OPINION: Understanding Data Protection, Privacy in Nigeria

DG, NITDA, Kashifu Abdullahi Inuwa

Between 1760 and 1840, the world witnessed what was called the Industrial Revolution. It was characterised by the first-time use of machines in the production of goods.

At the time, textiles was the most affected industry. It was an era powered by the steam engine. After this came the second industrial revolution, characterised by the emergence of new energy sources like electricity, gas and oil to create mass production.

Now we are in the era of digital technology, the fourth industrial revolution, which is building on the successes of the third industrial revolution, which was largely about using electronics and information technologies to automate mass production.

Today, at the core of the fourth revolution is Artificial Intelligence (AI), which is being driven by data. Data is likened to the blood or life of AI. Data is what powers AI, whether it is robotics, machine learning, etc. They all rely on data to make meaning.

What is data?

Data is simply a piece of detail about just anything. It is anything about a person, place or thing. It is as simple as your first name, surname or even date of birth. It is the pieces that are put together to drive intelligence about any subject of interest.

A subject of interest could be a bank account owner. A bank can rely on the data collected from or about an account owner over time to determine his or her credit risk rating, what kind of product advert should pop up in the mailbox or mobile app or even sent as SMS.

These are just a few pieces of intelligence that data owners like the bank can gather from the data you share with them, or that they gather about their customers based on their transactions, et cetera.

Data is now touted as the new oil. If you have data, you are in charge; you control a lot. Companies like Google, Facebook, Yahoo, Microsoft and Apple are big data owners. They have a gargantuan amount of data residing on their geographically distributed servers.

They rely on this data, which they have gathered from different sources including people’s activities on their platforms or affiliate systems, to predict customers’ behaviour, to determine what kind of advert should be pushed to them, and, as in the Cambridge Analytica/Facebook case, how people are likely to vote in an election.

These underscore how powerful those with data are and the reason businesses go all out to get data. Data protection and privacy is therefore very key.

Data Privacy

There are different types of data. While some data are public, others are personal. Government budgetary data, contract information, etc. are examples of public data. As a result, they should be available in the public domain for consumption.

Data like people’s names, phone numbers, email addresses, medical records or bank details, on the other hand, are all private. When they are shared, some level of authorization is required for a third party to access them. Otherwise, it amounts to a data privacy violation.

Data privacy requires that data should only be accessible by parties that have authorization to access them. In other words, data privacy seeks to determine which data in an organisation’s or individual’s computer should be accessible by or shared with a third party.

The implication of this is that information systems should have access levels that determine what information is accessible by the different user groups. For instance, in a health information system that houses the medical records of a hospital’s patients, a receptionist or nurse should not have the same authorization to medical records as a doctor. Even if you’re a doctor, medical records could still be restricted on the basis of specialty, etc. The same holds for all businesses across the different industries.

“It amounts to data privacy violation if one’s data is used for another purpose other than for which it was collected.”

Simply put, suppose you register on an e-commerce site for the purpose of shopping and payment, and during this registration you provide your name, email address, phone number and possibly your home address. If, after some days, you start getting SMS or emails from other businesses because the e-commerce site has shared your data with a third party without your consent, then your data privacy as a customer of the e-commerce site has been violated by that business.

In countries like the UK and USA, they have robust data privacy laws that protect the data privacy and integrity of people whether online or offline. In the USA for instance, there are different pieces of legislation for different sectors.

For example, there is the Health Insurance Portability and Accountability Act that guarantees patient confidentiality for all data related to their health-care; there is also the Gramm-Leach-Bliley Act which stipulates how financial institutions handle individuals’ private information, just to mention a few.

Data Protection

To guarantee data privacy, structures must be in place to ensure the protection of data. The UK for instance has a Data Protection Act 2018 which is an implementation of the European Union (EU) General Data Protection Regulation (GDPR).

The act defines how personal information is used by organisations, businesses or the government. It stipulates the principles of using personal data. It highlights the principles of fair, lawful and transparent usage; it also stipulates the explicit specification of purpose of use amongst others.

Relevant law in Nigeria

Today, Nigeria has a data protection regulation called the Nigeria Data Protection Regulation 2019. This regulation is issued by the National Information Technology Development Agency (NITDA) by virtue of the NITDA Act 2007.

According to the regulation, the objectives include: “safeguarding the rights of natural persons to data privacy; fostering safe conduct for transactions involving the exchange of Personal Data; preventing the manipulation of Personal Data; and ensuring that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection and which is in tune with best practice.”

Based on the NITDA Act, the NITDA is empowered by law to investigate and prosecute personal data protection violations. We have seen them do this in the Truecaller case.

Recall that on October 4th, 2019, Kashifu Abdullahi Inuwa, the Director General, NITDA, had reported in a press statement that the agency was commencing an investigation into a potential breach of privacy rights of Nigerians by the Truecaller service.

In this press statement, the NITDA had indicated that the Truecaller Privacy Policy is not in compliance with global data protection laws and the Nigeria Data Protection Regulation (NDPR).

The caller ID service, which has over seven million active Nigerian users, was accused of not complying with the valid consent specificity requirement for sharing personal data.

This requirement demands that before a person’s personal data is shared with a third party, his/her consent must be sought and the specific reason for which the data is being used must be clearly known by the data owner.

The other point which the NITDA raised was that Truecaller collects excessive personal data which are not relevant to the provisioning of the caller ID service itself.

Examples of such data according to the NITDA include: “geo-location; your IP address; device ID or unique identifier; device manufacturer and type; device and hardware settings; SIM card usage; applications installed on your device; ID for advertising; ad data, operating system; web browser; operator; IMSI; connection information; screen resolution; usage statistics; default communication applications; access to device address book; device log and event information; logs, keywords and meta data of incoming and outgoing calls and messages; version of the Services you use and other information based on your interaction with our Services such as how the Services are being accessed (via another service, web site or a search engine); the pages You visit and features you use on the Services”.

Finally, the NITDA pointed out that Truecaller, as shown on its privacy page, shares personal data of its users with “third party advertisers, agencies and networks. Such third parties may use this information for analytical and marketing purposes.”

This clearly is a breach of the global best practice which requires that users must be informed of which third-party processors their information may be shared with and for what purpose. This practice also violates the NDPR.

After this press release, the NITDA boss, in an interview during the 39th GITEX Technology Week in Dubai, reported that Truecaller had written to the agency indicating willingness to harmonise its Nigerian subscribers’ data in line with the country’s data protection regulation.

I think that the NITDA has done well to have brought to the fore the privacy violation of the millions of Nigerians using this service. Beyond this we want to see more companies getting sanctioned for such gross violations.

“Nigerians will love to see the NITDA carry on more investigations, report, and possibly prosecute businesses/organisations that recklessly violate our people by exposing their personal data unduly.”

It will also be great if the NITDA engages in more public awareness about the importance of data protection, and educates and encourages people to report any violation.

Beyond the NITDA Data Protection Regulation, Nigeria has other laws that impact on data protection. These include:

i. The Freedom of Information (FoI) Act 2011: The FoI Act provides a guide on how to access public records and information in Nigeria. Even though it is not a data protection law, section 14 of the FoI Act protects personal data.

ii. The Nigerian Communications Act (NCA) 2003: The Nigerian Communications Commission (NCC) draws its power to regulate the telecommunications industry from the NCA 2003. The NCC, through the NCA, also makes regulations that border on data protection within the telecoms industry.

iii. The Child Rights Act 2003: The Child Rights Act 2003 reinforces the rights of the child, including rights to privacy as provided for under section 37 of the 1999 Nigerian constitution. The Nigerian child’s right to privacy, family life, home, telephone conversation, etc. is catered for under section 8 of the Child Rights Act.

iv. The National Identity Management Commission (NIMC) Act 2007: The NIMC is empowered by the NIMC Act to make regulations regarding the collection, collation and processing of data about the citizens of Nigeria. This data includes personal information.

v. Certain sections of the 1999 Constitution of the Federal Republic of Nigeria (as amended)

Apeh Jonathan Apeh writes from Lagos State
