AN OVERVIEW OF DATA PRIVACY AND PROTECTION IN NIGERIA
“Today we give all our data away all day long while aiming to maintain our privacy”
There is a recent burgeoning appetite, in both the public and private sectors, for collecting, using and sharing data for a host of commercial and governmental purposes. Individual efforts made to protect personal data are insufficient. As such, ensuring the privacy and protection of individual information and data has become the responsibility of government. There has been significant global and national advancement in this regard during the past 40 or 50 years, with proliferation of national, sub-national and international legislation, the development of rights-based jurisprudence, and a plethora of regulatory initiatives and practical measures to safeguard ‘personal data’ or ‘personally identifiable information’.
Data Privacy in Nigeria:
It is necessary to start the discourse by answering the question; what is worth protecting as private? Legal protection ensues from a clear conception of what subjects are to be protected and the nature and scope of the protections employed. Dr Roger Clarke, a Visiting Professor of Computer Science at the Australian National University identified four subjects that are worth keeping private and protected. They are the person; his behaviour; his data; and his communication. The categories above were developed along certain human rights principles. They are also predicated on identified tortious and contractual issues in the processing of such information. The present article treats data privacy, which comprise of the last two aspects developed by Dr Clarke – the individual’s data and communication.
In Nigeria, data privacy is predicated on the individual’s right to privacy and personal life. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides that “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” Despite having a pride of place in the Constitution, this is one right which has not received much legal attention. Considering the myriad of our national challenges and the level of citizens’ education, one may be tempted to conclude that Nigerians do not attach much importance to the privacy and protection of their data. But this is not essentially so.
Modern computing technologies and the internet have generated the capacity to gather, manipulate, and share massive quantities of personal data. Computers today track our telephone calls, credit-card spending, plane flights, educational and employment records, medical histories, and more. Someone with access to this information could piece together a coherent picture of our lives. The shibboleth – ‘Information rules the world’ entails that personal information is an important currency in the new millennium; sometimes worthless to individual owners but invaluable to government and private entities who have spawn them into a booming trade. Personal data is a commodity which can be owned, transferred and traded for value. Many people fear the loss of their privacy in a computerized “Naked Society”. Individual who own this information (also called Data subjects) thus have a right to protect its collection, storage and use. The aim is to keep such information private and regulate its use.
Data Protection in Nigeria:
Laws for the privacy and protection of data are found in common law, the Constitution and spates of legislation made by the National Assembly. Given Nigeria’s English colonial legal heritage, the tortious liability of breach of confidence constitutes part of our legal framework for ensuring data privacy and protection. In Campbell v MGN Ltd  UKHL 22 the House of Lords noted that “the courts of equity have long afforded protection to the wrongful use of private information by means of the cause of action which became known as breach of confidence”. However, a tortious liability can only arise in the following circumstances:
- Where the information has the necessary quality of confidence about it;
- The information must have been imparted in circumstances importing an obligation of confidence; and
- There must be an unauthorised use or disclosure of that information to the detriment of the party communicating it.
The extent to which this medium has been used to protect the use of data in Nigeria is arguably not sufficient. Judging from Nigeria’s civil law procedure, the frequency and mode of infraction, instituting a tortious action becomes a tedious exercise.
As we stated earlier, the Section 37 of the Constitution guarantees the privacy (and protection) of personal information. A textual consideration of section 37 reveals a general right to privacy of citizens on the subject of their homes, correspondence, telephone conversations and telegraphic communications. It is noteworthy that no reference is made in the Constitution on the manner in which such citizen’s data is obtained, traded or shared. It is safe to assume that the citizen’s right in this regard is actionable where the data is shared or traded to his knowledge. It seems more valid that infringement under the Constitution is contemplated with respect to the disturbance, harassment and interference with the manner in which the individual lives in his home. In this case, privacy clearly equates with being left alone. But the world has gone beyond that. There is need to actively regulate the many entities that deal and trade with data amongst themselves in such a form that is not an infringement under the Constitution. Section 37 of the Constitution is not absolute as it is limited by the provisions of Section 45 in view of public health, morality, protection and the rights of others.
There are splinters of data privacy and protection legislations at the national level. For instance, the Cybercrime (Prohibition, Prevention, etc) Act criminalises unlawful interception of non-public data. It provided for a penalty for the offenders under Section 12. Although the Act does not mention the word ‘privacy’, it provides for the retention and protection of data in computer-based system by financial institutions and criminalises the interception of electronic communications in financial institutions. Other legislation includes the Terrorism Prevention Act 2013, Freedom of Information Act 2013 and the Nigeria Communications Commission Act 2003. These legislations do not provide for the protection of personal information in the custody of private organisations or non- governmental organisations, for example financial service firms such as banks, insurance companies, brokers, and other private organisations that process personal data.
However, a separate law on the subject is necessary. Such law should focus on the establishment of regulatory bodies and rules governing the collection and handling of personal data, and the security and privacy of mail, telephones, email and other forms of communication. At the time of writing this article, the National Assembly is in the process of passing the Personal Information and Data Protection Bill 2015. The Bill, when passed will establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organisations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Noteworthy is the provisions for the office of a Privacy Commissioner to address violations under the legislation.
Thankfully, the subject is not without legal protection in Nigeria. Notable is the Nigeria Data Protection Regulation which was issued on 25th January, 2019, by the National Information Technology Development Agency (NITDA). The NITDA is the national authority for planning, developing and promoting the use of information technology in Nigeria. The Regulation was modelled after the General Data Protection Regulation (GDPR) applicable to data subject within the European Economic Union. The GDPR “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data”. The GDPR under its Article 5 provides for the principles relating to personal data, especially as regards transparent processing, collection, use, accuracy and storage of data.
The Nigerian Data Protection Regulation also serves to regulate and control the use of data in Nigeria with the objectives of safeguarding the rights of natural persons to data privacy, fostering safe conduct of transactions involving the exchange of personal data and preventing manipulation of personal data.
The Regulation defines a Data Subject as an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Under the regulation the data subject can sue for the infringement of his privacy by juristic and natural persons with access to such information. Under the Regulation, a Data Subject has the following rights:
- Right of Consent
The Regulation gives a Data subject the right to be informed of the collection, storage, use and sharing of his data. He also has the right to withdraw his consent at any time. Such consent must be specific, legitimate and lawful which means there shall no element of coercion, undue influence or duress involved. The regulation also places a duty of care on any person entrusted with the possession of the personal data of a data subject. Duty imposed under this right also applies when such personal data is to be transferred to a foreign country or entity. Article 2.12 makes the consent of the Data Subject a condition precedent for transfer of such data.
- Right to Privacy
As was mentioned earlier, the right to data privacy is provided in Chapter IV of the 1999 Constitution of the Federal Republic of Nigeria. The Regulation safeguards this fundamental right to privacy by imposing penalties where a Data Subject’s right is breached. Accordingly, in the event of breach, a Data Controller dealing with more than 10,000 Data Subjects is liable a fine of 2% of its annual gross revenue of the preceding year or payment of the sum of 10 million naira whichever is greater. A corresponding penalty applies to a Data Controller depending on the number of Data Subjects in its portfolio.
Other rights as provided under the Regulation are right of Information to be processed in a concise, transparent, intelligible and easily accessible form, right to provision of information free of charge, right of notification on failure to take action on request of a data subject, right to be informed of appropriate safeguards for data protection where personal data is to be transferred to a foreign country or to an international organisation, right of rectification of personal data, right to delete personal data, right to receive personal data in a structured, commonly used and machine-readable format, right of Data portability, right of access to data or copies of data provided to the controller.
Data privacy and protection is an issue of global concern. The importance is evidenced in the manner in which the aspects of the right continue to expand and evolve to adapt to societal needs and technological development. The advent of new technologies capable of easily infringing our private affairs has forced us to recognise the pressing need to establish with clarity high level of government-backed protection with respect to our right to privacy. Pending the passing of the Personal Information and Data Protection Bill 2015, Nigeria will continue to grapple with an insufficient legal framework in the face of a fast-developing sector. It is hoped that the said Bill is reviewed to enable it tackle recent developments on data privacy before it will be passed and assented to by the President.
 Will.I.Am (Musician and Data Analyst) 2008
 David Wright & Charles Raab (2014) Privacy principles, risks and harms, International Review of Law, Computers & Technology, 28:3, 277-298, DOI: 10.1080/13600869.2014.913874
Internationally, 28th January is designated Data Privacy Day (known in Europe as Data Protection Day). The purpose is to raise awareness and promote privacy and data protection best practices.
 Clarke, R. 1997. “Introduction to ‘Dataveillance’ and Information Privacy, and Definitions of Terms.” Xamax Consultancy, Aug. [Online] Accessed June 22, 2013. http://www.rogerclarke.com/DV/ Intro.html
 Vance Packard, ‘The Naked Society’ (1964)
 Coco v AN Clark (Engineers) Ltd  RPC 41, 47
 Article 1.3 of the Nigeria Data Protection Regulations 2019
 Article 2.3(ii)(c) of the Nigeria Data Protection Regulations 2019.
 Article 2.3 of the Regulation
 Article 2.1
 Article 2.3 (ii)
 Article 2.10.
 Article 2.13.3.
 Article 2.13.3.
 Article 2.13.7
 Article 2.13.8
 Article 2.13.12