Dr. Vincent Olatunji, the National Commissioner of the Nigeria Data Protection Bureau, has announced that the Commission will take legal action against the Chief Executive Officers (CEOs) of government agencies responsible for data breaches.
Speaking at a press conference in Abuja on Monday, Dr. Olatunji shed light on the Nigeria Data Protection Law 2023 and expressed concern over the low level of data compliance among government agencies.
Compliance rates have only increased from four percent to nine percent following training sessions, awareness campaigns, and issuing a circular last year.
Dr. Olatunji emphasized that while private organizations can be fined for data breaches, it becomes problematic when a government agency is fined because it essentially means the government is penalizing itself. Instead of imposing fines, the agency’s CEO will be subject to prosecution for the breach.
He stated, “According to the current law if we want to fine a government organization, it means using government funds to penalize the government.
Therefore, we are proposing the prosecution of the CEO, as stipulated in the law. So, if you are a CEO and claim to be a government official, you cannot escape responsibility. In the event of a data breach, the CEO will be prosecuted, not the government.”
Dr. Olatunji also mentioned plans to conduct training programs to promote awareness and compliance in both the private and public sectors.
Regarding ongoing investigations, the NDPC boss revealed that over 100 organizations, mainly lending platforms, are being scrutinized. Sanctions have been imposed on some organizations, although their names were not disclosed.
Dr. Olatunji stated, “Since our inception, we have investigated over 100 organizations, primarily lending apps. We have taken serious action against them.
We have issued fines to Sokoloan, a significant player in this sector, and we are in discussions with them. We have also investigated seven banks. Some cases are ongoing, while we have concluded some investigations and issued sanctions to those found guilty.”
Regarding the fines imposed for breaches, Dr. Olatunji clarified that although the law stipulates that organizations found guilty should pay two percent of their gross earnings, the Commission considers the extent of the damage and the impact on data subjects when determining the fines.
He explained, “According to the law, they should pay two percent of their gross earnings, but considering the state of our economy in Nigeria and our focus on improving the ease of doing business, imposing such fines would lead to severe consequences for some organizations.
They have confessed that imposing such fines would result in the dismissal of several top-level management staff. Therefore, we consider the breach’s impact on the data subjects before determining the appropriate penalties.”
Dr. Olatunji also revealed that the Commission had generated over N200 million through licenses and breaches, with more than N50 million derived solely from data breaches.
“We have raised over N50 million from breaches alone. Since our establishment, even without a law, we have generated over N200 million for the government through licenses and other means,” he concluded.