- Only the law will decide once the law is put to test – Lawyer
The Central Bank of Nigeria (CBN) will not assume responsibility or incur liability for any data breach that may happen in the course of using the eNaira by any customer.
While the financial regulator assured that it has the right technology and operational procedures in place to safeguard against data breaches or abuses, it states that |the CBN accepts no responsibility or liability whatsoever with regard to the material on this website” potentially inciting debate as to the limit of application of the Nigerian Data Protection Regulation (NDPR), the main data protection regulation in Nigeria.
The NDPR was issued by the National Information Technology Development Agency (NITDA) in January 2019 pursuant to Section 6 (a,c) of the NITDA Act 2007.
The Regulation is aimed at protecting the right to privacy, creating the right environment for job creation, improving information management practices in Nigeria and digital transactions , which covers eNaira operation by the CBN.
“The NDPR is currently Nigeria’s singular most comprehensive body of rules that govern data privacy and protection, albeit a subsidiary legislation birthed through powers granted under the NITDA Act,” notes Uche Val Obi (Alliance Law Firm, Nigeria).
Obi adds: NDPR represents the most significant sector-specific law regulating data in Nigeria and is clearly more comprehensive than the NITDA Guidelines.”
In its ‘Frequently Asked Question’ section, the financial regulator states: “Yes. Similar to the privacy enjoyed by current online banking patrons, the eNaira system has been designed to ensure data and user privacy. There are also operational policies and procedures in place to protect users’ identity and privacy.”
But it then states under its ‘Terms of Service’ that:
“The CBN is committed to observing high standards of information security. While we use reasonable physical, electronic and procedural safeguards to protect your personal information from loss, misuse, unauthorised access or disclosure, alteration and destruction, please be advised that we do not accept responsibility for the security of any data transmitted over the eNaira website or information stored, posted or provided directly to a third party website, which is governed by that third party’s policies.”
It further states: “The CBN maintains this website to enhance public access to information about eNaira by providing timely and accurate information. However, the CBN accepts no responsibility or liability whatsoever with regard to the material on this website. All the materials on eNaira’s Website are provided “as is”.
“CBN makes no warranties, be it expressed or implied. Furthermore, CBN does not make any representations concerning the accuracy or reliability of the use of the materials on its website or otherwise relating to such materials or any sites linked to this Website. CBN or its service providers will not be held accountable for any damages that arises with the use or inability to use the materials on eNaira’s Website, even if CBN or its authorized representative has been notified, orally or in writing, of the possibility of such damage.”
Put the law to test
An Abuja based legal expert argued that only a competent law court can either validate or invalidate the CBN’s position if a customer with reasons to believe that his data privacy has been breached and decides to put the law to test.
NITDA has recently imposed sanctions on erring organizations who failed to meet the NDPR benchmarks on data protection. The regulator imposed a five million naira fine on Electronic Settlement Limited (ESL) among other sanctions for breach of personal data by the fintech company to signal its increasing zero tolerance for data protection breaches as defined under the NDPR.