1.0 INTRODUCTION
Nigeria is dealing with a slew of internal security issues, including recurring deadly attacks on villages, kidnappings, robbery, and banditry activities. Following the launch of its biometric verification system, the northeastern Nigerian state of Gombe claims to have detected 668 ghost workers.1 Obtaining the NIN will strengthen Nigeria’s security apparatus because it will be easier to identify and know the personalities of Nigerians, aiding the identification of crooks and lowering the country’s crime rate.2 However, on the other hand, many citizens are concerned about their privacy because mandatory SIM card registration may undermine their ability to communicate anonymously and associate with others, infringing on their rights to privacy, freedom of association, and freedom of expression.
One then wonders which is the lesser evil: data privacy breaches or insecurity augmentation? On this note, it is important to ask the question that because NIN–sim integration violates data privacy rights to apprehend perpetrators, in the first instance, is data privacy right cognizable and duly perceived in Nigerian law? It is also of further importance to consider whether as NIN–sim integration violates data privacy rights to apprehend perpetrators, is NIN–sim integration justiciable in the sense that data privacy right is subsumed under the right to privacy? Thus, this paper considers, respectively, the cognizability and justiciability of NIN-SIM-integration in the age of increased insecurity in Nigeria.
2.0.THE COGNIZABILITY OF NIN–SIM INTEGRATION: AS NIN–SIM INTEGRATION VIOLATES DATA PRIVACY RIGHTS TO APPREHEND INSECURITY PERPETRATORS, IS DATA PRIVACY RIGHT COGNIZABLE AND DULY PERCEIVED IN NIGERIAN LAW?
In 2019, the NITDA commendably issued the Nigeria Data Protection Regulations (NDPR), which specifically address data privacy and protection in Nigeria.3 Aside from the NDPR, other laws in Nigeria deal with data protection. Section 37 of Nigeria’s 1999 constitution serves as the basis for data privacy rights and protection in the country as it guarantees Nigerians’ right to privacy in their homes, correspondence, phone conversations, and telegraphic communications. In this regard, it considers privacy to be a fundamental right that is enforceable in a court of law when violated.
Commentators, however, have described Article 37 as “probably one of the most under–researched, under–litigated, and under–developed rights in the Nigerian Constitution.” 4 Despite the explicit guarantee of privacy in the Constitution, there is no encompassing legislation in Nigeria devoted to the protection of personal information. The majority of data protection rules are made up of discrete provisions found in agency–specific laws (for example, Section 26 of the National Identity Management Commission Act 2007 requires the Commission’s approval before a corporate body or anyone else has access to data stored in their database) as well as industry–specific regulations.5
While there also exists the NCC Consumer Code of Practice Regulation 2007, NCC Registration of Telephone Subscribers Regulation 2011, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, the Consumer Protection Framework 2016, the National Health Act (NHA) 2014, and the Federal Competition and Consumer Protection Act 2019, Nigeria lacks overarching data protection legislation, and no agency has been charged with overseeing the country’s overall data protection regime.6 According to best practices, an effective data protection regime is dependent on comprehensive data protection legislation as well as the presence of a well–resourced and independent authority to ensure consistent application of rules and accountability of organizations that process personal data. The safeguards provided by agencies such as the National Identity Management Commission, the Nigerian Communications Commission, and the Central Bank of Nigeria for personal information (such as individuals’ names, medical information, and biometric data) vary according to the specific laws or regulations governing each agency’s data processing
and frequently fall short of international best practices.
The National Identity Management Commission (“NIMC”) is central to Nigeria’s identity regime. The NIMC is tasked with creating a National Identity Database and issuing identity cards under the law that established the agency (the “NIMC Act”). As a safeguard, the NIMC Act prohibits third–party access to the information stored in the database unless both the NIMC and the person whose information is sought consent. Unlawful access is punishable by ten years in prison without the option of a fine.7 Despite this general prohibition, the NIMC is permitted to provide personal information to “another person” (a term not defined in the legislation) when disseminating it in the interests of national security, when disclosure is necessary for purposes related to crime prevention or detection, or when disclosure is for purposes “strictly necessary in the public interest” as specified under an exemption.8 The legislation contains several troubling provisions.
First, while the NIMC Act prohibits unauthorized access, it does not specify the NIMC’s responsibility to implement security safeguards. Second, there is no mechanism in the Act for holding the NIMC accountable for its protection of individuals’ personal information—for example, if the NIMC unlawfully releases an individual’s information, there is no way for that individual to complain or seek redress.9 Furthermore, the Act is silent on subcontractor regulation and the restriction of cross–border data transfers. The lack of a robust data protection mechanism can expose citizens to significant risks, particularly when foreign contractors are used, as demonstrated by the national identity card scheme’s turbulent history.10
Since a national identity card scheme was first proposed in Nigeria in 1976, several failed attempts have been made. The previous attempt, which occurred between 2001 and 2006, ended in a corruption scandal in which the technology subcontractor, SAGEM (a French company), was terminated for breach of contract and bribery of Nigerian officials. SAGEM had collected the personal information of 35 million Nigerians at the time of its termination. Due to SAGEM’s status as a foreign company, the Nigerian government was unable to exert meaningful control over its conduct following project termination. The current national identity card project is a new initiative that involves redoing all of SAGEM’s data collection. The NIMC, like its predecessors, relies on subcontractors, including foreign companies, most notably MasterCard. While MasterCard has stated that its involvement in the identity card scheme will be limited to supporting the card’s payment function and will not store biometric data, given the lack of comprehensive data protection legislation, concerns about the protection of Nigerians’ personal information remain. 11
2.1.CONCLUSION AND RECOMMENDATIONS
In September 2017, the government announced that all existing identity databases would be fully harmonized within 14 months, beginning with the BVN database, the NCC database (discussed below), and the Federal Road Safety Commission database.12 Although data harmonization has the admirable goal of reducing fiscal waste and eliminating duplicate registrations, it can also raise data protection concerns, exacerbating the lack of legal and institutional safeguards to ensure data protection principles are followed. When previously separate databases are merged into the NIMC database, the amount of personal information at stake grows, as does the number of people who can access it. This raises the possibility of abuse and the use of data in ways that were never intended when it was collected. The NIMC Act and NIMC’s internal privacy policy, as they currently stand, do not include the necessary safeguards to protect the data and infrastructure’s integrity and security. As a result, as part of the harmonization program, the government must strengthen data protection measures surrounding the NIMC database.13 If data privacy rights are better perceived and cognizable, the infringement of data privacy rights to apprehend insecurity perpetrators (the practice of NIN–sim integration itself) can be sufficiently balanced. This alleviates the decision of choosing the lesser evil.
3.0.THE JUSTICIABILITY OF NIN–SIM INTEGRATION: AS NIN–SIM INTEGRATION VIOLATES DATA PRIVACY RIGHTS TO APPREHEND INSECURITY PERPETRATORS, IS DATA PRIVACY RIGHT SUBSUMED UNDER RIGHT TO PRIVACY TO MAKE IT ENFORCEABLE UNDER CHAPTER IV OF THE CONSTITUTION?
Section 37 of the Federal Republic of Nigeria’s 1999 Constitution (as amended) guarantees and protects the right to privacy of all citizens. A data subject, on the other hand, cannot make a claim under this section. This is due to the fact that, first, the right to privacy does not extend to data privacy protection and, second, that the privacy standards established by the Constitution cannot be measured by the NDPR standards. Given the premise that the right to privacy does not extend to data privacy protection, courts have stated, in applying the literal rule, that words should be given their ordinary meanings when such meanings are obvious.14 The constitution guarantees and protects “the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.” The ordinary meaning of the constitution’s wordings demonstrates that the list of what is protected is exhaustive. It emphasizes the specific items protected by the section, and the right to privacy does not include data privacy protection.
On the premise that the privacy standards established by the Constitution cannot be measured by the NDPR standards, it is also tenable to assert that the right to privacy does not extend to data privacy as contemplated under the NDPR Act. This position is backed up by the case of the Incorporated Trustees of Laws and Rights Awareness Initiative and The National Identity Management Commission (RAI vs. NIMC).15 It was held in that case that a breach of data subject’s right under the NDPR is not necessarily a breach of the right to privacy under the Constitution so that a claim for interpretation of the provisions of the NDPR is not a fundamental rights action falling within the purview of the FREP Rules. The reasoning in RAI vs. NIMC is persuasive because, while some data subject rights under the NDPR may be similar to the right to privacy under the Constitution, this should not elevate data subject rights under the NDPR to the status of rights specifically cognizable under the Constitution in order to justify their enforcement under the FREP Rules or as human rights.16
Additionally, the NDPR derives its legitimacy from the NITDA Act and not the Constitution. Section 3.2.2 of the NDPR states that a breach of the provisions of the NDPR is to be construed as a breach of the NITDA Act. The case of Virgin Nigeria Airways Ltd v. Roijien17 also reiterated this principle. Therefore, to the extent that the language used in Section 3.2.2 of the NDPR is clear, it should be given its ordinary grammatical meaning.
Furthermore, as provided by law, a breach of the NITDA Act may only be remedied or sanctioned in accordance with its provisions, and Section 18 thereof provides that a breach of the NITDA Act by a body corporate or person, upon conviction, would attract a fine of N200,000 or imprisonment for a term of one year, or both, for the first offense; and for a second or subsequent offense, the breach would attract a fine of N200,000 or imprisonment for a term of one year It is also worth noting that Section 2.10 of the NDPR specifies specialized penalties for violations of any data subject’s data privacy rights, i.e., payment of a fine of 2% of the preceding year’s annual gross revenue or payment of N10,000,000, whichever is greater, in the case of a data controller dealing with more than 10,000 data subjects; and payment of a fine of 1% of the preceding year’s annual gross revenue or payment of N10,000,000, in the case of a data controller dealing with less than 10,000 data subjects.
It is unlikely that the sanctions prescribed by Section 18 of the NITDA Act and Section 2.10 of the NDPR can be imposed or enforced against a defendant in proceedings initiated using the FREP Rules. This is because, in general, the proceedings envisioned under the NITDA Act and the NDPR are criminal or quasi–criminal, while proceedings for the enforcement of fundamental human rights are purely civil, and in civil proceedings, there can hardly be any basis for a court to impose criminal sanctions on any of the parties. Thus, the right to privacy does not extend to the data protection provided for under the NDPR Act.
3.1.CONCLUSION AND RECOMMENDATIONS
Existing case law also asserts that the right to privacy includes the right to data protection. This was seen in the case of CPC v. INEC and ORS.18 A similar decision was made by the court in the case of Godfrey Nya Eneye v MTN Nigeria Communication Ltd, 19 in which the plaintiff, a lawyer, claimed that MTN disclosed his mobile phone number to unknown third parties who sent unsolicited text messages to him, infringing on his right to privacy. Additionally, the Ogun state high court in Incorporated Trustees of Digital Rights Lawyers Initiative and L.T Solutions & Multimedia Limited (DRLI VS LTSM)20 confirmed the view that data privacy is an aspect of the right to privacy.
In applying the literal rule, the courts have also stated that words should be given their ordinary meanings when such meanings are obvious. The protection of citizens’ “privacy” is enshrined in the Constitution. Personal data is defined in Section 1.3(xix) of the NDPR as “certain personal information and bank details of an identified or identifiable natural person.” It has the potential to reveal personal information about individuals and, as such, is an infringement of privacy by definition.
Furthermore, human rights laws should be liberally interpreted in order to protect human rights. It may therefore not be far–fetched to assert that the right to personal data protection is included in the right to privacy. Where data privacy rights are justiciable, the infringement of data privacy rights to apprehend insecurity perpetrators can bring about a sufficient balance, as data privacy rights would be enforceable under the constitution.
Footnotes:
1 Ayang Macdonald. ‘Nigerian President Says Digital ID Project Will Help Curb Insecurity (Www.biometricupdate.com, 10 May 2021) www.biometricupdate.com/202105/nigerian–president–says digital–id–project–will–help–curb–insecurity. Accessed 30 June 2021.
2 ibid.
3 Francis Oluluo “Data Privacy and Protection under the Nigerian Law – Privacy – Nigeria” (www.mondaq.com 19 February 2020) https://www.mondaq.com/nigeria/privacy–protection/895320/data–privacy–and protection–under–the nigerianlaw=The%20Nigeria%20Data%20Protection%20Regulation%20(NDPR)%20201912 text=The%20regulation%20was%20issued%20by
4 “Submitted by Paradigm Initiative and Privacy International Stakeholder Report Universal Periodic Review 31st Session –Nigeria the Right to Privacy in Nigeria” ( 2018).
5 Ibid.
6 “An Extensive Article on Data Privacy and Data Protection Law in Nigeria” (International Network of Privacy Law Professionals) https://inplp.com/latest–news/article/an–extensive–article–on–data–privacy–and–data–protection–law–in–nigeria/accessed June 30, 2021
7 Supra (n 4).
8 Ibid.
9 Adegoke A, “DIGITAL RIGHTS and PRIVACY in NIGERIA” (The Paradigm Initiative July 2020)
https://ng.boell.org/sites/default/files/2020–08/Digital%20Rights%20and%20Privacy%20in%20Nigeria_0.pdf
10 Ibid.
11 Adegoke A, “DIGITAL RIGHTS and PRIVACY in NIGERIA” (The Paradigm Initiative July 2020) https://ng.boell.org/sites/default/files/2020–08/Digital%20Rights%20and%20Privacy%20in%20Nigeria_0.pdf
12 “Nigerian Government Moves to Harmonise Data from NCC, FRSC, CBN – ITEdgeNews.ng” (September 24, 2017) https://itedgenews.ng/2017/09/24/nigerian–government–moves–harmonise–data–ncc–frsccbn/ accessed June 30, 2021
13. Supra (n 4).
14 Olalomi Industries Ltd. v NIDB Ltd. [2009] LPELR– 2564(SC); Aqua Ltd v Ondo State Sport Council [1988] 4 NWLR [Pt. 91] 622; Fawehinmi v I.G.P. [2000] 7 NWLR [Pt. 665) 481; Awolowo v Shagari (1979) 6–9 SC 51; Alamieseigha v FRN [2006] 16 NWLR [Pt. 1004].
15 Suit No. FHC/AB/CS/79/2020 (Unreported)
16 Templars, “Enforcing Data Subjects Rights Under Nigeria’s Data Protection Regulation: The Wrong Way (And The Right Way).
17. Virgin Nigeria Airways Ltd v. Roijien [2013]LPELR–22044(CA)
18 CPC v. INEC and ORS. [2011] JELR 47447 (SC)
19. Godfrey Nya Eneye v MTN Nigeria Communication Ltd[2018]LPELR–46193(CA).
20 Suit No. AB/83/2020 (Unreported)
0 Comments