DATA PROTECTION IN NIGERIA PERSPECTIVE

 

INTRODUCTION

Data in this digital age has been referred to “as the oil of the digital era”, it presents “A Trillion Dollar Opportunity for individuals, corporations and sovereign states. This is evidenced in the fact that the five most valuable listed firms/companies are those who deal in data of individuals, Facebook for example, has made millions and is still making millions of dollars over the data of individuals signed up to its platform by offering “advert targeting” to businesses and companies.

In terms of Personal data, privacy issues arises from the exponential growth in consumer and mobile technologies. With an increasingly connected planet and mass cross border data flows, which ordinarily should spur any country to rethink its data protection legislation or, in the case of Nigeria, create a comprehensive legal framework that ensures that fundamental rights are fully protected in today’s digital economy. Data protection is not about technology and the need to develop its use or prevent the abuse thereof but a form of human right protection legislation. A person has the right to determine whether his/her personal data may be disclosed and how it may be used

The NITDA Guidelines define personal data as any information relating to an identified or identifiable natural person (‘data subject’); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Data protection involves the implementation of administrative, technical or physical measures to guard against unauthorised access to any such data listed above. It affords individuals the right to know what information about them is being held; and then provide a framework to ensure that personal information is handled properly; and in the end safeguard the individual’s right to privacy.

DATA PROTECTION LAWS IN NIGERIA?

The constitution provides in Section 37 for the protection and guarantee of the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications, but clearly does not cover data that are gotten in today’s digital age.
Although Nigeria has industry specific regulations and guidelines on data protection, but she lacks a comprehensive law on data protection. The regulations/guidelines and laws will be discussed below;

1.     CHILD RIGHTS ACT, 2003

The Child Rights Act regulates the protection of children (persons under the age of 18 years). This Act limits access to information relating to children in certain circumstances.

2.     CONSUMER CODE OF PRACTICE REGULATIONS 2007

The NCC Regulations provides that all licensees must take reasonable steps to protect customer’s information against “improper or accidental disclosure” and must ensure that such information is securely stored. It also provides that customer’s information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations“. Unfortunately this code of practice applies only in the Nigerian communications industry.

3.     FREEDOM OF INFORMATION ACT, 2011

The ‘FOI Act’ which seeks to protect personal privacy, provides in Section 14, that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Also, Section 16 states that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc).

4.     REGULATION OF TELEPHONE SUBSCRIBERS REGULATION (RTS REGULATION) 2011

In 2011, the NCC issued the Registration of Telephone Subscribers Regulations which represented a wider perspective and afforded some protection of the data collected, collated, retained and managed by telecommunication companies and independent agents in respect of their obligations to collate and retain data of subscribers under the Regulations.
Section 9 of the Regulation provides that subscribers information contained in the Central Database shall be held in strict confidentiality basis and no person or entity shall be allowed access to any subscriber’s information that is on the Central Database except as prescribed by the Regulation. The Regulation defined Central Database to mean subscriber information database, containing the biometric and other registration information of all Subscribers. Section 21 of the Regulation provides penal sanctions for violators.

5.     NATIONAL INFORMATION TECHNOLOGY DEVELOPMENT AGENCY GUIDELINES

The NITDA is the national authority that is responsible for planning, developing and promoting the use of information technology in Nigeria. The “NITDA guidelines” prescribe guidelines for organisations that obtain and process personal data of Nigeria residents and citizens within and outside Nigeria for protecting such personal data. It is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer or treatment of personal data in Nigeria. The Guidelines applies to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems within the Federal Republic of Nigeria. But a closer look into the guidelines shows that it is not more than a “draft guidelines” with little or nothing to show legislative authority or thoughtfulness as look more like a set of advisory principle that data processors are expected to follow with no coercive sanction or threat of punishment where the guidelines are violated.

6.     CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT 2015

The Act in Section 38 provides for the retention and preservation of traffic data and subscriber information[5] by Service providers for a period of 2 years[6], which is a standard practice in developed world. This provision helps law enforcement in carrying out proper investigation on crimes committed with the aid of the internet or to help them in the prosecution of their case in court because through this they can collect evidence from the network data of an accused person or suspect when such evidence is hard to come by from the accused computer system.
The section further provides in subsection (5) that the data retained by these service providers should be accorded the Constitutional right to privacy as enshrined in the constitution and all appropriate measures should be taken to protect the data. The effect of this subsection created a measure of privacy and protection only on the data retained by these Service Providers and not on general data collected, collated and processed by these Service Providers.

PRINCIPLES OF DATA PROTECTION

In countries where Data Protection law exist, there are 8 basic principles enshrined in their law which governs the use of personal information, which companies handling data must comply with[7]. They are called codes of good practice for processing personal data, which ensures that data/information is:

• used fairly and lawfully
• obtained only for one or more specified and lawful purposes
• used in a way that is adequate, relevant and not excessive in relation to the purpose for which they are processed
• accurate, and where necessary, kept up to date
• kept for no longer than is absolutely necessary for that purpose
• handled according to people’s data protection rights
• kept safe and secure against unauthorised or unlawful processing of personal data
• not transferred outside of the country without adequate protection

From the foregoing the need for an ALL encompassing data protection law that sets out the general data protection principles and the machinery of enforcement of any breach thereof by these organisations/companies cannot be over emphasized.
The effect of just having guidelines and industry based regulations is that, they are by nature two-sided documents which are regarded largely as sets of dos and don’ts a party gives to another, meaning that they don’t create rights and liabilities which legislation has, as an enforceable social contract. At best they give a set of expectations that one party has from the other and hardly is a third party allowed to claim any breaches thereby. It is the regulatory agency that may impose sanctions where there are breaches of the regulations.
Lack of a data protection legislation tend to create an avenue for criminal gangs and even legitimate organizations to target data of Nigerians, either by selling the information, or using the information in discriminatory manners. Which results in receiving of unsolicited emails, text messages and phone calls from companies advertising their services or products or even Identity Theft.

DANGERS OF LACK OF DATA PROTECTION AND PRIVACY LAW

Dangers occur in the area of National Security in situations where public and private institutions allow data of Nigerian citizens data to be processed by third parties especially in situations where due diligence has not been undertaken, data loss prevention methods have not been verified, or where such information is transferred outside of Nigeria. No law prevents such organisations to move data out of Nigeria, which can fall subject to foreign countries who can now use such data to target and profile Nigerians traveling to their country.
Also due to the lack of legislation on data protection, it gives foreign nations and organisation an opportunity to conduct mass monitoring and profiling of Nigerians due to their possession of Nigerians’ “location data”. This data can be gleaned from the location services from smartphones, laptops, iPad, smartwatches, smart TVs and even social media posts and updates. This information can be used to identify where an individual Nigerian is, where they have been, who they have been in contact with, and who was situated around them. A perfect example of this is Google’s Location History which shows a map of areas, locations and places an individual has been to. Without a law regulating how this information is being used and also imposing mandatory security measures, poses a major impact on the privacy and security of Nigerians. It is worthy to note that many Nation States have initiated and implemented spying and espionage programs to ensure they maintain a country competitive advantage, which has resulted in profiling campaigns which could be unfavourable to Africans in general. Armed with the Bio-metric (gotten from fingerprint scanners on smartphones), Location, personal and Financial data, countries and organisations can develop algorithms from this information to initiate artificial blocks on Nigerians creating barriers to entry to certain environments. No wonder why some Nigerians where denied entry into America even though they had valid visas to the county and Nigeria not being on the list of countries on the travel ban list.