By Christian Nwani Oti

ABSTRACT

The 21st century ushered in high use of information and communication technology. Individuals and businesses are making swift transmission and processing of their data on the internet.

The recognition that the world has become a global community and the rush in the use of social media where many knowingly or otherwise leave hints of their sensitive data, should ordinarily put anybody on the watch in the way he procures and/or disseminate information.

The internet has indeed made life easy, but with this comes the dangers of its use, and the vulnerable state of privacy breach that many do not know where to turn to for remedy. Thus, data protection is a growing concern today. The provisions of the law on data protection in Nigeria, state of data protection, regulatory definitions of the terms, the impediments shall be examined here and recommendations made in conclusion.

INTRODUCTION

At the outset, it must be stated that one of the sacred desire of man is to have his privacy guarded. It is inherent in man, and has been recognized in many international conventions and treaties, including the constitutions of many countries. The objective for the privacy is the protection of his data.

In Nigeria, the right to privacy is copiously enshrined in the constitution and it reads thus[1]:

  “The privacy of citizens, their homes, correspondence, telephone conversations and

    telegraphic communications is hereby guaranteed and protected” 

The protection of citizens’ data vide the law is still in its nascent stage in Nigeria particularly to the understanding of many and its testing in court. Although, there is yet to be enacted a specific law in Nigeria that deals on data protection, there are a handful of statutes that could be explored for data protection presently, not excluding the constitutional provisions on the point. Such laws include the following:[2]

  • The Nigerian Communications Commission Act 2003 – this has enabled the commission to make regulations concerning the telecommunications industry.
  • The Child’s Right Act 2003 – the protection of the privacy of children is guaranteed in Section 8.
  • The Freedom of Information Act 2011 – this expressly rules out the personal information of people in its bid to give public information to the citizens.
  • The Central Bank Act 2007 – it protects the financial details of persons from being disclosed by financial institutions without consent.
  • National Health Act 2014 – this Act requires establishment to maintain and ensure the privacy of health records of every user of health care.
  • The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 – it provides for the criminalization of data privacy breaches.

However, the principal data protection legislation (Subsidiary) currently is the Nigeria Data Protection Regulation 2019 (“NDPR”). This regulation was made by the National Information Technology Development (“NITDA/the Agency”) on 25th January, 2019 pursuant to the NITDA Act 2007.[3] The Act establishes the government agency or body to plan, develop, promote and regulate the use of information technology in Nigeria. The section provides thus:[4]

The board may make such regulations as in its opinion are necessary or expedient for giving full effect to the provisions of the Act and for the due administration of its provision”.

This notwithstanding, it is noteworthy that there is a Data Protection Bill, 2020 that contains comprehensive details to the principles of data protection. Nigerians awaits same to become law in earnest.

SALIENT REGULATORY DEFINITIONS OF TERMS IN DATA PROTECTION

The Nigeria Data Protection Regulation 2019 defines the following terms as:

  • “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals is stored in any format or any device;
  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, generic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, post on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, SIM and others;
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • “Data Administrator” means a person or organization that processes data;
  • “Data Controller” means a person who either alone or jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed;
  • “Computer” means information technology systems and devices, whether networked or not;
  • “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process personal data;
  • “Data Protection” The NDPR does not specifically define the phrase; recourse is made to dictionaries for its meaning. com defines data protection as: “the process of safeguarding important information from corruption, compromise or loss.[5]
  • “Data Privacy” also called information privacy, deals with the ability an organization or individual has to determine what data can be shared with third parties.[6]

DATA PROTECTION BILL, 2020  

At the call for a more comprehensive legislation came this bill passed already by the National Assembly. A brief review shall be made here to show the steps being made in data protection in Nigeria:

The Act seeks to establish the Data Protection Commission charged with the responsibility for the protection of personal data, rights of data subjects, regulation of the processing of personal data, and particularly to[7] –

Objectives:

  • Promote a code of practice that ensures the privacy and protection of data subject’s data without unduly undermining the legitimate interests of commercial organizations and government security agencies for such personal data;
  • Minimize the harmful effect of personal data misuse or abuse on data subjects and other victims;
  • Establish an impartial, independent and effective regulatory authority that will coordinate data protection and privacy issues and superintend over data controllers and data processors within the private and public sectors;
  • Ensure that personal data is processed in a transparent, fair, and lawful manner, in accordance with the data protection principles stipulated in this Act or any other extant legislation.

Application and Scope:[8] (a) The collection, storage, processing and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means, irrespective of residence; (b) personal data processed by entities in the private and public sectors in Nigeria; and (c) a data controller and data processor in respect of personal data where-

  1. The data controller and data processor are both established in Nigeria, and the personal data of data subjects are processed within Nigeria,
  2. The data subject resides within or outside Nigeria,
  3. The data controller is not established in Nigeria but uses equipment or a data processor in Nigeria to process personal data of data subjects who reside within or outside Nigeria, or;
  4. Processing is carried out in respect of information relating to data subjects who reside within or outside Nigeria and personal data which originates partly or wholly from Nigeria.

It is noteworthy that the law does not apply to processing of personal data carried out by a data subject in the course of a purely personal or household activity.[9] But, applies to Data subject who is a Nigerian either in or outside Nigeria; data subject in Nigeria, incorporated or unincorporated bodies and foreign entities targeting persons resident in Nigeria. Any person, who does not fall within these but maintains an office, branch or agency through which business activities are carried out in Nigeria.[10] The category of personal data under this law is stated and same guided under strict principles of consent and transparency.[11]

The bill provides rights for the data subject to be notified of the data breach, right to access personal data by the data subject, rights in respect of questioning automated decision making that affects the data subject without taking his view, and other rights.[12]

CHALLENGES AND SOLUTIONS TO DATA PROTECTION IN NIGERIA

The fact remains that the issues of data protection is quite novel to Nigerians. Many do not realize they have rights in this regard, to be protected. Some lawyers only have exiguous information as well. This leads to a dearth of judicial adjudications on the point. Where the citizens do not challenge privacy breaches in court, the courts will have no opportunity to pronounce on same, thus reducing the consciousness of the people on the subject.

It is urged that awareness campaigns and seminars be made in the urban and rural areas to inform the people on data protection. Law reports fashioned to put out court decisions on data protection should be encouraged. Lawyers should get trained in this area to help them in advising their clients well and take appropriate actions when necessary.

The challenge of adequate legislation on data protection will be cured a great deal when the Data Protection Bill becomes law. To that end, the National Assembly should override the President if he fails or refuse to give his assent.[13]

It suffices to say that, the lack of political will to enforce privacy right is an impediment to the success of data protection in Nigeria. The government must therefore put action to words in ensuring that enforcement of the law in this respect is assured.

Also, officials in private and public sectors who are engaged in data controlling and processing should be trained to facilitate the effective implementation of the dictates of the law, especially in the use of technology. This is as ignorance in technological skills is a bane to data protection. It is believed that privacy breach will reduce in Nigeria if the competence and technological knowledge of officials supersedes those of internet fraudsters.

CONCLUSION

The protection of our personal information is a priority in this fast paced world of the internet. It is a duty placed on each one to take adequate measure to guard his or her personal data. We must be sure of those we give consent to for the procurement of our personal data. The power that knowledge brings is enormous, hence those engaged in handling personal data of individuals or business must adhere strictly to the rules of engagement.

Nigeria has made significant stride in data protection as shown in this paper, however, like the proverbial cup, it is half-full, and a lot more needs to be done. Steps must be taken to accentuate the Data Protection Bill, 2020 to an Act. And as the dynamics of life occurs, the need to adapt the necessary changes for data protection must become our watch word.

DETAILS OF AUTHOR

Written By CHRISTIAN NWANI OTI, PHONE CONTACT: 08141689879, 08114147171, EMAIL: [email protected]

[1] Section 37, (1999) constitution as amended

[2] E Gbahabo; O Akpaibor, Nigeria: Data Protection Laws and Regulations 2020 (https:/iclg.com, published 06/07/20)  accessed 14/09/20

[3] Ibid

[4] Section 32 NITDA Act (2007)

[5] http://searchdatabackup.target.com/definition/data-protection quoted in O. Babalola, Data Protection and Privacy Challenges in Nigeria (Legal Issue) (published on http://mondaq.com, 09/3/20 and accessed 14/09/20

[6] Ibid

[7] See the long title and Section 7 of the Data Protection Bill (2020)

[8] Section 2(1)

[9] Section 2(2)

[10] Section 2(3)

[11] Section 2(4)(5)(6)

[12] See part 5 of the bill; the right of a data subject is limited by Section 38

[13] Section 58(4)(5) 1999 Constitution(as amended)