PRIVACY AND DATA PROTECTION IN THE DIGITAL AGE: DOES NIGERIA NEED A DATA PROTECTION LAW?
Digital communication has revolutionised the communication technology space globally and as a result, we now live in a world that is more dynamic and connected than ever before. With the increasing growth in digital communication technology, lucrative businesses have been setup that collects, process, and monetize data even though they are not directly dealt with.
According to statistics, globally, the number of internet users has increased by nearly 900% from 400 million in 2000 to a total of 5 Billion users today which is about 63% of the world’s total population.
The growth in digital communication technology has proven to transform societies and made it easier to access, use and disseminate information on the go and at speed. This has further led to the increase in information consumption and sharing and this, in turn, leads to little or no consideration for the privacy and security of others including ourselves. However, it has aided the improved access to information on a global level, crime detection, ease of doing business, and domestic and international trade. Digital communication technology has also aided in polarized societies, and increased surveillance and intrusion vulnerabilities.
Due to the benefits of digital communication technology globally, data protection is now at the forefront of global discussions and there is a rising interest among governments, corporate entities, and the society as a whole to address the challenges associated with the protection of private and personal data, especially as a result of so many cases of data breaches. Even Nigeria has not been exempted from privacy issues where Truecaller was being investigated by National Information Technology Development Agency for an alleged breach of the privacy rights of Nigerians as they have been accused of collecting information in excess of what is actually required for the provision of their primary service including the accessing of non-user information.
The development of the digital communication technology space has made it imperative for societies to put in place effective regulatory frameworks to deal with privacy and data protection issues. In order to effectively put laws to that effect in the Nigerian society, the draft Data Protection Bill 2020 was brought before the National Assembly. The Bill provides a comprehensive regulatory framework for protecting the rights of data subjects and processing personal data.
Right to privacy has been in existence globally as far back as 1948 where the Universal Declaration of Human Rights (UDHR) recognized the right to privacy. According to Article 12 of the UDHR:
“No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honour and reputation.”
Many countries including Nigeria has relied on the UDHR provisions either directly or indirectly as a result of UDHR being recognized as the primary source of global human rights standards.
Similarly, Article 17 of the International Covenant on Civil and Political Rights 1966 provides for prevention against unlawful interference with privacy, family, home or correspondence, or attack on one’s honour and reputation. However, interestingly, the African Charter on Human and People’s Rights does not provide for the right to privacy. It is evident that the right to privacy is an internationally recognized fundamental right.
In Nigeria, the internet usage as at 2022 spans out to about 109.2 million, and the rate stands at 51% of the total population and there is still expected growth to 65.3% by 2025. Nigeria is undergoing an increasing growth in digital communication technology and relies heavily on the gathering and processing of personal data. For instance, the capturing of individual data for Bank Verification Number (BVN), National Identity Card System, Subscriber Identification Module (SIM) e.t.c
Apart from NDPR, Nigeria has no specific data protection law. Rather what obtains are a combination of general right to privacy as guaranteed by the 1999 Constitution of Nigeria and a number of other specialized and industry-specific laws and regulations which are:
THE NIGERIAN 1999 CONSTITUTION (as amended)
The right to privacy is one of the fundamental human rights entrenched in Chapter IV of the 1999 Constitution and it provides that the privacy of citizens, their homes, correspondences, telephone conversations, and telegraphic communications is hereby guaranteed and protected. The provision can be said to capture the intent and spirit of the UDHR provision of Article 12. However, it is too narrow to adequately protect our privacy rights. Furthermore, it seems to express that the right to privacy only applies to Nigerian residents in Nigeria to the exclusion of all others but this does not mean that the privacy right of Non-Nigerians is not provided for in other statutes.
FREEDOM OF INFORMATION ACT 2011 (FOI ACT)
This Act governs access to public records and information in Nigeria. Though it is not a data protection law in itself, it provides for areas that protect an individual’s personal information. For instance, section 14 and 16 of the FOI Act provides public institutions shall deny any application for information of personal nature, subject to certain exceptions. The public institution has the discretion to deny such application in respect of privileged information e.g attorney-client privilege. However, this provision is limited to records and information in the custody of public institutions only.
NDPR
Up till 2020, the NDPR is the most robust data protection regulatory framework in Nigeria. The NDPR was issued by virtue of Section 32 of the NITDA Act.
Section 6© of the NITDA Act empowers NITDA to develop guidelines for electronic governance and to monitor the use of electronic data interchange and all other forms of electronic communication transactions. The NDPR, then sets forth guidelines for data processing and the rights of data subjects. The regulation applies to both citizens and residents of Nigeria. However, it does not adequately protect the rights of data subjects, since its scope is limited to automated personal data and electronic-based communications and transactions.
CHILD’S RIGHT ACT 2003 (CRA)
The CRA also protects the privacy of a child by virtue of section 8 of the CRA. The Act also protects the privacy of a child throughout the stages of the child justice administration system according to section 203 (1). Section 205 of the CRA also provides for the protection of a child from the publication of any information that may lead to the identification of a child offender.
However, the Child’s Right Act does not apply in all 36 states of the Nigerian Federation.
VIOLENCE AGAINST PERSONS (PROHIBITION) ACT 2015
The VAAP Act prohibits all forms of violence against persons in both public and private life. The Act makes it mandatory for convicted sex offenders to be registered and the same be made accessible to the public. However, the Act prohibits the publication of certain types of information such as information that may directly or indirectly reveal the identity of any party to proceedings according to section 39(1) of the VAAP Act. However, the VAAP Act is a federal law and only applies to the Federal Capital Territory (FCT). Consequently, the VAPP Act must first be adopted as state legislation before it can become operative in any state. However, only some states have adopted this legislation thereby making its enforceability limited to the states which have adopted it as a state law.
NIGERIAN COMMUNICATION ACT (NCA)
The NCA has a regulatory body known as the Nigerian Communication Commission which has been vested with the powers to make, and publish regulations as may be necessary to give full force and effect of the Act. In 2020, the NCC issued a lawful interception of communication regulation which is quite controversial regarding privacy in Nigeria. Regulation 4 empowered specific law enforcement agencies in Nigeria to intercept any communication provided such interception relates to using communication service provided by NCC licensee to persons within or outside Nigeria. The main concern that the expansion of the government’s access to individual communications creates an opportunity for abuse of power.
CYBERCRIME (PROHIBITION, PREVENTION, ETC) ACT 2015
It is a regulatory framework for prohibiting and prosecuting cybercrime in Nigeria. The Act is a good attempt to ensure Data protection in Nigeria. The Act provides that any data retained, processed, or retrieved by a service provider at the request of law enforcement agency shall only be used for legitimate purposes as may be provided under the Act, any other legislation, regulation or by an order of a court of competent jurisdiction. There are over 30 punishable offences defined in the Cybercrime Act which include: unlawful interception of non-public transmissions of computer data, the transmission of computer data, content or traffic data, and breach of confidence by service providers.
Section 39 of the Act provides for the lawful interception of electronic communications for the purposes of criminal investigations and proceedings and permits a judge under these circumstances to inter alia, order a service provider to intercept, collect, permit or assist competent authorities with the collection or recording of content data and/or traffic data. However, the Act fails to define the nature of crimes in respect of which a request for lawful interception may be granted and seems to leave this entirely to the judge’s discretion.
CREDIT REPORTING 2017
The Act regulates access to credit information within the Nigerian Financial sector. Section 9(1) of the Act allows for the privacy of data subjects, and the confidentiality, and protection of their credit information. However, the Act also provides for the permission to disclose the credit information of a data subject without his/her prior consent in specific circumstances. For instance, in cases of financial or credit-related malpractices involving data subjects.
NATIONAL HEALTH ACT 2014 (NHA)
This Act regulates the National Health System and delivery of health services in Nigeria. All the information of the health service users are considered confidential and disclosure of such information is not permitted except in certain circumstances such as where there is a written consent of the user, where it is in compliance with court order or law, e.t.c.
NATIONAL IDENTITY MANAGEMENT COMMISSION ACT 2007
The NIMCA provides for creating, managing and maintaining a national identity database for Nigeria. The NIMCA however prohibits access to the data or information of a registered individual entry contained in the national identity database. There are exceptions to this such as where the application for information is made by or with the authority of the registered individual concerned, where the provision of such information is in the interest of national security, or necessary for the prevention or detection of crime or any other purpose specified by the Act.
When Nigeria is compared with European countries and how valuable data is to their society, the effort put in the protection of public and private data, and the punishments attached to law offenders and violators of such data, it is evident that more needs to be done to strengthen the existing regulatory frameworks that protect data in Nigeria. Furthermore, it is important that just like other jurisdictions, Nigeria needs to ensure that the exercise of right to privacy is balanced against public interest, public safety and against other competing rights.
The main criticism of the Nigerian legislations and regulations above explained are inadequacy, inconsistency, or it is too niche or industry-focused to effectively protect our privacy with respect to data in the current clime.
In conclusion, in order to address the salient problems in data protection and the fact that there is inadequacy in the legislations provided to regulate data protection in Nigeria, it is recommended that the laws in Nigeria be reviewed to meet up to the existing clime. This would require a collaborative approach from government, industries, and individuals. It is the duty of the regulatory bodies to use its powers to make laws that will better protect data usage, possession in Nigeria. At the same time, individuals can also contribute in making these legislations effective by being more conscious and deliberate about the information they choose to share and generally take responsibility for their own privacy.
The proposed Data Protection Bill 2020 is promising and seeks to establish an efficient regulatory framework for the protection, usage of data in Nigeria. However, this does not total absolve Nigeria of any ills associated with the issue of data protection. It will only act as a form of mitigating means from the chances of falling victim to violation of data. It is indeed imperative for Nigeria to have legislations that would regulate data protection in her society.
Culled from the Book "Nigerian Current Law Review (2020- 2021)" read full book here.
Comments 0