By Ifeoma Peters
In its effort to stem the crisis in the foreign exchange (FX) market and curb the devaluation of naira, Nigeria’s federal government has taken several drastic measures. In February, 2024, the government issued a directive to the Office of the National Security Adviser (ONSA) and Central Bank of Nigeria (CBN) to join forces to address the challenges posed to the national economy by the speculative FX activities. Equally, the government deployed the Nigeria Police, Economic and Financial Crimes Commission (EFCC), Nigeria Customs Service (NCS), and Nigerian Financial Intelligence Unit (NFIU) to fight the menace.
One of the early measures deployed following this directive, was to restrict access by Nigerians to the website of some cryptocurrency firms, including Binance.
Binance, which had stated that its platform is not used for currency pricing, sent two of its executives to Nigeria on a fact-finding visit regarding the development. It was reported that these two executives were arrested and detained.
Further to the above, on Monday, 18th March, 2024, the EFCC obtained an ex parte order from a Federal High Court in Abuja directing Binance to disclose data of all its Nigeria users. This development raises critical questions regarding legal obligations in data privacy and the potential ramifications for data controllers. However, amidst the challenges of trying to comply with a valid order of court, there are procedures within the Nigerian Data Protection Act (the Act) which Binance and any data controllers faced with complying with legal obligation can leverage upon to navigate the complex situation without compromising individual privacy rights.
It is important to state at this point that a valid order of court that is not varied and not challenged must be obeyed. It is no gainsaying that the EFCC and indeed all law enforcement agencies are empowered to combat crime and protect the peace and stability of Nigeria. It is also trite that in doing so, they are empowered in appropriate cases to take steps which may interfere with the fundamental right of Nigerians. These steps sometimes include obtaining an order of court to restrict or intrude in personal privacy. However, these are done in strict compliance with laid down procedures.
It has been argued, and I agree that the sweeping order handed down to the EFCC by the Federal High Court may set a dangerous precedent for data privacy in Nigeria.
In recent times, more attention is shifting to the importance of safeguarding personal information all over the world. Joining in this move, Nigeria became one of the few African countries to enact a comprehensive law on data protection. The implication of this, is that all agencies of government including the courts must be circumspect in dealing with the personal information of Nigerians. The ex parte order of court granted to the EFCC by a Federal High Court to compel Binance to release ALL data of its Nigerian users is sweeping and may if not well handled set a dangerous precedent for data protection in Nigeria.
First, the order was made on the speculations of the EFCC that there are some Nigerians who use Binance to carry out nefarious activities. The question that begs the answer is; how many of Nigeria users of Binance are in this category? What happens to the privacy of the other Nigerians who do not use Binance to carry out nefarious activities?
With regards to the order of the Federal High Court, what measures did the court set in view of Sections 24, 25, 27 and 29 of the Act to ensure that while the EFCC carries out the voyage of discovery, the privacy of innocent users of Binance are protected?
In its application, EFCC stated that some users of Binance platform are involved in money laundering. Does this justify the grant of an ex parte order by Federal High Court mandating Binance to release all personal data of Nigerians in its custody to the EFCC? What justification would Binance rely on to release the personal information? Would this have been justified under legal obligation as a lawful basis for processing all the personal data of its users? Would the release of these personal data not violate the principles of processing of personal data as provided for under Section 24 of the Act?
It is taken for granted that to process personal information, a data controller must identify a legal basis. However, it is also important to note that there are procedures that must be adhered to, while relying on any of the lawful basis for processing. These procedures are important and must be considered. For instance, a controller that secures the consent of a data subject must not ignore the right of a data subject to withdraw such consent. He must also ensure that while relying on consent, the principles of processing must be strictly adhered to. So also, is the obligation on data controller who places reliance on legal obligation.
If Binance decided to release the data of all its Nigeria users without first ensuring that the relevant principles of processing are adhered to, it may end up violating the right of data subjects while complying with an order of court.
Legal obligation under the Act, include duty imposed by law, order of court or a responsibility incidental to an obligation imposed by law. Clearly, Binance is obligated by virtue of the order of court to release the personal information of its Nigeria users by virtue of an order of court if it does not take further steps to vary the order.
In complying with legal obligation, the Act provides that a data controller must ensure that it adhere to the principles of processing under Section 24 of the Act. For instance, the processing must be strictly limited to the minimum requirement under the Act and shall not be used for a voyage of discovery into the privacy of a data subject or in circumstances of establishing a speculative claim.
Ordinarily, the court imposing a legal obligation on a data controller ought to have taken into account less intrusive method of processing. It ought to have also taken into account the measures provided for the protection of personal data under Section 24 of the Act, the scope of the processing as contained in the prayer seeking the order of court, and access of data subjects to applicable data subject right in Part VI of the Act.
In the absence of the above measures prior to the grand of the order, Binance is left with the task of ensuring that it takes adequate measure to respect the privacy of the personal data of its Nigeria users.
As earlier stated, an order of court remains binding and subsisting against the party it is directed to regardless of the propriety of same until it is varied or set aside. Binance would be within its right under the Act to seek a review of the order handed down by the Federal High Court. The application of Binance may not necessarily be to vacate the order, it may be to seek that the request by the EFCC be a targeted, specific and reveal real possibility of such targeted individuals being culpable or the likelihood thereof.
A variation of the order of court issued by the Federal High Court will put in proper perspective the request of EFCC and ensure that only personal information of those who are reasonably suspected to have been using the platform to perpetrate fraud are released. Where Binance proceeds to release the data of all its Nigeria users without obtaining a review from court, an action will lie against Binance for breach of the provisions of the Act by data subjects who are able to prove that they do not have suspicious activities in their platform.
Another step which Binance is empowered by the law to take is to rely on Section 27 and 29 of the Act to inform all its Nigeria users of the existence of the order of court. The duty imposed on data controllers and data processors under these sections is to inform data subjects of such request and their rights to seek judicial review of such order.
Finally, in confronting the EFCC’s court order, Binance faces a delicate balancing act between legal compliance and ethical data processing. By adhering to the provisions of the Act, pursuing judicial review, and notifying affected individuals, Binance can navigate this challenging terrain while upholding the privacy rights of Nigeria users. This case underscores the importance of ethical data practices in an increasingly digital world and highlights the critical role of legislation in safeguarding individual privacy rights.