Navigating Data Privacy Laws In The Era Of Evolving Technology: Issues And Implications -By Oyetola Muyiwa Atoyebi & Anthony Akejelu

INTRODUCTION:

In Nigeria, the intersection of data privacy laws and rapidly evolving technology has given rise to a complex legal landscape. This dynamic interplay presents multifaceted challenges and opportunities for individuals, businesses, and the legal system. This delves into the intricate realm of navigating data privacy laws within this context, with a focus on issues and their consequential implications.

As technology continues to reshape how data is collected, processed, and shared, legal frameworks must adapt to safeguard individuals’ rights and privacy. Various issues have played a pivotal role in shaping the interpretation and enforcement of data protection regulations in Nigeria. Analyzing these issues provides insights into the legal precedents established, offering guidance on compliance for organizations and individuals alike.

This exploration underscores the significance of understanding data privacy regulations in the Nigerian context and also emphasizes the role of the legal framework in shaping the contours of data privacy and protection in an era of technological evolution[1].

LEGAL FRAMEWORK FOR DATA PROTECTION REGULATIONS IN NIGERIA

The Governing Board of the National Information Technology Development Agency (NITDA) functions as the highest authority for overseeing various aspects of information technology development in Nigeria. This includes data privacy and protection regulations. It is worth noting that NITDA holds a significant role in this domain; however, its authority is not absolute.

As the Agency of the Federal Government, saddled with the responsibility of developing and regulating Information Technology in Nigeria, the National Information Technology Development Agency is empowered by its enabling Act[2] to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria by developing standards, guidelines and regulations for that purpose. This piece of legislation provides for the establishment of the National Information Technology Development Agency (NITDA) to address the breadth of its mandates.

It’s worth emphasizing that the regulations outlined by NITDA do not negate or infringe upon the existing rights of individuals, particularly Nigerian citizens. These rights remain intact under any other applicable laws, regulations, policies, or contractual agreements. Some of them are:

1. NIGERIA DATA PROTECTION ACT, 2023

President Bola Ahmed Tinubu on June 12, 2023, signed the Nigeria Data Protection Act (NDPA) 2023 into law, making it the first Data Protection Act in Nigeria. Prior to the enactment of the Act, the Nigeria Data Protection Regulations (NDPR) 2019, was the only piece of legislation dedicated to data privacy and protection in Nigeria. At a time when there have been calls by stakeholders for proper legislation as opposed to the NDPR which is most viewed as a mere regulation, the enactment of the NDPA appears to be a step in the right direction.

The objective of the Act is to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999[3], an objective wider than what obtains under the NDPR.

Application of The Act: 

The provisions of the Act apply to the processing of personal data, whether by automated means or not[4].  Also, the Act governs the processing of data where the data controller or data processor is domiciled in, resident in, or operating in Nigeria; the processing of personal data occurs within Nigeria; or the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria.[5]

The scope of application of the Act is more comprehensive than what obtains under the NDPR which limits its application to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

However, where the processing of data is solely for personal or household purposes, the provisions of the Act shall not apply[6]. Other exemptions/limitations of the scope of application of the Act bothering on public interest grounds are also contained in the Act.[7]

2.1999 CONSTITUTION OF NIGERIA

In many jurisdictions, including Nigeria, the framework for data privacy and protection derives from the core legal document of the country, which is the Constitution of the Federal Republic of Nigeria 1999, with subsequent amendments (“the Constitution”). Within this framework, the Constitution[8]plays a pivotal role in safeguarding the privacy rights of citizens, encompassing not only their privacy but also the confidentiality of their residences, communications, telephone discussions, and telegraphic exchanges. Consequently, the concepts of data privacy and data protection are natural extensions of the broader constitutional right to privacy granted to every Nigerian citizen.

3.CHILD RIGHTS ACT, 2003

In 2003, Nigeria enacted the Child Rights Act (CRA) with the aim of adapting the principles outlined in the United Nations Convention on the Rights of the Child into domestic law. The CRA is designed to ensure that children’s civil, economic, political, social, health, and cultural rights are protected. This act is intended to safeguard the rights of Nigerian children, legally defined as individuals below 18 years of age.

One noteworthy provision of the CRA is found in Part II, where the contents of Chapter IV of the Constitution are incorporated by reference. Chapter IV of the Constitution outlines the fundamental rights granted to citizens.

Furthermore, the CRA[9] delves into the rights of a child concerning their private and family life. It explicitly asserts that a child possesses the entitlement to privacy, family life, home, the confidentiality of correspondence, telephone conversations, and telegraphic communication.

4.CYBERCRIMES (PROHIBITION, PREVENTION ETC) ACT 2015 (CPPA)

The primary objective of the Cybercrimes Prevention and Prohibition Act (CPPA) is to create a structured system for preventing, detecting, prosecuting, and penalizing cybercrimes within Nigeria. It establishes guidelines that mandate mobile networks, computer companies, and communication service providers to maintain and store subscriber data for a duration of two years. Notably, this act emphasizes the importance of respecting an individual’s constitutional right to privacy and mandates service providers to actively ensure the security and confidentiality of processed data.

ISSUES WITH DATA PRIVACY IN NIGERIA

1. Rapid Technological Advancements Outpacing Legislation:One significant challenge is that technology is evolving at a pace that often outstrips the ability of lawmakers to create comprehensive data privacy regulations. As new technologies like artificial intelligence, biometrics, and IoT devices emerge, there might be a lag in updating existing laws or creating new ones that address their unique privacy implications.
2. 2. Global Discrepancies in Data Privacy Laws: Data is often transmitted across borders due to the global nature of technology companies and online services. However, different countries have varying approaches to data privacy, leading to conflicts and confusion for businesses and individuals operating across jurisdictions. Navigating these discrepancies and ensuring compliance with multiple regulatory frameworks can be complex.
3. User Consent and Control: The issue of obtaining informed and meaningful user consent becomes more intricate as technology evolves. With the rise of complex data processing systems, ensuring that individuals understand how their data will be used and giving them meaningful control over their data can be challenging. Balancing user convenience with data protection becomes crucial[10].
4. Emergence of New Data Types: As technology evolves, new forms of data are being generated and collected, such as biometric data, behavioural patterns, and AI-generated insights. The legal definitions and protections for these data types might not be well-established, leading to uncertainties about how they should be regulated and safeguarded.

RECOMMENDATIONS:

1. Stay Informed and Updated: Given the evolving nature of data privacy laws, individuals and organizations must stay informed about the latest changes and developments. Regularly monitor official government sources, legal publications, and industry updates to ensure compliance with the most recent regulations.
2. Prioritize Consent and Transparency:Acquire explicit permission from individuals prior to gathering their personal information, and furnish them with straightforward and easily comprehensible details regarding the intended utilization of their data.Transparency builds trust and is a fundamental aspect of complying with data privacy laws.

CONCLUSION

In an era of rapidly evolving technology, data privacy has become a critical concern for individuals, businesses, and governments alike. The article has delved into the complexities surrounding data privacy laws and their implications as well as highlighted the challenges posed by advancements in technology.

As technology continues to advance, so will the intricacies of data privacy laws. Navigating this landscape requires a proactive approach that prioritizes not only legal compliance but also the ethical treatment of personal data. By staying informed, implementing robust data governance practices, respecting consent and transparency, and fostering a culture of privacy, organizations can navigate the intricate web of data privacy laws successfully.

SNIPPET: The National Information Technology Development Agency is empowered by its enabling Act to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria by developing standards, guidelines and regulations for that purpose.

KEYWORDS:Data Privacy,Data Protection, Pseudonymization

AUTHOR: Oyetola Muyiwa Atoyebi, SAN FCIArb. (U.K)

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm).

Mr. Atoyebi has expertise in and vast knowledge of Technology Law and Practice and this has seen him advise and represent his vast clientele in a myriad of high-level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: Anthony Akejelu

Anthonyis a member of the Dispute Resolution Team at OMAPLEX Law Firm. He also holds commendable legal expertise in Technology Law.

He can be reached at anthony.akejelu@omaplex.com.ng

[1] Fang, Z. 2002, E-Government in Digital Era: Concept, Practice and Development. International Journal of the Computer Vol. 10(2), pp1-22.

[2]NITDA Act 2007 Edition 1

[3] The Nigeria Data Protection Regulation 2019: Implementation Framework, 2020 was also released in 2020 to amplify the NDPR

[4] Section 1 NDPA 2023

[5] Section 2(1) NDPA 2023

[6] Section 3(1) NDPA 2023

[7] Section 3(2) NDPA 2023

[8] Section 37 CFRN 1999 as amended

[9] Section 8 Child Rights Act

[10] U.V. Obi: Data Privacy and Data Protection Law in Nigeria Accessible at <https://www.mondaq.com/nigeria/privacy-protection/1183140/data-privacy-and-data-protection-law-in-nigeria>

Last accessed on 12^th August, 2023.