Data Privacy simply describes the practices which safeguard user data against intrusion, loss, threats, and unintended use.
With the ever-growing technological innovations in all aspects of human life, data privacy is getting more complex and an issue of concern. All over the world, the right of individuals to have control over how their data is collected and used has become a significant consumer protection issue today.
At the national level, data privacy is the right of a citizen to have control over how personal information is collected and used. In fact, according to United Nations (UN), 132 out of 194 countries have enacted Data Protection and Privacy laws to protect their citizens’ data. The UN also reports that out of 54 African countries, 27 have enacted Data Protection Legislation, 9 possess draft Data Protection Legislation, and 13 have no Legislation.
Data Privacy Laws
There are several Data Privacy laws in Nigeria. One example is the Nigerian Communications Commission (NCC) Act 2007 which ensures the protection of consumers’ data in the telecommunications sector. Other examples include the Cybercrimes Act 2015 which criminalizes data privacy breaches; the Central Bank of Nigeria’s Consumer Protection Framework 2016 which prohibits financial institutions from disclosing the personal information of their customers; and the National Identity Management Commission Act 2007 which empowers the NIMC to collect, collate and process data of Nigerian citizens and residents.
Before 2019, there was no specific statute regulating Data Privacy and Protection in Nigeria as most laws were industry-specific. However, in 2019, the National Information Technology Development Agency (NITDA) enacted the “Nigeria Data Protection Regulations (NDPR)” and presented a “draft Data Protection Bill” for stakeholders review in May 2020.
It is, however, important to note that Nigeria’s data privacy and data protection laws are extensions of citizens’ rights to privacy as provided in the Constitution of the Federal Republic of Nigeria 1999, as amended. Section 37 of the constitution protects citizens’ rights to their privacy.
Data Privacy Breaches and Risks
One notable data privacy breach in Nigeria is the 2019 case between NITDA and TrueCaller. The Sweden-based caller identification app, TrueCaller, was investigated for a “potential breach of privacy rights of Nigerians.” NITDA claimed the app’s privacy policy contained “illegitimate provisions” that contravened Article 2.1(b) and Article 1.3(iii) of Nigeria Data Protection Regulations (NDPR) and “collects far more information than it needs to provide its primary service.”
Another example is the 2013 case involving MTN Nigeria Communications Ltd. V. Barr. Godfrey Eneye. The latter had accused the telecommunications operator of revealing his registered private MTN phone number without permission.
The reasons for most data breaches include loosely-defined breach reporting requirements between data controllers and data processors as well as a lack of clarity on what constitutes a data breach. The alleged cases of data breaches above, however, reiterate the need for Nigeria’s citizens and residents to be aware of the laws governing Data Privacy and Protection in the country. This includes the scope of rights, duties, and responsibilities available to them.
Bottom Line
Data Privacy and Protection is integral to securing the personal data of citizens. It is the responsibility of data controllers and data processors to secure data by ensuring adequate cyber and information security controls.
With the NDPR applying solely to “personal data and natural persons,” organizations that handle data need to evaluate the risks of processing to minimize the risks of data breach and data loss.
Also, given the number of security inadequacies reported across many organizations’ systems, organizations with personal data, processed data, or stored data have to do more to implement adequate controls to secure critical data.