NDPC investigates Optasia’s data policies over privacy concerns

Joy Agwunobi

The Nigeria Data Protection Commission (NDPC) has launched a full-scale investigation into the data processing practices of Optasia, which operates in Nigeria as Nairtime Nigeria Ltd.

The probe comes after concerns over potential non-compliance with Nigerian data protection regulations were flagged during routine oversight of major data controllers and processors in the country.

Optasia, a financial technology company  that uses artificial intelligence (AI) to provide financial services to underserved markets, was founded by Bassim Haidar, a Nigerian-born Lebanese entrepreneur. The company, which focuses on mobile financial services and fintech solutions, has operational footprints in Nigeria, South Africa, and the United Arab Emirates (UAE).

Vincent Olatunji, the National Commissioner and CEO of the NDPC, ordered the investigation following the discovery of patterns of suspected non-compliant data processing by Optasia.

According to Olatunji, the NDPC’s decision to investigate was triggered by “a pattern of suspected non-compliant data processing” uncovered during the Commission’s routine regulatory oversight activities.

In a statement signed by Babatunde Bamigboye, Head,  Legal, Enforcement & Regulations at the NDPC, the Commission expressed concern about the use of invasive technologies by Optasia to process personal data for purposes such as marketing and credit scoring.

The statement read, “The Commission notes with grave concern that Optasia deploys privacy-invading technologies to process personal data for the purposes of marketing, credit scoring, and other financial solutions in the country.”

The investigation will scrutinise how Optasia and similar companies handle sensitive personal data, particularly focusing on financial institutions, telecommunications companies, and insurance firms that process citizens’ data for credit scoring and other purposes, emphasising the need for accountability among these data processors.

The NDPC further urged all data controllers and processors of significant importance, who rely on third parties to handle personal data, and ensure that those third-party entities are registered with the commission.

The statement stressed that this step is essential to protect Nigeria’s data sovereignty and strengthen the country’s data security framework.

“Data controllers and data processors must ensure that any third parties involved in processing Nigerian citizens’ personal data are duly registered with the Commission. This measure will ensure accountability, strengthen data security architecture, and protect Nigeria’s data sovereignty,” the NDPC stated.