WEDNESDAY EDITORIAL
Data breaches should be criminalised
In recent years, many Nigerians have turned to online lenders and other “soft loan” companies for assistance. While these loans are easy to secure, they come with very stiff interest rates and stringent terms and conditions that desperate borrowers never pay attention to. The bitter part therefore comes when there is a default in repayment. This is when the online lenders use criminal and unauthorised methods to compel the borrower to pay. They not only name and shame but also deploy the services of thugs. One of their common tactics involves hacking into debtors’ phone contacts and then texting or calling those friends, families, and business associates with threatening messages.
We consider this to be an abuse of personal data, a breach of privacy, and a betrayal of trust. More disturbing is that data breaches are becoming rampant as a growing number of private companies use the personal information of Nigerians for marketing or other reasons unrelated to those for which it was originally obtained. This is obviously a violation of the fundamental human rights of such individuals. In recognition of this offence, the United Nations, in a resolution adopted by the General Assembly on 18 December 2013, titled ‘The right to privacy in the digital age’, called on member States to institute laws to put an end to illegal data collection and abuse of individual privacy.
According to the UN, unlawful or arbitrary collection (and misuse) of personal data are highly intrusive acts that violate the rights to privacy and freedom of expression and may contradict the tenets of a democratic society. It therefore calls on all countries to respect and protect the right to privacy, including in the context of digital communication; take measures to put an end to violations of those rights and create the conditions to prevent such violations. Such recommended measures include ensuring that relevant national legislation complies with their obligations under international human rights law and enacting appropriate legislation regarding the surveillance of communications, their interception and the collection of personal data.
Earlier this year, the Nigeria Data Protection Bureau (NDPB) announced that it was investigating two frontline banks in connection with alleged “unlawful disclosure of banking records to a third party, unlawful access, and processing of personal data.” At about the same period, the Bureau said it was investigating 110 companies for what it called “data breach”, stating that these firms included online lending companies, banks, telecom companies, and gaming companies. We do not know what has happened to that investigation, but this is now a challenge we must tackle.
Ordinarily, Nigeria is expected to have a law to criminalise the unwholesome activities of data intruders. Last month, President Muhammadu Buhari sent the Nigeria Data Protection B ill, 2023 to the National Assembly for consideration and passage. The Senate passed the bill this month and it is expected to have speedy consideration by the House of Representatives and signed by President Buhari before May 29. The bill provides a legal framework for the protection of personal information, to fulfill the fundamental rights and freedom of individuals guaranteed in the 1999 Nigerian Constitution.
The enforcer of the proposed law is the Nigeria Data Protection Commission with “powers to make compliance and enforcement orders against data controllers or processors in the event of the violation of the provisions of the bill or related subsidiary legislation.” Failure to comply with the orders of the commission is punishable by a fine and or imprisonment. While the Minister of Digital Economy, Isa Pantami, may be seeking to exploit the legislation for power mongering as being speculated by industry experts, there is an urgent need for a regime of data protection in Nigeria.
