DATA PRIVACY: CAN ONLINE RIDE-HAILING COMPANIES LAWFULLY SHARE PERSONAL DATA WITH THE GOVERNMENT AND ITS AGENCIES?
Introduction:
A major concern of State Governments in Nigeria is intra-state transportation. State Governments are responsible for intra-state road mapping/control, construction and safety. Ride-hailing companies are increasingly becoming involved in the public transportation system of most States in Nigeria. Using technology, ride-hailing companies are displacing the traditional transport system. A major component of their service involves the ‘processing’ of data collected from their customers. The use of personal data is, however, regulated by the Constitution and other Data Protection regulations and guidelines. This article focuses on the Lagos State Government and/or its agencies, and the laws that regulate their access to, and processing of, personal data.
Transportation in Lagos State:
Lagos State is the smallest State in Nigeria by landmass, covering an area of approximately 3,577 km². This would not have mattered except that the State harbours a population of 17.5 million people, which includes residents and daily visitors from surrounding States and satellite towns. The growing population and rapid development of Lagos State have thus placed a strain on the State’s public transport system, resulting in traffic congestion and pollution. The means of public transportation in Lagos are taxis, buses and commercial motorcycles, known locally as okada.
Public transportation therefore is a thriving enterprise for private transporters and the State Government. The Lagos Metropolitan Area Transport Authority (abbreviated LAMATA) is one of the State government’s transport agencies. The State Chapter of the National Union of Road Transport Workers (NURTW) controls the operation of commercial buses, taxi and motorcycle operators in terms of operational normalcy, fare and revenue generation. Traditional transport operators collect little or no data from their passengers and the NURTW has no concern in this area. Issues surrounding road safety, fair pricing, security and welfare may have received little concern as a result.
Tech Companies to the Solution:
The entrance of multinational ride-hailing companies like Uber, Bolt and the recently banned Gokada changed the landscape in this regard. These companies introduced the safety, security and fair pricing lacking in the traditional transport system. Their mode of operation involves passengers’ use of a software application to order a ride and get the fare quotes. Payment is made at the end of the ride according to the passenger’s pre-selected preference, either a debit card on record or cash. The drivers are independent contractors who use their own vehicles, although they can rent or lease same for use on the platform. The companies regulate the drivers, who must meet requirements for age, health, car age and type, and license, and must pass a background check.
Ekocab and LASG Guideline for Ride-hailing Companies:
One of the ride-hailing companies jostling to operate in Lagos State is Node E-hailing Services, which was incorporated in Nigeria. The company launched its mobile app called EkoCab in January, 2020.
In March, 2020, its CEO, Mr. Segun Cole, stated on his Twitter page that “Ekocab” intends to host the local yellow taxi drivers in Lagos under its online platform. Mr. Cole also hinted at the State Government’s plan to regulate ride-hailing companies like Uber and Bolt on issues including data privacy. It is noteworthy that personal data in this case includes drivers’/customers’ name, email address, phone number, place of residence, geolocation and driving routes, information about vehicles (including registration number), driver’s license, photo, profession and identity documents, data about criminal convictions and offences, and financial details. These data are supposed to be processed (a term that includes usage, storage, transmission, transfer, arrangement, etc.) for the purpose of carrying out stated business objectives.
Recently, the Lagos State Government issued the Guidelines for Online Hailing Business Operation of Taxis in Lagos State, 2020 (‘the Online Hailing Business Guideline’). True to Mr. Cole’s earlier hint, the Guideline, among other provisions, gives the State’s Ministry of Transportation access to the database of ride-hailing operators. According to Section 4.2.1 of the Guideline:
“The Ministry and her Agencies shall have access to the data base of the operators/companies operating e-Hailing Taxi Business in Lagos State.”
Data is the new currency. Advertisement, competition, financial privacy and location surveillance are some of the areas where the use of data has become important and where challenges are faced if data is processed in an unregulated manner. It is therefore necessary to consider the conditions under which ride-hailing companies can share their data with the Lagos State Government and its agencies.
Data Privacy & Protection in Nigeria:
Technological progress has further highlighted the need for individuals to manage, protect and ensure the privacy of the information that companies and third parties hold about them. This is a constitutional matter, as the 1999 Constitution of the Federal Republic of Nigeria in Section 37 provides that:
“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
Further to the above, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation 2019 (the NDPR) and the Guideline for the Management of Personal Data by Public Institutions, 2020 (the PI Guideline). The NDPR, among other things, seeks to safeguard the rights of natural persons to data privacy and protection. It applies to all storage, processing and exchange of Personal Data conducted in respect of Nigerian citizens. However, data processing may be unlawful, for example when it is done for corporate gain or involves disclosure to a third party to the detriment of the data subject.
Under Section 2.2 of the Regulation, a company can lawfully process personal data where any of the following exist:
- a) Consent by the data subject to the processing of his/her personal data for one or more specific purposes;
- b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- c) Processing is necessary for compliance with a legal obligation to which the Controller is subject;
- d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person, and;
- e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller.
Consequently, it is important to ascertain whether a company can lawfully share with, and transfer personal data to, third parties like the State Government or its agencies. Granted that customers and drivers of these ride-hailing companies are obligated to sign up to their Privacy Policy, it is imperative that they, as data subjects, be fully informed of the sharing of their data with a third party and the purpose of such sharing. In essence, they must consent to such processing activities beforehand. Even after consent based on full disclosure is given, the ride-hailing companies must ensure the existence of a contract between them and the third party, which will, inter alia, stipulate that shared data would remain protected as statutorily required.
The governing principles of processing data under the NDPR are stated in Section 2.1 which provides that personal data shall be:
- a) Collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject; provided that: further processing may be done only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and any person or entity carrying out or purporting to carry out data processing under the provision of this paragraph (b) shall not transfer any personal data to any person.
- b) Adequate, accurate and without prejudice to the dignity of human person;
- c) Stored only for the period within which it is reasonably needed, and;
- d) Secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
The said Section goes ahead to provide that anyone who is entrusted with the personal data of a data subject (i.e. data controller) or who is in possession of the personal data of a data subject (i.e. data administrator) owes a duty of care to the said data subject and shall be accountable for his acts and omissions in respect of data processing. This duty of care extends to its employees, privies and any other person who obtains such data from it.
Moreover, the PI Guideline recognizes increased Government interest in the personal data of citizens and residents. Section 6.0 thereof provides that any Public Institution seeking to process personal data in the public, legal or vital interest of a data subject shall:
- a) ensure such request is endorsed or signed by a Governor of the State, Minister of the Federal Republic or the Chief Executive Officer of the PI;
- b) state clearly the purpose for such processing and disclose the vital or public interest to be served by such processing;
- c) provide a clear description of the output sought and manner the output shall be applied for the benefit of data subject;
- d) provide proof of compliance of system requirements and;
- e) provide an undertaking to protect the information shared, avoid any attempt to deanonymize the information shared; and refrain from using the data for any other purpose.
The above obligations on the Government and its agencies are important, especially the need to state the purpose or use of the personal data. Speaking on this issue after a parley with ride-hailing operators on 14th August, 2020, the State’s Transport Commissioner, Dr. Frederic Oladehinde, stated as follows:
“We are not asking the e-hailing companies to release detailed data. All we are asking from them data for trip movement, so that we can calculate the right charge and levy due to the Government. This data is to be supplied every week”.
Notwithstanding the above clarification, relevant portions of the Online Hailing Business Guideline are yet to be amended. Moreover, to ensure a foolproof understanding of the obligations of the parties involved, it is necessary that a contract pursuant to Article 2.7 of the NDPR 2019 is executed, and an undertaking pursuant to Article 6.0(e) of the Public Institutions Guidelines 2020 is given by the State Government. Also, a full disclosure of the State Government’s processing activities in this regard should be included in the company’s Data Privacy Policy so that data subjects will be made aware before signing up for services.
In addition to the above, the Lagos State Government and its agencies are obligated under the Public Institutions Guideline to protect personal data to which they have lawful access. According to Article 2.6 of the PI Guideline, such obligation entails compliance with the NDPR 2019 and international information security standards, submission of their Data Protection Impact Assessment (DPIA) to NITDA and retention of a Data Protection Compliance Organization (DPCO). These are to ensure the protection of the personal data generated by the ride-hailing companies which they have access to.
In conclusion, the risks posed by unlawful exposure of personal data in other jurisdictions have created the need to ensure strong legal safeguards on how governments use the data they obtain or process. Surveillance data, travel history and movement information of customers of ride-hailing companies may be susceptible to abuse in the hands of unscrupulous government officials. It will be a breach of Data Protection laws for online ride-hailing companies to process personal data generated from their drivers and customers, and share same with third parties for an unknown purpose, or for storage under a data security platform that is substandard. It is also expected that ride-hailing companies will henceforth include in their privacy policy statement the details of any contractual obligation to share personal data with third parties and government entities.
Written by
Tochukwu Itumo
Lexworth Legal Partners
September 2020.
DISCLAIMER: LEXWORTH LEGAL PARTNERS, 2020
This document is intended only as a general discussion on the subject of this article. Please do not regard it as legal advice. We would be delighted to provide additional details or advice about specific queries, if required.