Data privacy and protection are assuming a position of great importance globally due to the indispensable nature of personal data to individuals, organizations, entities, corporations, etc in today's world. This has birthed data privacy and protection legislations globally to regulate the handling of personal data of individuals and entities alike. Nigeria is not left alone in this trend as the National Information Technology Development Agency (NITDA) introduced the Nigeria Data Protection Regulation (NDPR) in January 2019 to regulate the handling and processing of personal data of natural persons in Nigeria.
Despite the laudable provisions and innovations of the NDPR, it is not without some shortcomings, however this is not the subject matter of this piece. Nevertheless, the NDPR guaranteed certain rights to data subjects capable of being enforced against data controllers or the regulators in cases of violation of such rights.
Highlighted below are some of these rights:
i. Right to Erasure or Deletion: Also termed the right to be forgotten or right to de-referencing, it relates to a data subject's right to demand erasure or deletion of personal data from a controller. This right is exercisable where:
- the data is no longer necessary in relation to the purpose for which it was collected;
- the data subject withdraws the consent upon which the processing is based;
- the personal data have been unlawfully processed and the data subject objects to continued processing of such data
- the data controller processes data without lawful basis.
The right to deletion gained prominence in the famous case of Google Spain SL, Google Inc v Agencia Esponola de proteccion de Datos, Mario Costeja Gonzalez and has been upheld in several other cases. While the exercise of this right has been criticized on grounds that it tends to hamper the right of the public to access information, the Court has subsequently introduced territorial limitation to the exercise of this right.
ii. Right to Rectification: This relates to a data subject's right to correct or rectify personal data in the hand of the data controller. In other words, it implies a data subject's right to have incorrect or outdated data about him/her corrected or rectified. For example, in the case of Khelili v. Switzerland,a data subject's action to challenge the inaccurate description of her occupation as "prostitution" was upheld.
iii. Right to be Informed: This is a data subject's right to be informed as to the extent of his data in the hand of the controller as well as the purpose to which such data is to be put. This is why most organization's privacy policies contain the type of data collected, reason for collection, storage period, transmission, how such data is handled, etc as data subjects have a right to access to the information collected about them. This right could also be enforced where the data controller intends to further process more data about the data subject which transcends the initial purpose of collection.
iv. Right to Data Portability: This encompasses the right of a data subject to have his personal data transferred from one controller to another where technically feasible. A practical example of this is where XYZ, a graduate of AB university requests his transcript to be transferred to AZ university in the UK. In exercising this right, AB university must transfer the data in a commonly used, well-structured, machine-readable format for such processing to be validly done. The exercise of this right shall however not apply where:
- processing is necessary for the performance of a task carried out in the public interest or;
- processing is necessary for the exercise of official authority vested in the Controller.
v. Right to Object to Processing: Another right guaranteed under the NDPR is the right to object to processing. In exercising this right, a data subject may object to the processing or continued processing of his data even where he had consented to such processing ab-initio.
vi. Right to Complain: A data subject also has the right to lodge complaint with a relevant authority. That is to say, a data subject may approach NITDA to complain about any infraction of his data by a controller under the NDPR. It is pertinent to point out that such right may be exercised without prejudice to the data subject's right to seek redress in a court of law
vii. Right to Withdraw Consent: A data subject is also guaranteed the right to withdraw consent to processing of his personal data by a controller. This is without prejudice to the fact that the data subject had given consent to the latter to process same earlier. Where this is done any further processing of the data subject's data amount to an infraction of his right, the breach of which could be remedied by approaching a court of law for redress. However, the exercise of this right does not affect any processing lawfully done with the data subject's consent prior to the withdrawal.
In light of the court's decision in DRLI v. NIMCdata privacy rights are subsumed under the right to privacy guaranteed and protected under Section 37 of the 1999 constitution of the Federal Republic of Nigeria. Thus, where there is an infraction of data rights, reliefs could be sought under the Constitution, NDPR or both.
iThe most prominent being the EU's General Data Protection Regulation (GDPR).
iiSee Regulation 3.1 (7) (h) of the NDPR
iiiSee Regulation 3.1 (9) of the NDPR
ivCourt of Justice, judgment of 13 May 2014, case C-131/12,Google Spain and Google
vSee the Court of Justice, judgment of 24 September 2019 in case C-507/17,Google Inc. v. Commission nationale de l'informatique et des libertés (CNIL).
viECHR 195 (2011), App no: 16188/07
viiRegulation 3.1 (7) (h) of the NDPR
viiiSee Regulation 3.1 (7) (j) of the NDPR
ixSee Regulation 4.2 (1) of the NDPR
xSee Regulation 3.1 (7) (i) of the NDPR
xiAppeal No: CA/IB/291/2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.