Ivory Coast, like many countries in Africa, is facing rapid technological change and the growing use of mobile applications for financial services. These mobile applications play an important role in financial inclusion in Ivory Coast. Services such as mobile payments, money transfers and mobile banking are becoming increasingly popular, giving unbanked citizens access to financial services.
However, this development is not without risks relating to the protection of Ivorian citizens’ personal data. Companies operating in the financial sector, given the highly confidential nature of the information they handle, particularly financial data, should be aware of these risks. Unfortunately, in practice, this is not always the case.
By way of concrete illustration, this article refers to the formal notices issued on 8 August 2023 by the Ivory Coast personal data protection authority (ARTCI) against some of these mobile applications, specifically online loans. The applications targeted are: le prêt-prêt d’Argent Mobile, Prêtfacile, Easy, Cash-prêt en ligne, PrêtRapid, djai225-prêt en ligne, MiniPrêt, Joliprêt-application de prêt, Juju argent-prêt en ligne, Hiprêt and CI money.
As well as simply calling for compliance, these formal notices were also intended to alert the public and encourage them to be extremely vigilant with regard to these applications.
ARTCI’s main findings
The applications in question are accused of processing personal data without having completed the necessary formalities with ARTCI to comply with law no. 2013-450 of 19 June 2013 on the protection of personal data in Ivory Coast. This law is considered to be the main legislation on the subject in Ivory Coast. Among other things, it aims to guarantee the security and confidentiality of personal data collected by any natural or legal person. Under Articles 5 to 7, any natural or legal person collecting personal data, depending on their situation, is obliged to declare it or obtain prior formal authorisation to process it from ARTCI.
The ARTCI has also noted that these applications use the information they collect for illegal purposes, in particular to blackmail, harass or extort money. These criminal activities can cause substantial damage to the dignity and life of the individuals concerned, which has led to numerous complaints.
A call for compliance from companies
As a first step, the regulatory authority has invited companies involved in the development and promotion of these online loan applications to contact the relevant departments in order to comply with the requirements of the law within 10 days of Tuesday 8 August 2023. This step is in line with the mandate given to ARTCI as the authority responsible for protecting personal data, in accordance with the law in force in Ivory Coast. Indeed, in accordance with the legal provisions in force, the supervisory authority ensures that the use of information and communication technologies does not infringe the freedoms and privacy of users located on national territory.
Despite an appeal by ARTCI, none of the managers of these online lending platforms has responded to this request for compliance.
ARTCI recommendations
Pending the introduction of regulatory measures to block websites providing access to these applications, the ARTCI has formulated some important recommendations for the public in response to these concerns. Users are encouraged to:
- Review the authorisations granted to applications already installed on their mobile devices and delete those that are causing issues;
- Delete all cached data for these applications from mobile device settings;
- Or completely uninstall these applications from all mobile devices.
These simple measures can help users reduce the risks to their personal data and privacy by eliminating access to their personal information by these non-compliant applications.
Are these recommendations sufficient?
The lack of cooperation from the companies targeted by these formal notices is indicative of the challenges faced by the Ivorian authority in its efforts to ensure compliance with data protection legislation. We must therefore ask ourselves whether, 10 years after the adoption of this law, the time has not come for the ARTCI to take tougher sanctions against companies that do not comply with the law.
Stronger action by ARTCI would not only be justified, but also necessary to strengthen the protection of personal data and the privacy of Ivorian citizens. This stronger approach could involve imposing financial penalties on companies that fail to comply with their data protection obligations. The imposition of dissuasive sanctions would have the effect of encouraging companies to comply with the regulations, thereby creating an environment in which personal data would be better protected.
Nevertheless, it is important to acknowledge the progress made by the ARTCI thanks to these formal notices, one of the aims of which was to raise public awareness of the risks associated with online lending applications, while at the same time encouraging users to be vigilant. This highlights the need to continue raising public awareness of the issues surrounding the protection of personal data and the regulation of its use in the current digital context in Africa. A greater understanding of these issues is essential if citizens are to protect their right to privacy and if businesses are to comply with the regulations in force.
By Jean Marc DIGBLI, jurist IT.