The Nigeria Data Protection Commission (NDPC) has imposed a fine of ₦555.8 million ($353,254) on Fidelity Bank Plc for alleged violations of the Nigeria Data Protection Act, 2023.
The fine, announced in a press release by the NDPC, comes after investigations into the bank’s data processing practices.
However, Fidelity Bank has denied any wrongdoing and is contesting the penalty.
According to the NDPC, the investigation was triggered by a complaint lodged in April 2023 by an individual who claimed that their personal data was unlawfully collected by Fidelity Bank to open an account.
The Commission found that in certain critical cases, Fidelity Bank was processing personal data without the informed consent of data subjects.
Additionally, the NDPC alleges that the bank’s banking apps were using cookies and other data processing tools without proper user consent, in violation of the Nigeria Data Protection Act.
While cookies are typically used for authentication and session management, they can also track user behaviour, such as feature usage within an app and they raise significant privacy concerns.
It’s standard practice for organisations to prompt users about cookie usage and obtain consent, which the NDPC claims Fidelity Bank failed to do.
The NDPC also claims that Fidelity Bank relied on some non-compliant third-party data processors, which could compromise the personal data of individuals.
The Commission stated that it had given the bank several opportunities for full accountability over the past year, including warnings and chances to provide satisfactory remedial plans.
However, Fidelity Bank presents a different narrative.
In a statement, the bank denied any data breach, asserting that an internal investigation showed no evidence of wrongdoing.
The bank explained:
“An account opening request was received online, but the account was not operational due to incomplete documentation.”
They further stated, “In compliance with our Data Protection policy, accounts created online without full documentation are not allowed to be operational and are closed after 30 days if the outstanding documents are not provided to authenticate the identity of the person seeking to open the account.”
Fidelity Bank insists it took appropriate action:
“The account was immediately placed on ‘Post No Debit’ status as the applicant was expected to complete the account opening process by providing the outstanding documents for verification within 30 days. This was not done, and the account was eventually closed.”
The bank firmly denies any wrongdoing, stating, “On May 2nd, 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed.
On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.”
Fidelity Bank also disputes the fine amount, stating that the NDPC had initially demanded a remedial fee of ₦250 million ($158,894) on December 5, 2023.
The bank says it challenged this decision, insisting it had not violated any laws. Despite ongoing negotiations, the NDPC increased the fine to ₦555.8 million on August 20.
The case highlights the growing importance of data protection in Nigeria’s financial sector.
The Nigeria Data Protection Act allows the NDPC to impose fines of up to 2% of an organization’s annual gross revenue from the preceding financial year for non-compliance.
At 0.1% of Fidelity Bank’s revenue, the current fine falls within these limits.
It is worth noting that the scope of the NDPA allows anyone to report a data controller to the commission, potentially prompting an investigation into data processing practices.
The fine imposed on Fidelity Bank surpasses the previous ₦400 million penalty levied against seven companies for similar offences, marking one of the highest penalties under the NDPA Act to date.
As Fidelity Bank disputes the charges and challenges the fine, the case could set a significant precedent in how data protection laws are enforced and interpreted in Nigeria
