With the increasing reliance on digital technology and the internet, data privacy has become a critical concern worldwide. In Nigeria, the protection of personal data is governed primarily by the Nigeria Data Protection Act, 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR), which was issued by the National Information Technology Development Agency (NITDA) in 2019. These laws outline the rights of data subjects and the obligations of data controllers and processors in ensuring that data subjects' rights are preserved and protected. Despite the lofty provisions in these laws, data privacy violations still occur, and it is essential to understand the legal recourse available for such breaches and violations.
It is against this background that this piece aims to analyze data privacy violations and the legal remedies to be explored when they occur.
UNDERSTANDING DATA PRIVACY VIOLATIONS
Although a data privacy violation is not defined under the NDPA, the Act makes provision for what is meant by a data breach.
By virtue of Section 65 of the NDPA, a personal data breach refers to a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.1
Going by the above definition of a data breach, it is safe to define a data privacy violation as one that occurs when there is unauthorized access, collection, use, disclosure, or disposal of personal data. These violations often result in significant damage to the data subjects and affected individuals, including identity theft, financial loss, and reputational damage. To safeguard and protect data subjects, the extant privacy legislation guarantees their rights and includes provisions containing compliance metrics and obligations to be met by data controllers and processors.
LEGAL REMEDIES FOR DATA PRIVACY VIOLATIONS
When a data privacy violation occurs, it is imperative to follow the steps highlighted below in order to get an optimal result and seek redress to the full extent of the law. The steps to be taken include but are not limited to:
- Engage a Privacy Lawyer: Data privacy and protection is a broad aspect of law, and there are legal practitioners who are experts/specialists in this field. Engaging the services of a data privacy lawyer would allow for proper counsel and direction on the nature of the breach, its implications for the affected data subject, steps to be taken to forestall further violation, action to be taken, etc.
- File a complaint with the Nigeria Data Protection Commission (NDPC): The NDPC is the regulatory body created under the NDPA to regulate the processing of personal data and related matters in Nigeria.2 When a data privacy violation occurs, a data subject has the right to file a complaint with the Commission.3 When this is done, the Commission may cause an investigation into the complaint to determine the truth or otherwise of the allegations contained in the complaint by:
  - Ordering the alleged violator to attend at a specified time and place for the purpose of orally examining them in relation to the complaint.
  - Requesting the production of a document, record, or article as may be required with respect to a matter related to the investigated complaint.
  - Requesting the alleged violator to furnish a statement in writing made under oath or an affirmation setting out all information related to the complaint.
  - Requesting access to a document, minutes, or mechanical or electronic device from the alleged violator for the purpose of investigating the complaint.4
  Where the Commission is satisfied that there is a privacy violation or likelihood of a violation, it may make a compliance order against the data controller or processor (violator) including but not limited to:
  - A warning
  - An order to comply with the provisions of the Act or specific request of a data subject
  - Cease and desist order
  - An order to remedy the violation
  - An order to compensate the data subject for losses suffered
  - An order to account for the profit realized from the violation
  - An order to pay a penalty or remedial fee5
- A civil action in court: An aggrieved data subject who suffers injury, loss, or harm as a result of the violation of his data may also approach the court for an action in damages against the data controller or processor.
- An action for the Enforcement of Fundamental Human Rights: An aggrieved data subject may also commence an action for the enforcement of his fundamental human right in the face of a privacy violation, especially where it offends one of his rights as guaranteed under the NDPA and NDPR. This is because the courts have held that the right to data privacy is subsumed under the right to privacy guaranteed and protected under the 1999 Constitution of the Federal Republic of Nigeria (As Amended).
In the case of INCORPORATED TRUSTEES OF DIGITAL RIGHTS LAWYERS INITIATIVE & ORS v. NIMC6, the appellate court in affirming this position had this to say:
“… As observed above by His Lordship Agim, JCA (as he then was), the privacy of the home, correspondence, telephone, and telegraphic communications protected by the Section are clearly definable and determinable as to their nature and scope. However, the meaning and scope of “privacy of citizens” as guaranteed by the Section has not received a clear definition/interpretation in the Constitution. The trial Court had, in my view, rightly held above, that the right to “privacy of citizens” as guaranteed under the Section includes the right to protection of personal information and personal data.” Per ABBA BELLO MOHAMMED, JCA (Pp 25 – 27 Paras E – D)
CONCLUSION
Data privacy violations can have serious consequences for individuals and organizations. In Nigeria, the NDPA, NDPR, and other extant legislation provide a comprehensive framework for protecting personal data and offer several avenues for legal recourse in the event of a breach. By understanding their rights and the available legal remedies, data subjects can take appropriate action to seek redress and hold violators accountable. At the same time, adopting preventive measures and best practices can help minimize the risk of data privacy violations and ensure compliance with the extant law on privacy and data protection.
Footnotes
1. Section 65 of the NDPA
2. See the NDPA
3. See Section 46 of the NDPA
4. See generally Sections 46(4), (5), (6) and (7) of the NDPA
5. See generally Section 48 of the NDPA
6. (2021) LPELR-55623(CA)