By Olasupo Habeebulah Morakinyo

PREAMBLE

Apart from the popular and deadly diseases like HIV AIDS, there is even a deadlier one known as the “Corona Virus” also known as “Covid-19”.

It is a global disease now declared a pandemic that broke out in the Chinese city of Wuhan late 2019 which attacks and weakens the respiratory system of its carriers. It is a contagious disease that is communicable by mere close and body contact with anyone who is infected with it, though on a 6 feet distance and it can also be contacted through the respiratory droplets of an infected person who coughs or sneezes, or from touching objects that have touched or contaminated by an infected person. It is sad that it is communicable on an easy slack or mistake.[1]. The outbreak and quick spread of the feared[2] Covid-19 has affected the economy of Nigeria due to the lockdowns by both the state and federal governments, investors are running away and this came at a time when the Nigerian economy is on the verge of collapse.

The Nigerian Governments have taken serious measures to curtail the spread of the virus ranging from restriction of movement of people, closure of markets, prevention of certain number of assembly of people, restriction of religious and social gatherings[3]. However, an important aspect of the government’s action being Fundamental Human Rights of persons and citizens of Nigeria (freedom of movement[4], rights to peaceful assembly and association[5], rights to personal liberty[6], rights to privacy[7] among others). However, the focus of this article is on whether some of the actions of the government have infringed upon the rights to privacy of citizens, whether the infringement is justified? Whether Data Processing can be done without the consent of the data subject. In answering the above questions, this article shall examine whether or not rights to privacy is related to data protection within the purview of the laws on data protection in Nigeria.

DATA PROTECTION AND RIGHTS TO PRIVACY: ANY NEXUS?

Rights to privacy presupposes that the privacy of citizens, their homes, correspondences, telephone conversations and telegraphic communications is guaranteed and protected. Invariably, the Nigerian Constitution is the fons et origo of all laws in the country. It forms the basis of the Nigerian laws. In fact, other laws derive their validities therefrom. One wonders whether rights to privacy as mentioned in the Constitution is narrowly and succinctly couched, that compare to its broader concept of data protection. The former deals with just the privacy of citizens[8] not all persons in Nigeria and the concept of data privacy is universal not restricted to a particular geographical location. Equally, it is restricted to their homes, correspondences[9] telephone conversations and telegraphic communications, this in my opinion cannot be said to include data simpliciter. Personal Data has been defined in different subsidiary legislations regulating data privacy and protection. However, the connotation given under the Nigeria Data Protection Regulation, 2019 which shall herein thereafter be referred to as the Regulation. Regulation 1.1 of the defines Personal data as

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others”

It is clear from the above provision that data protection is more detailed than the rights to privacy which has been clearly seen from the definition of personal data. Applying the literal rule of interpretation to the provision, it is error-free to conclude that the definition is detailed and sufficiently comprehensive. While it is obvious that data protection is thorough, but the provision of the Constitution[10] cannot be said to be large enough to accommodate the above definition of personal data in the Regulation. In short, rights to privacy and data protection are interrelated. This takes us to the laws that are regulating data protection and privacy in Nigeria.

DATA PROTECTION AND PRIVACY IN NIGERIA: AN OUTLINE OF THE REGULATORY LAWS.

Truth must be told that although, Nigeria does not have a specific statute[11] regulating Data Privacy and protection, the National Information Technology Development Agency (NITDA) commendably came up with the Nigeria Data Protection Regulations (NDPR, the Regulation) in 2019[12] which specifically addresses Data Privacy and Protection in Nigeria. Asides from the NDPR, there are other few laws which touch on Data Privacy and Protection in Nigeria, some of which are briefly outlined below in seriatim.

The Constitution of the Federal Republic of Nigeria. [13]
The NCC Consumer Code of Practice Regulation 2007[14]
The NCC Registration of Telephone Subscribers Regulation 2011[15]
The Freedom of Information Act 2011[16]
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015[17]
There are other laws on data protection and privacy in Nigeria but most of the laws are industries-based except the most comprehensive one among them which is Nigeria Data Protection Regulations (NDPR, the Regulation) in 2019. Although, the Nigerian legislative chambers still have a lot to do in this regard in coming up with a comprehensive legislation on data protection and privacy.

COVID 19 AND THE RIGHTS TO PRIVACY AND DATA PROTECTION OF PERSONS IN NIGERIA.

The crux of the matter is that people have been receiving different text messages from organizations, individuals and governmental bodies on the measures to be taken for the prevention of the virus. The most popular among the governmental body is the almost daily messages from the NCDC- Nigeria Centre for Disease Control. There has been transmission of medical records for research and monitoring purposes, which is also an aspect of data privacy that is connected to the prevention of virus. A concerned citizen will wonder how and where the NCDC got the data from. How lawful is the breach of this rights considering the effects on Covid 19 on our health?

Fundamental Human Rights are not absolute. They are qualified rights. Section 45 of the Constitution of the Federal Republic of Nigeria being the grundnorm under which rights to privacy exist states as follows:

“Nothing in sections 37, 38, 39, 40 and 41 of this Constitution shall invalidate any law that is reasonably justified in a democratic society-

In the interest of defence, public safety, public order, public morality or PUBLIC HEALTH; or
For the purpose of protecting the rights and freedom of other persons.”
Going by the provisions of section 45 of the Constitution, rights to privacy can be curtailed provided that there is a law that is reasonably justified for several purposes which PUBLIC HEALTH is not an exception. Is there any law that has been made for this purpose? Yes, there is an existence of Nigeria Data Protection Regulations, 2019. This Regulation provides for how data can be processed through lawful and accepted modes and how and when the data can be transmitted by extension.

DATA PROCESSING UNDER THE NIGERIAN DATA PROTECTION REGULATIONS, 2019

Data Processing simply connotes operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.[18]. Processing here extends to disclosure of personal data of data subject[19].

There are different principles covering Data Processing under the Regulation. One of the germane principles here is that anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject owes a duty of care to the said data subject, that is the data Administrator must guide the personal data of the data subject against theft cyber-attack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.[20]

There are lawful means through which the data of Nigerians can be disclosed to a third party, that is lawful means of data processing. Regulation 2.2. of the Regulation provides as follows

“…………Processing shall be lawful if at least one of the following applies:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which the Controller is subject;
Processing is necessary in order to protect the vital interests of the data subject or of another natural person and
Processing is necessary for the performance of a task carried out in the PUBLIC INTEREST OR IN THE EXERCISE OF OFFICIAL PUBLIC MANDATE VESTED IN THE CONTROLLER.
The concern of this article shall be restricted to the paragraph (e) of 2.2 of the Regulation. It is debate-free from the above provision that data can be processed(disclosed) for the purpose of public interest. Covid-19 is a global disease without respect to anyone whether rich or poor, powerful or less privileged, it is spreading and easy to contract at slightest chance of exposure to an infected carrier or even surface.

In application of the above exception to the disclosure of the data of the data subject by either different telecommunication companies, financial institutions, some from our security institutions are conditionally valid. Disclosing the Nigerian Data in order to prevent the spread of the Covid 19 is for the public interest and equally public health as envisaged by section 45 of the Constitution of Federal Republic of Nigeria.

As clear as Regulation 2.2(e) of the Regulation is, there is a condition “post-cedent” after the processing of the data of the data subject, which is notification of the data subjects about the data processing. Regulation 2.13.1 of the Regulation provides as follows:

“The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means”

The above provision is very clear and unambiguous and it is trite law that where the contents and words of the constitution are clear, plain and unambiguous, the literal rule of interpretation should be applicable, as it was held in OKUNGBOWA V.GOV., EDO STATE (2015)10 NWLR (PT. 1467) 365 C.A, MUHAMMED ABACHA V FEDERAL REPUBLIC OF NIGERIA (2014) 6 NWLR (PT 1402) 43 S.C. The court holding is not different in cases of EVEMILI V. STATE (2014) 17 NWLR (PT. 1437) 421 C.A ANS DAPIANLONG V. DARIYE (2007) 8 NWLR (PT 1036). By extension, it means that the natural, grammatical and ordinary meaning of the words used in the statute should be ascribed to them was as also held in OGAGA V. UMUKORO (2011)18 NWLR (PT 1279) 924 that “no matter how, no other secondary meanings of the clear words used in the constitution or any other statute be ascribed to them.”

By Application, it is the responsibility of the Data Controller to put measures to provide any information in connection with the data processing to the data subjects and the manner through which the information can be sent to the data subjects. This duty which the data controller has not performed is very vital but same cannot said to invalidate the data processing as there is no time frame within which same must be done.

CONCLUSION AND RECOMMEDATION

From the foregoing backdrop, data privacy is one the emerging legal issues in Nigeria. It is very obvious that the lack of comprehensive legal framework for data privacy protection accounts for the massive data privacy infringement in the country. Although the NDPR is a very good regulatory framework, it however hasn’t gained serious compliance as we have demonstrated in the crux of this article that the NCDC, an agency of the federal government has “apparently” processed data of Nigerians without due process. There is however still an expectation of compliance with Regulation 2.13.1 of the Regulation. In the wake of the covid-19 pandemic which of course qualifies as a “public interest and public health” factor in the justification for data processing, it is expected that the agency or the controller of these data would do the needful within a reasonable timeframe as far as notification of the data subjects about data processing is concerned. All in all, it is recommended that concerted effort be made by the National Assembly to overhaul and promulgate a comprehensive legislation for data privacy protection. In the same vein, all stakeholders like the NCC, NITDA, FCC and others should continue to create further awareness on data and privacy protection in Nigeria. When things are done right and right things are done only then we can have a good data privacy protection in Nigeria.

Similarly, it is recommended that the data already processed(disclosed) to different agencies for the prevention of the spread of the virus should be deleted from the database of these institutions after the pandemic is over, this is in compliance with Regulation 2. 6 of the Regulation.

Olasupo Habeebulah Morakinyo is a Lagos-Based Legal Practitioner. He is an Associate at M.J. ONIGBANJO & CO. He can be reached on Facebook: Morakinyo Olasupo with twitter handle @MORAKINYO_SUPO, phone number +2348162239050 and email address: [email protected]

[1] In fact, there are many other ways through which the disease can be contacted. It is that bad.

[2] The famous Columnist of the THISDAY, Onikepo Braithwaite once said that “the fear of Coronavirus aka Covid 19 is the beginning of all wisdom for now! THISDAY Tuesday 24 March, 2020 Vol. 25. No 9115. P. 3.

[3] These moves are in line with the provision of section 14(2) b of the Constitution that the security and the welfare of the people shall be the primary purpose of government.

[4] Section 41 of the Constitution of Federal Republic of Nigeria.

[5] Section 40 (supra)

[6] Section 35 (supra)

[7] Section 34 (supra).

[8] The concept of citizenship in Nigeria excludes foreigners, that is those are not citizens by birth, registration as contained in sections 25, 26 and 27 of the Constitution.

[9] Correspondences are just conversations or communications which can be oral or written based.

[10] Although before the NDPR, breaches of privacy related matters were brought under the section 37 of the Constitution. See Barr. Ezugwu Emmanuel Anene v. Airtel Nigeria Ltd, Suit No: FCT/HC/CV/545/2015 (Unreported)

[11] The opinion of the writer here is with reference to Act of the National Assembly or Laws of States.

[12] The Regulation extensively describes and talks on principles of data processing, the requirement of Data Compliance Officers, requirement of data subject’s consent for collecting and processing data, requirements for international transfers of data and rights of data subjects, among others. It also prescribes penalty for non-compliance with the regulation

[13] It has been submitted above that that section 37 of the Constitution constitutes the Principal Law through which other laws derive their validities.

[14] This Regulation deals with the protection of consumers’ data in the telecoms sector, that is personal data of subscribers with different network providers. In this same Regulation, Regulation 35 requires all licensees to take reasonable steps to protect the information of their customers against improper or accidental disclosures. It prescribes that licensees shall not transfer this information to a third party except as permitted by the consumer or commission or by other applicable laws or regulation. Data collected by the licensee must be such that is reasonably required for business purposes and not to be kept for longer than necessary.

[15] In this regard, Regulations 9 and 10 of the Regulation deals with the data privacy and protection of subscribers. It provides for confidentiality of personal information of subscribers stored in the central database or a licensee’s database. It also provides that these pieces of information shall not be released to a third party nor transferred outside Nigeria without the prior written consent of the subscriber (data subject) and commission, respectively.

[16] Section 14 of the Freedom of Information Act,2011 protects personal data. It restricts the disclosure of information which contains personal information by public institutions except where the involved data subject consents to its disclosure or where the information is publicly available. The Act also provides that a public institution may deny the application for disclosure of information that is deemed privileged by law like the professional communication between client and legal practitioner. See section 192 of the Evidence Act, 2011.

[17] This Act can be said to be the first and principal legislation on the criminalization of cyber rimes and other related offences. The Act prescribes that anyone or service provider in possession of any person’s personal data shall take appropriate measures to safeguard such data

[18] Regulation 1.3(r) of the Regulation.

[19] Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. See Regulation 1.3(k) of the Regulation.

[20] Regulation 2.1 of the Regulation for other principle of data processing.