Obi Ugochukwu is a Partner (in-charge of ICT & Banking/Finance Group) at Perchstone & Graeys, a leading commercial law firm in Lagos Nigeria .

Data Privacy has explained by  Obi Ugochukwu ,   simply refers to the privacy of information. Essentially, it means that data collected by individuals and organisations should only be used for the purposes agreed to by the data subject (or customers). The expectation here is that organisations should not use, disclose, rent or sell data of customers entrusted to them to third parties without getting prior approval i.e. should be kept private.

He explained further that Data Privacy is often entwined with Data Protection, which is a different, albeit related concept. The concept of Data Protection is the preservation and protection of all personal data collected by any individual or organisation, from being accessed by an unauthorised third party. In applying this concept, individuals and organisations ought to ensure that only required data is collected, data collected is kept safe, and all unnecessary data is destroyed.

On  the  weakness of the current legal frame work on data privacy protection  in Nigeria, he says, Nigeria does not have an omnibus law or comprehensive piece of legislation that provides broad data protection principles with application across all sectors. Instead, save for the Constitution of the Federal Republic of Nigeria 1999 (as amended), legislation concerning data privacy has been largely enacted in a sectoral manner, which means that each law or regulation has been created in response to the needs of a particular industry or section of the economy.  With regards to the Constitution, Section 37 provides that:

“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

By the above provision, the Constitution bestows the general right of privacy on all citizens, the spectrum of which encompasses data privacy protection as understood in today’s terms. This provision therefore forms the foundation upon which subsequent data protection legislations may be made. The sectoral legislation alluded to earlier, prominent examples, amongst others, include:

1. Child Rights Act No. 26 of 2003;
2. Credit Reporting Act 2017;
3. Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 (the Cybercrimes Act);
4. Consumer Code of Practice Regulations (the Nigerian Communications Commission Consumer Code) 2007;
5. Freedom of Information Act No. 4 of 2011;
6. National Information Technology Development Agency (“NITDA”) Guidelines on Data Protection;

This spate of sectorial provisions establishes an inadequate data privacy protection network wherein certain sectors of the economy/population are left unprotected and creates disharmony of data privacy protection standards in Nigeria. In light of recent scandals of data breaches and misuse, this position is untenable, and there is therefore a pressing need for a unified and comprehensive data protection standard, of general application across all sectors of the Nigerian economy.

 To have a proper or strengthened data privacy law in Nigeria he says…….

 There is an urgent requirement for unified data protection standards in Nigeria. Uniformity in this regard will not only eliminate inconsistencies but will also aid the enforcement of the required standards. The European Union (EU) is the global pace setter for data privacy protection, through its stringent regulations and directives in this regard. Its most recent effort, the General Data Protection Regulation (GDPR) applies a strict compliance regime that imposes a maximum fine of 4% of annual global turnover of the affected companies or €20 Million (whichever is greater) for non-compliance.

The GDPR further stipulates that personal data cannot be transferred to countries outside the European Union unless they guarantee the same level of data protection. The introduction of the GDPR has had an immediate global impact, having forced several organisations around the world to review or strengthen their data privacy and protection policies. This is the standard to which data privacy protection legislation in Nigeria must aspire to. At the moment, Nigeria lacks robust data protection legislation which guarantees the privacy and protection of its citizens’ data.

In the process of enacting such legislation, some of the elementary considerations to be applied include:

Requirement that individuals must expressly consent to the collection and storage of their data;

Requirement that all personal data obtained must be used for the purpose for which they were collected

Requirement of mandatory disclosure at every instance of a breach of data privacy and protection standards.

Protection of the data subject’s right to opt out of data collection and request destruction of all data previously collected.

In general, data handlers should be accountable as to how they obtain, manage, store and process data.

Speaking On the risks/consequences of poor data privacy legislation to any nation, he says  Inadequate data privacy legislation poses a great deal of risk to nations and citizens alike. First, the absence of such legal framework encourages wanton breach and misappropriation of data for unsavoury reasons. Such misappropriation could pose a threat to national security or may result in great personal loss to individuals and organisations. Other risks include:

1. The loss of foreign investment – International organisations may be reluctant to invest within jurisdictions with poor data privacy laws. This risk is now bolstered by the GDPR rules which prohibit organisations from transferring data to jurisdictions which lack similar data protection laws.
2. Monetary loss: Inadequate legislation could increase the exposure to cyber-attacks on bank accounts, electronic wallets and other monetary stores.
3. Data brokerage: Organisations would be free to sell the data of their customers to third parties for profit.

The Cambridge Analytica scandal further exposed the dangers of inadequate data privacy legislation. Cambridge Analytica, a data analytics firm, is said to have used personal information harvested without permission from more than 50 million Facebook profiles, to build a system that could target US voters with personalised political advertisements based on their psychological profiles. These illicit activities aided in the use of social media to impact the United States 2016 general election. Media reports also revealed that Cambridge Analytica and its predecessor, SCL Elections, potentially manipulated the 2015 and 2007 Nigerian general elections using the data of Nigerians. Lax data privacy laws could therefore endanger one of the most important ideals of the modern world: Democracy.

The risks are therefore glaring. Inadequate data privacy legislation poses a plethora of unsavoury risks to individuals, organisations and countries alike.

  After the Facebook/Cambridge Analytica scandal, a lot of attention seemed to    be focused of data privacy globally; do you think Nigeria has paid serious attention to Data privacy issues?

It is true that there has been an increased level of awareness of data privacy issues following the Cambridge Analytica leak. The discussions following this leak, along with the commencement of the GDPR in May 2018 spurred the NITDA’s announcement of a review of its Guidelines on Data protection, with the objective of incorporating the rigorous EU GDPR stipulations into the Guidelines. In addition, the scandal generated renewed interest in the Data Protection Bill 2015 pending before the National Assembly. The National Assembly in response has also marked the Bill as one of the priority Bills that must be passed before the end of the current administration. In light of the global developments, the Bill is currently being reviewed and to meet global standards and requirements whilst harmonizing national interest.

However, four months after the scandal, there has been no real change in the status quo. The data protection framework in Nigeria remains largely inadequate. Whilst there are sectorial laws and provisions which seek to address data privacy and protection, the rights of an individual to seek legal redress for misuse and/or unauthorised access to his/her personal data can only be sufficiently protected through the enactment of unified data protection legislation, which ensures that persons in breach of data regulations are appropriately penalised with prescribed sanctions. It is hoped that the Data Protection Bill is given expeditious treatment at the National Assembly, and when passed, will address these concerns.