INTRODUCTION
The
novel coronavirus struck in December 2019, and by March 2020, the World Health
Organisation (WHO) declared it a pandemic[1].
This declaration inspired nations to impose a lockdown, thus disrupting
patterns and methods of living. Although for the good of all, this act was a
great inconvenience to people. Ranging from education, to movement, to economic
activities, everything stood still. But life is progressive, and as COVID
became the world’s new normal, technology and digitalisation were utilised for
the advancement of society. Schools for instance embraced online learning, dispute
resolution employed the virtual space, social interactions, commercial
transactions, webinars, colloquium etc., all recruited internet
applications. Remarkably, the effective
operation of all of these is hinged on the processing and security of an
essential element called Data. It is the manner of protection afforded to a
vital substance like this in Nigeria that is the crux of this work.
WHAT IS DATA?
Data
elevates from minor details easily divulged about ourselves such as our names,
age, sex etc. to classified information such as our medical history, trade
secrets, credentials etc. however, data in itself is meaningless, it is
empowered upon processing. The likes of Facebook, Google, Microsoft, Amazon
etc., exemplify the economic benefits to be realised from proper processing of
data. Even artificial intelligence owes its efficiency to data processing, but
data means different things for different persons.
The
National Aeronautics and Space Administration (NASA) defines data to include: observation data ,metadata, products, information,
algorithms, including scientific source code, documentation, models, images,
and research results.[2]
A basic definition provided by the Cambridge dictionary is that: data is information, especially facts or numbers, collected to
be examined and considered and used
to help decision-making or information in
an electronic form that can be stored and used by
a computer[3]
Alarming then it is to know that while such an
element could yield beneficial results, misplacement or unauthorised
divulgement of it could wreak a great havoc. Does this mean that data should be
withheld, unprocessed? No. Instead it should be ensured that persons are
informed of who has access to and control over their data. This is of utmost
importance because data protection is an extension of the internationally,
regionally and nationally guaranteed right to privacy. [4]
Data protection has been unanimously agreed to be a measure necessary to deter
and curb the abuse of the personal information of individuals, especially children(whom
are the most vulnerable category), either by natural or artificial persons;
including the government.[5]
The non-protection of data is tantamount to the violation of privacy.[6]
So dire is the need for this, that in
some climes, data protection has been conferred the status of a right.[7]
FRAMEWORK FOR THE
PROTECTION OF DATA
Asides
from instruments guaranteeing the right to privacy, some instruments
specifically govern the protection of data and they include:
•
Organisation for Economic
Co-operation and Development (OECD)
•
OECD Guidelines Governing
the Protection of Privacy and Trans Border Flows of Personal Data 2013
•
African Union Convention
on Cyber Security and Personal Data Protection 2014
- The
Economic Community of West African States Data Protection Act 2010 - The
European General Data Protection Regulations (GDPR)
Thus
far, the European GDPR is adjudged the most comprehensive data protection
legislation because it fully empowers citizens right to access and erasure of
their data. It subjects all data controllers to a legal obligation and
penalties for breach of this obligation. Put shortly, this Regulation contains
the eight principles of data protection, considered to be the foundation of all
data protection legislations. This has earned the Regulation the status of a
model for other legislations.
In
my dear country Nigeria, data is protected by a plethora of legislations; all
limited to an extent. Some of them include: Section 37 of the 1999 Constitution
of the Federal Republic of Nigeria, the Freedom of Information Act, the
Cybercrimes Act 2011, The Consumer Protection Framework, the National Identity
Management Commission Act, Child’s Right Act etc.
However, a rather notable framework is the
National Data Protection Regulation (NDPR) formulated by the National
Information Technology Development Agency (NITDA). Clause 1 of this regulation
states that it is to safeguard the rights of natural persons to data privacy,
to ensure the safe conduct of transactions involving the exchange of personal
data, to prevent manipulation of personal data, to ensure that Nigerian
businesses remain competitive in international trade; through the safeguards,
afforded by a just and equitable legal regulatory framework on data protection
and which regulatory framework is in tune with global practices.
The
above provision explicitly shows that the drafters of this regulation set out
to achieve a regulation strong enough to respond to the global challenges of
data protection. To a large extent, this was achieved for as it stands now the
Regulation is the most comprehensive legislation on data protection that the
country can boast of. Regrettably, it
too is not without flaws.
CRITICISMS
In
order to spell out the loops in the country’s data protection legislation, it
is important that we trace it to its roots. Which in this case would be the
constitution, the grundnorm. section
37 of the constitution expressly provides that the privacy of citizens, their homes, correspondence, telephone
conversations and telegraphic communications is hereby guaranteed and
protected. This provision is incomprehensive because it does not explicitly
mention data protection. Only a liberal interpretation of this guarantees data
protection. But unfortunately, asides from cases such as and MTN Nigeria Communications Ltd v Barr.
Godfrey Eneye[8], there is a dearth of such application.
The NITDA is a very beautiful initiative
enacted in 2007, but as clearly stated in section 6 (c) the act only monitors
electronic dissemination of information. This directive was reiterated again in
the preamble of the NDPR. The distress here is thus that in a society like
Nigeria where citizens are predominantly illiterate and lack access to
technology, this Regulation neglects paper-based communications; the manual
mode of doing things.
Section
1(a) of the NDPR gives the objective of the Regulation to be the safeguarding
of the rights of natural persons to data privacy, but our law also recognises
artificial persons to be entitled to legal rights. It would thus be required
that as they engaged in digital transactions entailing the transfer of
information, they are afforded the protection of the law in securing the data.
Section 1 (2) (b) also states that this
Regulation applies to natural persons of Nigerian descent only. Such provision
might hamper the development of the nation’s economy as multinationals are
likely to invest in nations with strong data protection laws to guarantee their
data security.
Also
sections 1 (3) (l) and 2 (13) (3) (a) mention that the data subjects may be
requested to pay a reasonable fee for some services. It is uncomfortable that
in cognisance of Nigeria’s history of corruption in numerous sectors, such
provision should be included without a fixed amount or criteria for arriving at
this reasonable amount. Such provision will only lead to the encouragement of
bribery amongst the officials and the exploitation of the masses.
RECOMMENDATION
The
first suggestion is that our courts adopt a liberal approach to section 37.
Courts should dismiss the claims of citizens to their rights under this
section, as section 6(6)(b) of the constitution empowers the judiciary to act
upon all actions and proceedings relating to the determination of any question
as to the civil rights and obligations of that person.
As
regards the payment of fees by data subjects, it is suggested that the NITDA
explicitly states a standard fee to be paid or a standard formula for the
calculation of this. This will be resourceful in preventing the extortion of
citizens as well as promoting transparency and accountability amongst
officials.
In
all ramifications, the NDPR is not a holistic legislation because it does not
contain the basic eight principles of data protection. it is therefore
suggested that there should be the enactment of a data protection act which not
only comprises these essentials, makes provisions for children and foreign
residents, but also, provides remedies for data subjects when their rights are
violated. After all, it is ubu jus, ibi
remedium.
Lastly,
there should be a defined mechanism for enforcement. This lies in the arm of
the executive arm of the government and I suggest that this should be allocated
to a neutral body and not the police force since the latter is yet to undergo a
reform for the proper discharge of its duties and the protection of lives.
CONCLUSION
The
right to privacy and digital protection is jealously guarded because it is
fundamental to the security of life, property and reputation of individuals and
even organisations. But as the world becomes a global village and data transfer
cuts across geographical boundaries, the violation of this right is highly
plausible. Data scandals are reportedly very embarrassing and brand denigrating
situations to experience. To prevent further occurrences, it is necessary that
Nigeria puts in place robust data protection laws and an effective mechanism.
This will defend the rights of citizens and rekindle their passion for the
country. Entrenchment of data protection is also a great boost for foreign
investment and the revival of the economy.
*Law student of the University of
Lagos
[1] Archived: WHO
Timeline-COVID-19, 27 April 2020 https://www.who.int/news-room/detail/27-04-2020-who-timeline—covid-19
(accessed 27th September 2020)
[2] EOSDIS GLOSSARY https://earthdata.nasa.gov/learn/user-resources/glossary
(accessed 27th September 2020)
[3][3] DATA https://dictionary.cambridge.org/dictionary/english/data
(accessed 27th September 2020)
[4]Article 12 of the Universal Declaration of Human Rights, Article 17
of the International Covenant on Civil and Political Rights, Article 8 of the
European Convention on Human Rights etc.
[5] GVZH ADVOCATES Data
protection vs. the right to privacy https://www.gvzh.com.mt/malta-law/data-protection/vs-the-right-to-privacy/
(accessed 27th September 2020)
[6] Yvonne McDermott, 2017, Conceptualising
the right to data protection in an era of Big Data, SAGE Journals, journals.sagepub.com/home/bds
[7] Article 8 of the European Convention on Human Rights for instance
[8] CA/A/689/2013
(unreported)