“Privacy is one of the most debated topics in recent memory. It seems like nowadays, everyone wants to know your business. And it’s not just the NSA and Facebook types that are rummaging through your information. Have you read all the permissions you agree to when you download an app to your mobile device? Even some offline games like Solitaire now require the ability to read your text messages, contacts and know your location! Is this just the price we pay for living in the digital age or an infringement on our rights as citizens and consumers? And what are organizations doing to protect your information? How do they truly keep your data safe? Is there such a thing as safe anymore?” - The Data Governance Institute

The above quote aptly captures the dilemma in which humans now find themselves. With increasing technological innovation, information which was previously considered personal is now available to a wider, global audience more than ever before. The sad reality today is that personal data can now easily be seen and accessed by anyone who cares enough to search for it. The worsening effect of the deadly coronavirus’ “new normal” on digital exposure can only be imagined. With the emerging cultural shift from the usual way of life, data, especially personal data, will be ubiquitous. Meetings are now virtual: board meetings, religious meetings, cabinet meetings, interviews and, going a little further, court sittings are all moving to the virtual space, from the high towers of Victoria Island and Ikoyi to the smaller, but wider, rooms of video conferencing platforms. One of the unintended consequences of this paradigm shift is the increase in the activities of internet fraudsters and hackers. There is therefore a greater need than ever before to protect the digital space and data.

This Article is a three-part series. This first part analyzes the privacy policy of a prominent digital organization to understand why and how digital information is collected and what it is used for. Part two of this Article series will consider the various legal provisions that have been put in place to protect personal data. Part three will analyze the international enforcement of data rights in the face of a connected global digital life. Specifically, part three will answer the question whether an aggrieved Nigerian resident who uses a resource on a foreign website can bring an action under Nigeria’s data protection law or that of a foreign country.

PART ONE – THE MYSTERIES IN PRIVACY POLICIES
Privacy Policy

Privacy policies are intended to educate internet users and to regulate how digital information is collected, why it is collected, and how it is managed. Organizations with digital platforms are required to have privacy policies to regulate the collection and use of digital information, especially personal data.

To aid a realistic analysis of the topic, we will be analyzing the provisions of the Google Privacy Policy (“GPP”). The GPP is preferred for analysis over any other privacy policy because Google is one of the most widely used digital service providers globally, as almost all internet and phone users interact with one form or another of the digital services provided by Google. Popular Google applications (“apps”) and platforms include Google Search, YouTube, Gmail, the Chrome browser, Google Play Store, Google Maps and the Android operating system. For instance, the Android operating system is reputed to have the largest installed base of any operating system worldwide, controlling the global operating system market with a 74.13% share.

The Google Privacy Policy (“GPP”)
Despite being fined the sum of €50 million (£44 million) in 2019 by the French data regulator, CNIL, for breach of data protection rules, Google, commendably, is one of the few digital platforms which regularly update their privacy policies to meet growing technological and privacy needs. The most recent of the updates to the GPP became effective on March 31, 2020. The GPP applies to all services offered by Google such as Google apps, sites, devices, platforms, and products.
A major policy of the GPP is that information which personally identifies a user, such as name and email, will not be shared with advertisers and other persons unless the user consents that such information be shared, usually by clicking or tapping on an icon which signifies consent. It should however be noted that a user’s personal information may be shared, without his/her consent, for legal reasons and with the user’s domain administrator, where the user belongs to a particular domain, for instance, either as a student or an employee. We will now proceed to analyze the GPP to see what type of information is collected by Google.
Type of information/data which Google collects
The information which Google collects from its users includes:
i. The emails which the user writes and receives, saved photos and videos, documents which are created and even comments made on YouTube videos;

ii. Unique identifiers, browser type and settings, mobile network information, IP address, and Referrer URL;

iii. Information about the user’s activities such as terms you search for, videos you watch most, voice and audio information when you use audio features and people with whom you communicate or share content;

iv. Information about your location. Your location can be determined by GPS, IP address and sensor data; and

v. Information can also be collected from publicly accessible sources. For instance, if your name appears in an article or a newspaper, Google’s search engine may index that article and display it to other people who search for your name.

How Google collects Data
This information/data is collected when a user runs a Google service on his/her device. For example, when an app is installed from the Play Store, the device automatically contacts Google servers to provide information about the user’s device. Technologies that can be used to collect and store a user’s information include cookies, pixel tags, local storage (such as browser web storage or application data caches), databases, and server logs.

Uses of information collected
The GPP clarifies the uses to which collected information is put. These include:
1. Helping to arrange the user’s likely preferences when searches are conducted, for instance on Google search engine or YouTube;

2. Providing recommendations and personalized content for the user. For instance, new videos may be suggested to a user based on videos he/she previously watched on YouTube. Also, autocomplete features help to complete a previously typed name, word or email when it is being typed again;

3. Offering features such as driving directions based on a user’s location information;

4. Communicating and interacting directly with a user. For instance, a user may be notified of any suspicious activity, when detected, like an attempt to sign into the user’s Google Account from an unusual location;

5. Making improvements to services. For instance, understanding which search terms are most frequently misspelled may help to improve spell-check features; and

6. Developing new and better services. For instance, understanding how people organized their photos in Picasa (Google’s first photos app) helped Google to design and launch Google Photos.


The Sad Reality

Despite the above detailed privacy policy, the sad reality is that many Google users are not aware of these policies. Generally, a major concern in data protection is whether data subjects read privacy policies or understand what they read. In a survey conducted by Deloitte in 2017, it was found that 91% of U.S. consumers consent to terms of service without reading them. For persons within the ages of 18-34, the rate was even higher: 97% did so. Similar studies also showed that some people unknowingly consented to terms requiring them to give away their firstborn children to a website, and even agreed to have everything they shared online on the website passed to the National Security Agency. What an onerous admittance!

Admittedly, a major challenge with privacy policies, and one which affects their readability, is their length and the font size in which they are usually written. In many cases, such policies run into tens of pages in unattractively small fonts, requiring between 10 and 20 minutes to read in some cases. A report published in The New York Times stated that several privacy policies, including those of major tech and media platforms like Facebook, Uber, and Airbnb, were too verbose and difficult to understand for some college graduates and, in some cases, were also above the comprehension of high school graduates.
It is suggested that in drafting privacy policies, attention should be paid to brevity and to clear, plain, easy-to-understand language. A privacy policy should not be too sophisticated and invasive. Unnecessary jargon should be avoided so that the policy reflects only the important disclosures. Sometimes, all that is important in a privacy policy is those to whom the data is exposed. Something as simple as a list of companies that might purchase and use a person’s personal information could be all that is needed by the data subject, and this could go a long way towards setting a new bar for privacy-conscious behavior. Data subjects may not want to be burdened with the intricacies of how data is collected, stored, processed, retrieved, or deleted. Thus, where these need to be reflected in a privacy policy, they should be properly arranged. The mode of arrangement of the BBC’s privacy policy is commendable in this regard, as it sets out only the subheadings of various aspects of the privacy policy, thereby allowing readers to click on particular sections of the policy and find a flow of ideas, instead of clumping up the entire policy in a single paragraph-to-paragraph document.

While it may be necessary to explain some essential and relevant concepts, like cookies, IP addresses, etc., as important means of data collection, these explanations should be reduced to the minimum words needed to achieve the purpose. A privacy policy should not be just another document drafted by lawyers for lawyers; it should be drafted to be comprehensible to even a high school student.
Conclusion and Privacy tips:
In concluding this part of the Article series, certain protective steps by which data collection may be controlled and managed will be highlighted. From the discussion in this part of the Article series, it is evident that the nature of the personal data collected by a service provider often depends on how privacy controls and settings are managed. For improved security, the following steps may be used:
1. Browse the web privately by using the Incognito mode of your browser. Incognito mode allows a user to browse the internet without his/her activity being saved to the browser or device. It does not hide that activity from the websites visited, the network operator or the internet service provider.

2. Adjust device privacy settings to control what data is collected and how it is used. For instance, a Google account can be managed to determine what information is being saved.

3. Modify location settings by turning the device location on or off. This prevents your location from being collected and shared.

4. Configure browser settings to block cookies. However, some websites and their features may not work properly, as they rely on cookies to function.

5. Use two-step verification to help protect your device and account.

6. As much as possible, visit only trustworthy websites with which you are conversant and intentionally refrain from sharing certain vital information on the net.

As earlier noted, in part two of this Article series, we will examine the rights of data subjects under the legal system.

 

 


[1] Stanley is an Associate at Banwo & Ighodalo, a highly ranked law firm in Nigeria.

[1] <http://www.datagovernance.com/quotes/privacy-security-quotes/> accessed on May 25, 2020.

[1] A deviation from the norms, rules or the usual or ordinary way of life which was prevalent prior to the Covid-19 era.

[1] It should be noted that the analysis in this Article does not extend to determining the validity, legality, adequacy or otherwise of the GPP. Except as otherwise stated, the review in this Article is limited to only an exposition of the content of the GPP.

[1] <https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/> accessed on May 21, 2020.

[1] <https://www.bbc.com/news/technology-46944696> accessed on May 21, 2020.

[1] The latest version is available for download at <https://policies.google.com/privacy?hl=en-US> accessed on May 21, 2020.

[1] Every device connected to the internet is assigned a number known as Internet Protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP address can often be used to identify the location from which a device is connecting to the internet.

[1] A Referrer URL (Uniform Resource Locator) is a temporary webpage that links an internet user to another requested webpage. The Referrer URL is a page where a user is temporarily taken just before he lands on the webpage he truly wants to visit.

[1] Your device may have sensors that can be used to detect your location or movement. For instance, an accelerometer may be used to determine your speed and a gyroscope may be used to figure out your direction of travel.

[1] A cookie is a small file containing a string of characters that is sent to your device when you visit a website. It saves certain data from your device and, when you visit the site again, the cookie allows the site to recognize your browser and recall your previous personal data. Cookies may store user preferences and any other information from your device. A typical cookie notice may read as follows:

“We use cookies to personalize content and ads, and to analyze our traffic. By continuing to use our website you consent to the use of our cookies in accordance with our Privacy Policy”

[1] A pixel tag is a type of technology placed on a website or within the body of an email for the purpose of tracking certain activity and the behavior of the internet user, such as views of the website, tabs clicked on a website and when an email is opened. Pixel tags are often used in combination with cookies.

[1] <https://www.usatoday.com/story/tech/2020/01/28/not-reading-the-small-print-is-privacy-policy-fail/4565274002/> accessed on May 26, 2020.

[1] Ibid.

[1] Kevin Litman-Navarro, We Read 150 Privacy Policies. They Were an Incomprehensible Disaster <https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html> accessed on May 21, 2020.

[1] Kevin Litman-Navarro (supra).

[1] <https://www.bbc.co.uk/usingthebbc/privacy/> accessed on May 21, 2020.