By Dr Akinola Akintayo

Introduction

We are in a data driven era. From telecommunication to retail, to healthcare, to financial, insurance, healthcare and security services, etc. industries and governments are using data to drive business and governmental functions.[1] The widespread collection and processing of data necessitated by data-driven technologies and approaches have very serious implications for the autonomy, freedom, health and wellbeing of individuals in the society.[2] There is need therefore need to effectively regulate data processing in ways that both foster innovation and protect human rights, especially privacy. The role and place of the courts in this endeavor cannot however be gainsaid. Studies show that even in jurisdictions with expansive data protection frameworks, courts are still needed to effectively protect and advance individual privacy in the face of ever expanding technology. This is more so the case in Nigeria where there is no law yet for the regulation of data processing. Also, the pace of contemporary technology development is such that questions are already being asked whether data protection has not become outdated and obsolete.[3] A proactive and progressive judiciary is therefore needed to ensure that technological development does not leave the law too far behind through proactive interpretation of privacy and other data protection frameworks to effectively protect citizens’ rights and wellbeing. Adequate knowledge and awareness of technology-driven conceptualization of privacy is necessary for the courts to effectively to discharge these critical obligations. There is therefore need to articulate the changing paradigm of privacy in the data-driven era and draw appropriate nexus between privacy and data protection through the correct conceptualization of privacy in the digital age.

There are two schools of thought in the academic literature and judicial decisions regarding the nexus between privacy and data protection in Nigeria.[4] The first maintains a clear distinction between privacy and data protection while the second views data protection as part and parcel of the right to privacy.[5] Thus, while a few of the relevant case affirm the connection between privacy and data protection, a preponderance number of the case law disavow such connection with the attendant conflicts in the decisions of the courts at the High Courts and Court Appeal levels. The need to articulate the changing paradigm of privacy in the data-driven era and chart the appropriate course for Nigerian courts have therefore become more urgent to correctly resolve the conflicting decisions of the courts and foster robust citizens’ rights and freedoms. To identify best practices and learning points for Nigerian courts in this regard, insight is drawn from existing comparative foreign jurisprudence in privacy and data protection.

This short contribution is divided into five sections. Section One is this introduction. Section Two analyses Nigerian case law on privacy and data protection to highlight trends, identify gaps and discuss implications for autonomy and freedoms. Section Three highlights contemporary conceptualization of privacy and best practices from comparative foreign jurisprudence. Section Four highlights the legal conclusions and learning points from comparative foreign jurisprudence for Nigerian courts. Section Five concludes the contribution.

Nigerian courts jurisprudence on privacy and data protection and implications for autonomy and freedoms

Nigeria privacy and data protection framework rests on two principal norms: the Nigerian Constitution via section 37 and the Nigerian Data Protection Regulation, 2019 (NDPR) promulgated by the National Information Technology Development Agency (NITDA) in 2019, Section 37 of the Constitution provides that: ‘[t]he privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected’. The NDPR on its part provides for the principles of data processing, the lawful basis for processing data, rights of data subjects in Nigeria, among others. The journey to regulate data processing in Nigeria is very long. It started with the Nigerian National Policy for Information Technology in 2000 and culminated in the promulgation of the NDPR by NITDA in 2019.[6] The many attempts to regulate data processing is a recognition of the critical place of data privacy in the Fourth Industrial Revolution. Nigeria’s attempt to enact a substantive legislation for privacy and data protection is ongoing. This section examines the trends and implications of Nigerian courts’ jurisprudence on privacy and data protection in order to decipher judicial approaches and attitudes as well as identify gaps in the existing jurisprudence. The next section discusses best practices from comparative foreign jurisprudence and learning points for Nigeria.

As stated in the introduction, there are there are two schools of thought in the conceptualization of the nexus between privacy and data protection in Nigeria. In Ezugwu Emmanuel Anene v. Airtel Nigeria Ltd.,[7] the Applicant, a lawyer; sued Airtel, his service provider, at the FCT High Court, Abuja on ground of countless unsolicited calls and text messages by the Respondent and third parties the Respondent had disseminated his phone number. He claimed the interference with his solitude violated his constitutional right to privacy. The Respondent did not defend the suit. The Court relied on Applicant’s evidence to find the Respondent liable. Five Million Naira (5,000,000.00) damages was awarded by the Court against the Respondent. A similar decision was reached in Godfrey Nya Eneye v MTN Nigeria Communication Ltd.[8] where the Nigerian Court of Appeal held that disclosure and dissemination by the Appellant of Applicant/Respondent’s mobile phone number without his consent and the consequent unsolicited messages were a violation of Applicant/Respondent’s right to privacy. Also, in Emerging Market Telecommunication Services v Barr Godfrey Nya Eneye,[9] the Claimant, a legal practitioner had sued the operators of Etisalat mobile line for unauthorised exposure or dissemination of his phone number to persons/companies that sent him unsolicited text messages and adverts. He claimed this violated his right to privacy under section 37 of the Nigerian Constitution. The Federal High Court found in his favour at first instance. On appeal by Etisalat, the Court of Appeal upheld the decision of the trial Court and held that misuse of personal information of the Applicant is a violation of his right to privacy under section 37 of the Nigerian Constitution. Damages of N1, 000,000.00 (One Million Naira) only was awarded by the Court of Appeal against the Respondent.

However, in Adeyemi Ibironke v. MTN Nigeria Communications Limited,[10] the Appellant had alleged that the Respondent surreptitiously obtained and retained information from her SIM card on Respondent database and that the Respondent send messages to the Appellant’s phone every ten to twenty seconds. The Appellant contended this action violated her right to privacy and amounted to nuisance which unduly interferes with her peaceful use and enjoyment of the MTN line. The Court of Appeal observed thus: ‘…was there any credible evidence to, again on the balance of probabilities, establish any breach of privacy by the messages and notification sent to the Appellants sim card, even if unsolicited…?[11] The Court answered that question in the negative and held that there was no credible and satisfactory evidence to substantiate the breach of Appellant’s privacy by the alleged messages or notifications. The Court appeared more disposed to found that the unsolicited and annoying messages amounted to nuisance but not a breach of privacy. Even then, the Court was of the view that credible evidence have not been adduced to ground the claim of nuisance. According to the Court,

The messages may be inconvenient and sometime irritating or even annoying since they were unsolicited for and may in-appropriate cases, constitute a nuisance that may be actionable, but the Appellant did not set out the details of the messages and notifications which reasonably interfered with his use and enjoyment of the sim card for which he subscribed and was registered with the Respondent.[12]

The Court thus implied that unsolicited messages and incessant messages and notifications sent to Appellant phone that disturbed his peace and solitude does not amount to a violation of his privacy. This posture of the Court clearly misapprehended the nature and scope the changing paradigm of privacy in contemporary times. Such posture will of course not effectively protect privacy in the digital age.

In Incorporated Trustees of Digital Rights Lawyer Initiative and Others v National Identity Management Commission, [13] the Claimant/Appellant date of birth was wrongly recorded. He approached the Respondent to have the information rectified. He was asked to pay N15,000.00 (Fifteen Thousand Naira) only as administrative charges. The Claimant sued the Respondent on the ground that he has a right to have the data rectified without cost to him under section 37 right to privacy provisions of the Nigerian Constitution and Clause 3.1 (7) (h) of the NDPR. At first instance, the trial High Court of Ogun State, per A.A Akinyemi J, interpreted the right to privacy rather restrictively. The trial Court held that the right to privacy relates to the protection of the personal spaces and personal information from intrusion. The Court thus linked the right to privacy under the Constitution to protection of personal information under the NDPR. Notwithstanding the linkage, however, the trial Court held that right to rectification of data under the NDPR is not cognizable under the privacy provisions of section 37 of the Nigerian Constitution. The Court therefore concluded that no intrusion to personal information has been shown by the claimant. Thus, the claim is not within the ambit of section 37 of the Constitution. The case was consequently struck out. The Claimant, dissatisfied with the decision of the trial Court, appealed to the Court of Appeal. On appeal, the Court of Appeal found that personal information protection comes within the scope of section 37 of the Constitution. The Court is also of the view that the NDPR was made in furtherance of the privacy provisions Constitution and is consequently a part thereof. In the final analysis however, the Court agreed with the trial Court that the right to have data rectified under the NDPR is not cognizable under section 37 privacy provisions of the Constitution. The appeal was therefore dismissed for lack of merit. [14] Despite dismissal of the suit by the Court, the pronouncements of the Court of Appeal in relation to the connection between privacy and data protection have been hailed as significant and as representing the current law on the subject.[15] I do not share this optimism about the decision. For one, the decision contradicts the Court of Appeal decision in Adeyemi Ibironke v. MTN Nigeria Communications Limited (supra). This gives trial courts the opportunity to pick and choose between the two. For another, the Court refused to vindicate the data protection right in issue in the case. The clear implication of this decision is that the data subject rights provided for in the NDPR are not cognizable under section 37 of the Constitution and cannot be enforced via the FREP Rules. In other words, they do not amount to fundamental human rights.

Finally, in Daniel John Daniel v True Software Scandinavia AB (Truecaller),[16] the Applicant sued the Respondent for the publication of his phone number to users of Respondent’s software without his consent. He contended that the unauthorized publication and disclosure of his telephone number violates section 37 of the Nigerian Constitution, among others. The High Court of Lagos State, per Bola Okikiolu-Ighile J., held that the publication is not a violation of his right to privacy under section 37 of the Constitution. According to the Court:

A careful review of this shows that the Applicant is not a registered member of the Respondent’s Organization however the publishing of the Applicant’s phone number on the platform of the Respondent software has not shown to me that his right to privacy has been breached. It goes without saying that these facts relied on by the Applicant do not disclose any breach of Fundamental Human Right of the Applicant.[17]

The Court also held that processes were not properly served outside jurisdiction and that the Court has no jurisdiction. The case was thus struck out. The Court’s pronouncement quoted above clearly bellied the Court’s narrow understanding of privacy in the digital age. Many of the Nigerian case law on this subject follow the trend discussed above.

As can be gathered from the above, while a few of the case law apprehended the nexus between privacy and data protection and interpreted privacy liberally, a preponderance of the case law conceived privacy in the more narrowl sense and disavow any connection between the two concepts. As rightly observed by Olumide, the case law is … ‘replete with straightjacketed privacy cases which relate to invasion of homes and offices as opposed to invasion of data privacy stricto sensu.’[18] Even cases that affirmed the connection between privacy and data protection show apparent lack of sufficient and adequate knowledge and appreciation of the technology driven paradigms of privacy in contemporary times. The section below discusses privacy and data protection best practices from comparative foreign jurisprudence and identify pertinent lessons for Nigerian courts for more robust and effective protection of autonomy and freedom in Nigeria.

Changing paradigm of privacy in comparative foreign jurisprudence

The United States Supreme Court have rightly noted that privacy involved the protection of at least two interests: ‘One is the individual interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions.’[19] The protection of personal information from disclosure dimension of privacy constitutes privacy second strand and has given rise to the right to informational privacy in the United States of America.[20] Consequently, the protection of personal information is at the core of privacy in the data-driven era.

Thus, long before the Charter of Fundamental Rights of the European Union, 2009 which created a stand-alone right to data protection within the European Union and later the General Data Protection Regulation (GDPR) in 2016, the European Court of Human Rights (ECHR) have been using the privacy provisions of article 8 (1) of the European Convention to protect personal information and engage the rapid evolution and development of ICT technologies within the European Union. [21] This has given rise to a robust and an extensive privacy and data protection jurisprudence of the Court. The first case to be analysed by the Court in this regard is Leander v. Sweden[22] where the Court held that the storing and release of applicant’s personal information in secret police register without giving him the opportunity to refute the information violated his right to respect of private life under article 8 (1) of the European Convention. The Court however concluded that the restriction in that particular case is necessary and justifiable in a democratic society.

Data protection has also been held by the Court to be a fundamental part of the privacy provisions of article 8 (1) of the European Convention. This is reiterated by the Court in Z v. Finland thus: ‘In this connection, the Court will take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8)’ [23] In its elaboration of the scope of personal data, the Court relied on Convention 108 of the Council of Europe which define personal data as ‘any information relating to an identified or identifiable individual (“data subject”)’.[24] Thus, information directly identifying a person like names and surnames;[25] as well as information indirectly identifying a person like recording of voice samples,[26] Internet Protocol address,[27] banking details,[28] etc.; have been held to be within the ambit of personal data. Article 8 of the European Convention also covers or protects not only natural persons but also applies to artificial entities where the privacy of their homes or correspondence is deemed to have been violated.[29]

Activities or action that will implicate data protection or qualify as data processing have been interpreted by the Court to include ‘storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination’ in terms of the meaning of data processing in Convention 108.[30] Thus, the collection and storage of monitoring data collected via GPS and other surveillance measures,[31] the recording and disclosure of CCTV footage of a person in the process of committing suicide,[32] the disclosure of a patient’s highly confidential medical information by a hospital, etc. have been held to qualify as processing of data within the meaning of article 2 (c) of the Convention 108.

The Court has also recognized that certain categories of data merits heightened protection. These are the categories of data referred to as sensitive data in Convention 108. These includes: ‘Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life … [and] personal data relating to criminal convictions’.[33] Consequently, the Court has held that ‘…fingerprints, DNA profiles and cellular samples, constitute personal data….’[34] And that personal information tending to reveal ethnic or racial origin; gender identification; sexual orientation or sexual life etc. belong to a special category of data subject to heightened protection under article 6 of Convention 108.[35] Other categories of personal information like employment record, financial details, meta data of telephone conversations, GPS location data and voice samples, among others, are also subject of special concern and consideration.[36]

The Court has also held that the data protection dimension of article 8 of the European Convention imposes two types of obligations on state parties viz: positive and negative obligations. In Copland v. The United Kingdom[37] where the applicant alleged the unlawful monitoring of her telephone calls, emails and internet usages by her employer, a public higher institution/body for which the respondent state is responsible, the Court held that the case ‘relates to the negative obligation on the State not to interfere with the private life and correspondence of the applicant’ under article 8 of the European Convention.[38] In Söderman v. Sweden,[39] the Court reiterated that article 8 of the European Convention essentially imposes a negative obligation not to arbitrarily interfere with the private and family life of right bearers but that the article also imposes positive obligations on state parties to take measures to secure respect for private life even in relations between individuals inter-se.[40]

In Germany, there are data protection statutes predating the country’s Census case in 1983. The Census’ case, decided by the country’s Constitutional Court, has however been referred to as groundbreaking.[41] The development of data protection law by the German Constitutional Court in the case is rooted in the country’s constitutional concept of human personality.[42] Central to this concept is the protection of individual autonomy, from this flowed the right to individual self-determination and later, the right to informational self-determination formulated by the German Constitutional Court in the Census case to cope with modern development of information and communication technologies. ‘The German right of informational self-determination protects individual from borderless collection, storage, application and transmission of personal data.’[43] The concept prevent the processing of personal data that interferes with or destroys individual capacity for self-governance.[44] At the core of the notion of informational self determination is the requirement that individuals should be able to anticipate who will use their personal data and the purpose to which such data will be deployed. Thus, the right of informational self-determination requires that individuals will know ‘who, what, when and how’ of the processing of their personal data.[45] The right of informational self-determination binds both public and private/corporate entities.[46] The right of informational self-determination has been said to have two corresponding effects: the protection of individuals from interferences in personal matters; it serves as ‘precondition for citizens’ unbiased participation in the political processes of the democratic constitutional state’.[47]

The following legal conclusions were reached by the German Constitutional Court in the Census case: (i) data protection has the status of constitutional fundamental right, any interference with the right must therefore be by an enabling law which meets the high standards of certainty and clarity; (ii) profiling is an unjustified interference with right of individual to decide which personal information to disclose in his/her social environment; (iii) introduction of unique personal identifier for all citizens is a violation of human dignity; (iv) the invention of the concept of informational separation of powers i.e the state cannot be regarded as a single data processor but collection and use of personal data must be in accordance with the competence of public authorities and sharing of collected data with other agencies must be by sanction of law; (v) key data protection principles i.e data minimisation, obligations of data controllers, rights of data subjects, and principles of purpose specification and proportionality are to be mandatorily observed in all data processing.[48]

After a lull of more than two decades, the German Constitutional Court gave three significant decisions in 2008 which extended the frontiers of data protection beyond that contemplated or covered by the Census case. In the first case which concerned the online searching of computers, the German Constitutional Court held that the right to informational self-determination developed in the Census case was not wide enough to cover ‘the peculiarities of IT systems and their relevance for citizens’ everyday lives.’[49] The Court therefore invented a new fundamental right to confidentiality and integrity of information technology systems. This new right protects IT systems that may store or process, or at least, capable of storing or processing personal data so that searching of the systems will disclose personal information about the individual in control of the IT system(s). The new right applies to computers, mobiles phones and other gadgets with similar functions.[50] The right has two components: the confidentiality aspect which covers protection of personal data although with a higher threshold than that applicable to the right informational self-determination; and the integrity of systems aspect which protects against unauthorized use of IT systems’ capacities, functions and memories regardless of whether any personal data is involved.[51] Covert searching of IT systems is justified only if it meets the threshold of limitation of rights that is reasonably justifiable in a democratic society.[52]

The second case concerned automatic number plate recognition. This technology was introduced in many states in Germany in the aftermath of the 9/11 terrorist attack in the United States to track and arrest wanted criminals.[53] The German Constitutional Court held that if the system is used to match drivers against wanted list and the data is immediately deleted without trace or possibility of the data being restored and if that procedure is guaranteed with technical and legal safeguards, then the technology is compatible with the right to informational self-determination but if otherwise, it is not.[54] The Court held that the high impact of this technology on informational self-determination require that the law that will enable its use must have a high degree of clarity and certainty and must pass a very high threshold of being necessary and justifiable in a democratic society.[55] The laws of the German states in issue in the case were found to fall below the required constitutional standards.

The third case concerned the application of the European Directive 2006/24/EC which obliged internet service providers and telecommunication operators to store communication data of users and subscribers for a period of 6–24 months. Germany later introduced the Federal Telecommunications Act which contained more extensive retention and data sharing provisions to implement the Directive. This led to uproar among individuals and NGOs many of who filed lawsuit against the implementation of the Directive in Germany.[56] At the Constitutional Court, the Court allowed narrowed basis for retention of data. The Court held that retention of data can be justified to fight serious crimes like murder, rape, etc. Complete retention of data without justifiable reasons is however incompatible with informational self-determination and sharing of such data with security or law enforcement agencies will severely affect personality rights of citizens. Interim injunction against sharing of retained data with security agencies was therefore granted by the Court pending the determination of the substantive case against the Directive filed against Ireland which was then pending before the European Court of Human Rights.

German current data protection regime is based on the GDPR as a member of the EU. Germany was the first EU Member State to domesticate the GDPR through the enactment of the German Federal Data Protection Act (Bundesdatenschutzgesetz – ‘BDSG’) which came into effect with the GDPR on 25 May 2018.[57] Germany passed the Second Data Protection Adaptation and Implementation Act to adapt data protection rules of area specific laws in the country to the GPDR in November 2019. Thus, the expansive data protection rules of GDPR as adapted by the Adaptation Acts constitute the principal regime for data protection in Germany.

Like Germany, India has plethora of statutes and subsidiary legislation regulating the processing of data in the country before 2017 when the Indian Supreme Court extended the frontiers of privacy in its world renowned decision in Justice K.S.Puttaswamy (Retd.) v. Union of India.[58] In Puttaswamy’ s case, the Supreme Court of India found the existing data protection regime inadequate in effectively protecting privacy and personal data of Indians. The Court held that although not expressly provided for under the Constitution of India, privacy is implied and can be derived from the right to life and personal liberty in article 21 of the Constitution of India. The Court held that privacy is a natural and fundamental human right inherent in all human beings and constitutes important core of any individual existence because it is a necessary condition for dignified enjoyment of other fundamental human rights.[59]

Furthermore, the Court notes that privacy has, at least, three dimensions viz: protection of individuals; physical body from intrusion, informational privacy and privacy of choice. According to the Court, informational privacy is an important aspect of the right to privacy. The Court reasoned that:

The old adage that knowledge is power’ has stark implications for the position of individual where data is ubiquitous, an all-encompassing presence. Every transaction of an individual user leaves electronic tracks without her knowledge. Individually these information silos may seem inconsequential. In aggregation, information provides a picture of the beings. The challenges which big data poses to privacy emanate from both State and non-State entities.’[60]

The Court therefore underlined the need to regulate the extent to which personal information can be stored and processed by state and non-state actor alike if the balance of power between individuals and state and non-state actors alike is to be maintained.[61] The Court opined: ‘The concept of “invasion of privacy” is not the early conventional thought process of “poking ones nose in another person’s affairs” It is not so simplistic. In today’s world, privacy is a limit on the Government’s power as well as the power of private sector entities.’[62]

The Court held that privacy is not an absolute right but can be restricted by a just, fair and reasonable law that passes the test of proportionality and serve a legitimate governmental aim.[63] On this basis, the Court validated the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act) and its many regulations. The Act and its regulations compel the registration and collection of biometric, etc. data of citizens for the purpose of issuing them unique identification numbers as basis for delivery of benefits and entitlements under the Aadhaar Act. The Court held that although the Act and subsidiary legislation contained wide ranging provisions invasive of privacy, they are however held to be constitutional because they serve a legitimate governmental purpose of providing subsidies, benefits and services to needy members of Indian society. A bill, Personal Data Protection Bill 2019, to implement the far-reaching decision of the Supreme Court of India on privacy and data protection in Puttaswamy was initially pending before the Indian parliament. The Bill was, however, withdrawn on 3 August 2022 in order to incorporate a long list of recommendations of the Joint Parliamentary Committee of the Indian Parliament.[64]

Legal conclusions from comparative foreign jurisprudence

A number of legal conclusions are deducible from comparative foreign jurisprudence analysed above. One is that autonomy and liberty feature very strongly in the jurisprudence of the different courts. Two, privacy has two strands: individual interest in avoiding disclosure of personal matters and the independence of individuals in making certain important life’s decisions. The protection of personal information dimension constitutes privacy’s second strand and has birthed the right to informational privacy in the United States of America and the right to informational self-determination formulated by the German Constitutional Court in the Census case in Germany. Within the European Union, the European Court of Human Rights have also clearly held that protection of personal information is fundamental to the enjoyment of the right to privacy guaranteed under article 8 of the European Convention.

Three, data protection is regarded not only as part and parcel of privacy alone, it has evolved into a stand-alone right. Thus, it is now conceived as a fundamental human right. Four, even in jurisdictions with expansive data protection frameworks, intervention of the courts are often needed to fill gaps in the laws to keep the law apace with developments in technology. Five, comparative foreign jurisprudence recognised that operation performed on personal information that will qualify as data processing include collection, storage, carrying out of logical and/or arithmetical operations on data, alteration, erasure, retrieval, publication or disclosure, etc.

Six, there is recognition of the special and sensitive status of some categories of personal information referred to as sensitive personal information. These are personal information that tends to reveal racial origin, political opinions, and religious or other beliefs and personal information relating to sexual orientation, health status, criminal convictions, etc These category of personal information are entitled to heightened protection and special concerns and consideration because of their tendency to expose data subjects to harmful differentiation and consequences. Seven, retention of data beyond the time and objectives for which the data is required is a negation of the control which data subject should have over their personal information. In the automatic number plate recognition case of the German Constitutional Court, the Court held that inordinate retention of data without justifiable reasons is incompatible with the right of informational self-determination.

Eight, data protection must be underpinned by four important values: (i) privacy – this requires that the identity and personal information of individuals must be protected at all times (ii) autonomy – this requires the presence of informed consent and will of individuals in the processing of personal data; (iii) transparency – this requires data controllers and processors to be transparent in their handling and processing of personal data; and, (iv) non-discrimination – this requires processing of personal data and its impact on persons must be non-discriminatory. Lastly, comparative foreign jurisprudence also recognized that data protection imposes two levels of obligations on states: negative obligation not to arbitrarily interfere with private and family life, correspondence and personal information; and, positive obligation to take measures to secure respect and provide necessary facilities and enabling environment for the protection and full enjoyment of rights from depredations and violations by third parties.

The above discussed conclusions are pertinent features of comparative foreign jurisprudence on privacy and data protection that Nigerian courts can learn from for a robust and effective data protection regime in Nigeria.

Conclusion

This contribution interrogates the trends, approaches and implications for autonomy and freedom of Nigerian courts’ privacy and data protection jurisprudence. The rationale and importance of the interrogation are set out in Section. Section Two analyses Nigerian case law on privacy and data protection. It was found that while a few cases interpreted privacy liberally and affirmed the connection between privacy and data protection, a preponderance of the case law follow the straight jacketed and traditional conception of privacy and disavowed any such connection. Even cases that appear to be more progressive show apparent lack of awareness and understanding of the changes that have taken place in the conceptualization of privacy in the digital age. Section Three discusses best practices in comparative foreign jurisprudence. Section Four discusses the legal conclusions derivable from comparative foreign jurisprudence which Nigerian courts can borrow from to enhance Nigeria’s privacy and data protection regime for the expansion of the rights and freedoms of the citizens.

The courts have a critical role to play in the development of the privacy and data protection norms of any country in the current data-driven era. No framework, no matter how explicit and expansive will keep pace with the current level of development in technology. The mantle therefore will often fall on the courts to apply the law to particular and live cases and thereby develop the law in an ongoing basis. The courts will be able to do this only if seized of the appropriate conception of privacy and data protection. The identified best practices discussed in this contribution are commended to the Nigerian courts as it will equip them with the appropriate approaches to discharge the critical burden they bear in this regard.

Dr Akinola Akintayo is privacy and emerging technologies expert, senior lecturer and legal consultant at the Faculty of Law, University of Lagos, Akoka-Yaba, Lagos. Email: [email protected]

[1] W Kim et al ‘A Taxonomy of Dirty Data’ (2003) 7 Data Mining and Knowledge Discovery 81 – 82.

[2] See for instance, Y Milner and A Traub Data capitalism + Algorithm racism (2021); Tristan Harris ‘How Technology is Hijacking Your Mind — from a Magician and Google Design Ethicist’ (18 May 2016) available at https://medium.com/thrive-global/how-technology-hijacks-peoples-minds-from-a-magician-and-google-s-design-ethicist-56d62ef5edf3 (accessed 2 June 2022).

[3] D Hallinan et al ‘Neurodata and Neuroprivacy: Data Protection Outdated?’ (2014) 12 (1) Surveillance & Society 55

[4] O Babalola ‘Privacy versus data protection debate in Nigeria: The two schools of thought’ (31 January 2021) available at https://thenigerialawyer.com/privacy-versus-data-protection-debate-in-nigeria-the-two-schools-of-thought/ (accessed 7 August 2022).

[5] As above.

[6] S Musa and S Ngwu Towards a data protection legislative framework in Nigeria: Assessing the regulatory and legislative attempts to enact a data protection law (2021)

[7] Suit No: FCT/HC/CV/545/2015 (Unreported).

[8] Appeal No: CA/A/689/2013 (Unreported)

[9] (2018) LPELR-46193.

[10] (2019) LPELR – 47483

[11] As above 32

[12] As above 32 – 33.

[13] Incorporated Trustees of Digital Rights Lawyer Initiative and Others v National Identity Management Commission Suit No. AB/83/2020 (Unreported) Judgment delivered 15 July 2020.

[14] (2021) LPELR-55623(CA)

[15] S Okedara et al (eds) Digital rights in Nigeria: Through the cases (2022) 84

[16] Suit No: LH/5868MFHR/2017 (Unreported)

[17] As above 8.

[18] O Babalola ‘Nigeria: Data protection and privacy challenges in Nigeria (Legal Issues)’ (9 March 2020) available at https://www.mondaq.com/nigeria/data-protection/901494/data-protection-and-privacy-challenges-in-nigeria-legal-issues- (accessed 11 May 2022).

[19] Whalen v. Roe 429 U.S. 589 (1977) at 599.

[20] C P Moniodis ‘Moving from Nixon to Nasa: Privacy’s second strand—a right to informational privacy’ (2012) Yale Journal of Law and Technology 139.

[21] Article 8 (1) of the ECHR provides thus: ‘Everyone has the right to respect for his private and family life, his home and his correspondence’.

[22] (Application no. 9248/81)

[23] Application no. 22009/93 para 95.

[24] Article 2 (a) of Convention108 of the Council of Europe.

[25] Mentzen v Latvia (Application mo. 71074/01 (Dec. 2004).

[26] P.G. and J.H. v The United Kingdom (Application no. 44787/98) (Sept. 2001)

[27] Benedik v. Slovenia (Application no. 62357/14) (July 2018).

[28] M.N. and Others v. San Marino (Application no. 28005/12) (0ct, 2015).

[29] Liberty and Others v. The United Kingdom (Application no. 58243/00) (2008)

[30] Article 2 (c) of Convention108 of the Council of Europe.

[31] Uzun v. Germany (Application no. 35623/05) (Sept. 2010)

[32] Peck v UK [2003] EHRR 287 (App. No. 00044647/98).

[33] Article 6 of Convention 108 of the Council of Europe

[34] S. and Marper v. The United Kingdom (Applications nos. 30562/04 and 30566/04) (Dec. 2008) para 68

[35] As above paras 66 – 67.

[36] See for instance, G.S.B. v. SSwitzerland (Application no. 28601/11) (Dec. 2015).

[37](Application no. 62617/00) (April 2007).

[38] As above para 39.

[39] (Application no. 5786/08)

[40] As above para 78.

[41] G Hornung & C Schnabel ‘Data protection in Germany I: The population census decision and the right to informational self-determination’ (2009) 25 (1) Computer Law & Security Report 84.

[42] P Schwartz ‘The computer in German and American constitutional law: Towards an American right of informational self-determination’ (1989) 37 American Journal of Comparative Law 675.

[43] Above at 689 – 690.

[44] As above

[45] As above 690 = 691.

[46] As above.

[47] G Hornung & C Schnabel (note 41 above) 86.

[48] As above 86 – 87.

[49] G Hornung & C Schnabel ‘Data protection in Germany II: Recent decisions on online-searching of computers, automatic number plate recognition and data retention’ (2009) 25 Computer Law & Security Review 115 at 116.

[50] As above.

[51] As above.

[52] As above 117.

[53] As above 118.

[54] As above

[55] As above.

[56] As above 119 – 121

[57] One Trust DataGuidance ‘Germany – Data Protection Overview’ available at https://www.dataguidance.com/notes/germany-data-protection-overview#:~:text=Germany%20has%20both%20a%20federal,remains%20the%20BfDI%20in%20Bonn. (accessed 5 July 2022).

[58] [Writ Petition No. 494/ 2012].

[59] As above 125 – 126.

[60] As above, 150.

[61] As above 155.

[62] As above.

[63] As above 158.

[64] DLA Piper ‘India: Government withdraws long-awaited Personal Data Protection Bill’ (4 August 2022) available at https://blogs.dlapiper.com/privacymatters/india-government-withdraws-long-awaited-personal-data-protection-bill/?utm_source=mailpoet&utm_medium=email&utm_campaign=privacy-matters-newsletter (accessed 4 August 2022).