The president’s refusal to assent to the Digital Rights and Freedom Bill is worrisome, writes Tope Akinyode

In the era before the advent of sophisticated technology, collating information required distributing plenty of paper questionnaires for feedback. Through that means, people had considerable control over what information to disclose and what not to. That era has gone for good. Right now, the mechanics of new technologies such as spyware, cookies, web bugs, malware, phishing, etc., have opened up the internet space in such a way that sensitive information of the people who surf the net may be collated with neither their knowledge nor consent.

The world’s growing dependence on the internet of things, and on the digital space as a whole, comes with a serious threat of privacy intrusion under very minimal regulation or no regulation at all. The ease of collating and processing personal data mirrors the difficulty of finding effective legal measures to protect privacy.

With a host of companies, America’s Netflix being a case in point, using data to drive success, no one doubts any longer that data is golden. But as valuable as it is, ineffective protective measures may occasion scandal, job losses, loss of goodwill, mischief, fraud and many other hazards. Therefore, technological architectures must adopt specific standards to safeguard personal information.

Broadly, there are two ways to solve the problem: first, harmonized data legislation; and second, the incorporation of minimum security measures into digital architectures.

All Nigerians have a right to privacy, as enshrined under Section 37 of the 1999 Constitution. Apart from the constitution, there are industry-specific regulations on privacy rights. The Nigerian Communications Commission Consumer Code of Practice Regulations, 2007 mandates all telecommunications service providers to protect consumers’ data against accidental disclosure.

There is something fascinating about this “accidental disclosure”. Ordinarily, accidental disclosure is a form of negligence under the Law of Tort, and the position of the law is that unless negligence has directly occasioned harm, it is not actionable in a court of law. This is the principle of causation, which has formed the reasoning of the courts in many cases such as Nigeria Airways Ltd. V. Abe (1988) 4 NWLR (PT. 90) 524; Anyah V. Imo Concorde Hotels Ltd. (2002) 18 NWLR (PT. 799) 377; and Universal Trust Bank of Nigeria V. Fidelia Ozoemena (2007) 3 NWLR (PT. 1022) 448; (2007) 1-2 SC (PT. 11) 211. However, under the NCC regulations, “accidental disclosure” is an industry-specific breach that can be sanctioned, even where it causes no harm, through the 2005 Nigerian Communications Regulations (Enforcement Processes, etc.).

Another notable regulation is the Central Bank of Nigeria’s Consumer Protection Framework of 2016. The framework compels banks to organize training for members of staff on data protection. We must indeed admit that there is a technical side to digital operations. For example, no one is born with knowledge of cloud computing. So, the various data regulations must cohere to compel data controllers to update their knowledge in line with technological trends.

A number of statutes touch on privacy rights, including the Child Rights Act, 2003, the Freedom of Information Act No. 4 of 2011, the Cybercrimes Act, 2015 and some others, but none bears as much direct significance for protecting privacy in the digital space as the National Information Technology Development Agency Regulations.

The National Information Technology Development Agency (NITDA) is empowered by law to regulate electronic governance and to monitor the use of electronic data interchange in Nigeria. In January 2019, the NITDA issued a guideline for data protection founded on eight principles which resemble international norms. Under the regulation, organizations must employ data security officers to ensure internal compliance with its provisions. It further compels organizations to develop and publish a data privacy policy statement in line with the eight principles of the guidelines.

On 20th March 2019, Nigeria’s president declined assent to the Digital Rights and Freedom Bill. From a fundamental standpoint, the laws which govern data protection in Nigeria are dispersed and mostly industry-specific. Also, the NITDA regulation, which is Nigeria’s most comprehensive data regulation, is a delegated legislation. A delegated legislation derives its authority from a superior or parent enabling statute; it cannot give powers that its parent statute does not give. See Psychiatric Hospital Management Board V. Ejitagha (2000) 11 NWLR (PT. 677) 154; (2000) 6 S.C (PT. II) 1; (2000) LPELR-2930(SC). Nigeria needs harmonized stand-alone data legislation, and the president’s refusal to assent to the bill is worrisome.

Furthermore, privacy-sensitive principles should be incorporated into the digital space, while non-compliance should be criminalized. Cookies and other intercepting technologies should be user-friendly and enable data privacy options. The wording of the anticipated harmonized legislation should not be permissive like the existing regulations. It should compel a uniform standard of anti-virus software, back-up procedures, and physical measures like the installation of burglar or fire alarms for all offices where data are stored.

Technology offers opportunities and risks both at once. Citizen privacy in the digital age is possible in Nigeria if proactive laws are implemented. We need to keep in mind that data privacy is not a privilege but a full-fledged right.

Akinyode is a Lagos-based legal practitioner