In commemoration of the 2023 World Data Privacy Day, members of the Action Group on Free Civic Space comprising Spaces for Change |S4C, Accountability Lab Nigeria and Dataphyte organized a Twitter Spaces conversation: How Safe is your Data?” which brought over 100 digital rights activists and netizens in Nigeria and beyond. The Twitter Space conversation moves away from the conventional dialogues around data privacy which have always been held in formal gatherings even though the implications extend far beyond the air-conditioned meeting rooms. Nothing underscores the importance of this dialogue more than the moderator’s opening remarks which reminded that “privacy used to mean discussing family business in low tones, with all the windows shut to keep out nosy neighbors. The cloud was your father’s old suitcase that housed all the important family documents and was often hidden in a wardrobe with a key to lock it. Hot gist had to wait till the Christmas holidays when all your cousins were around for the holidays. Today, all of that has changed … because of our dependence on digital technologies and the behemoth that is the internet infrastructure. How safe are we in this heavily connected world that runs on our collective data?”
Nearly every social and economic activity in Nigeria involves some element of data-gathering. For example, the Nigerian government collects data for national identification number (NIN) enrolment and for voter registration. NIN is now required for most social, economic, and political activities in Nigeria. Even in the villages lacking internet connection, data is being collected from all and sundry. How the large volumes of data collected are used and stored remains shrouded in mystery. Along these lines, the conversations rested on four pillars: data protection and privacy laws in Nigeria, the data privacy regulatory agencies, the duties of data controllers, and the duties of data subjects.
Data privacy is protected under a variety of national laws beginning with the Constitution of the Federal Republic of Nigeria (as amended) 1999 (CFRN), Consumer Code of Practice Regulations of 2007 (NCC Regulations), the Credit Reporting Act 2017, the Consumer Protection Framework 2016, the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, and the Freedom of Information Act 2011. The Nigeria Data Protection Bureau is the government agency saddled with the responsibility to protect consumer data. Although a robust framework for data governance exists in Nigeria, there are serious concerns about the capacity of agencies to implement them.
The private sector, especially telecommunication companies and tech corporations, plays a significant role in data collection in Nigeria. Discussants considered the various ways of obtaining user consent before obtaining and using their data, and to what extent private actors satisfy the requirements of consent. Consent must not only be affirmative, credible, and unambiguous, but must also be backed by the duty to safeguard all data in their custody. This obligation to protect user data is shared by both the federal government and private actors.
Highlighting the obstacles to data privacy in Nigeria, the speakers spoke extensively about the knowledge gap and lack of judicial will to enforce extant laws. Judicial officers need more enlightenment regarding how these technologies operate and the legal implications for digital rights and data privacy. Beyond the judicial officers, other stakeholders—such as regulators, CSOs, data controllers, and data subjects—equally have vital roles to play. While CSOs can help increase awareness of digital rights, government agencies, and regulators must also be willing to regularly update the laws and mechanisms in order to keep up with the highly kinetic digital world. The government and their private sector counterparts must step up efforts to improve data governance and transparency in data handling. They owe a duty to disclose their use of data in clear, concise, and unambiguous terms. All these measures do not take away the users’ responsibility to take extra precautions in protecting their own data, especially in digital spaces.