International Conference on Business, Economics, Law, Language and Psychology

. 

rights
  • Facebook
  • Twitter
  • Google+
  • Gmail
  • LinkedIn
Credit: www.shareyouressays.com

Introduction 

Privacy law refers to the laws that deal with the regulatory control, storing, and use of personally identifiable data of individuals, which may be collected by governments, public or private organizations, or other individuals pursuant to certain steps and procedures. The Black’s Law Dictionary defines privacy law as a regulation or law that safeguards the intention of an intention to not be disturbed, and not collate any information pertaining to him/her. 

Privacy laws can be broadly classified into two categories they are: 

General privacy laws which may have an overall bearing on the personal information of individuals and affect the policies that govern many aspects of information. An example is the Constitution of the Federal Republic of Nigeria.

Specific privacy laws that are designed to regulate specific types of information. Some examples include: the Child Rights Act, The Nigerian Communications Commission RTS (Registration of Telephone Subscribers) Regulation 2011 etc. 

  1. Fundamental rights 

Fundamental rights are rights that are regarded to be inherent to man and are protected by the laws of any nation. The Constitution of the Federal Republic of Nigeria under Chapter IV guarantees fundamental human rights and makes a special provision for their enforcement under Section 46. 

A list of the rights guaranteed to persons in Nigeria include 

  1. Right to life 
  1. Right to freedom of movement 
  1. Right to freedom of dignity of human person 
  1. Right to fair and equal hearing 
  1. Right to private and family life 
  1. Right to freedom of expression and the press 
  1. Right to freedom of thought, conscience and religion 
  1. Right to peaceful assembly or association 
  1. Right to personal liberty 
  1. Right to ownership of property 

We would be discussing the issue right to privacy and in doing so we cannot ignore the importance of data protection which is the obvious outcome of privacy law. 

I have therefore enumerated the key principles of data protection regimes which all Nigerian legislation attempting to regulate privacy have tried to emulate; 

• Personal data shall be processed fairly and lawfully; 

• Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes; 

• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; 

• Personal data shall be accurate and, where necessary, kept up to date; 

• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 

• Personal data shall be processed in accordance with the rights of data subjects under this Act. 

• Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 

  1. Grand Norm guiding Privacy of Persons In Nigeria  

The Constitution 

The Constitution of the Federal Republic of Nigeria (As Amended 2018) which is the grand norm of all laws in Nigeria protects Nigeria citizen communications. The Constitution in its Section 37 states that 

“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected” 

However, note that the right to privacy under the 1999 Constitution is not an absolute right because section 45 of the Constitution provides for circumstances that permit derogations from that right. 

For ease of reference Section 45 provides – 

Nothing in section 37 shall invalidate any law that is reasonably justifiable in a democratic society  

(a) in the interest of defence, public safety, public order, public morality or public health; or  

(b) for the purpose of protecting the rights and freedoms of other persons. 

The implications of this section are such that where existing or new legislation relating to health, environment, criminal justice administration, town planning, etc. infringes an individual’s right to privacy, the courts are faced with determining the constitutionality of the law in light of the provisions of section 45. 

  • Specifically, the court must consider the following elements:  
  • was the legislation in question a reasonable one?  
  • Is it justifiable?  
  • Is such legislation necessary and does it presently suit the democratic society in Nigeria?  
  • Is such a legislation in the interest of defence, public safety, public order, public morality or public health? Is such legislation necessary to protect the rights and freedoms of other persons?  

Premised on the above any kind of invasion of privacy that is not backed by law is unconstitutional, the powers therefore lie with the court and not the person enforcing a law to determine whether that law is firstly reasonably justifiable under a constitutional democracy, and secondly, whether it is made in the interest and for any of the purposes outlined under section 45;  

Where the limitation measures proposed by the legislature are considered excessive in relation to the interests protected, the court will pronounce the law unconstitutional; In terms of procedural law, it should matter to the courts how law enforcement officers procure evidence or methods used by the state to investigate infractions of the law, because where breaches of privacy are not checked or discouraged, the state apparatus becomes unduly oppressive – and that cannot be good for any democratic society. 

Right to Privacy:  

There is currently no comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens apart from Section 37 of the Constitution and Section 8 of the Childs Right Act 2003. An action may be brought for the Tort of Privacy or the Tort of the breach of Confidence, however the law of Tort in Nigeria regarding privacy has not been developed or is virtually non-existent.  

The constitutional  right to privacy often must be balanced against the state’s compelling interests, including the promotion of public safety and improving the quality of life as shall be discussed later in this paper. 

Fundamental Rights (Enforcement) Procedure Rules Procedure 2009 

The Fundamental Rights (Enforcement Procedure) Rules, 2009 (‘the Rules) enjoins the Courts to give expansive and purposeful interpretation to Chapter IV of the Constitution and the African Charter to advance and realize the rights and freedoms contained in them and afford the protections they intended. 

To protect the constitutional right to privacy an aggrieved person can proceed under the Fundamental Rights (Enforcement)Procedure Rules made pursuant to section 46 of the 1999 Constitution.  

The said section provides that any person who alleges that any of the fundamental human rights has been is being or likely to be contravened in any state may apply to the High Court in that state for redress. Because of the relatively easier means of enforcement instituted by the enforcement procedure rules, this remains one of the attractive points of the constitutional right to privacy. Sadly, as we noted above there is no evidence to suggest that this has been recognized or utilized by Nigerians. 

“A party seeking relief under section 46(1) of 1999 Constitution and Order II rules 2 & III (1) of Fundamental Rights (Enforcement Procedure) rules must ensure that the main relief and consequential reliefs point directly to a fundamental right under Chapter IV of the 1999 Constitution and a clear deprivation of the same by the other party being sued.” 

Based on the above and Order I Rule 2 and Order II Rule 1 of the Rules therefore, the fundamental rights enforceable are those provided under Chapter IV of the Constitution and the African Charter. Order 1 Rule 2 defines Fundamental Right to mean any of the rights provided for in Chapter IV of the Constitution and includes any of the rights stipulated in the African Charter on Human and Peoples’ Rights (Ratification and Enforcement) Act. 

Order II Rule 1 further emphasizes this by providing as follows: 

“Any person who alleges that any of the Fundamental Rights provided for in the Constitution or African Charter on Human and Peoples’ Rights (Ratification and Enforcement) Act and to which he is entitled, has been, is being, or is likely to be infringed, may apply to the Court in the State where the infringement occurs or is likely to occur, for redress.” 

In other words, any fundamental rights action filed where the reliefs sought have no connection or the reliefs sought do not fall into any rights stated in Chapter IV of the Constitution and the African Charter, such action will be unsustainable as a fundamental rights action. 

It is however important to note that although the fundamental rights enforceable under the Rules are those stated in Chapter IV of the Constitution and the African Charter, the Rules went further to enjoin the Court in any case to give consideration to other municipal, regional and international bill of rights cited to it or brought to its attention or of which the Court is aware, whether the bills constitute instruments in themselves or form parts of larger documents like the constitution, for the purpose of advancing and not restricting the applicant’s rights and freedoms. 

The bills of which consideration can be given include the Universal Declaration of Human Rights and other Instruments (including Protocols) in the United Nations human rights system as provided for in the Preamble of the Rules although not included not included in Order 2 Rule 1 which identifies the instances when a cause of action may give cause to enforcement of fundamental rights. 

Remedies 

Damages

The combined cases of Shugaba v Minister of Internal Affairs, 2 Abiola v Abacha clearly establish that damages can be awarded for breach of fundamental human rights. In the celebrated case of Obisi v Nigerian Navy 3 The Federal High Court adopted the views of Odunowo J in Ajayi v AG Federation 4that in fixing the amount of damages for infringement of fundamental human rights, the following factors must be taken into consideration:  

  1. the frequency of the type of violation in recent time; the continually depreciating value of the naira;  
  1. the motivation for the violation;  
  1. the status of the applicant;  
  1. the undeserved embarrassment meted out to the applicant, including pecuniary losses, and  
  1. the conduct of the parties generally particularly that of the respondent.  

Other reliefs that may be granted include Declarations, Apology and Injunctions. 

Role of National Human Rights Commission  

Since its establishment the National Human Rights Commission (the “Commission”) has demonstrated an expansive capacity to tackle issues of human rights through various activities, ranging from public enlightenment and education, investigation of complaints, mediation and conciliation, conflict resolution, peace building, research advocacy and training programmes on contemporary issues in the field of human rights.  

These were given effect through an effective complaint treatment mechanism, regular hosting of enlightenment seminars, workshops, rallies and continuous reengineering of strategies which culminated in the National Action Plan (NAP) for the promotion and protection of human rights. The NAP has been deposited with the office of the United Nations High Commissioner for Human Rights (UNHCHR) as a benchmark for assessing Nigeria’s human rights records, as well as government’s commitment towards the promotion and protection of human right.  

The Commission has continually engaged in a series of educational and public enlightenment programmes to raise public awareness on human rights issues. The Commission regularly holds workshops, seminars, conferences and interactive sessions with relevant stakeholders.  

Human Right Protection 

A robust and effective complaint treatment mechanism has been put in place at the Headquarters and all the six Zonal Offices to handle all complaints of human rights violations. All victims of human rights violations can therefore access the services of the Commission free of charge, at any of the Commission’s offices.  

Human Right Enforcement 

There has been a high level of compliance with the decisions of the commission by alleged violators of human rights since its establishment in 1995. The NHRC (Amendment) Act, 2010 has however conferred on the commission express powers to enforce her decisions. Under this provision, decisions of the commission’s Governing Council are registrable as decisions of the High Court. 

  1. Pre-eminence of Law Enforcement I National Security considerations versus Privacy concerns 

National security and privacy: In this data-driven digital age, our every action, our every smart device (including mobile phones and personal computers) and our every application (including social media platforms and web browsers) generate humongous volume of information—ranging from our personal likes and dislikes, to our personal connections, to our financial transaction records, to our shopping, travel and hospital records—with or without our knowledge. 

Complex algorithms could easily bring together seemingly innocuous impersonal information to create unique personal profiles of any individual. Strong data protection and privacy laws, similar to the General Data Protection Regulation (GDPR), introduced in the European Union from the May of 2018 are imperative to ensure that we have control over our own data, and for us to decide with whom we share our personal information. 

That being said, we should not forget that our current times are seeing an exponential increase in cybercrimes, with the internet used as a primary tool for several antisocial activities ranging from smuggling, trafficking and money laundering to recruitment into terror outfits. 

It is the government’s job to secure its citizens’ general welfare. We should always remember that national security should be prioritized over any concerns for personal privacy.  

Namely, the common good outweigh personal preferences. In this case, the common good does include surveillance to prevent attacks against Nigerians or to prevent an attack on Nigerians from being carried out. Better intelligence and security measures will help prevent the loss of life. Is that not a worthwhile reason to allow for reduced privacy? 

National security enables a pluralist, inclusive society 

The wider net of national security measures can identify xenophobes and racially or religiously motivated criminals and act against them before harm is caused to others. For members of minority groups or targeted persons, a loss of privacy can mean a better quality of life, as those who seek to ostracize and harm them are apprehended swiftly – and the hateful teachings being spread via the media are removed from social media platforms and websites. Better surveillance might have prevented the herdsmen attacks in Plateau state or the takeover of several local governments by Boko Haram. 

Terrorist organizations such as ISIS are believed to have started using digital cryptocurrencies such as Bitcoins as the preferred funding mechanism to covertly expand their operations. Data breaches and identity thefts allow a perpetrator to execute any of the above-mentioned activities, with the onus on victims to prove their innocence. 

Privacy concerns are weakening the ability of Nigeria’s counter-terrorism and intelligence units to stay a step ahead in the darkening digital world would have grave long-term consequences. 

Furthermore, measures taken to curb the efforts of the government to collect and analyse data, the primary raw material of our digital economy—while a handful of private corporations colonise the bulk of the planet’s generated data which could undermine the state’s ability to provide quality citizen services, which in turn could create turbulent social and economic disruptions. 

The creation of independent watchdog institutions in concert with media practitioners, Telecoms and ISPs with ample statutory authority to ensure that any public or private organisation working with data complies with stringent data privacy, protection and security regulations, would be ideal. 

However, unchecked and unaccounted data collection and examination, especially by government entities would lay the foundations of a dreaded police and surveillance state, the primary fear of the rights petitioners who have challenged the mandatory. 

The creation of independent watchdog institutions akin to the Electoral Commission or the NHRC, preferably answerable to a parliamentary committee, with ample constitutional authority to oversee and ensure that any public or private organization working with data complies with stringent data privacy, protection and security regulations, would be ideal steps to ensure that our citizens effectively preserve their privacy in the digital age. 

  1. Law Enforcement relationship with Service Providers 

The relationship between law enforcement agencies and service providers (Telecommunications companies and Internet Service Providers) is one that requires consistent communication and support for each other. The law enforcement agencies have a duty under the legislations provided in Nigeria to protect and guide the property and lives of Nigeria. Subject to the protection of Nigerian interests it is pertinent to note that service providers should aid and assist the law enforcement agencies. 

In doing this, a service provider should comply with the laws regarding releasing of information to security agencies. If the proper procedure is not followed in providing information, Service providers could therefore be liable if the improper procedure in holding data of persons are not followed.  

Consequences of failing to follow the proper procedure in protecting data belonging to persons include Damages, Declarations, injunction and other awards granted in fundamental rights enforcement proceeding.                                                                              

  1. Legislations  

Relevant statutory Legislations and regulations relevant in the area of Privacy are listed below: 

  1. Nigerian Communications Act 2003 

The Nigerian Communications (NCA) Act 2003 provides for the creation of the Nigerian Communications Commission (NCC). The NCA Act 2003 is also an important aspect of privacy regulation in Nigeria. It deals basically with the Telecommunication networks and Internet Service Providers.  The NCC grants licenses in the separate frequencies currently available to willing entities seeking to participate in the telecommunications industry.  

The NCC Act in Section 148 provides that  

the Commission may unilaterally order that any communication or class of communications to or from any licensee, person or the general public, relating to any specified subject shall not be communicated or shall be intercepted or detained, or that any such communication or its records shall be disclosed to an authorized officer mentioned in the order cannot for this reason be justified.  

The validity of such intrusion would have been tested in Nigeria if Mr Rickey Tarfa, SAN in 2016 had not quite inexplicably withdrawn a suit he had instituted against one of the service providers alleging unauthorized intrusion into his private telephone records. 

I however seriously doubt its constitutionality has it makes no recourse to the Judicial process in obtaining the data of persons. 

  1. National Information Technology Development Agency (NITDA) Act 2007 

The National Information Technology Development Agency It was mandated by the NITDA Act (2007) to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices, activities and systems in Nigeria. 

Its role therefore is to develop Information technology in the country through regulatory standards, guidelines and policies.  

Additionally, NITDA is the clearing house for all IT projects and infrastructural development in the country. It is the prime Agency for e-government implementation, Internet governance and general IT development in Nigeria. The agency releases the (NITDA) Guidelines on Data Protection which are made pursuant to the NITDA Act. 

The NITDA is the national body responsible for planning, developing, and promoting the use of information technology in Nigeria.  

The NITDA, in performing this duty, issues guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. The Guidelines are currently the only set of regulations that contain specific and detailed provisions on the protection, storage, transfer, or treatment of personal data in Nigeria. 

The NITDA Guidelines defines “personal data” as: 

“any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”. 

Generally, the Guidelines contain principles that should be adhered to when dealing with personal data of Nigeria residents including the collection and processing of personal data. Some of these principles are as follows: 

It must be processed lawfully and fairly 

It must only be used for the purpose for which it was collected 

It must be accurate and where necessary kept up to date 

It must be processed in accordance with the rights of data subjects 

Personal data must not be transferred outside Nigeria unless adequate provisions are in place for it to be protected 

The NITDA Guidelines apply to Federal, State and Local Government agencies and institutions as well as private sector organizations that own, use or deploy information systems of the Federal Republic of Nigeria. It also applies to organizations based outside Nigeria where such organizations process personal data of Nigerian residents. However, there has been no indication of it being adopted as the legislative authority that it is. 

In addition to the NITDA act, there are also some sector specific legislations/rules that relate to control of data in Nigeria; 

  1. The Consumer Code of Practice Regulations 2007 

This Regulation provides that all licensees (all telecommunication service providers) must take reasonable steps to protect customer information against “improper or accidental disclosure” and must ensure that such information is securely stored. 

It also provides that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”. 

It is pertinent to note that the application of the Regulations is not restricted to Nigerian citizens alone; the regulation applies to customer information relating to customers of any nationality that use a licensee’s network. 

  1. The Nigerian Communications Commission RTS (Registration of Telephone Subscribers) Regulation 2011 

In August, 2009, the Nigerian telecommunications regulator, the Nigerian Communications Commission (NCC), in exercise of its regulatory powers under the Nigerian Communications Act (NCA) 2003, issued a directive which was published in 2009 to the effect that as from 1st March, 2010 all new “Subscriber Identity Module” (SIM) cards must be registered before activation. However, these Regulations are not of general application and are not effective to stop the consistent barrage of marketing messages sent directly to subscribers’ mobile phones. 

The Nigerian Communications Commission has earlier referred to in this paper is charged with oversight functions on the telecommunications industry. In line with this duty, it also issued the Registration of Telephone Subscribers Regulation (RTS Regulation) in 2011. 

The Regulation attempts some protection of the data collected, collated, retained, and managed by telecommunication companies operating in Nigeria and independent registration agents in view of their obligations to collate and retain data of subscribers under the Regulation. 

For the purpose above, Section 9 of the RTS Regulation 2011, titled “Data Protection”, states as follows: 

“(1) in furtherance of the rights guaranteed by virtue of section 37 of the Constitution of the Federal Republic of Nigeria 1999 and subject to any reasonable guidelines, terms and conditions that may from time to time be issued by either the Commission or License, any Subscriber whose Personal Information is stored in the Central Database, shall be entitled to view the said information and to request updates and amendments thereto”. 

(2) The Subscriber information contained in the Central Database shall be held on a strictly confidential basis and no persons or entities shall be allowed access to any Subscriber information in the Central Database, except as provided in paragraph 1 above and in paragraph 5 of section 10 of these regulations or by any Act of the National Assembly. Licensees, Independent Registration Agents, and Subscriber Registration Solution Providers shall not under any circumstance, retain, deal in or make copies of any Subscriber Information or store in whatever form any copies of the Subscriber Information for any purpose other than as stipulated in these Regulations or an Act of the National Assembly. 

Further, section 9(5) of the Regulation states that licensees shall utilize personal information in accordance with the Regulations solely for their operations and in accordance with the provisions of Part V of the General Consumer Code Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly issued from time to time to regulate the specific purposes for which the Personal Information may be used. 

Section 10(4) then provides a blanket rule that the subscribers’ information shall not be transferred outside the Federal Republic of Nigeria, unlike the requirement under the NITDA Guidelines. 

The General Consumer Code Practice for Telecommunications Services referred to above in the RTS Regulation 2011 also set out certain data protection mechanism for consumers of telecommunication services in Nigeria. 

Specifically, section 35 of the General Consumer Code Practice for Telecommunications Services provides that a licensee may collect and maintain information on individual consumers reasonably required for its business purposes. 

But such collection and maintenance of information on individual consumers shall be- 

(a) Fairly and lawfully collected and processed; 

(b) Processed for limited and identified purposes; 

(c) Relevant and not excessive; 

(d) Accurate; 

(e) Not kept longer than necessary; 

(f) Processed in accordance with the Consumer’s other rights; 

(g) Protected against improper or accidental disclosure; and 

(h) Not transferred to any party except as permitted by any terms and conditions agreed with the Consumer, as permitted by any permission or approval of the Commission, or as otherwise permitted or required by other applicable laws or regulations. 

A licensee is required under section 35(2) of the Code to meet generally accepted fair information principles including: 

(a) Providing notice as to that individual consumer information they collect and its use or disclosure; 

(b) The choices consumers have with regard to the collection, use and, disclosure of that information; 

(c) The access consumers have to that information, including to ensure its accuracy; and 

(d) The security measures taken to protect the information and the enforcement and redress mechanisms that are in place to remedy any failure to observe these measures. 

Please note that these rules apply to individual consumer information whether initially provided verbally or in written form, so long as that information is retained by the licensee in any recorded form. 

The penalty for noncompliance is a fine which could range from N200,000–N1,000,000 and perhaps forfeiture of the commercial benefit derived from the unauthorized use of such subscriber information. The Regulations do not treat such breach of the data protection measures as a violation of the individual subscriber’s right to privacy, which may be actionable at the instance of the affected subscriber. Undoubtedly, this diminishes the potency of the data protection provision of the RTS regulation 2011 and renders it helpful only to the commission. 

In the same vein, the provisions of the Consumer Codes can only be enforced in accordance with the “Administrative Fines” set out in Chapter IV of the Nigerian Communications’ (Enforcement Process) Regulation 2005. The administrative fine against such an erring Licensee is they sum of N500,000 and a further sum of N500,000 per day after the expiration of the notice for as long as the contravention persists. 

The above positions have shown the attitude of the Nigerian Government towards data privacy and personal information regulation in Nigeria. An ideal data protection law should be created that guarantees the right of citizens to seek adequate redress in court for any breach occasioned by an act or omission of operators in the sector, including the Nigerian Communications Commission itself.  

  1. The Cybercrimes (Prohibition, prevention Etc.) Act 2015 

The Cybercrimes (Prohibition, prevention Etc.) Act 2015 provides a legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria including identity theft, cybersquatting, hacking and even child pornography.  

It also allows the interception of electronic communication by way of Court Order, where there is reasonable ground to suspect that the content of any electronic communication is reasonably required for the purposes of criminal investigation or proceedings and so on. 

  1. The National Identity Management Commission (NIMC) Act 2007 

The Commission is empowered to establish, operate and manage the National Identity Management System (NIMS), carry out the enrolment of citizens and legal residents, create and operate a National Identity Database, issue Unique National Identification Numbers to qualified citizens and legal residents. 

Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information contained in the Database with respect to a registered individual entry without the authorization of the Commission. 

However, the Commission is empowered to provide a third party with information recorded in an individual’s entry in the Database without the individual’s consent, provided it is in the interest of National Security. Telecommunication and Media Companies may however partner with NIMC to use information provided to NIMC by persons registered under NIMC, this information is however subject to agreements executed with NIMC.  

  1. Child Rights Act (CRA) 2003 

Every Nigerian child is entitled to his privacy, family life, home, correspondence, telephone conversation and telegraphic communications by the provisions of Section 8 of the Child rights Act, which is a federal legislation and states are expected to domesticate same. 

This Act in Section 8(iii) however grants exception where applicable to legal guardians. Such guidance is necessary as a child privacy is not expected to absolute because the Act recognizes the Child’s right to make informed decision based on the Adults choice. 

  1. The Freedom of Information Act, 2011 (FOI Act) 

The Act seeks to protect personal privacy and it provides that a public institution is obliged to deny an application for information that contains personal information, unless the individual involved consents to the disclosure, or where such information is publicly available.  

The Act also provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc.). 

The Act however only protects public officers and not private individuals companies or unelected political persons. 

  1. Cyber Security, Interception, Encryption and Data Retention 

According to the Merriam-Webster dictionary, cybersecurity are measures taken to protect a computer or computer system (as on the internet) against unauthorized access or attack. In simple terms, it is the use of technologies and effective security measures to protect an organization(s) from cybercriminals.  

The effect of a cyber-attack can be very damaging. That is, sensitive and confidential information and documents can be leaked, pilfered used or destroyed by cybercriminals whether or not ransom is involved and the ransom payment is fulfilled.  

The only regulations that mandate data holders to properly secure data and information is the NIMC regulations. With no clear framework for proper management of user data in Nigeria, the only way users can seek remedies against a data processor or controller is through the statute mandates that data and information being processed by encrypted. 

Records retention and protection of data is provided for under the Cybercrime act. The reasons for these are provided under the following legislations referred to below. This legislation recognized the powers and duties of service provider in keeping data belonging to various persons for a period of time  

Section 38 of the Cyber Crime 2015 Act grants law enforcement agencies the powers to monitor data belonging to individuals. This powers are however subject to the powers granted in legislations or orders of the Court granted to the agencies. For ease of reference the section is reproduced below.  

Duties Of Service Providers 

(1)    A service provider shall keep all traffic data and subscriber information as may be prescribed by the relevant authority for the time being, responsible for the regulation of communication services in Nigeria, for a period of 2 years. 

(2)    A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency– 

(a)    preserve, hold or retain any traffic data, subscriber information, non-content information, and content data; or 

(b)    release any information required to be kept under subsection (1) of this section. 

(3)    A law enforcement agency may, through its authorized officer, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply. 

The Act also provides that any person who contravenes any of the provisions contained in section 38 commits an offence and shall be liable on conviction to imprisonment for a term of not more than 3 years or a fine of not more than N7,000,000.00 or to both fine and imprisonment. 

The Terrorism Prevention Act (TPA) As Amended 2013 provides for instances when interception of communication will be allowed by government agencies. This is however subject to a filing of a motion exparte by the agency at the Federal High Court through the Attorney General of the Federation or the National Security Adviser. 

This however can only be achieved through the judicial process. The TPA further empowers a judge upon an ex parte application to grant an interception of communication order, the order allows for such intrusive measures such as requiring the service provider to intercept and retain a specified communication, authorize relevant law enforcement agency to enter any premises to install devices and execute covert operations. 

In my respectful view, the moderation by the judicial arm as distinct by arbitrary rationalizations by the enforcement agency is a crucial indication of a limitation that is reasonably justifiable in a democratic society. A failure to curtail the powers or excesses of a law enforcement agency by an authority would lead to a police state 

Conclusion:  

In enforcing privacy obligations in Nigeria, it is important that the stake holders in the data protection sector provide key valuable insight and advisory framework for the setting up of a robust data protection regulation. The main data protection regime in Nigeria which is the NITDA Guidelines is not properly backed by a strong legislation particularly regarding imposition of fines and punishment of violators, Section 6 of the act is quite unclear and needs to more specific about the role of the NITDA in administering regulations it passes.

I believe that in ensuring the protection of digital rights of Nigerians, it is advised that a more robust framework should take cognizance of disruptive technology and become adaptive based on the changing privacy landscape. 

In the future, the conversation around data privacy and protection in Nigeria will shift to right of data subject to object to automated individual decision making, data protection by default, communication of data breach to data subject, data protection impact assessment, cross-border transfer of data, e-privacy and more international cooperation and collaboration for protection of personal data. 

We must therefore remember that privacy can be a very powerful tool, but everyone’s privacy may be put in jeopardy by those who abuse it. 

References  

Terrorism Prevention Amendment Act 2013 

Data Privacy Protection in Nigeria By Udo Udoma & Belo-Osagie. 

Right to Privacy and Law Enforcement Text Of A Lecture Presented At The Ogun State Judges ‘conference (OJSC), 27th September 2016 By Professor Adedeji Adekunle SAN 

Josiah Micah & 3 Ors Vs Minister FCT & Nigeria Police Force. Suit No: FCT/HC/M/11140/12 (Unreported) 

Nigerian Courts and The Enforcement Of Fundamental Rights Hon. Justice P.O. Aderemi, Jsc (Rtd) Con 

Proceedings Under the Fundamental Rights (Enforcement) Procedure Rules 2009 A Paper Delivered By Hon. Justice Abdu Aboki 

The Right To Privacy In Nigeria By E.S Nwauche 

Data and Privacy Laws in Nigeria http://nigerianlawtoday.com/data-privacy-laws-nigeria/  

Privacy Is Important But So Is National Security https://www.huffingtonpost.in/anil-k-antony/privacy-is-important-but-so-is-national-security_a_23179175/ 

Does National Security Outweigh the Right To Privacy? By Talia Klein Perez https://www.theperspective.com/debates/living/national-security-outweigh-right-privacy/ 

NHRC Website https://www.nigeriarights.gov.ng/HumanRightsEducation.php 

Consideration of Scope Of Rights Enforceable Under The Fundamental Rights (Enforcement Procedure) Rules, 2009 By Macpherson LLP 

Constitution of the federal Republic of Nigeria 1999 (As Amended 2018) 

Nigerian Communications Act 2003 

National Information Technology Development Agency Act 2007 

Child Rights Act in Nigeria 2003 

Share This

Share this post with your friends!

Share This

Share this post with your friends!