With the coming into force of the General Data Protection Regulation (GDPR) in the European Union on the 25th of May 2018, the debate on how data is handled/disclosed by governments, corporations, public institutions, etc. has taken the front burner and stakeholders have made serious attempts to ensure that their handling/processing of data is in compliance with the rules and principles contained in the GDPR. In Nigeria, however, the situation is entirely different, as data is consistently breached in very questionable circumstances. This issue is influenced by the lack of a comprehensive data protection regime which has led to the disclosure of subscribers’ and consumers’ data in worrisome circumstances. This situation has led to the compromising of data by corporations, government, public institutions, amongst others. Some classic examples of the questionable disclosure of subscribers’ and consumers’ information, which is a consequence of the lack of a coordinated data protection regime in Nigeria, can be seen in the receipt of incessant promotional calls and text messages by telecom subscribers in Nigeria. These are from telemarketers, disclosure of citizens’ data by governmental agencies in Nigeria to third parties, mishandling of voters’ data by the electoral commission which results in giving out delicate voter information to a third party, the online disclosure of sensitive health details processed by a bank on behalf of a hospital and so many other examples.
The regime for protection of data in Nigeria not only lacks co-ordination and comprehensiveness, it is also not reflective of the current legal trends in the protection of data globally. Its current regime can be found in the protection of the right to privacy by the 1999 Constitution (as amended), and industry-specific data protection legislations/regulations. The protection of the right to privacy can be found in Section 37 of the Constitution, which provides that “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”. Although, the Constitution guarantees and protects this right, it has not been properly protected or elucidated upon both in the definition and philosophical basis of. Consequently, in classic cases of disclosure of consumers’ data by leading telecom corporations, the Courts merely rule that there has been a violation of the right to privacy but fail to elucidate on the duties and obligations of those who handle data, the principles guiding data protection, safeguards for the protection of consumers’ data and the rules/principles to be followed before the disclosure of consumers’ data. The industry-specific legislations/regulations also fail to achieve this objective.
The regime described above is incapable of meeting up to the 21st century challenges of protecting data. This situation can have adverse effects on various aspects of the Nigerian national life such as the creation of a medium for criminal groups as well as lawful organizations/corporations to target data of Nigerians, the unlawful disclosure of citizens data by the government to third parties, the moving of data of Nigerians out of Nigeria to support foreign governments to use such data for data profiling of Nigerians, mass monitoring/surveillance of Nigerians by foreign governments and the creation of a barrier to trade due to lack of adequate data protection.
The proposed strategy for addressing this huge data protection problem and preventing an impending data protection disaster of epic proportions is simple. The first step in that direction is the passing of a comprehensive law that captures the data protection principles/safeguards which are reflected in the GDPR and the data protection legislations of developed countries. These are the principles of:
- Fairness and lawfulness,
- Collection of data for one or more specified lawful purposes,
- Use of data in a manner that is adequate, relevant and not excessive in relation to the purpose for which they are processed,
- Handling of data in accordance with data protection rights,
- Prevention of transfer of data outside the country without adequate protection,
- Accuracy of data and where expedient, keeping of data up to date, etc.
On January 25th 2019, Nigeria’s National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation 2019. Many concepts of the regulation mirror the EU GDPR and will change how organizations process personal information. The key objectives of the regulation include safeguarding the rights of natural persons; fostering safe conduct of transactions involving the exchange of personal data; preventing manipulation of personal data and to ensure that Nigerian business remain competitive in international trade. This would be achieved through a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practices. The issuance of the regulation by the NITDA is a step in the right direction sin providing the much-needed guidance on data protection in Nigeria.
It is however important that the citizens are aware that their data is protected and not subject to abuse. This can be achieved through the establishment of a data management body by the proposed legislation. The body shall be responsible for sensitizing the citizens on their data protection rights and the establishment of a data management infrastructure to ensure the centralized collation of data by the agency. The body shall also be responsible for liaising with the private sector to ensure compliance with the data protection rules contained in the legislation. This prevents the problem of enacting a comprehensive legislation that stays redundant and fails to achieve its stated objectives.
About the Author
Zainab Olamide Dunmoye is a 400 level student at the faculty of law University of Lagos. She is an avid reader and also likes writing. She is currently the general Secretary at the Maritime Forum, UNILAG and serving as Chair of General Assembly 3 at the Lagos Model United Nations.