DATA PRIVACY AND PROTECTION UNDER THE NIGERIAN LAW1
The 21st century, commonly dubbed "the information age" with its greatest invention, the internet, has brought about fast and easy dispensation of personal information or data. With an estimated 2.96 billion social media users worldwide, social media is the greatest accomplice to the speedy dispensation of personal information around the world.2 Virtually everybody on the planet has their personal data (i.e., name, address, pictures, email address, bank details, or medical information) online. These data reveal sensitive personal information that can be exploited to harm users unscrupulously for economic gain. Thus, it has become important to protect these data and regulate the way data is used. One should be able to decide whether or not they want to share some information, who has access to it, for how long, for what reason and to be able to modify some of this information, if necessary.3
The information age has seen data exchange become a common feature and an integral part of commercial transactions. Considering that five of the six largest companies in the world (Apple, Microsoft, Amazon, Google and Facebook) deal in data and profit off processing the data of their consumers,4 it has become imperative to regulate how that vast amount of personally identifiable data is managed. For instance, the Google-owned YouTube's algorithm feeds off personal data (e.g. user information, likes, searches, etc.) to suggest what videos users may like or find interesting.
- "Knowledge is power, information is power."
1.1 This statement by Robin Morgan became more glaring and profound in the light of the Facebook-Cambridge Analytica Data Privacy Scandal5 that shook the world in 2018. Here, Cambridge Analytica, a political consulting and strategic communication firm, was found to have illicitly collected the personal data and information of about 87 million Facebook users without their consent for political advertising purposes (especially in the run-up to the 2016 US Presidential elections). This scandal, amongst other previous data privacy breaches,6 signaled the urgent need to protect personal data. It prompted the immediate implementation of the EU General Data Protection Regulation (GDPR)7 in 2018.
1.2 In a similar vein, Nigeria has had its own fair share of data privacy breaches. Notably, the recent case between NITDA8 and TrueCaller (2019) as well as the case involving MTN Nigeria Communications Ltd v Barr. Godfrey Eneye (2013) are a few instances.9 Data protection is becoming a risk issue discussed at negotiation stages between companies in different jurisdictions, and data protection has become a tool to encourage confidence in businesses. In essence, it is important that companies and persons in Nigeria know the laws governing Data Privacy and Protection in Nigeria and the scope of rights, duties and responsibilities available to them.
- The Legal Framework of Data Privacy and Protection Laws in Nigeria
Although Nigeria does not have a specific statute regulating Data Privacy and Protection, the NITDA commendably came up with the Nigeria Data Protection Regulations (NDPR) in 2019, which specifically address Data Privacy and Protection in Nigeria. Aside from the NDPR, there are other laws which touch on Data Privacy and Protection in Nigeria, which are briefly highlighted below.
- The Constitution10
Section 37 of Nigeria's 1999 Constitution forms the foundation of data privacy rights and protection in Nigeria. Section 37 guarantees and protects the right of Nigerians to privacy with respect to their homes, correspondence, telephone conversations and telegraphic communications. It deems privacy in this respect a fundamental right which is enforceable in a court of law when breached. Prior to the NDPR, most cases of data privacy breaches were enforced under this section.11
- The Nigeria Data Protection Regulation (NDPR) 201912
Albeit a subsidiary legislation, the NDPR is the major law specifically aimed at addressing data privacy and protection in Nigeria. The regulation was issued by the National Information Technology Development Agency (NITDA) in 2019 to comprehensively regulate and control the use of data in Nigeria.13 A copycat of the EU GDPR, the regulation touches on principles of data processing, the requirement of Data Compliance Officers, the requirement of the data subject's consent for collecting and processing data, requirements for international transfers of data and rights of data subjects, inter alia. It also prescribes a penalty for non-compliance with the regulation.14
- The NCC Consumer Code of Practice Regulation 200715
Part VI of the Nigerian Communications Commission (NCC) regulation generally deals with the protection of consumers' data in the telecoms sector. Reg. 35 requires all licensees to take reasonable steps to protect the information of their customers against improper or accidental disclosures. It prescribes that licensees shall not transfer this information to a third party except as permitted by the consumer or commission or by other applicable laws or regulation. Data collected by the licensee must be such that is reasonably required for business purposes and must not be kept for longer than necessary. This law extends not only to electronic or written data but also to verbal data recorded by the licensee.16 It also provides for notification of the consumer of the use and disclosure of data obtained from them.
- The NCC Registration of Telephone Subscribers Regulation 201117
Regulations 9 and 10 of the NCC Registration of Telephone Subscribers Regulation 2011 deal with the data privacy and protection of subscribers. They provide for confidentiality of personal information of subscribers stored in the central database or a licensee's database.18 They also provide that this information shall not be released to a third party nor transferred outside Nigeria without the prior written consent of the subscriber and commission, respectively. This regulation also regards the information stored in the Central Database as the property of the federal government of Nigeria.19
- The Freedom of Information Act 201120
Section 14 of the Freedom of Information Act protects personal data. It restricts the disclosure of information which contains personal information by public institutions except where the involved data subject consents to its disclosure or where the information is publicly available. The Act also provides that a public institution may deny the application for disclosure of information that is deemed privileged by law (e.g. Attorney-client privilege, doctor-client privilege).
- The Cybercrimes (Prohibition, Prevention, etc.) Act 201521
The Cybercrimes (Prohibition, Prevention, etc.) Act, Nigeria's foremost law on cybercrimes, criminalizes data privacy breaches. Generally, this Act prohibits, prevents and punishes cybercrimes in Nigeria. It prescribes that anyone or any service provider in possession of any person's personal data shall take appropriate measures to safeguard such data.22
- The Child Rights Act 200323
The Child Rights Act protects the privacy rights of children.24 The Act protects and guarantees the right of every child to privacy, family life, home, correspondence, telephone conversation and telegraphic communications subject to the supervision or control of the parents or guardians.25
- The Consumer Protection Framework 201626
The Central Bank of Nigeria's Consumer Protection Framework prohibits financial institutions from disclosing the personal information of their customers. It also ensures that these financial institutions take appropriate measures to safeguard customers' data and necessitates the prior written consent of their customers before sharing these data with anyone.
- The National Identity Management Commission (NIMC) Act 200727
Section 26 of this Act requires the approval of the Commission before a corporate body or anybody can have access to data stored in their database. The Act also empowers the NIMC to collect, collate and process data of Nigerian citizens and residents.
- The National Health Act (NHA) 201428
The NHA, which regulates health users and healthcare personnel, restricts the disclosure of the personal information of users of health services in their records. It also ensures that healthcare providers take the necessary steps to safeguard such data.
- The Federal Competition and Consumer Protection Act 201929
This Act stipulates that the Federal Competition and Consumer Commission shall ensure that business secrets of all parties concerned in investigations conducted by it are adequately protected during all stages of the investigation or inquiry.30
- Case Laws
Just like many other common law jurisdictions, judicial decisions are an integral source of law in Nigeria and, although very few, there are court decisions on data privacy and protection. Some of these include the cases of Godfrey Nya Eneye v MTN Nigeria Communication Ltd31 and Barr. Ezugwu Anene v Airtel Nigeria Ltd.32 In the former case, the court held that the unauthorized disclosure of the claimant's mobile phone number by his telecommunications service provider (the defendant) and subsequent unsolicited text messages he received from unknown third parties were violations of his constitutional right to privacy. A similar verdict was given in the latter case. Both claimants were awarded damages of N5,000,000 (five million naira), respectively.
15.1 It is laudable that Nigerian authorities through their laws and various regulations are taking bold steps to protect the personal data of her citizens. However, despite the array of laws and regulations on data privacy and protection, the only law that specifically and comprehensively deals with this phenomenon is the recently announced NDPR by NITDA.
15.2 Prior to the NDPR, most laws on data privacy and protection in Nigeria were industry specific. For instance, the various NCC regulations protect consumers in the telecommunications sector; the provisions in the Child Rights Act protect persons under the age of 18; and the Freedom of Information Act protects personal data in records of public institutions. Therefore, the establishment of a data privacy and protection law in the form of the NDPR that transcends industries and categories of persons is highly commendable.
15.3 The quick implementation and enforcement of the NDPR by NITDA has shown its seriousness in ensuring compliance with data privacy and protection laws by data controllers and processors in Nigeria.33 Further evidence of this is the current investigation of TrueCaller by NITDA for data privacy breaches34 alongside the recent investigation of the Lagos Internal Revenue Service (LIRS) for publishing some Lagos State taxpayers' personal information on its website.35 The establishment of the NDPR and the activities of NITDA have also helped create awareness about data privacy and protection amongst Nigerians.
15.4 Despite being a huge step in the right direction, the NDPR is not without criticism. The regulation solely "applies to all transactions intended for the processing of personal data and to actual processing of personal data... and to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent."36 The NDPR applying solely to personal data and natural persons means the regulation excludes other forms of data and corporate organisations respectively.
15.5 Furthermore, some quarters believe the NDPR, being a regulation and not a statute enacted by the National Assembly, lacks the requisite force of law sufficient for addressing such an important subject. Some also believe the NITDA is not empowered by law within the ambit of Section 6 of the NITDA Act to make such a regulation.
15.6 Nonetheless, Nigeria is one of the few countries that can boast of having data privacy and protection laws in the world.37 It is thus apparent the country is heading in the right direction although there is still room for improvement.
1 Francis Ololuo, Associate Intern Intellectual Property & Technology Law Department, SPA Ajibade & Co., Lagos, Nigeria.
2 https://www.statista.com/statistics/278414/number-of-worldwide-social-network-users/ accessed on January 20, 2020.
3 Estelle Masse "Data Protection: Why it matters and how to protect it" (January 25, 2018) available online at: https://www.accessnow.org/data-protection-matters-protect/ accessed on January 20, 2020.
4 https://www.statista.com/statistics/263264/top-companies-in-the-world-by-market-value/ accessed on January 20, 2020.
5 "Facebook data privacy scandal: A cheat sheet" by James Sanders and Dan Patterson (July 24, 2019) available online at: https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/ accessed on January 20, 2020.
6 For instance, in 2014 the personal information of over 3 billion Yahoo users was unlawfully accessed by hackers – CNN Business: "Every Single Yahoo Account was Hacked – 3 Billion in all" (October 4, 2017) available online at https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html/ accessed on 4th February, 2020.
7 The European Union General Data Protection Regulation 2016/679 is the EU's major law on Data Protection and Privacy and is aimed at protecting natural persons within the EU with respect to the processing of personal data and on the transfer of such data outside the EU.
8 National Information Technology Development Agency (NITDA) is Nigeria's foremost agency responsible for regulating data privacy and protection in Nigeria.
9 CA/A/689/2013 (Unreported).
10 The Constitution of the Federal Republic of Nigeria 1999 (as amended). Act No. 24, 5 May 1999.
11 See the case of Barr. Ezugwu Emmanuel Anene v. Airtel Nigeria Ltd, Suit No: FCT/HC/CV/545/2015 (Unreported).
12 A regulation made by the NITDA pursuant to Section 6 of the NITDA Act. Available on https://nitda.gov.ng/wp-content/uploads/2019/01/NigeriaDataProtectionRegulation.pdf accessed on 27th January, 2020.
13 NITDA is empowered by section 6(a) of the NITDA Act (2007) "to create a framework for the planning, research...evaluation and regulation of Information Technology practices, activities and systems in Nigeria."
14 For a review of the NDPR, see "Data Protection Regulation 2019 – The New Law" by Yimika Ketiku and Dolapo Bolu, available online at: http://www.spaajibade.com/resources/data-protection-regulation-2019-the-new-law-yimika-ketiku-and-dolapo-bolu/ accessed on January 20, 2020.
15 Nigerian Communications Act 2003, Federal Republic of Nigeria Official Gazette No. 87 (10th July, 2007) Vol. 94.
16 Regulation 35(3), CPC 2007.
17 Federal Republic of Nigeria Official Gazette No. 101 (7th November 2011) Vol. 98.
18 Regulation 9(2).
19 Regulation 5.
20 Federal Republic of Nigeria Official Gazette (28th May) Vol.98. Available on https://www.cbn.gov.ng/FOI/Freedom%20Of%20Information%20Act.pdf accessed on 28th January, 2020.
21 Federal Republic of Nigeria Official Gazette (15th May) Vol. 102. Available on https://cert.gov.ng/ngcert/resources/CyberCrime__Prohibition_Prevention_etc__Act__2015.pdf accessed on 28th January, 2020.
22 Section 21.
24 Persons under the age of 18.
25 Section 8.
26 Pursuant to its powers under section 2(a) and 33(1)(b) of the CBN Act 2007, the CBN released the Consumer Protection Framework 2016 on 7th November 2016. Available on https://www.cbn.gov.ng/out/2016/cfpd/consumer%20protection%20framework%20(final).pdf accessed on 28th January, 2020.
27 National Identity Management Commission Act No 23 of 2007 (Federal Republic of Nigeria Official Gazette No 23, Vol. 94). Available on https://www.nimc.gov.ng/docs/reports/nimc_act.pdf accessed on 28th January, 2020.
28 Federal Republic of Nigeria Official Gazette No. 145 (27th October, 2014) Vol. 101.
30 Section 34(6).
31 Appeal No: CA/A/689/2013 (Unreported).
32 Suit No: FCT/HC/CV/545/2015 (Unreported).
33 In December 2019, NITDA threatened to issue a Notice of Non-compliance and to publish the names of companies that default in filing their Initial Data Protection Audit Report within the prescribed timeline. See https://andersentax.ng/nitda-to-issue-non-compliance-notices-to-defaulting-organizations/, accessed on 30th January, 2020.
34 Wole Olayinka "The People v Big Tech: Nigerian takes TrueCaller to Court for Alleged Violation of Privacy Rights" 30th September 2019 https://techcabal.com/2019/09/30/the-people-v-big-tech-nigerian-takes-truecaller-to-court-for-alleged-violation-of-privacy-rights/ accessed on 30th January, 2020.
35 James Kwen "NITDA says LIRS breaches Nigeria Data Protection Regulation" 27th December, 2019 https://businessday.ng/news/article/nitda-says-lirs-breaches-nigeria-data-protection-regulation/ accessed on 30th January, 2020.
36 Article 1.2 of the NDPR 2019.
37 Other countries/regions include the EU, Canada, Brazil, China, Angola, Argentina, Australia and Cape Verde.