Victoria Bassey
There have been various fruitless attempts by National and International stakeholders and the National Assembly to create a solid home in the form of an Act for the concept of Data protection in Nigeria. Though homeless, Nigerians are not completely hopeless as many existing laws like The Cybercrimes (Prohibition, Prevention, etc.) Act 2015, the Child Rights Act 2003, the Freedom of Information Act 2011 touch on Data protection. Case laws on the subject matter also abound. On another hand, The Nigeria Data Protection Regulation 2019, a subsidiary legislation commendably released by the National Information Technology Development Agency specifically addresses Data Protection issues in the country.
The purpose of this discourse, however is the constitutional basis of Data protection in Nigeria. The constitution of the federal Republic of Nigeria 1999 is the grandmom, meaning all laws in the country are subject to it and must never go contrary to its provisions. Firstly, what provisions in the constitution enable us have a framework for data protection? Understanding the constitutional underpinnings help us understand the ‘why’ of data protection.
Data protection is not just about protecting data. It is about protecting the quality of life. It is about protecting dignity, privacy, freedom and much more. It is protecting human beings from corporate entities because without data protection, it becomes easy for corporations to treat humans like indispensable objects, commodities, liabilities and assets.
1 RIGHT TO LIFE – SECTION – 33
This section provides that “every person has a right to life, and no one shall be deprived intentionally of his life”. The right to data protection is an intrinsic part of the right to life. It was in 1890 that American lawyers, Samuel warren and Louis Brandeis wrote in the Harvard Law Review that the scope of the right to life has broadened and has come to also mean the right to enjoy life and the right to be left alone . The unlawful publication of an individual’s sensitive data can be devastating and lead to reputation damage which disrupts one’s full enjoyment of life. Also, If the medical records of a critical patient get deleted in a data breach, it could have a serious knockoff effect on their medical treatment and ultimately their life.
2. RIGHT TO DIGNITY OF HUMAN PERSONS – SECTION 34
This section provides that “every individual is entitled to respect for the dignity of his person.” Human dignity is fundamental to the core of data protection. No physical harm follows the violation of an individual’s data but an injury to their dignity occurs. When an individual is shamed online by money lenders, he suffers injury to his dignity. When false data is used to defame an individual, what follows is injury to dignity.
Torture And Labor Exploitation
Some of the practices that violate human dignity include torture and labor exploitation. Sec 34 (1) (a) (b) (c) of the Constitution provides that no person shall be subjected to torture or to inhuman or degrading treatment; no person shall be held in slavery; and no person shall be required to perform forced or compulsory labour.
A lot of the data practices we face nowadays could amount to psychological torture or cruel, inhuman and degrading treatment. Sometimes, personal data is leaked and then used in the most dehumanizing manners of defamation and extortion.
In the sense of labour exploitation, Individuals create a digital footprint through their consistent use of the internet. This information includes their social media posts, emails sent, websites visited, online purchases etc. This data is invaluable to companies and they exploit it for free. They use it to target people who are likely to buy their products or use their service. An individual’s digital footprints doesn’t come from thin air. It is a result of their use of and time on the internet. A digital footprint is created with time and effort which can be viewed as labour. When this data is exploited, A few individuals end up with millions while those from whom the information is gotten end up with nothing. They are instead bombarded with targeted ads or lose out of an employment opportunity.
The Principle Of Autonomy And Consent
When German courts developed the notion of ‘informational self-determination’, it was conceived as related to dignity . The concept of informational self-determination refers to every individual’s right and opportunity to determine which information about him- or herself is disclosed to others and for what purposes such information may be used. This can be related to Consent. Data protection rules set a high standard for consent. It means giving people genuine choice and control over how one uses their data.
3. RIGHT TO FAIR HEARING – SECTION 36
The Right to lodge a complaint with a supervisory authority is recognized in Data Protection Laws. If you think your data protection rights have been breached, you have an option to file an action directly in court against the company involved because Sec 36 of the Nigerian constitution provides the Right to Fair Hearing. It provides that In the determination of one’s civil rights and obligations, including any question or determination by or against any government or authority, a person shall be entitled to a fair hearing within a reasonable time by a court or other tribunal established by law and constituted in such manner as to secure its independence and impartiality.
4. RIGHT TO PRIVATE AND FAMILY LIFE – SECTION 37
Section 37 forms the foundation of Data Protection in Nigeria. It guarantees the privacy of Nigerian citizens, their homes, correspondence, telephone conversations and telegraphic communications. Data protection appears to be an offspring of the right to privacy. It is inextricably linked to privacy and it will be difficult to assess its notion and purpose without falling back to privacy.
In 1997, the European Court of Human Rights said that “the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life” .
Right To Be Forgotten/Erasure
The right to be forgotten is the right to have private information about a person be removed from Internet searches and other directories under some circumstances.
In May 2014, the “right to be forgotten” was first established in the European Union as the result of a ruling by the European Court of Justice in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos [es], Mario Costeja Gonzalez . Although the Court did not explicitly grant the right, it depended its locus classicus decision instead on the individual’s rights deriving from Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
The right to privacy also prevents the Government from spying on the data and communications of its citizens unless absolutely necessary and lawful. It prevents companies from taking personal data without informed consent of the individual and using it for their own goals. It enables people engage freely in politics as they are allowed to cast their vote confidentially.
5. RIGHT TO FREEDOM OF THOUGHT, CONSCIENCE AND RELIGION – SECTION 38
Section 38 provides that every person shall be entitled to freedom of thought, conscience and religion, including freedom to change his belief, and freedom (either alone or in community with others, and in public or in private) to manifest and propagate his religion or belief in worship, teaching, practice and observance.
The freedom to think for ourselves cannot be taken for granted as it is the foundation to democracy and the key to what makes us human. In relating the freedom of thought to the right of data protection, three key elements cannot be ignored .
- The right to keep our thoughts and opinions private: What we think and how we think have become major commodities of sale in the data economy. Our metadata; the pictures we hover over, the time we spend on an app, the regularity of our daily habits allow companies makes inferences about our thoughts, whether they are accurate or not. In 2021, Reset Australia revealed that facebook was offering targeted advertising based on children’s propensity for gambling, interest in extreme weight loss and other vulnerabilities. Trying to understand what makes people tick is something we do every day in our social interactions but where do we draw the line between what we choose to reveal about ourselves and what is being unlawfully inferred about our thoughts?
- The right not to have our thoughts and opinions manipulated: Data analysis that infer our thoughts are valuable. When the Cambridge analytica scandal hit in 2018, it became apparent that behavioural targerted advertising techniques were being developed to influence minds. A small tweak of one’s social media feed can potentially impact one’s mental state. Information we receive which are filtered through an algorithm can weaken, enrage, and affect how we feel about something.
- The right not to be penalized for our thoughts and opinions.
6. FREEDOM OF EXPRESSION – SECTION 39
The constitution provides that every person shall be entitled to freedom of expression, including freedom to hold opinions and to receive and impart ideas and information without interference. This includes a general right of access to information held by public bodies.
The Right to be Informed and The Right of Access are examples of Data protection rights. It the right to request and receive confirmation of whether an organization hold your personal data.
- RIGHT TO BE INFROMED: Individuals have the right to be informed about the collection and use of their personal data. Individuals must be provided with information including: purposes for processing their personal data, retention period for that personal data, and who it will be shared with.
- RIGHT OF ACCESS: Individuals have the right to be aware of and verify the lawfulness of the processing an organization is carrying out.
7. RIGHT TO FREEDOM FROM DISCRIMINATION – SECTION 42
One of the principles of Data Protection is Transparency. This principle requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. There is a recognition that the collection and processing of data should be carried out in a manner that prevents discriminatory effects on persons ‘on the basis of racial or ethnic origin, political opinion, religion, Beliefs, trade union membership, genetic or health status or sexual orientation’ . This is in tune with section 42 of the 1999 Constitution of Nigeria which provides the right to freedom from discrimination.
This section establishes a right to not be subject to a decision solely based on automatic processing, including profiling, defined as the use of personal data to analyze or predict certain aspects of a person, including their health, behavior, movements and personal preferences.
Victoria is a Nigerian lawyer enthusiastic about Intellectual property, general law practice, and arbitration. She is also a blogger