Data protection in Nigeria and European Union


Azeezat Adekunle

Technology has changed our world, the way we work and communicate with one another. Each day there is a new technology to aid or advance our lives. [1] We can work at home, in coffee bars, in airports and on trains, using Wi-Fi and 3G telephone services and an increasingly diverse range of devices, from laptops to tablet computers to smartphones, to access emails and attend online meetings.

Personal data are increasingly processed and archived. [2] There is an inherent security issue with many of these online exchanges which is often overlooked: emails are not particularly secure. Hence the need for data protection law and regulation. This article discusses in detail data protection regulation in Nigeria and in the European Union and European Economic Area.

Nigeria does not have a principal act or law for data protection; however, Nigeria has subsidiary data protection legislation, the Nigeria Data Protection Regulation (2019). The regulation is made by virtue of the National Information Technology Development Agency. The objectives of the regulation are: “[3]

(a) To safeguard the rights of natural persons to data privacy

(b) To foster safe conduct of transactions involving the exchange of personal data

(c) To prevent manipulation of personal data and

(d) to ensure that Nigerian businesses remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practice”.

The European Union and European Economic Area data protection law currently in use is the General Data Protection Regulation 2016/679, which was made on the 14th April 2016 and implemented on the 25th May 2018. The purpose of this law is to set standardised data protection laws across all member countries. This will make EU citizens understand how their personal data is being used and also able to raise any complaints. The subject matter and objectives are as follows: “[4]

1- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2- This Regulation protects fundamental rights and freedoms of natural persons and in particular their rights to the protection of personal data.

3- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”

What is data?

[5] Data means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals and stored in any format or on any device.

What is Personal data?

Article 4(1) of the General Data Protection Regulation defines personal data as any information relating to an identified or identifiable natural person.

The Nigerian Data Protection Regulation defines personal data as [6] any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identifier number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM and others.

What is data protection?

Data protection seeks to protect the personal information and privacy of individuals. It makes provision for a regulatory protection regime around personal data or personal information privacy. The data protection legal rules govern when and how organisations can collect and process personal data.

Importance of data protection?

  • There have been a large number of recent data loss and data breach incidents. These have involved the personal data of millions of individuals being lost by commercial organisations and trusted government entities. Recently the issue of online abuse, which involves, amongst other things, privacy and data protection, has also been hitting the news. Tragically, such online abuse does result in and contribute to actual suicide and defamation of character. This is of particular concern in relation to children, teenagers and adults.
  • [7] “Organisations often fail to realise that data protection compliance is frequently an issue of dual compliance. They need to be looking both inward and outward. Internally they have to be data protection compliant in relation to all of their employees’ and contractors’ personal data, which traditionally may have related to HR files and employees’ contracts, but now includes issues of electronic communications, social networking, internet usage, filtering, monitoring abuse, on-site activity, etc.”
  • In the UK there are many new cases of data protection breaches and fines. [8] “The Brighton and Sussex University Hospitals NHS Trust had a fine of £325,000 imposed by the ICO in relation to a data loss incident”
  • [9] “National data protection authorities are increasingly pro-active and undertake audits of data protection compliance frameworks, as well as incidents of breaches. Facebook internationally has been audited by one of the EU data protection authorities”.

Legal analysis

Consent

Every citizen has rights to his or her personal data, and those rights shall not be violated. Before an individual's personal data and information are given out or used, there has to be legal consent. Pursuant to section 4(c) of the Nigerian Data Protection Regulation, ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The GDPR has the same exact definition of consent in Article 37, specified further in recital 32 of the GDPR. For consent to be valid, there are three elements. The first is freely given, which implies that the data subject (individual) must not be under any duress while giving his or her consent; it must be given voluntarily.

Secondly, informed and specific: this means the data subject must at least be notified about the controller, what kind of data will be processed, how it will be used and the purpose of the processing operation. The data subject will also be informed about his right to withdraw. Lastly, unambiguous implies a statement or a clear affirmative act. Consent cannot be implied; it must be given through an opt-in, a declaration or a motion so that there is no misunderstanding.

Processing and data controller

What is processing?

Processing means [10] any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The NDPR 2019 lays down the principles for processing personal data. Personal data shall be:

[11] a) collected and processed in accordance with specific, legitimate and lawful purpose consented to by the data subject, provided that

  1. a further processing may be done only for archiving purposes or statistical purposes
  2. any person or entity carrying out or purporting to carry out data processing under the provision of this paragraph shall not transfer any personal data to any person

b) adequate, accurate and without prejudice to the dignity of human person

c) stored only for the period within which it is reasonably needed and

d) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain, fire or exposure to other natural elements.

In the European Union, article 5 of the GDPR also lays down principles for the processing of personal data. Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with article 89(1), not be considered to be incompatible with the initial purpose
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data will be processed solely
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Who is a controller?

[12] “A controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

Duties of a controller

[13] A controller takes appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means.

[14] Where the controller has reasonable doubts concerning the identity of the natural person making the request for information, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

[15] Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation.

Data security

[16] Anyone involved in data processing or the control of data shall develop security measures to protect data. Such measures include, but are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access limited to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.

[17] In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

Article 37 of the GDPR provides for the designation of a data protection officer, who has to be appointed in every company, whether big or small. A data protection officer is a person who oversees and makes sure that the company he or she works for is in compliance with the data protection laws.

He is appointed internally or externally. The company has to ensure that an internal data protection officer is not subject to a conflict of interest, and the officer must provide expert professional knowledge of data protection law and IT security.

In Nigeria, the data controller designates a data protection officer. Section 32(2) of the NDPR states that a data controller shall designate a data protection officer for the purpose of ensuring adherence to this regulation, relevant data privacy instruments and data protection directives of the data controller, provided that a data controller may outsource data protection to a verifiably competent firm or person.

Transfer of data to foreign country

In Nigeria, any transfer of personal data which are undergoing processing or are intended for processing after transfer to a foreign country or to an international organisation shall be subject to the supervision of the Honourable Attorney General of the Federation.

The European Union general principle of transfer states that any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or an international organisation shall take place only if, subject to the other provisions of the regulation, the conditions laid down are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

There are exceptions to the transfer of data to a foreign country. Section 15 of the NDPR states that in the absence of any decision by the agency or the Attorney General of the Federation as to the adequacy of safeguards in a foreign country, a transfer or a set of transfers of personal data to a foreign country or an international organisation shall take place only on one of the following conditions:

  1. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards and that there are no alternatives
  2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
  4. The transfer is necessary for important reasons of public interest
  5. The transfer is necessary for the establishment, exercise or defence of legal claims

Article 48 GDPR states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer.

Rights of data subjects and liabilities /fines

[18] The data subject shall have the right to request from the controller the deletion of personal data without delay, and the controller shall delete personal data where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or processed
  2. The data subject withdraws consent on which the processing is based
  3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing
  4. The personal data have been unlawfully processed and
  5. The personal data have been erased for compliance with a legal obligation in Nigeria

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information

  1. The identity and the contact details of the controller and, where applicable, of the controller’s representatives
  2. The contact details of the data protection officer, where applicable
  3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  4. Where the processing is based on point (f) of article 6(1), the legitimate interest pursued by the controller or by a third party
  5. The recipients or categories of recipients of the personal data if any

In Nigeria, any person that violates or breaches the rules of data privacy rights of any data subject shall be liable in addition to any other criminal liability. Also, [19] without prejudice to the right of a data subject to seek redress in a court of competent jurisdiction, the agency shall set up an administrative redress panel.

In the European Union, any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller for the damage suffered. [20] Member States shall lay down the rules on other penalties applicable to infringements which are not subject to administrative fines pursuant to article 83 and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

Conclusion

The data protection regulation by NITDA is a gratifying development and commendable progress for the regulatory framework for the protection of data in Nigeria, although there is speculation about the applicability of the law.

The General Data Protection Regulation is very detailed and comprehensive about the regulation of data. It tackles privacy and consent, which is a key issue in relation to the personal data of individuals, and goes as far as how their personal data is being used.

[1] Davis, C, Editorial, Communication Law (2012) (17), pp 38-59

[2] Ferretti, F, A European perspective on data processing consent through the re-conceptualisation of European Data Protection’s looking glass after the Lisbon Treaty: Taking Rights Seriously, European Review of Private Law (2012) (20), pp 473-506

[3] Nigerian Data Protection Regulation 2019, chapter one, 1.0

[4] Article 1, General Data Protection Regulation 2016

[5] Nigerian Data Protection Regulation 2019

[6] Ibid

[7] LAMBERT, A user’s guide to data protection, first edition, Bloomsbury Publishing plc, 2013, pp 5

[8] See, for example, ‘Largest ever fine for data loss highlights need for audited data wiping’, ReturnOnIt, available at http://www.theregister.co.uk/largest-ever-fine-for-data-loss-highlights-need-for-audited-data-wiping.php, accessed on 22 August 2019

[9] LAMBERT, A user’s guide to data protection, first edition, Bloomsbury Publishing plc, 2013, pp 7

[10] Section 4 (r) , Nigeria data protection regulation 2019

[11] Section 5 (part two 2.1) governing principles of data processing, Nigeria data protection regulation 2019

[12] Article 4 (7) General data protection regulation 2016

[13] Section 16 (1) Nigeria data protection regulation 2019

[14] Section 16 (4) Nigeria data protection regulation 2019

[15] Article 24 (1) General data protection regulation 2016

[16] Section 10 Nigeria data protection regulation 2019

[17] Article 32 (2) General data protection regulation 2016

[18] Section 16(8) of the Nigerian data protection regulation 2019

[19] Section 39(1) of the Nigerian data protection regulation 2019

[20] Article 84 general data protection regulation 2016

3 COMMENTS

  1. This is nice and educative as well… This will go a long way imparting significantly in the area of information technology and the likes.
    Great job!!
