Being text of a lecture delivered at the
Introduction
Data protection and privacy are almost alien to the Nigerian society. Data subjects are, mostly, oblivious of their property rights in data and Data collectors/administrators are numb to their corresponding duty to protect and/or respect the privacy data entrusted in their hands. Ultimately, there seems or seemed to be a deafening complicit silence or absence of regulators in this field.
Up until the emergence of negligible few civil societies which recently made data privacy and protection their core concerns, Nigerians have never really bordered about whatever happened to their data so long their other economic/physical rights remained undisturbed.
In this short session, I will run through the definitions of some keywords concerning data privacy and protection, the current state of our laws on data privacy and protection; some legal issues and I conclude subject to my thoughts on all these.
I understand the session is meant to be introductory and elementary, especially for non-lawyer fellows here present and I shall thrive to make it so.
DEFINITIONS
Data: The Nigeria Data Protection Regulation 2019 (NDPR) defines the word as:
"Characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device"
The NDPR also goes ahead to define "Personal Data" as:
"Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others."
Data Protection: The NDPR does not specifically define the phrase "Data Protection" and it is for this reason we can resort to dictionaries in search of its meaning2
TechTarget.com defines data protection as:
"The process of safeguarding important information from corruption, compromise or loss.3
In a Report published by
"The legal mechanism that ensures privacy."
Data Privacy: Data privacy, also called information privacy, deals with the ability an organization or individual has to determine what data can be shared with third parties.4
CURRENT LEGAL REGIME ON DATA PRIVACY AND PROTECTION IN
Up until
Currently, as our laws stand, for the enforcement of data protection and privacy in
The
Section 37 of the 1999
"The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected."
Although the provision above does not specifically mention "data", it is arguable that information on homes, correspondences and telephone conversations are captured in the definition of personal data, hence, the above provision can be used to safeguard such breach.
This contention was favoured by the
When the operators of
"Section 37 of the
This very remarkable and commendable decision stands alone, to my knowledge, as it was decided after our own class action currently pending at the
The Nigeria Data Protection Regulation 2019
On the 25th day of
- to safeguard the rights of natural persons to data privacy;
- to foster safe conduct for transactions involving the exchange of Personal Data;
- to prevent manipulation of Personal Data; and
- to ensure that Nigerian businesses remain competitive in international trade
- through the safe-guards afforded by a just and equitable legal regulatory
- framework on data protection and which is in tune with best practice.
Without prejudice to the reservations I have for the NDPR, it remains
Salient provisions
- Definition of data and personal data - section 1.3(iv) and(xix)
- Duty of care owed by data controllers/administrators to data subjects - section 2.1(2)
- Consent:
- No data must be obtained except the purpose is known to the data subject - section 2.3
- Consent must be obtained with fraud/coercion
- Privacy Policy - Data collectors must publish privacy policy to reflect
- What constitutes consent
- Description of personal information collected
- Purpose
- Technical methods used to collect
- Remedies in the event of violation etc - section 2.5
- Objection to data processing - section 2.8
- Advancement of right to privacy - section 2.9
- Penalty of 2% of annual gross revenue of data controller. - section 2.10
- Rights of data subject
- to access to information on data free of charge - section 3.1(3)
- right to request rectification
- withdraw consent
- right to information on further processing
- right to request deletion (an encapsulation of right to be forgotten)- section 3(9)
Other non-dedicated specific Data Protection laws:
Federal Competition and Consumer Protection Act- National Identity Management Commission Act
- Freedom of Information Act
- Cybercrime (Prohibition, Prevention, etc) Act
- Child's Rights Act
LEGAL ISSUES MILITATING AGAINST DATA PRIVACY AND PROTECTION IN
The stunted growth of data privacy and protection in
- Inadequacy of data privacy and protection legislation:
Even in spite of NITDA's commendable issuance of NDPR in
The NDPR is, sadly, limited to electronic data thereby leaving paper-based data violations without remedies or protection. Recourse may however be had to section 37 of the
Worthy of mention, is the effort of Paradigm Initiative6 at sponsoring the Digital Rights Protection Bill which was however rejected by the President. Its passage would have eased the inadequacies of section 37 and the NDPR on data protection issues.
- Deplorable consciousness of data privacy rights/laws:
If ignorance of the law is not an excuse what do we say about ignorance of rights? In a 2000 report of International Tolerance Network7, it was stated thus:
"Within the national and the international contexts of Human Rights Education (HRE), four typical difficulties of HRE can be identified. We call them the four Big I's of HRE: ignorance, incompetence, indifference and intolerance."
Ignorance: this means the lack of knowledge about human rights and the institutions of human rights protection, as well as the inadequate understanding of the gain with regard to civilisation, of the idea of freedom and equality of human rights."
How do you demand and/or enforce rights you are not aware of? To sum up Nigerians' awareness of their data privacy rights, we were briefed by Paradigm Initiative sometime early
NIMC briefed a lawyer later in
It was that bad. Government agencies which deal with citizens' data are not even aware of the NDPR!!!
- Lack of enforcement-will/drive
Commendably, NITDA took the initiative to issue NDPR but it ought not end there. The NDPR, though issued on the 25th day of
There are other provisions requiring immediate and continuous compliance, for instance, section 4.1(2) requires every Data Controller to designate Data Protection Officers but this is sadly non-existent and remains unforced by the regulator.
A very pronounced recent breach of the NDPR was the Nigeria Immigration Service's publication of the international passport data page of a Nigerian resident in the
- Dearth of judicial decisions on data privacy violations
The Nigerian judiciary, like its counterpart elsewhere, thrives on judicial precedents, especially when the lower courts are confronted with somewhat novel cases.
Our case law is however replete with straightjacketed privacy cases which relate to invasion of homes and offices as opposed to invasion of data privacy stricto sensu. Apart from the decision in Emerging Market v Eneye (supra), I am not aware of any other appellate court decision on invasion of telephone (data) privacy. Hence, it is increasingly difficult for practitioners and judges to find authorities on which they can rely on while granting reprieve to data violation victims although this should not be an excuse to do justice even when no precedents exist.
CONCLUSION
A journey of a thousand miles, they say, always begins with a step, however warped it may be. Data privacy and protection, as human rights, are increasingly becoming serious legal conundrum that must be given adequate legislative and judicial coverage, consideration and deliberation in
Footnotes
1
2 In Attorney General of Bendel State v Chief C.O.M. Agbofodoh (1999) LPELR-616(SC), it was held that: "Dictionaries are not generally resorted to as means of elucidating the construction of statutes. They may however afford some help...... it is for the court to interpret the statute as best as it can. In so doing, the courts may no doubt assist themselves in the discharge of the duty by any literary help they can find, including of course, the consultation of standard authors and reference to well-known and authoritative dictionaries."
3 https://searchdatabackup.techtarget.com/definition/data-protection
4 https://searchcio.techtarget.com/definition/data-privacy-information-privacy
5 https://thenigerialawyer.com/my-thoughts-on-the-nigeria-data-protection-regulation-ndpr-2019-by-olumide-babalola/
6 Paradigm Initiative is a social enterprise that builds an ICT-enabled support system and advocates digital rights in order to improve livelihoods for under-served youth.
7 http://www.human-rights-education.org/images/pubhrhre.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr
49,
Moloney
E-mail: olumide@olumidebabalolalp.com
URL: www.olumidebabalolalp.com
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source