By Mofoluwawo Oluwapelumi M

The whole world is currently going through what can be described as the scramble for online presence, and Nigeria is not left out. Like never before, and due to the undeniable realities of the Covid-19 pandemic, organizations, businesses and individuals the world over are trying their best to be technology-aligned and, as a result, internet-adapted.

Like never before, the compulsory stay-at-home conditions have necessitated a shift to e-platforms for the offering of services, sale of goods, corporate meetings, job interviews, religious meetings, even governance. This has translated into the processing of large amounts of personal data across different platforms by organizations, data administrators, data processors, third party processors, and sub processors as the case may be. Alarmingly, however, in obtaining personal data, not many of these organizations are taking the necessity of data privacy into contemplation. And this might end in a foreseeable data privacy crisis sooner than expected.

On the 25th day of January, 2019, the Nigerian Data Protection Regulation came into force. The regulation, crafted in line with the European Union’s General Data Protection Regulation, was enacted in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. Information solutions in both the private and public sectors now drive service delivery in the country through digital systems. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches. This regulation was also made in recognition of the concerns and contributions of stakeholders on the issue of privacy and protection of personal data, and upon evaluation of the grave challenges of leaving personal data processing unregulated.[1] While the NDPR is not as encompassing as the GDPR, and is in fact inconsistent with the GDPR in some interpretations, it is a step in the right direction as far as data privacy and security are concerned, more especially as it is the first and only regulation of its kind in Nigeria. Interestingly, the first objective of this regulation is to safeguard the rights of natural persons to data privacy, which is the preoccupation of this discourse. What then is data privacy?

Data privacy, which can also be termed information privacy or data protection, has to do with the proper and efficient handling of data, especially as it concerns the collection, storage, and sharing of data with third parties, as well as compliance with data protection regulations. Data privacy governs how data is collected, shared and used.[2] It also encompasses the protection of individual expectations and preferences for privacy when it comes to data, as well as legal and political data concerns. Noticeably, the NDPR, which is the first and only law of its kind as far as data protection is concerned in Nigeria, preoccupies itself with personal data, as this discourse will now do. Personal data is data such as names, home addresses, phone numbers and email addresses, and it is being processed on a daily basis. By section 1.3(q) of the NDPR:

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others”

Personal data and how it is processed are very important to both the individual and the organization: the individual because it affects personal safety and dignity, and the organization because data submitted is held in trust, and as such a fiduciary duty arises on its part towards the data subject.

Without over-flogging the issue, the Covid-19 pandemic necessitated the movement of a lot of businesses online. To this end, the world saw an increase in data collection/sharing and data processing. Chief amongst the legal bases for data processing is the collection of personal data for contractual purposes. Many businesses now collect personal data for all sorts of transactional purposes. And by using cookies, which most website users have to accept before they can successfully access needed information or use a website, data such as location, IP addresses, and browser metadata are being collected and processed as well. While the collection of these data is, at first instance, mostly for the noble purposes of facilitating smooth transactions and improving customer/user experience, it is quite worrisome and alarming that in most cases, these sites and the data administrators are not NDPR compliant.

Section 2.5 of the NDPR mandates mediums of data collection to display a data privacy policy which can be easily understood and assented to by data subjects before they proceed to submit personal data.

“Notwithstanding anything contrary in this Regulation or any instrument for the time being in force, any medium through which personal data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subjects being targeted can understand”. S2.5, NDPR

A good number of data processing mediums do not have this privacy policy displayed, leaving users with no choice but to submit personal data, having no inkling of how their data is going to be stored or transferred, for what purpose, whether third parties have access to it, their remedy at law for data breach and all the other stipulations of section 2.5 (a – e) of the NDPR. Where privacy policies are displayed, they are sometimes copied and pasted from other platforms, and restrictive (draconian) in drafting, forcing the data subject to consent in order to enjoy the service or transaction being accessed. And in some cases, personal data is then exploited for undisclosed marketing purposes, extended communication with the data subject even after the original transaction has ended, spamming of personal emails and social media handles with unsolicited retargeting messages, as well as the distribution or sale of personal data to sub processors; all without the knowledge or consent of the data subject. This defeats the right of the data subject to consent, and the duty of the data administrator to be transparent in processing personal data.

Mishandling of personal data is another privacy issue that needs to be addressed. It is commonplace for organizations to send mass emails copying several email addresses instead of blind copying them, thereby exposing these addresses, obtained in confidence, to the public. There are official meeting rooms and discussion groups online where personal data confidentially obtained are precariously exposed to third parties who then manipulate the data as they see fit and contrary to the purpose consented to by the data subject.

Another privacy issue is the collection of excess or unnecessary data. In the current pandemic-induced webinar wave, organizations have been observed requesting excess information to register intending participants. How do we explain requiring phone numbers for a Zoom or Google Hangout meeting (for instance) when a name and email address will just suffice? It is understandable that these data may sometimes be needed for survey purposes, but it would probably be more appropriate if the purpose were spelt out.

Obtaining data over an insecure channel or medium could pose another challenge. This calls on organizations to verify the technology with which data is being obtained and processed, to prevent compromising data subjects’ privacy.

If we were annoyed and appalled in the past at how personal printed data ended up in the hands of suya and groundnut sellers, we are in for a worse experience as electronic data is more portable than hardcopy data. If nothing is done to redress this and enforce compliance with the NDPR, we will sooner or later end up with multiple data privacy breaches, customer disaffection and distrust in organizations, and reputational damage to organizations.

It is therefore hoped that organizations will demonstrate a will to comply with the NDPR going forward by crafting and conspicuously displaying privacy policies, terms and conditions on their websites and online platforms, and ensuring proper and legal processing of personal data. It is even more important for the NDPR, however nascent, to be reviewed to ensure it is all-encompassing and on par with international regulations of its kind. Data subjects must also hold data administrators accountable to the standards of the NDPR by insisting on and exercising their individual rights (part three rights) as due. Perhaps the extent and implications of non-compliance will only be felt and appreciated when the regulation is tested in the courts of law.

Mofoluwawo Oluwapelumi M is a legal practitioner based in Lagos, Nigeria. She runs a content creation outfit called Houseoflivingstones, and also consults for small businesses on branding and business development. She can be reached at [email protected].

[1] Preamble, Nigerian Data Protection Regulation 2019

[2] Data Privacy Guide: Definitions, Explanations and Legislation. https://www.varonis.com/blog/data-privacy/