Privacy and data protection (as a practice area) is relatively nascent and in its developmental stages in Nigeria: the main legislation are inadequate or inelegantly drafted, the regulator is facing legitimacy and capacity challenges, many professionals are few and ill-equipped, industry practitioners a little bit laid back and ultimately, the government is, regrettably, sluggish with its legislative attempts towards birthing a principal legislation for data protection.
From my experience as a privacy litigator, the first issue that confronts an Applicant in Nigerian courts is, whether or not data protection is actionable as a fundamental right to privacy, or they are to be approached as one of those statutory rights litigable under the regular civil procedure as opposed to the sui generis approach under the Fundamental Rights Enforcement Procedure Rules 2009.
Some notable Nigerian academics and legal practitioners have embraced two schools of thought along the lines of their professional convictions and proclivities, while seemingly situating same on their perceived state of the relevant data protection legislation in Nigeria.
Data Protection is not Privacy (First School)
From an academic perspective, Dr. Adekemi Omotubora, a senior lecturer at the University of Lagos appears, with respect, the most vociferous and consistent Nigerian proponent of this school of thought, who doesn’t spare blushes when expressing her belief that data protection should be distinguished and severed from right to privacy. In the wake of issuance of Nigeria Data Protection Regulation in 2019, the learned academic penned an instructive article on “The NITDA Regulations on Data Protection: A Peculiarly Nigerian Approach?” wherein she asserted that:
“The critical point here is that the assumption underlying an objective to safeguard ‘a right to data privacy’ in the Regulation is misguided if not unconstitutional. It is misguided because it shows lack of understanding of the conceptual differences between privacy and data protection. It is unconstitutional because it aims to safeguard a non-existent right to data privacy. Therefore, unless we can argue, presumably ingeniously, that it is possible for the NITDA Regulation to create a right to data privacy, then the entire Regulation could be challenged for its unconstitutionality.”
Again, in March 2020, she co-authored a scholarly paper titled “Next Generation Privacy” published in Routledge Information and Communications Technology Law Journal where she posited that:
“Perhaps to further underline the distinction between the two concepts, the Charter of Fundamental Rights (CFR) created a separate right to data protection in article 8 although the authorities had already proclaimed that protection of personal data must be seen as fundamental to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention….While it remains unclear whether and how a new fundamental right to personal data and a change in nomenclature (from privacy to data protection) would herald a new jurisprudence of data protection, it is clear that the EU law now considers the interchangeable use of privacy for data protection an anomaly.”
From the practicing lawyers’ perspective, the Law Firm of Templars (one of Nigeria’s largest commercial law firms) recently released a publication titled “Enforcing Data Subject Right Under Nigeria’s Data Protection Regulation: The Wrong Way (And the Right Way)” wherein they pitched their tent with this school of thought as follows:
“…we would readily throw our weight behind the FHCN’s decision. The reason is not far-fetched. The FHCN’s reasoning that, a breach of a Data Subject’s rights under the NDPR cannot be remedied by way of an action brought under the FREP Rules aligns with the basis for FREP Rules, as a specialized procedure reserved for enforcement of fundamental rights under Chapter IV of the Constitution or the African Charter… In light of the foregoing backdrop, it may not be out of place to adjust the FREP Rules in a way that would make the Rules readily amenable and flexible to accommodate emerging rights, such as the Data Subject’s rights in the NDPR, that are similar to the rights of citizens specifically provided for in the Constitution. But until such an adjustment, it may be important that originating processes with the reliefs sought in an action brought under the FREP Rules, are carefully couched to avoid being thrown out of court at a preliminary stage of the proceedings. The substantive or principal claim must be in relation to a breach of a fundamental right as contained in Chapter IV of the Constitution or African Charter, while the ancillary claim may be a breach of the provisions of the NDPR. Better still, and perhaps, a better approach, would be to make a claim for breach of the NDPR and NITDA Act a stand- alone proceeding, rather than lumping it together with a fundamental right enforcement action under the FREP Rules. That way, any unnecessary controversy with its attendant risks, can be avoided.”
In two separate judgments delivered by the Federal High Court in 2020, the very hardworking late Hon. Justice Ibrahim Watila (God rest his soul) did not mince words when his lordship held that data protection has nothing to do with right to privacy under section 37 of the Nigerian Constitution and actions bordering on data breach cannot be validly brought under fundamental rights procedure. (See the unreported decisions in Suit No. FHC/AB/CS/85/2020 between Digital Rights Lawyers Initiative and Unity Bank and Suit No. FHC/AB/CS/ 79 between Laws and Rights Awareness Initiative and National Identity Management Commission delivered in December 2020.
Data Protection is cognizable under Right to Privacy (Second School)
Dr. Lukman Adekunle Abdulrauf, a lecturer at the University of Ilorin, is arguably Nigeria’s most prolific scholarly writer on data protection with several papers published in local and international journals and length his weight to this school of thought that posits data protection as a human right.
In his co-authored work published in Springer’s Liverpool Law Review titled “Personal Data Protection in Nigeria: Reflections on Opportunities, Options and Challenges to Legal Reforms” he contends that’s:
“Without ignoring the strengths of the arguments in favour of data protection as commercially driven, there is an equally stronger movement in favour of data protection as a human right. The contention is that anchoring data protection on economic success rather than human rights will naturally have the effect of relegating privacy and autonomy to the background…. In spite of the commercial purposes, there is no denying that data protection has its roots in the right to privacy in international human rights instruments like the Universal Declaration of Human Rights (UDHR),57 International Covenant on Civil and Political Rights (ICCPR)58 and European Convention on Human Rights (ECHR).59 Thus, the normative basis of data protection is in human rights instruments which arguably makes it a human right too… Based on the above, data protection can be said to be a composite human right because of its strong attachment to the right to privacy and other human rights.”
In the same school, another prolific academic, Dr. Bernard Jemilohun of the Ekiti State University wrote in his paper “Regulations or Legislation for Data Protection in Nigeria? A Call for a clear legislative Framework” that:
“Data protection legislation is a form of human right protection legislation and it will amount to gainsaying to think all that is about data protection is just about technology and the need to develop its use or prevent the abuse thereof.”
In 2020, the Alliance Law Firm via its erudite principal partner, Mr. Uche Val Obi, SAN (author of Nigeria’s only book on class actions) published a paper titled ” An Extensive Article on Data Privacy and Data Protection Laws in Nigeria” where the learned Silk states that:
“As is applicable to most jurisdictions, Nigeria’s data privacy and data protection regime emanates from the fundamental legislation of the land i.e. the Constitution of the Federal Republic of Nigeria 1999, as amended (“the Constitution”), which, by virtue of section 37 thereof protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication. Data privacy and protection are thus extensions of a citizen’s constitutional rights to privacy.”
Earlier in 2020, the High Court of Ogun State (per Akinyemi, J. and Ogunfowora, J.) in two separate judgments unequivocally held that right to privacy under the Constitution extends to data protection. (See Suit N. AB/83/2020 between Digital Rights Lawyers Initiative and National Identity Management Commission and Suit No. HCT/262/2020 between Digital Rights Lawyers Initiative and LT Solutions Media Ltd)
I had the privilege of participating in all the judgements referred to in this piece and since they are all subject of pending appeals, I will refrain from stating my position. That said, the law on relationship between data protection and privacy remains unsettled within and outside the Nigerian courts. Hence, anyone can safely pitch his tent with any of the schools of thought and still remain on the right wicket since none of the decisions are yet to be set aside on appeal.
Ultimately, until we have the benefit of an appellate court decision on this all-important industry issue or a remedial legislative intervention, the banters on the nature of data protection rights as fundamental or ancillary claims will continue for a long time and this may not augur well for the stakeholders, especially the courtroom practitioners.