What the NDPR gets right about privacy in 2020

Mayowa Adegoke, Esq
Published in DataSeries, Mar 4, 2020

With data collection and privacy having become, in the last few years, the major highlights of consumer protection in digital services, the Nigerian Information Technology Development Agency (NITDA) released a new GDPR-like, privacy-centric law called the Nigerian Data Protection Regulation (NDPR).

Just like the GDPR, this law aims at curtailing the excesses of digital service providers (DSPs) when collecting, using and transferring the personal data of the users of their services. With Nigeria being one of the few countries with the most netizens (i.e. citizens online) and yet having no comprehensive data protection regulation until the NDPR was passed, this law has quite a number of ramifications for how digital businesses are conducted when Nigerian citizens are involved.

More importantly, the law pretty much sums up the views of the NITDA on how online privacy should work in Nigeria.

As intellectuals and millennials who use these digital services daily and have opinions on how our right to online privacy should be framed, let’s examine what the NDPR gets right about how privacy should work in 2020.

1, It is not okay to collect people’s data without their consent

The same way you can’t shave a man’s head in his absence is the same way you should be unable to legally collect people’s data without their consent.

Indeed, Section 2.3 of the NDPR duly provides that digital service providers or their agents can only collect user data where the user gives free, uncoerced consent that is not unduly influenced. The law also makes it possible for users to withdraw their consent at any time, and once they do, it becomes illegal for digital service providers (DSPs) to continue to collect such users’ data.

2, It’s more than just consent. It’s about what is right

Thus, in Section 2.4 of the NDPR, even where a user gives consent freely, where such consent would promote crime or propagate the commission of atrocities against children etc., the law nullifies such consent. As a matter of fact, it is illegal for the DSP to ask for such consent to perpetrate the aforestated acts to start with.

Parties to contracts involving dealings with users’ data are also to scrutinize the firms they work with, to ensure that these firms don’t have track records of violating people’s privacy rights provided under the law.

3, Privacy policies need to be more explicit

Under the NDPR (Section 2.5), every piece of data a company collects from users must be outlined in the company’s privacy policy as part of data the company collects. More importantly, privacy policies must contain not just the fact that data is collected; they must also state why such data is collected and what the data collected is to be used for.

The law further excludes the application of the legal doctrine of ‘statute of limitation’ when a person decides to sue a company for failing to uphold this provision of the law on privacy policies. The implication of the exclusion of this doctrine is that, irrespective of how many years ago the issue of the company failing to comply with Section 2.5 arose, the plaintiff can still sue. Normally, in some court matters, e.g. contracts, if the plaintiff fails to sue within some years, he would be barred for life from instituting a lawsuit on that matter. But for the failure to provide an explicit privacy policy, the law allows an aggrieved person to sue at any time.

4, Companies must treat protection of data they collected from users as a fundamental part, and not an appendage, of the business

Section 2.6 makes this compulsory by using the word ‘shall’: it states that companies involved in dealing with users’ data shall develop the security measures necessary to safeguard the data they collect from users.

In protecting this data, security measures companies are to take include: (i) setting up firewalls (ii) encrypting data, where applicable (iii) authorizing only specific individuals, and not every member of staff of the company, to directly deal with users’ data (iv) protection of email systems (v) developing organizational policy for handling sensitive user data.

5, Companies can’t allow users to opt into giving their data and then shut the door

To put it succinctly, as the law provides in Section 2.8, as users are allowed to opt into giving their data, so must they be allowed to opt-out of giving their data.

6, Treating user data with care is so important now that, as it should be, there are grave sanctions for mistreating such data

Section 2.10 of the NDPR states that where a company mistreats the data of more than 10,000 people, the company would be liable to pay a fine of N10m or 2% of its annual gross (not net) revenue, whichever of both sums is greater. If the company mistreated the data of fewer than 10,000 people, then the fine is N2m or 1% of the company’s annual gross revenue.

7, Just like it has always been for buying & selling, for dealings with data, users (customers) must always be served like kings

Section 3.1 of the NDPR gives users the right to make enquiries about what is going on with their data. The company to which such an enquiry/request is validly made is to supply the user, as soon as possible, with the relevant information in clear and plain language. This service is also to be provided free of charge, except where, for instance, the user’s request is baseless & unduly excessive. In such a case, the company can charge fees for administrative costs incurred.

Where a user enquires and the company can’t respond to such an enquiry within one month, it must explain to the user why it has been unable to respond. It must also simultaneously notify the user of his/her right to complain about its default (i.e. the company’s default) to the relevant supervisory authority.

Conclusion

While there are still some inadequacies & likely unreasonable provisions, it is fair to conclude that the NDPR gets quite a lot right. From the elevation of the importance of the right to privacy to going as far as providing hard-hitting sanctions for breach of this right, the NDPR is a step in the right direction.

It should be noted still that this doesn’t in any way indicate that we have gotten to the final bus stop in the protection of privacy in Africa’s most populous nation.

Thus, even as the NDPR is a law that takes many steps forward and visibly very few steps backwards, there is still a lot of work to do. Stakeholders need to roll up their sleeves and continue to push forward till we get a digital space that guarantees not just entertainment & ‘seamlessness’ of transacting but also guarantees that all we do while we use these online services would, as it should be, remain secured, consensual and private.

Mayowa Samuel Adegoke is a lawyer and chartered mediator with strong interests in technology, tech law, and revolutionary advancements generally. He can be reached via email at mayowamsa@gmail.com.
