(Being the text of a speech delivered at the 17th SPA Ajibade & Co.’s Annual Business Luncheon held on the 5th day of December 2024 in Lagos, Nigeria)
Preliminaries
By a letter dated 30th September 2024 and signed by Dr. Babatunde Ajibade, SAN, I was graciously invited by S.P.A Ajibade & Co., one of the oldest law firms in Nigeria, to deliver the keynote address at their Annual Business Luncheon – an event that has, over the years, become a platform for the discourse of burning socio-political legal issues. Hence, I am grateful to the learned Silk and his team for this invitation for two reasons: First, the topic revolves around data protection – a concept that has driven my law practice, revved up my passion and enjoyed my undivided attention for the better part of the last decade. Secondly, the topic also provides us with another opportunity to critically look at our noble profession in light of the issues militating against rancour-free transitions and associational succession plans.
Introduction
Three (3) years after the International Bar Association (IBA) African Regional Forum’s release of a Data Protection/Privacy Guide for Lawyers in Africa, the Nigerian Bar Association (NBA) is increasingly giving data protection its desired attention. Interestingly, speaking on the document, Mr Ajibade, SAN is quoted to have observed thus:
“Data protection is of great importance to us all. There are many related rights for individuals, including the right to access, rectification and erasure, all of which must be safeguarded by individuals who have a firm understanding of their legal and moral obligation to ensure the necessity of protection. I am delighted that the IBA African Regional Forum is at the forefront of an initiative to provide guidance to lawyers and bar associations on the new data protection regimes across the continent and the importance of protecting personal data and privacy for individuals and business.”
In the last four years, with every opportunity provided, I have consistently spoken about the NBA’s need to take data protection seriously starting with the publication of a privacy policy on the Association’s website and this yielded some fruits recently. (For a few of my previous advocacies on this issue, read them here and here). As further indicators of this new consciousness of the bar towards data protection, the Nigerian Bar Association (NBA) through the Section on Law issued two privacy and data protection-centric documents titled ‘Privacy Guidance for Lawyers in Nigeria’ and NBA Cybersecurity Guidelines.
Following the release of the Nigeria Data Protection Regulation (NDPR) in 2019 and the passage of the Nigeria Data Protection Act in 2023, it has become more important than ever for the Nigerian bar to actively engage with both the technical and regulatory frameworks that govern privacy and data protection in their practices, most importantly in electing the bar leaders.
During a telephone call with Dr Ajibade, SAN on the objectives and essentials of this occasion, it became crystal clear that the theme was inspired by the post-2024 bar election disputes which have somewhat become a biennial expectation especially since the introduction of the e-voting system in 2016. For ease of readership, this paper is structured into five parts. The first part introduces the purpose and focus of this academic but practicable intervention. The second part is a typical overview of privacy and data protection concerns over e-voting systems. Since the 2024 NBA election is the crux of the paper, the third part analyses the privacy and data protection issues addressed by the Electoral Committee of the NBA (ECNBA) in their documented response to the contestants after the elections. The fourth part offers some practical recommendations for future NBA elections from a privacy and data protection perspective. The fifth part concludes with the arguments made in the paper.
Privacy and data protection concerns in e-voting systems
Electronic voting or e-voting has been interchangeably referenced as ‘remote voting’ ‘online voting’ ‘Internet voting’ ‘i-voting’ or ‘cyber voting.’ Irrespective of the preferred term, e-voting has been defined as follows:
- the election or voting system that relies on ‘some electronic technology for their correct functionality’[i]
- ‘the use of electronic systems and technologies in elections to cast and count votes’[ii]
- a ‘systems that allow the eligible voter to cast their votes via a computer normally connected to the internet or intranet from anywhere like home or office.’[iii] and
- ‘a system of voting where the voters cast their votes from a remote Internet-enabled computer or another access device.’[iv]
Expectedly, e-voting like other activities migrated to digital platforms, is faced with some privacy and data protection concerns briefly discussed below:
- Privacy concerns
Under the Nigerian Constitution, the right to privacy, among other interests, embodies the freedom to vote for the candidate of one’s choice and the autonomy to keep such decisions private, especially in secret balloting. Theoretically, the interests protected by privacy include
- intrusion upon an individual’s seclusion or solitude
- the appropriation of a person’s name or likeness
- publicity which places a person in a false light; and
- public disclosure of private facts about the plaintiff
For elections, the unjustified disclosure of a person’s vote or electoral choices intrudes into the person’s seclusion or solitude. In Nwali v EBSIEC, the Court of Appeal idenetified the nexus between elections and the right to privacy thus:
“… the privacy of his choice of that candidate and the privacy of his voting for that candidate constitute part of his “privacy” as a citizen. The appellant was entitled to the privacy of his decision to vote for a particular candidate, his choice of that candidate and his casting his vote for that candidate. Therefore requiring or compelling him to vote openly in the public watch and knowledge by queuing in front of the poster carrying the portrait of the candidate he has decided to vote for intrudes into, interferes with, and invades the privacy of his said decision, choice and voting, completely removing that privacy, therefore amounting to a clear violation of his fundamental right to the privacy of a citizen guaranteed him and protected by Section 37 of the 1999 Constitution.”[v]
Visit www.legalnaija.com/store
In the context of elections, privacy ensures the confidentiality of the identity of the voters (voter anonymity) vis a vis the choices made or votes cast. Voter anonymity also known as ‘voter privacy’ is an assurance given to voters that their electoral choices during and after the elections remain private and undisclosed without authorization. While anonymity is mostly seamless in paper-based elections where the electorate physically visits the polling booths to get accredited to cast their votes into the boxes. Afterwards, the ballot papers are procedurally separated from the identity of the voters. The only identifiers are fingerprints which are not immediately attributable to any individuals except they go through some forensic process revealing the identities. However, in an e-voting system, it is practically impossible to digitally separate voters from their respective votes. This continues to be a source of concern!
- Data protection concerns
Apart from privacy, which is contextually distinguishable from data protection, e-voting systems also generally raise some data protection concerns as follows:
- Obtaining informed consent
Under most data protection laws across the world, consent is one of the legal bases for the processing of personal data. Where personal data is processed based on consent, the subjects of such processing must understand the intricacies of the activities to which they voluntarily and explicitly agree. In electronic voting systems, seeking and obtaining informed and explicit consent is not only a legal requirement but also crucial for maintaining the integrity of the democratic process.
Since e-voting systems constitute an unusual way of casting ballots, voters’ consent to use their personal data in unconventional ways must be validly sought and obtained. Statutorily, voters, like other data subjects, must also have the option to withdraw consent, although, in the case of electronic voting, this is almost impossible, once a vote is cast, as it is practically irreversible to ensure election integrity. Ultimately, the voting system must balance the need for free, informed consent within the technical constraints of vote finality.
- Confidentiality and integrity threats
One of the principles of data protection is – integrity and confidentiality. For e-voting, the principle mandates the electoral umpire to ensure the protection of voters’ personal data by ensuring that voter identities and their choices remain private and secure from unauthorised access, manipulation, alteration or destruction. The principle demands that the votes cast are accurately captured, recorded, transmitted, and counted correctly, without alterations or manipulations. In e-voting systems, the breach of data integrity invariably leads to manipulation of election results, casting doubt on the legitimacy of the outcomes. Since the principle of confidentiality and integrity forms the spine of safe and trustworthy e-voting systems, they are potentially under attack by cybercriminal activities, hence the necessity for robust security mechanisms.
Visit www.legalnaija.com/store
- Cross-border data transfers
From the definition or description, e-voting systems are digital, hence they are hosted on the Internet and often rely on cloud storage services, data processing centres, and other IT infrastructures that are usually spread across multiple countries. This decentralization of infrastructure introduces the challenge of cross-border data transfers, where voter data flows across national boundaries for storage, processing, or backup. While this globalized infrastructure can increase the efficiency and scalability of e-voting systems, it also introduces legal, privacy, and security risks. These cross-border data flows raise the issues of data sovereignty, adequacy of level of protection, jurisdictional complexities, third-party vendor compliance and associated risks, data security threats, and foreign interference. etc.
- Data retention
Storage limitation is a principle of data processing requiring personal data to be stored within a certain time limit – as long as it is necessary for the initial purpose of collection or otherwise processing. Data retention focuses on the period during which personal data is stored and the processes by which it is deleted or anonymized after it is no longer needed. In e-voting, the length of time voter data is retained can have significant privacy implications i.e increased vulnerability to misuse, compromise and other ills. E-voting systems often store personal information (such as voter IDs and login details) to verify election results or for audit purposes. Retaining this data for unregulated periods creates vulnerabilities, especially in the event of a cyberattack or unauthorized access. While it is important to ensure the integrity of the election, retaining detailed voting records could expose sensitive information, such as how individuals voted, undermining voter privacy.
- Transparency
Various categories of personal data are processed by the e-voting systems, hence the (joint)controllers of the e-voting systems ought to proactively provide information to the users on the functionality of the platforms especially as it relates to the use, purpose(s), transmission, security and retention of the personal data collected. E-voting systems are complex and not easily understandable by the general public or even election administrators. This creates a “black box” problem where voters, candidates and observers cannot easily see how their votes are processed. Transparency is breached when the vulnerabilities of voting platforms are downplayed or not fully disclosed to the public. When security vulnerabilities are kept secret or poorly communicated, voters cannot be sure that their votes are safe from manipulation.
Privacy and data protection challenges in NBA e-voting
The NBA adopted e-voting for its general elections for the first time in 2016 under the leadership of Augustine Alegeh, SAN. The outcome of the election was reportedly challenged because many eligible lawyers were allegedly disenfranchised owing to some functional irregularities. Since 2016 till date, the successive outcomes of the electronic elections conducted by the NBA have been challenged on similar grounds including the repeated requests for post-election audit exercise.
The outcome of the 2024 NBA elections added a twist. The election was conducted on Election Buddy Inc. – a Canadian platform that describes itself as “online voting software ensures your electronic voting is accurate and secure.” After the elections and declaration of results, the 1st and 2nd runners-up (the complainants) called for an audit of the elections on the grounds of double voting, identity theft, and manipulation of votes, but that was not the twist. In a 28-paged robust response to the letters written by the complainant, NBA’s electoral body – the Electoral Committee of the Nigerian Bar Association (ECNBA) or (the Umpire), declined the request for an audit with reasons – chief of which are the enforcement of privacy and data protection rights of voters and other non-NBA users of the e-voting platform. In this part, I briefly analyse some of the issues bordering on privacy and data protection as decipherable from ECNBA’s letter dated 25th July 2024 titled ‘Re: Request for Access to Critical Information Regarding The 2024 NBA National Elections.’ (See the letter here.
- Access to servers and application logs
The ECNBA denied the complainants ‘access to server and application log files used during the election period’ because it is contrary to the GDPR, NDPA/NDPR and ‘Election Buddy Inc provides its services to tons of organizations and nations globally using the same servers and application files, hence giving one user access clearly compromises the entire credibility of their servers carrying other users’ data.’ Curiously, the umpire’s letter does not contain any specific provision of the referenced laws that would be violated if the complainants are granted access to the servers and application logs but the starting point is a confirmation of the nature of personal data borne by the servers and application logs on one hand and the use of such information on the other hand. Are they personal data, anonymised or pseudonymised data?.
From a data protection perspective, this is part of the information that should have been proactively provided to the users of Election Buddy’s e-voting systems and the members of the NBA before personal data are migrated to the platforms for electioneering purposes. Under the GDPR and NDPA alike, at the point of collection of personal data, data controllers (Election Buddy[vi] and ECNBA) are duty-bound to provide certain information about the nature of the data collected, its use and entire governance.
While the GDPR does not expressly state how this obligation is to be fulfilled, its Nigerian counterpart specifically provides for the use of a privacy policy to convey this set of information. On Election Buddy’s website, their privacy policy interestingly states that they use personal data for “Investigating and protecting against fraudulent, harmful, unauthorized, or illegal activity.” The complainants have alleged identity theft, double voting, electoral manipulation etc. All these point towards illegality – and they have called for an investigation in the mould of an audit, hence the ECNBA and Election Buddy have valid and lawful grounds to grant access to servers and application logs to unravel the alleged illegalities (if any).
Situating this within the relevant provisions of the GDPR, data protection rights and controllers’ obligations are restricted for the investigation and detection of crime[vii] and ‘the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.’ The legal profession is a highly regulated one, hence any allegation of manipulation of its general elections is worth investigating. Under the NDPA, certain data protection rules and obligations are not applicable to the processing of data necessary for the establishment of legal claims whether in court or out of court.
Legitimate interest is one of the lawful grounds on which controllers can rely to process personal data. The lawful basis allows organizations to process personal data without needing explicit consent from the data subjects where the former has a compelling reason or “legitimate interest” to do so, provided that it does not adversely prejudice the data subjects’ rights and freedoms. Legitimate interest is not defined under the NDPR, however the GDPR gives a little bit of clarity on the concept. This legal basis concerns the processing of data for the purpose of interests legitimately pursued a ‘controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’ According to Ferretti, “The legitimate interest of data controllers or that of third parties is known as the “balance of interest” clause…Therefore, the legitimate interest clause is considered the criterion upon which the majority of personal data processing takes place, at times the default position, especially for commercial transactions. Under this condition, the processing must be necessary for the purpose, which must be a legitimate interest of the controller or a third party to whom the data is disclosed, provided that such legitimate interests do not impinge upon the fundamental rights and freedoms of individuals.[viii]
Section 25(2) of the NDPA requires an assessment to be conducted where legitimate interest is to be relied on. Hence, the three-part test ought to be applied by asking the salient questions:
(a) Purpose test – is there a reasonably expected legitimate purpose behind the processing?
(b) Necessity test – is the processing necessary and compatible with that purpose? and
(c) Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms.?
For the impugned elections, the complainants have only demanded access to the server and application logs pertaining to NBA elections. Considering the weighty allegations, both ECNBA, Election Buddy and the complainants (as third parties) have legitimate interests in preventing electoral fraud by establishing credibility and accuracy of the election results by granting access to the information required for this proof – the purpose. Secondly, this is reasonably necessary to build voter trust, ensure transparency in the succession procedure of the association and to prevent the subversion of Nigerian lawyers’ choice of their leaders – the necessity. In other words, the voters expect their votes to count, hence an audit establishing such accuracy is reasonably expected. In balancing the competing interests, the duty of the Association towards holding credible elections and entrenching the rule of law overrides an individual’s right to privacy on one hand and it is the expectation and hope of every member of the NBA that the election results reflect the true wishes of the electorate, hence they are not averse to election audits confirming the accuracy of such results.
- Consent of voters to the sharing of election transactions
In response to allegations of identity theft leading to double voting, the umpire requests the complainants to seek and obtain the consent of their supporters that alleged identity theft so the umpire ‘can also unveil their said privately cast votes for transparency in our investigation.’ Again, while answering a request for voting transactions, the umpire responds that the provision of such information is a violation of voter privacy except the complainants provide ‘consent letters of the voters’ concerned. These answers have repeatedly elevated ‘consent’ above all other legal bases and statutorily allowed derogations. From a privacy or data protection perspective, the umpire is not required to rely on voters’ consent before processing their data to defend the integrity and accuracy of the elections it conducts. This much is confirmed in Election Buddy’s privacy policy thus:
“For operational and legal purposes, we may share your personal information with certain entities as outlined below:… Authorities and others: Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.”
As argued earlier, relying on legitimate interest and public interest, the ECNBA can validly disclose the voting transactions to the complainants without voters’ consent as contemplated by the relevant data protection legislation.
References
[i] J Paul Gibson and others, ‘A Review of E-Voting: The Past, Present and Future’ (2016) 71 Annals of Telecommunications 279.
[ii] Ghizlane Ikrissi and Tomader Mazri, ‘Electronic Voting: Review and Challenges’ in Mohamed Ben Ahmed and others (eds), Innovations in Smart Cities Applications Volume 7 (Springer Nature Switzerland 2024).
[iii] Mahdi Alhaji Musa and Farouk Muhammad Aliyu, ‘Design of Electronic Voting Systems for Reducing Election Process’ (2013) 2.
[iv] Piret Ehin, ‘Internet Voting in Estonia 2005–2019: Evidence from Eleven Elections’ (2022) 39 Government Information Quarterly 101718.
[v] Hon. Peter Nwali v. Ebonyi State Independent Electoral Commission (2014) LPELR–23682(CA).
[vi] In their privacy policy accessible at: https://electionbuddy.com/privacy-policy, Election Buddy admits that there are instances where they act as controllers with respect to voters’ information.
[vii] GDPR, article 23(1)(d).
[viii] Federico Ferretti, ‘Data Protection and the Legitimate Interest of Data Controllers: Much Ado about Nothing or the Winter of Rights?’ (2014) 51 Common Market Law Review <https://kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals\COLA\COLA2014063.pdf> accessed 19 June 2023.
Olumide Babalola
(PhD Researcher, University of Portsmouth; Member, Author, Privacy and Data Protection Law in Nigeria; Co-Author, Annotated Nigeria Data Protection Act 2023; Co-Founder, The Privacy Academy)