantage and being big will work for these relatively big and geographically positioned institutions, as the new era of African commerce begins. Nigerian banking will be totally different in 5 years.

Access and Zenith are on to something; GTBank has to watch itself well.

China goes to break Ant Group’s Alipay as the nation continues to push for new ordinance for digital firms: “The Financial Times reported Monday, citing sources, that Beijing is moving to break up Alipay, and create a separate app for the company’s highly profitable loans business.”

Africa: do not follow China. China is scoring an own-goal and over the next few years, if this trajectory is not reversed, will begin to fade. As I wrote in Harvard Business Review, China transformed its economy by becoming the manufacturing capital of the world. China, despite that success, is not yet a high-income country. Yes, despite its aggregate wealth, China remains a developing economy. China’s per capita income is around (nominal) $9,000 while the US hits $60,000. In short, Chile is better than China (Nigeria is about $2,000).

Few countries have moved into the high-income status and in all those countries, one thing has been a constant: democracy and free markets. Yes, even if you produce for the world, without a free market system for capital to organize other factors of production based on market forces, you will struggle to get there.

Fair rule, transparency, democratic systems, retrenchment of states for the flourishing of the private sector, predictable and fairly applied regulations, and cardinal rule of law,  are some of the factors that enable economic redesign, towards high-income status. From Japan to South Korea to Taiwan and to potential newcomers into the high-income countries, there was and will always be constant: what worked when you were poor to mid-income, will not work for you to move from mid-income to high-income. 

At a poor state level, you need the government to create order, but quickly the government must retrench for markets, to drive productivity and improve the efficiency of the utilization of factors of production. It is through productivity in an evidently complex national system that nations move to high-income level. In my study of economic systems, only markets have the ability to allocate the factors of production at this level! No politician has any chance. President Xi is not helping China unless he never wants the nation to move to high-income status.

Yes, China is blowing the playbook thinking that what worked from its poor state to mid-income will work for it to move to high-income. Simply, China is scoring own-goals and it would be lucky to stay in mid-income. It has no chance of transitioning into high-income unless the Xi nation changes course.

China Moves to Break Up Ant Group’s Alipay

China’s tech crackdown, which has eventually developed the “common prosperity” wing, is about to claim another victim.

The Financial Times reported Monday, citing sources, that Beijing is moving to break up Alipay, and create a separate app for the company’s highly profitable loans business.

The crackdown started with focus on the fintech industry, with Beijing aiming to curtail the extravagance of the industry players who had enjoyed uncommon freedom under President Xi’s leadership. The Ant Group, whose halted IPO was gearing up to be the largest in history, with $37 billion raised for a post-IPO valuation of $300 billion, was the starting point of what has now escalated to other sectors, including edtech and ride-hailing.

The report said that Chinese regulators have already ordered Ant to separate the back end of its two lending businesses, Huabei, which is similar to a traditional credit card, and Jiebei, which makes small unsecured loans, from the rest of its financial offerings and bring in outside shareholders.

“The government believes big tech’s monopoly power comes from their control of data,” said one person close to financial regulators in Beijing. “It wants to end that.”

Alipay has more than one billion users whose data have been collected by the payment service. With the crackdown shifting focus on how the tech firms manage private data, Beijing looks to be moving to break up companies in possession of millions of users’ data.

The report said officials now want the two businesses to be split into an independent app as well. The plan would also require Ant to turn over the user data that underpins its lending decisions to a new credit scoring joint-venture which would be partly state-owned, according to two people familiar with the process.

Under the new rules, the companies affected will no longer be at the helm of decision making, as the responsibility will be shared by stakeholders appointed by the government.

Per FT, Ant has been struggling with regulators for control of the new joint venture, but a compromise was reached under which state-owned companies in its home province, including the Zhejiang Tourism Investment Group, would hold a majority stake.

The people said pushing for local state-owned groups to become Ant’s new partners was a favor from the provincial government.

“Given the mutual trust between Ant and Zhejiang, the fintech group will have a big say on how the new JV (joint venture) operates,” said a former official at the People’s Bank of China. “But the new set-up will also make sure that Ant listens to the party when it comes to critical decision-making.”

Ant is believed to have the upper hand in decision making because its partner doesn’t know a thing about fintech.

According to the report, a person close to Ant said that for the time being Ma’s team would be at the helm of the new venture. “What does Zhejiang Tourism Investment Group know about credit scoring — nothing,” the person said, while noting Ant executives were still concerned they could lose control in the future.

This whirlwind of misfortune is the latest major blow to Ant since its IPO was halted late last year. Watching its shares divided among government appointed stakeholders and having a little say in decision making was not the future the company foresaw.

In an earlier report, Reuters had revealed the make-up of the joint venture, reporting that Ant and Zhejiang Tourism Group would each take 35 percent stakes with other state-owned and private partners allocated smaller shares.

Financial Times reported that the new venture will apply for a consumer credit scoring license, which Ant has long coveted. China’s central bank has issued only three licenses — all to state-run operations — preventing Ant from fully monetizing the vast reams of data it has collected on Chinese citizens, the report said.

Credit scoring companies have now become part of lending business in China under the new rules. This means, apart from Ant, other lending companies will go through the third party credit scoring process to have their customers loans approved. This summer the central bank told industry players that lending decisions must be made based on data from an approved credit scoring company rather than proprietary data, one of the people said.

Per FT, this means that a future Alipay user in need of credit would see their request first routed to the new joint venture credit scoring company where their credit profile is held and then on to the new Huabei and Jiebei lending app to issue the credit.

The new rules, among other things, will hamper the swiftness with which Alipay executes transactions due to the creditworthiness process that is entirely integrated within Alipay. Ant said it made “credit decisions within seconds” in its prospectus for its suspended IPO. But there is more, Ant’s value will suffer long term consequences emanating from these changes.