Being text of a lecture delivered at the Nigerian School of Internet Governance on the 9th day of July 2019 at NIRA Office in Lagos

Introduction

Data protection and privacy are almost alien to the Nigerian society. Data subjects are, mostly, oblivious of their property rights in data and Data collectors/administrators are numb to their corresponding duty to protect and/or respect the privacy data entrusted in their hands. Ultimately, there seems or seemed to be a deafening complicit silence or absence of regulators in this field.

Up until the emergence of negligible few civil societies which recently made data privacy and protection their core concerns, Nigerians have never really bordered about whatever happened to their data so long their other economic/physical rights remained undisturbed.

In this short session, I will run through the definitions of some keywords concerning data privacy and protection, the current state of our laws on data privacy and protection; some legal issues and I conclude subject to my thoughts on all these.

I understand the session is meant to be introductory and elementary, especially for non-lawyer fellows here present and I shall thrive to make it so.

DEFINITIONS

The Nigerian Supreme Court has held that where a word or phrase has been defined in an enactment (law), the meaning given must be adhered to.1 It is on this premise that, I will restrict myself to the definitions provided in the applicable laws except where the words and/or phrases are not so provided.

Data: The Nigeria Data Protection Regulation 2019 (NDPR) defines the word as:

"Characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device"

The NDPR also goes ahead to define "Personal Data" as:

"Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others."

Data Protection: The NDPR does not specifically define the phrase "Data Protection" and it is for this reason we can resort to dictionaries in search of its meaning2

TechTarget.com defines data protection as:

"The process of safeguarding important information from corruption, compromise or loss.3

In a Report published by Web Foundation and Paradigm Initiative in March 2018 titled "Data Protection in Nigeria", the term is defined as:

"The legal mechanism that ensures privacy."

Data Privacy: Data privacy, also called information privacy, deals with the ability an organization or individual has to determine what data can be shared with third parties.4

CURRENT LEGAL REGIME ON DATA PRIVACY AND PROTECTION IN NIGERIA

Up until January 25, 2019, Nigeria did not have any dedicated general legislation on data privacy and protection apart from the 1999 Constitution (as amended) which has not been particularly useful for this purpose especially when considering our courts' somewhat restrictive approach to the interpretation of the relevant section on privacy.

Currently, as our laws stand, for the enforcement of data protection and privacy in Nigeria, we now have section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) and the Nigeria Data Protection Regulation 2019 which may be used correlatively to achieve a common purpose.

The Constitution

Section 37 of the 1999 Constitution provides that:

"The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected."

Although the provision above does not specifically mention "data", it is arguable that information on homes, correspondences and telephone conversations are captured in the definition of personal data, hence, the above provision can be used to safeguard such breach.

This contention was favoured by the Court of Appeal in the decision in Emerging Market Telecommunication Services v Barr Godfrey Nya Eneye (2018) LPELR-46193. In the case, Mr. Eneye, a legal practitioner sued the operators of Etisalat mobile line for sending exposing his telephone number to persons/companies which sent him unsolicited text messages in violation of section 37 of the Constitution. The Federal High Court awarded him damages of N8, 000, 000 (Eight Million Naira).

When the operators of Etisalat (Emerging Market Telcoms) appealed, the Court of Appeal held that:

"Section 37 of the Constitution under which the respondent instituted the action at the lower Court provides: "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected." Contrary to the submissions of the appellant, the respondent suit was properly initiated before the trial Court under Sections 37 and 39 of the Constitution. ... Learned counsel for the appellant submitted that the unsolicited messages do not constitute an infringement of the respondent's right to privacy to entitle the respondent commence an action under the Fundamental Rights Enforcement Procedure Rules. ..... It is my view that by giving those unknown persons and organizations access to the respondent's Etisalat GSM phone number to send unsolicited text messages into it, amount to violation of the respondent's right to privacy guaranteed by Section 37 of the Constitution, which includes the right to the privacy of a personal's telephone line. (Emphasis mine)

This very remarkable and commendable decision stands alone, to my knowledge, as it was decided after our own class action currently pending at the Court of Appeal was struck out by the High Court of Lagos for not being cognizable under section 37 of the Constitution on facts that fall on all fours with Eneye's case.

The Nigeria Data Protection Regulation 2019

On the 25th day of January 2019, the National Information Development Technology Agency (NITDA) issued a regulation titled "Nigeria Data Protection Regulation" to achieve the following objectives

  • to safeguard the rights of natural persons to data privacy;
  • to foster safe conduct for transactions involving the exchange of Personal Data;
  • to prevent manipulation of Personal Data; and
  • to ensure that Nigerian businesses remain competitive in international trade
  • through the safe-guards afforded by a just and equitable legal regulatory
  • framework on data protection and which is in tune with best practice.

Without prejudice to the reservations I have for the NDPR, it remains Nigeria's most comprehensive and useful data protection and privacy legislation till date.

Salient provisions

  • Definition of data and personal data – section 1.3(iv) and(xix)
  • Duty of care owed by data controllers/administrators to data subjects - section 2.1(2)
  • Consent:
  1. No data must be obtained except the purpose is known to the data subject – section 2.3
  2. Consent must be obtained with fraud/coercion
  • Privacy Policy – Data collectors must publish privacy policy to reflect
  1. What constitutes consent
  2. Description of personal information collected
  3. Purpose
  4. Technical methods used to collect
  5. Remedies in the event of violation etc – section 2.5
  • Objection to data processing – section 2.8
  • Advancement of right to privacy – section 2.9
  • Penalty of 2% of annual gross revenue of data controller. – section 2.10
  • Rights of data subject
  1. to access to information on data free of charge – section 3.1(3)
  2. right to request rectification
  3. withdraw consent
  4. right to information on further processing
  5. right to request deletion (an encapsulation of right to be forgotten)– section 3(9)

Other non-dedicated specific Data Protection laws:

  1. Federal Competition and Consumer Protection Act
  2. National Identity Management Commission Act
  3. Freedom of Information Act
  4. Cybercrime (Prohibition, Prevention, etc) Act
  5. Child's Rights Act

LEGAL ISSUES MILITATING AGAINST DATA PRIVACY AND PROTECTION IN NIGERIA

The stunted growth of data privacy and protection in Nigeria is traceable to certain legal issues, chief of which are:

  1. Inadequacy of data privacy and protection legislation:

Even in spite of NITDA's commendable issuance of NDPR in January 2019, it still does not completely solve data privacy concerns. In an article titled "My thoughts on the NDPR5", I expressed my reservation on the inadequacies/shortcomings of the NDPR especially on its restrictive objectives and definition of data, absence of provision on remedies to victims etc.

The NDPR is, sadly, limited to electronic data thereby leaving paper-based data violations without remedies or protection. Recourse may however be had to section 37 of the Constitution but reliance thereon is not without its own nuances especially when faced with a narrow-minder court as we have seen in the past, where clear cases on infringement of privacy have been struck out because the court concerned preferred to deal with them as tort of nuisance.

Worthy of mention, is the effort of Paradigm Initiative6 at sponsoring the Digital Rights Protection Bill which was however rejected by the President. Its passage would have eased the inadequacies of section 37 and the NDPR on data protection issues.

  1. Deplorable consciousness of data privacy rights/laws:

If ignorance of the law is not an excuse what do we say about ignorance of rights? In a 2000 report of International Tolerance Network7, it was stated thus:

"Within the national and the international contexts of Human Rights Education (HRE), four typical difficulties of HRE can be identified. We call them the four Big I´s of HRE: ignorance, incompetence, indifference and intolerance."

Ignorance: this means the lack of knowledge about human rights and the institutions of human rights protection, as well as the inadequate understanding of the gain with regard to civilisation, of the idea of freedom and equality of human rights."

How do you demand and/or enforce rights you are not aware of? To sum up Nigerians' awareness of their data privacy rights, we were briefed by Paradigm Initiative sometime early January 2019 to file an action against the National Identification Management Commission preventing them from enforcing the National Identification Number until a data protection legislation was put in place.

NIMC briefed a lawyer later in February 2019 but they were unaware that NITDA had issued the NDPR which was the crux of our case. The matter surprisingly went on for over three months and both parties never mentioned the NDPR. On our part, we initially decided to keep mum until we discovered that NIMC's lawyer had not been informed even up till the last day of hearing and I had to inform him.

It was that bad. Government agencies which deal with citizens' data are not even aware of the NDPR!!!

  1. Lack of enforcement-will/drive

Commendably, NITDA took the initiative to issue NDPR but it ought not end there. The NDPR, though issued on the 25th day of January 2019, it was meant to take effect from 25th April 2019, at least with the Data Collectors publishing their privacy policies are mandatorily required by section 2.5 of NDPR.

April 25 came and left, neither have the numerous Data Collectors published their privacy policies to our knowledge nor did NITDA penalize them as provided under section 2.10 of the NDPR thereby giving a rebuttable impression that the regulators are treating them with kid gloves.

There are other provisions requiring immediate and continuous compliance, for instance, section 4.1(2) requires every Data Controller to designate Data Protection Officers but this is sadly non-existent and remains unforced by the regulator.

A very pronounced recent breach of the NDPR was the Nigeria Immigration Service's publication of the international passport data page of a Nigerian resident in the UK. The data was published on the Service's social media pages without the Data subject's consent but we are not aware of any sanction meted to the Immigration Service under NDPR. I won't say much on this, as Paradigm Initiative and Digital Rights Lawyers Initiative have given pre-action notice to the Nigerian Immigration Service in preparation for law suit on the strength of section 4.1(8) of NDPR which empowers civil societies to uphold accountability and foster the objectives of this Regulation.

  1. Dearth of judicial decisions on data privacy violations

The Nigerian judiciary, like its counterpart elsewhere, thrives on judicial precedents, especially when the lower courts are confronted with somewhat novel cases.

Our case law is however replete with straightjacketed privacy cases which relate to invasion of homes and offices as opposed to invasion of data privacy stricto sensu. Apart from the decision in Emerging Market v Eneye (supra), I am not aware of any other appellate court decision on invasion of telephone (data) privacy. Hence, it is increasingly difficult for practitioners and judges to find authorities on which they can rely on while granting reprieve to data violation victims although this should not be an excuse to do justice even when no precedents exist.

CONCLUSION

A journey of a thousand miles, they say, always begins with a step, however warped it may be. Data privacy and protection, as human rights, are increasingly becoming serious legal conundrum that must be given adequate legislative and judicial coverage, consideration and deliberation in Nigeria, otherwise, our recent resolve to do things differently will continue to be a terrible phantasm.

Footnotes

1 Nosiru Attah v State (1993) LPELR-598(SC)

2 In Attorney General of Bendel State v Chief C.O.M. Agbofodoh (1999) LPELR-616(SC), it was held that: "Dictionaries are not generally resorted to as means of elucidating the construction of statutes. They may however afford some help...... it is for the court to interpret the statute as best as it can. In so doing, the courts may no doubt assist themselves in the discharge of the duty by any literary help they can find, including of course, the consultation of standard authors and reference to well-known and authoritative dictionaries."

6 Paradigm Initiative is a social enterprise that builds an ICT-enabled support system and advocates digital rights in order to improve livelihoods for under-served youth.

7 http://www.human-rights-education.org/images/pubhrhre.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.