LEGAL FRAMEWORK AND CHALLENGES OF DATA PROTECTION/PRIVACY IN NIGERIA. By OMOBOLAJI O. OYENIRAN ESQ.

The prevalence of data processing in the modern global economy has made it imperative for its protection. Presently, data protection is regarded as an extension of fundamental human rights which is aptly protected under the Constitution of the Federal Republic of Nigeria, 1999 (as amended) and other statutes. This article gives an insight on the nitty-gritty of data protection as well as an overview of the legal regime of data protection in Nigeria. It further outlines the legal issues involved in protecting data in the country as well as the challenges faced by data controllers/administrators in protecting the personal information in their care. The article concludes with workable solutions for data controllers/administrators as well as regulatory bodies on methods to adopt in protecting people’s data.

DEFINITION OF TERMS

1. Data: Generally, data is information collected to be used to help in decision-making or information in an electronic form that can be stored and used by a computer.

The Nigeria Data Protection Regulation 2019 (NDPR) defines the word as:

“Characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”

2. Personal Data: Personal data is defined by Section of the NDPR 2019 as:

“Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.”

From the above, the personal data of a natural person is any information serving as an identifier of that person, whether with reference to their name, identification number, location, their physical appearance, information regarding their physiology, genetics, mental health, economic/finances, culture or social identity. It could be a name, address, photo, email address, bank details, medical information, posts on social media website. It extends to MAC address, IP address, IMEI number, SIM card, and any other unique identifiers.

3. Data Collector: A data collector is someone that enters information into a database and ensures that the data collection sources are accurate.
4. Data Processor: The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
5. Data Controller: The data controller determines the purposes for which and the means by which personal data is processed.
6. Data Subject: A data subject is the person whose personal data is being processed. The NDPR 2019 defines it as “an identified or identifiable natural person”

DATA PROTECTION/PRIVACY: Data protection is the process of safeguarding important information from corruption, compromise or loss.  It “includes mechanisms, laws and regulations that make it illegal to store or share some types of information about people without their knowledge or permission.”

Data privacy, otherwise known as ‘Information Privacy’ deals with the ability a person has to control his personal data shared with third parties.

The need for data protection arises with the upsurge in the creation and storage of data in the global community. The internet has brought the whole world together through exchange of information and most of the world’s organizations have resorted to digital operations of their activities thus increasing the amount of data stored.

The aim of protecting the data of a person (whether natural or corporate) is to minimize the risk of identity theft, exploitation, and manipulation, and the objective of data protection is to enable individuals and companies to control the dissemination of their personal information, that is, to enjoy data privacy.

LEGAL FRAMEWORK OF DATA PROTECTION/PRIVACY IN NIGERIA

Currently, the major statutes for the enforcement of data protection and privacy in Nigeria are the Constitution of the Federal Republic of Nigeria, 1999 (as amended) and the Nigeria Data Protection Regulation 2019 which may be used correlatively to achieve a common purpose. However, there are minor provisions scattered in several legislations on data protection in the country. These provisions are adumbrated below:

1. The Constitution of the Federal Republic of Nigeria, 1999 (as amended): Section 37 of the 1999 Constitution provides that:

“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

Even though the provision above does not specifically mention “data”, it argued that information on homes, correspondences and telephone conversations are captured in the definition of personal data. This provision was given judicial credence in the case of Emerging Market Telecommunication Services v Barr Godfrey Nya Eneye (2018) LPELR-46193 in which the Claimant/Respondent (a legal practitioner) sued the Defendant/Appellant (operators of Etisalat mobile line) for sending his telephone number to persons which sent him unsolicited text messages in violation of section 37 of the Constitution. The Court of Appeal, upholding the judgment of the Federal High Court held that the Appellant company, by giving the phone number of the respondent to a third party, who sends unsolicited messages to the respondent, has breached the fundamental right of Privacy of the Respondent.

2. The Nigeria Data Protection Regulation (NDPR) 2019: This regulation was issued by the National Information Development Technology Agency (NITDA) on the 25^th day of January 2019, with the aim of safeguarding the rights of natural persons to data privacy; foster safe conduct for transactions involving the exchange of Personal Data; and to prevent manipulation of Personal Data. Highlighted below are salient provisions of the Regulation:

1. Definition of data and personal data – section 1.3(iv) and(xix)
2. Duty of care owed by data controllers/administrators to data subjects – section 2.1(2)
3. Consent: No data must be obtained except the purpose is known to the data subject – section 2.3 Consent must be obtained with fraud/coercion
4. Privacy Policy – Data collectors must publish privacy policy to reflect
5. Description of personal information collected
6. Technical methods used to collect
7. Remedies in the event of violation etc – section 2.5
8. Objection to data processing – section 2.8
9. Advancement of right to privacy – section 2.9
10. Penalty of 2% of annual gross revenue of data controller. – section 2.10
11. Rights of data subject: This includes the right to access to information on data free of charge, right to request rectification, right to withdraw consent, right to information on further processing, right to request deletion (an encapsulation of right to be forgotten)

3. Freedom of Information Act No. 4 of 2011: Generally, the Act stipulates that Public institutions are to make information available to anyone who applies for it. However, under section 14 of the Act, information that relates to private/personal data of individuals are excluded from the category of the information that should be made available.

4. The Child Rights Act of 2003: Section 8 of the Act provides for the right to privacy of a child in Nigeria.

5. The HIV and AIDS (Anti-Discrimination Act) 2014: Section 13 (1) provides that:

“All persons living with HIV or affected by AIDS shall have the right to protection of data with respect to their health and medical records.”

Any violation of this provision amounts to an offence, and the offender, upon  conviction, can be liable to fine or/and imprisonment.

6.The Cybercrimes (Prohibition, Prevention etc.) Act of 2015: Section 14 and 16 of the Cybercrimes Act prohibits the dealing of data stored on a computer or in a network in a fraudulent manner and for fraudulent purposes.

7.The National Identity Management Commission (NIMC) Act: By virtue of Section 26 of the Act, prior authorisation of the NIMC must be obtained before accessing data or information contained in the National Identity Database.

8. The National Health Act, 2014: Section 26 (1) of the Act prohibits the disclosure of the information of a health care user without the consent of such user. It provides:

“All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential.”

9. The Immigration Act, 2015: Under section 101 of the Act, the Immigration Service is mandated to treat as confidential the identity and information provided by a volunteer and to take all reasonable measures to protect such information.

10. The Credit Reporting Act, 2017: Under section 9 of the Act, the right of a data subject to privacy and confidentiality with respect to his/her credit information , is guaranteed. 

11. The Consumer Code of Practice Regulations 2007 issued by the Nigerian Communications Commission (NCC) mandates the licensees in the telecommunication sector to ensure adequate protection of customers information.

LEGAL ISSUES IN DATA PROTECTION/PRIVACY

1. Ignorance of Data Privacy Rights/Laws: The primary factor mitigating against the protection of data privacy in Nigeria is the lack of knowledge about rights and the institutions in charge of its protection, as well as the inadequate understanding of the gain attached to the enjoyment of such rights. It is so sad that even some government agencies in charge of collection/processing of Nigerian data are totally oblivious of the existence of a data protection law in the country.

How then do Nigerians enforce rights they are not aware if they are aware of such rights? How then will the agencies in charge of data processing obey these laws when they are oblivious of their existence? 

We believe that the National Information Technology Development Agency (NITDA) which is the agency saddled with the responsibility of coordinating and monitoring the processing of electronic data in Nigeria can tackle the above issue with massive sensitization of the citizenry through workshops, seminars, education on popular radio stations across the nation, newsletters, and discuss on popular TV stations.

Furthermore, the agency can mandate other stakeholders in the industry, such as the Data Protection Compliance Organizations (DPCR) to engage in active sensitization of Data Subjects of their rights while educating date processors of their duties under the NDPR.

2. Limited Data Privacy and Protection Legislation: As it stands, the primary legislations on data protection and privacy are the CFRN 1999 and the NDPR 2019. However, these laws do not provide a comprehensive legal framework for the protection of data privacy and the enforcement of the rights where there is a violation. For instance, the NDPR is limited to electronic data thereby leaving paper-based data violations without remedies or protection.

This is important to note that the NITDA can further issue more regulations to address this lacuna. 

3. Lack of Judicial Decisions on Data Privacy Violations: The Nigerian judiciary thrives on judicial precedent whereby the lower courts rely on the decisions of the upper courts in making their own decisions. Currently, there are few judicial precedents on data protection which makes it difficult both the bar and the bench to find judicial authorities to rely on in deciding cases on data protecting. 

However, we are of the opinion that the Nigerian court could address this issue by making reference to authorities from other Common Law jurisdictions like the United Kingdom. Even though these authorities are not binding on Nigerian courts, they however have persuasive effect. 

CHALLENGES FACED BY DATA COLLECTOR/ADMINISTRATOR.

Section 2.1 of the NDPR stipulates that data controllers/administrators owe the data subject duty of care which in turn makes it compulsory for the former not to breach data privacy of the latter. However, there are some factors that make it difficult, if not impossible, for a data collector collector/administrator to maintain the duty of care behoved on him.  Adumbrated below are some challenges faced by data collectors in protecting personal data in their care:

1. Unethical usage of data storage hardware such as sharing of flash drives, external hard drives, computer and other gadgets.
2. Lack of restrictions and security codes mechanisms to data storage hardware which encourages third-party breach.
3. Power blackouts and failures which affect the functionality and efficiency of software and hardware like processors & servers. 
4. High Costs of the technological expertise and infrastructure to fulfill the obligations reposed on SMEs by the various data protection regulations.

RECOMMENDATIONS

In conclusion, the writer here suggests the following remedies to the legal issues raised:

1. In managing the Ignorance of  Data Privacy Rights/Laws in the country, there needs to be adequate sensitization on the existence of the laws and its content. Targeted informative sessions need to be organized by the gatekeepers of the law, so as not to allow web-stalkers freely prey on unsuspecting users of data facilities and mediums.
2. Specialized courts need to be set up to support the task force that may/not be in existence to implement the content of the law. Some other MDAs with seemingly specialized areas of focus have been able to see to the designating of judges within certain jurisdictions of the Federal presence of the Judiciary to fast-track cases within their spheres of endeavor (i.e. such as the AMCON law that allows for certain divisions of the Federal high courts to Designate judges for the hearing of their matters). 
3. On the Limitations posed by the inadequacy of the existing Data Protection Legislations. There will be a need to consistently and frequently lobby for an upward review of the laws to ensure that they come up to par with the ever evolving online regulations passed in advanced climes such as the EU and Americas. Because, asides from the agitation across the globe for data protection to be viewed as a fundamental right, it is a novel area that consistently faces masked attacks by identity thieves who cause a lot of damage, and it behoves on various countries and continental authorities to ensure that these liberties are protected at all costs.
4. Considering that our jurisprudence is a creature of Precedents, we as legal practitioners need not be shy in testing the waters to create precedents that push the limits of the law and its ability to accommodate our juxterpositions.

CONCLUSION

This article has successfully reviewed the meaning of data protection, the legal framework of data protection in Nigeria, and the challenges faced by stakeholders in protecting data in the country. It further provides recommendations for stakeholders in resolving the challenges highlighted. 

In conclusion, the writer believes that even though data privacy is an emerging area in Nigeria, the stakeholders in the sector should be at the top of their games in ensuring progressive monitoring and coordination of the processing of data, protection of data, and easy access to the enforcement of data privacy in the country.

Omobolaji O. Oyeniran Esq is an Associate at Path Solicitors.