DATA-MISUSE, DATA-THEFT AND DATA PROTECTION IN NIGERIA
Under section 37 of the 1999 Constitution of the Federal Republic of Nigeria (CFRN), the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected.
OUR STORY
Quality, not quantity
We have made quality our habit. It’s not something that we just strive for – we live by this principle every day.
DATA-MISUSE, DATA-THEFT AND DATA PROTECTION IN NIGERIA
Under section 37 of the 1999 Constitution of the Federal Republic of Nigeria (CFRN), the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected. However, the right to privacy does not seem to include individual data or consider the internet and its complexities, which has brought to prominence the importance of this provision. Thus, this omission has created a vacuum left to be filled by new and existing laws, particularly those of other jurisdictions. The only available regulatory framework in Nigeria is the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA) in 2019.
DATA MISUSE
Data misuse is the use of information in ways in which it is not intended (Sham, 2020). Generally, the use of data is governed by agreements, policies, laws and regulations and where such data is used outside the scope of these laws, data misuse occurs. This could be exemplified by improper data handling practices like copying company confidential information to personal devices, thereby leaving them open for others to see and steal; improper filing systems, which could lead to collecting the wrong data from customers, or loss of data; and using data outside the given scope of authority.
An example is Truecaller, a popular caller identity app that in 2019 was investigated by the NITDA for breaching the NDPR Article 1.1 of Truecaller’s privacy policy, allowed Truecaller to give user information to third parties, contravening Article 2.1(b) and Article 1.2 (iii) of the NDPR. The app was also asking for more information than necessary, including their geo-location, IP address, device ID, SIM card usage, applications installed on users’ devices, screen resolution, device address book, browser, operating system, and more. This was in actual violation of Article 2.3 (2)(d) of the NDPR, a testament to the company’s flagrant misuse of user data.
DATA THEFT
It is the act of stealing information from databases, devices and servers. It usually entails a cyberattack or the collection of the data without the owner’s consent and could present terrible repercussions to the business, and the reputation of not only the owner but stakeholders to the business, which in many circumstances includes millions of users. Data theft could result from having ineffective passwords, unsecured servers, faulty networks, the use of publicly available information, terrible practices like creating fake websites and compromised wifi servers or links. With the internet growing in complexity, so also has the diversification of theft measures. In 2016, Yahoo! revealed that the data of 500 million users had been compromised in a breach that had occurred in 2014).
They claimed that this breach occurred through third-party forging cookies that were once accepted by the company’s users, granting the Russian hackers’ access to their accounts without the use of passwords.
Data privacy protection entails the regulation of the use and dissemination of information. The concept of data privacy is recognized globally. Many states in the international community recognize data privacy as a right. According to the United Nations Conference on Trade and Development (UNCTAD), over 128 countries in the world have set in place data protection and privacy legislation to ensure that their citizens’ data are safe including Nigeria. Being the most populated country in Africa, with industries that are developing to accommodate the rapidly evolving digital world, it is expedient that the data protection laws in Nigeria are detailed enough to protect the information of the country’s people. To this effect, the following legislative framework discussed below exists.
Uniformity in law is the first important step. While Nigeria has several legislative documents that mention data privacy, and the NDPR was enacted also to this effect, the NDPR is inadequate in substance and being. A proper law protecting the right to privacy is required, not a regulation. And its contents should portray adequate definitions to encompass the ever-changing reality we live in. Adequate penalties and remedies for data breach and misuse should be stipulated by the act, and it should cover the data privacy of bodies both real and constructive.
The Data Protection Bill 2020” has been passed into law with the objective of improving upon the NDPR. This Act aims to protect personal data, minimize the harmful effect of personal data misuse and establish a functional regulatory organ and ensure that personal data is protected in a transparent, fair and lawful manner. However, like the NDPR, it does not accord any protection for corporations or institutions which might fall victim to data misuse or theft. Nevertheless, this Bill promises to solve some of the issues raised above. For the uniformity in data protection laws, part 1(a) of the Bill stipulates that it aims to promote a code of practice that ensures the privacy and protection of data subject’s data without unduly undermining the legitimate interests of commercial organizations and government security agencies for such personal data. And as regards the compensation of victims, the Bill makes provision for a court of law to grant orders for the compensation of victims of offenses by convicted persons, an element that is missing in the NDPR among other improvements.
It is also important to educate Users about the importance of their data, their rights under existing laws, and the best ways to ensure they are protected from misuse. This education should also be prioritized in companies. Practicing professionals should be adequately trained on the content of the laws, how to apply them, and the ethics of responsibility. Companies should ensure that systems of checks and balances are in place, as seen in the Uber case stated above. And routine previews are done on their clouds to ensure that the privacy of their information and those of their clients are safe.
A constitutional amendment is required to ensure that data privacy is enshrined in the country’s most essential legislative document. This is the first step in ensuring that the State has made advancements towards prioritizing the protection of personal data. The NDPR could be reviewed to address some of the issues that have hindered its efficient implementation. Efforts should be made to ensure that the document stays up to date with whatever new challenges may arise as the data protection scene expands to accommodate modern reality.
Finally, all these efforts will be useless without sufficient plans for implementation. In the wake of a revised act, the NITDA could award incentives and sanctions for cooperation or the lack thereof to public and private bodies involved. They could also implement a body that ensures that companies are conducting ethical practices with the data they collect from others, and issue guidelines as to the level of cyber protection they should meet in exchange for certifications that improve their goodwill before the country. This way, the motivation to take data protection and privacy more seriously would be encouraged.
NB: This article is not a legal advice, and under no circumstance should you take it as such. All information provided are for general purpose only. For information, please contact chamanlawfirm@gmail.com
WRITTEN BY CHAMAN LAW FIRM TEAM
EMAIL: chamanlawfirm@gmail.com
TEL: 08065553671, 08024230080