Personal data has emerged as the new oil with rising importance being afforded its protection in the society. This has led to the emergence of data privacy and protection legislations to safeguard and protect personal data of individuals. However, while the legislations on data privacy and protection, the NDPR and GDPR inclusive, have been laudable on the extent of the protection afforded to the natural persons, the same cannot be said of artificial persons who majority of the extant legislations fail to protect so far.
This piece aims at examining artificial persons, the likelihood of breach of their data, available protection under the Nigeria Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) as well as the remedies available in case of data breach.
1.0 WHO ARE ARTIFICIAL PERSONS?
An artificial refers to an entity such as corporation, created by law and given certain legal rights and duties of a human being.
These entities in the character of a person assume distinct names, addresses, occupations, date of birth, bank accounts, etc all of which culminates into diverse threshold of personal data capable of being breached, thereby necessitating the need for data privacy and protection legislations to extend their sphere of protection to cover them.
2.0 PROTECTION OF ARTIFICIAL PERSONS UNDER THE NDPR AND GDPR
In Nigeria, the NDPR is the most comprehensive attempt to regulate data privacy and protection of its citizens. Although there are arguments that it is a mere Regulation and not a standard piece of legislation, it nevertheless ranks as the most comprehensive legislative intervention as preceding legislations on the subject matter were sector-specific . The introduction of the NDPR in 2019, came with laudable provisions on the data privacy and protection space in Nigeria. However, one of its major flaws manifests in the express limitation of its scope to natural persons as contained in Regulation 1.2 (c) thus:
"this Regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria"
Flowing from the above, the extent of the protection clearly limits it to natural persons. However, the EU's GDPR which is the most comprehensive data privacy law in the world equally fails to protect artificial persons. By virtue of Article 1 (1) and (2) of the GDPR:
"This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data............... This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data"
This also clearly limits the protection to natural persons. In fact, Recital 14 of the GDPR clearly eliminates the application of the GDPR to artificial persons thus:
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person".
Also, the definition of personal data under the GDPR explicitly limits it to natural persons thus:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Flowing from the foregoing, it is apparent that both the GDPR and NDPR expressly excluded artificial persons from the scope of their application.
3.0 STRETCHING THE NDPR AND GDPR TO INPUT PROTECTION OF ARTIFICIAL PERSONS
The provisions of the NDPR could be stretched to imply an application to artificial persons. This is because there appears to be certain inconsistencies in the NDPR because while Regulation 1.2 (c) clearly states that it applies to natural person, there is no express provision exempting its sphere of application to artificial entities unlike the case in other legislations like the GDPR.
For instance, the NDPR, by virtue of the provisions of Regulation 1.3 (xiv) defines a data subject as follows:
"Data Subject" means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
The above definition could be explored to stress that an artificial person fits into the definition of data subject under Regulation 1.3 (xiv) as it could be identified by reference to an identification number (e.
RC Number), or factors specific to its physical identity (office address), economic factors (e.g banking records, bank account details, etc). Although this clashes with the provision of Regulation 1.2, it creates a loophole that could be leveraged to argue for the protection of artificial persons under the NDPR.
4.0 POSSIBLE ARGUMENTS AGAINST PROTECTION OF ARTIFICIAL PERSONS UNDER THE NDPR AND GDPR
By the very nature of their creation and existence, the information and records of these legal entities are public records and therefore outside the ambit of personal data protected by the NDPR. However, this argument would retain validity/potency only to the extent that such records do not overlap with the data of the human component of the respective artificial entity. A case in point is the provision of the Companies and Allied Matters Act (CAMA), 20203 which safeguards the personal data of company officials4
Although, it may be argued that the protection clearly limits it to personal data of directors and not the company itself as an entity. We humbly submit that there is bound to be many instances of overlap between the data of a natural and artificial persons especially in cases of a single member companies where the sole shareholder/director's data most often appears to be the entity's data. This is based on the provision of single member/shareholders company under CAMA 2020 5 . Thus, where this happens, an infraction of the data right of an artificial person would equate an infraction of the data rights of the sole shareholder/director
Based on the foregoing, the need for the protection of artificial persons under data protection legislations cannot be over-emphasised.
5.0 REMEDIES AVAILABLE TO ARTIFICIAL PERSONS IN CASE OF DATA BREACH
As earlier identified, artificial persons are not protected under the NDPR and the GDPR, which therefore births the question of how they could protect their data in cases of breach. Highlighted below are some of the legal remedies available under the extant laws to avail artificial persons adequate protection in case of breach of their privacy rights:
a. An action for breach of privacy rights: The right to privacy is guaranteed and protected under the 1999 constitution6 . Thus, an artificial entity could maintain an action for breach of its right to privacy where there is a case of breach of its data as the court has held that data privacy rights are subsumed under the right to privacy guaranteed under S. 37 of the constitution7 .
Thus, regardless of the absence of protection under the NDPR, an artificial entity could explore this option to seek redress where there is breach of its data. This is based on the principle that an artificial person could sue to enforce its fundamental right8 as upheld in the case of Dawan v. EFCC & Ors9 where the court had this to say:
"It is also recognized that an artificial person like Taen Nigeria Ltd can sue for enforcement of its fundamental rights."
Although it could be argued that the Fundamental Rights Enforcement Procedure Rules, 2009, do not allow associations or groups to bring fundamental rights enforcement actions, it nevertheless, empowers them to bring such actions on behalf of their members. This could be leveraged upon by artificial persons especially where the data infractions affect its members.
b. An action in tort for negligence: Subject to the successful proof of negligence on the part of a data controller, an artificial entity could maintain an action in negligence for damages owing to breach of its information especially in situations where such negligence results in far-reaching consequences on the entity concerned10.
To maintain a successful case for negligence, there must be a duty of care owed to the artificial person, a breach of that duty and damage resulting from such breach.
c. Contract: An artificial person could also include data protection clauses in its agreement before contracting. This could be leveraged upon to seek redress in court in situations where its personal data eventually gets breached.
Also, a Non-Disclosure Agreement could be used by artificial entities as a weapon to protect themselves in case of breach of their rights.
While the NDPR despite its laudable provision failed to protect artificial persons, such entities could still explore the options listed above to seek redress in cases of data breach. The constitution seems to be the best shot as breach of privacy rights have been pursued through that means even prior to the advent of the NDPR. It is therefore recommended that a more comprehensive piece of legislation on data privacy and protection whose arm of protection extends to artificial persons be codified in order to meet up with global best practices.
In a world where countries are already extending the sphere of their data protection legislations to artificial persons11, the need for other countries to follow suit cannot be over-emphasised.
1 See Blacks Law Dictionary (Ninth Edition) 2009.
2 Examples are The Registration of Telephone Subscribers Regulations, 2011, Electronic Transaction Bill, 2015, Telecommunications Networks Interconnection Regulations, 2007, Consumer Protection Framework, 2016, etc.
3 In fact, CAMA 2020 specifically protects data of directors and proceed to give instances where such may be disclosed. This is to protect inordinate disclosure or access to director's residential address which falls under his personal data under the NDPR.
4 See generally Section 323 – 329 of CAMA 2020
5 See Section 18(2) CAMA 2020
6 See Section 37 of the 1999 constitution as amended
7 See the case of Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. NIMC (2021) LPELR 55623 CA
8 See the case of Okechukwu v. EFCC (2015) 18 NWLR (Pt. 1490 1 @ 24 E - F
9 (2019) LPELR 48386 CA
10 See the case of Donoghue v. Stevenson (1932) A.C 562 at P. 597
11 Examples of countries that offers data protection to artificial persons includes South Africa, Austria, Norway, Switzerland, Italy and Luxemburg.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.