Data privacy is a new realm of human rights that has come with unprecedented innovations in technology. This article argues that the right to privacy, albeit guaranteed under the Constitution of the Federal Republic of Nigeria and some legislation, majorly sector-specific, is inadequate for data protection as currently required in Nigeria and expected in view of internationally accepted best practices and the data protection laws in other jurisdictions. It concludes that Nigeria needs to enact a more comprehensive data protection law whilst applauding the attempt already made in this regard.


Emma Ndiyo, a legal practitioner, writes from Lagos. ndiyoemma@yahoo.com

 

INTRODUCTION

Every now and then, the personal information of Nigerians is collected and processed by both private and public institutions. The institutions that collect individuals’ personal information include the National Identity Management Commission (NIMC), through the issuance of the National Identity Number (NIN) pursuant to the provisions of the National Identity Management Commission Act (NIMC Act) 2007; the Central Bank of Nigeria (CBN) and other financial banks, which in 2014 commenced the collection of the biometrics and other personal information of Nigerians for the issuance of the Bank Verification Number (BVN); the Independent National Electoral Commission (INEC), which issues the Permanent Voters Card (PVC) required for participation in voting exercises nationwide; and the Nigerian Communications Commission (NCC), with its Subscriber Identity Module (SIM) registration initiative in partnership with telecommunication companies in Nigeria.

Personal Data is defined under the National Information Technology Development Agency (NITDA) Guidelines as:

“Any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.

Information privacy, or data privacy (or data protection), is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Thus, as much as a state may, for several reasons including national security, require the personal data of an individual, such an individual should, within the reasonable bounds of their freedom of privacy, have the prerogative to determine what personal data they are willing to give away, to what extent and for what reasons such personal data may be used, as well as the ability to recall such personal data by demanding that it be destroyed and/or returned to them.

Personal data is a prized commodity all over the world, and the effects of its getting into the wrong hands are of significant concern. It may lead to crimes such as identity theft and other cybercrimes and, most importantly, a breach of an individual’s right to privacy. A very relatable instance of a breach of personal data is the receipt of unsolicited email and the disturbing pop-up adverts resulting from the activities of technology companies through behavioral targeting of data subjects. There is no telling the consequences of the nonexistence of a data protection law, hence the urgent need for one.

DATA PROTECTION IN NIGERIA

Despite the increasing volume of personal data collected and managed by some institutions as earlier stated, and the sensitivity of these data, it is worrisome that there is currently no comprehensive data protection law in Nigeria catering for the data privacy needs of the citizenry.

Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) provides that:

“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”

It is opined that data privacy is sui generis as it transcends the right of privacy as traditionally known to us and guaranteed under the Constitution of the Federal Republic of Nigeria. Therefore, it should be accorded a special level of attention.

In addition to the provision of the Constitution, there are some regulations which have been put in place to regulate, in part, the collection and management of the data of Nigerian citizens. Some of these regulations/laws are:

  • The draft “Data Protection Guidelines” of the NITDA
  • The Cybercrime (Prohibition, Prevention etc) Act 2015
  • The Child Rights Act
  • The Registration of Telephone Subscribers (RTS) Regulation 2011
  • The Nigerian Communication Commission (NCC) Act 2003
  • The Freedom of Information (FOI) Act 2011
  • The National Identity Management Commission (NIMC) Act 2007

We shall now discuss some of the provisions of these regulations which do not suffice as data protection laws in Nigeria. Whilst the Child Rights Act merely reiterates the provisions of the constitution as to the right to privacy in relation to a child, Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information contained in the Database with respect to a registered individual entry without the authorization of the Commission. However, the Commission is empowered to provide a third party with information recorded in an individual’s entry in the Database without the individual’s consent, provided it is in the interest of National Security.

The FOI Act 2011 is an Act enacted to make public records and information freely available and accessible to the public. In doing this however, there is a provision for the protection of personal information of individuals. Thus, section 12 (1) (v) of the Act provides that “A public institution may deny an application for any information which constitute an invasion of personal privacy under Section 15 of this Act, except, where the interest of the public would be better served by having such record being made available”. Section 15 referred to in this provision makes reference to just a limited scope of private information to wit, information that deals with trade secrets and contractual relations of individuals. This, clearly, is not all encompassing and cannot pass as a data protection law in Nigeria.

The Cybercrime (Prohibition, Prevention etc) Act 2015 seeks the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria and, to that end, requires the retention of traffic data by service providers. Section 38 of the Act also makes provision for the protection of data, such that any data retained, processed or retrieved by the service provider at the request of any law enforcement agency under the Act is expected to be utilized only for legitimate purposes as may be provided for under the Act, any other legislation or regulation, or by an order of a court of competent jurisdiction.

“Service provider” under the Cybercrime (Prohibition, Prevention etc) Act means:

(i)     any public or private entity that provides to users of its services the ability to communicate by means of a computer system, electronic communication devices, mobile networks; and

(ii)    any other entity that processes or stores computer data on behalf of such communication service or users of such service.

As the name of the Act implies, it does not make any provision for damages which may be claimed by an aggrieved data subject. It merely provides for a punitive consequence for contravention of the provisions of section 38 of the Act.

An ideal data protection law should embody the eight international principles and best practices for data protection laws, namely:

  • Personal data must be processed fairly and lawfully.
  • Personal data must be processed only for a limited and identified purpose.
  • Personal data being processed must be relevant, adequate and not excessive.
  • Personal data should be (This includes the need for frequent update of the data).
  • Personal data should not be kept for longer than is necessary.
  • Personal data should be processed in accordance with the rights of data subjects.
  • Personal data should be protected against improper and accidental disclosure.
  • Personal data should not be transferred to third parties or outside the country without the consent of the data subject.

The NITDA Data Protection Guidelines is one of the regulations in Nigeria which has these principles incorporated in it. The NITDA, established pursuant to the NITDA Act of 2007, is mandated to develop Information Technology in Nigeria through regulatory policies, guidelines, standards, and incentives. Part of this obligation is to ensure the safety and protection of Nigerian citizens’ personal data. In furtherance of this mandate, the “Data Protection Guidelines” was put in place by the NITDA in 2013. It ought to apply to data controllers in the public and private sectors and covers the processing of personal data of data subjects.

This Guideline, though a laudable subsidiary to the NITDA Act, is arguably an insufficient data protection model. According to learned writers, Jemilohun and Akomolede, the Guidelines were drawn “with little or nothing to show legislative authority or thoughtfulness.” The Guideline is presently being reviewed. Beyond this, what we really need is a clear legislative framework and not some guidelines or regulations. Arguably, a guideline or regulation made pursuant to an enabling law enjoys the force of law. Nevertheless, such a guideline does not rank in the status of a statute properly so called.

DATA PROTECTION IN THE EUROPEAN UNION

The European Union (EU) has made an elaborate data protection law applicable in all EU countries: the EU General Data Protection Regulation (GDPR), which has gone through a two-year transition. The regulation was adopted on 27th April 2016 and it became enforceable from 25th May 2018. Being a regulation as opposed to a directive, it supersedes the Data Protection Directive of 1995, as it commands coercive force all over the EU countries rather than laying down expected results.

The GDPR is a model data protection legislation being the first of its kind. The effects of the regulation are far reaching as it is not territorially bound. It applies to organizations which process the personal data of EU citizens whether such organizations are located within the EU countries or otherwise.

The GDPR gives data subjects extensive control over their data privacy. There is a requirement for the active consent of the data subject and for documentation of such consent by data processors (the entities processing personal data) and data controllers (the entities that decide the purposes and means of that data processing). The consent of the data subject can also be withdrawn, and where notice of such withdrawal (right to erasure/right to be forgotten) is indicated to the controller or processor, the data subject’s personal data should be deleted within one month. The data subject also has the right to access their data in the possession of the data controller or the data processor, as well as to rectify them where inaccurate. These are captured in Articles 16-19 of the GDPR.

By the provisions of Article 37, a controller and processor of data is required to appoint a Data Protection Officer (DPO) if the processor or collector is a public authority or body; or their core activities involve regular and systematic monitoring of data subjects on a large scale or if they conduct large-scale processing of special categories of personal data (such as data about race, ethnic origin, political opinions, and religious beliefs) or personal data relating to criminal convictions and offences.

With the imminent enforcement date and the compliance requirements of the GDPR, several processors of EU citizens’ private data are making efforts to ensure that there is no contravention of the requirements of the regulation, due majorly to the repercussions for non-compliance, which are as much as 4% of a company’s annual global turnover or an equivalent of Twenty Million Euros (€20 Million).

Beyond the punitive fine provided in respect of the contravention of the GDPR, there is a provision for class actions by data subjects whose data privacy is breached.

CONCLUSION

As much as we applaud these data protection provisions as highlighted above, we are of the opinion that Nigeria needs a more comprehensive data protection law, as is available in other jurisdictions, with the EU countries as a case study. As at December 2017, the implementation of the BVN project recorded 31,426,091 registered BVNs and 43,959,282 accounts linked with BVN. This is just one instance among the data collecting institutions discussed in this paper. The effects of this in the absence of an adequate data protection law include fraud, phishing scams, and identity theft, which are the very reason some of the government-regulated data collecting initiatives, such as the SIM card registration initiative, were established. It is therefore recommended that an all-encompassing data protection legislation applicable in Nigeria be enacted.



Author: Stephen Azubuike
Stephen is a lawyer with expertise in Commercial Dispute Resolution and Technology Law practice. He is a Partner at Infusion Lawyers. He has successfully argued cases from the High Courts of various jurisdictions to the Appellate Courts on behalf of financial institutions, other corporate bodies and multinationals. He has advised a number of both established and startup tech companies. He tweets @siazubuike.