Nigeria’s data privacy authority has fined Fidelity Bank $358,580 for violating the country’s data protection laws. The fine, amounting to 0.1% of the bank’s 2023 revenue, is the largest ever imposed by the Nigeria Data Protection Commission (NDPC) for data breaches. This decision has sparked a dispute, with Fidelity Bank challenging the commission’s findings and the hefty penalty.
The NDPC’s investigation into Fidelity Bank began in April 2023 following a complaint from a customer. The customer alleged that the bank had illegally collected personal data to open an account without proper consent. After thorough scrutiny, the NDPC concluded that Fidelity Bank had indeed breached data protection laws. The commission ordered the mid-tier lender to pay 555,800,000 naira, equivalent to $358,580, within fourteen days.
The NDPC’s findings revealed that Fidelity Bank had processed personal data without obtaining the informed consent of the affected individuals. This is a critical violation under Nigerian data protection regulations, which require clear and explicit consent from data subjects before collecting or processing their information. The commission identified several instances where the bank’s practices fell short of these legal requirements, leading to the imposition of the substantial fine.
Despite the NDPC’s findings, Fidelity Bank has denied any wrongdoing. In a statement issued on Thursday, the bank asserted that there was no actual data breach, as the account opening process for the customer in question was never completed. The bank emphasized its commitment to compliance with data protection laws and expressed its intent to resolve the matter amicably with the NDPC. “As a bank, we remain in discussions with the NDPC over an amicable resolution to this matter,” Fidelity’s statement read, indicating the ongoing negotiations between the two parties.
The NDPC, however, has maintained its stance, highlighting the importance of strict adherence to data privacy regulations. In its review of Fidelity Bank’s data processing practices, the commission uncovered multiple violations beyond the specific complaint. These included the use of cookies and banking applications without adequate disclosure or consent from users. The NDPC pointed out that such practices are not only unlawful but also compromise the privacy and security of personal data, which are fundamental rights under Nigeria’s data protection framework.