I want my government to do something about my privacy – I don’t want to just do it on my own.
– Evgeny Morozov[i]
Generally, the right to privacy has attained a universal status,[iii] and countries have enacted various laws to regulate the collection and use of personal data, popular amongst which is the European General Data Protection Regulation 2018. In this part (“part 2”) of this Article series, we will undertake a comparative analysis of the rights of data subjects under the Nigerian and Kenyan legal systems. In part 3 of these Article series, consideration will be on the inter-jurisdiction enforcement of these data rights.
DATA PROTECTION AND RIGHTS UNDER THE NIGERIAN LEGAL SYSTEM.
The security of the digital space and digital data has received a commendable level of attention in Nigeria, as different laws now regulate how digital data is collected and used. Some of these legislative and regulatory provisions include the Constitution of the Federal Republic of Nigeria, 1999 (as amended); the Cybercrimes (Prohibition, Prevention, etc) Act 2015; the Freedom of Information Act, 2011; the Nigeria Data Protection Regulation, 2019; and, more recently, the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020. Some of the important data provisions in these laws will now be analyzed.
The Constitution of the Federal Republic of Nigeria 1999 (the “Nigerian Constitution”).
A proper discussion on data protection in Nigeria can only be appropriately commenced by paying homage to the Nigerian Constitution: the supreme law of the land and fountain of legislative life. One of the foremost fundamental rights recognized by the Nigerian Constitution is the right to privacy. Section 37 of the Nigerian Constitution guarantees “the privacy of all citizens, their homes, correspondence, telephone conversations, and telegraphic communications”. This constitutional provision prohibits any act that may impede on the privacy of a Nigerian citizen, irrespective of whether such privacy is digital or physical.
The Nigerian Constitution was however not exhaustive to provide for whose duty/obligation it is, to protect such privacy, neither did the constitution spell out the requirement/rules for such protection. This is where the statutory mandate of the Nigerian Information Technology Development Agency (“NITDA”) arises, having been set up to develop guidelines for electronic governance and to monitor the use of electronic data interchange and other forms of electronic communication transactions[iv]. Pursuant to this mandate, NITDA issued the Nigeria Data Protection Regulation, 2019 (the “Regulations”); and the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 (the “Guidelines”) to, amongst others, safeguard the rights of natural persons to data privacy.
The Nigeria Data Protection Regulation, 2019, and The Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020.
The Regulations were primarily issued to protect personal data which are made available on digital and electronic platforms[v]and amongst the conspicuous objectives of the Regulations is that it will safeguard the rights of natural persons to data privacy and prevent the manipulation of personal data[vi]. In part 3 of this Article series, we will discuss the scope and applicability of the Regulations. Emphasis herein is on the rights of Data Subjects. A Data Subject, under the Regulations, is a person who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity[vii].
Rights of a Data Subject under the Regulations
One of the most important rights of Data Subjects under the Regulations is the right to consent and withdraw consent to data processing. Failure to obtain such consent makes any data processed unlawful, except for other specific lawful instances provided for under the Regulations[viii].
- the right to be given information, relating to the processing of data, in a concise, transparent, intelligible, and easy to read form. This also includes the right to receive such information free of charge, except as provided by the Regulations;
- the right to receive adequate information prior to the collection of personal data, stating amongst others, the recipients of the personal data, transfer of data, right to withdraw consent, etc;
- where personal data are transferred to a foreign country, the data subject has the right to be informed of the appropriate safeguards for data protection in the foreign country;
- the data subject has the right to request the deletion of any personal data without delay;
- The data subject has the right to receive his/her personal data, which was provided to a controller and transmit the same data to another controller, etc.
Also, in line with its statutory mandate, NITDA recently released the Guidelines to specifically guide how public officers in public institutions handle and manage personal information in compliance with the Regulations. The Guidelines provide for additional rights of Data Subjects, prominent amongst which is that no person shall be tracked, traced, or be subject to automatic or digital decisions without a law of the National Assembly or consent of the subject[xii].
It should be noted that the data rights under the Regulations are to be interpreted to advance and never to restrict the safeguards a Data Subject is entitled to under any data protection instrument made in furtherance of fundamental rights and the Nigerian laws[xiii]. This, therefore, recognizes other data safeguards and protection under Nigerian laws. We will proceed to discuss some of these other laws.
The Freedom of Information Act, 2011 (the “FOI”)
The FOI while providing for public access to public records and information also protects public records and information to the extent consistent with the public interest and the protection of personal privacy. Specifically, under the FOI, public institutions are mandated to deny applications for information that contain personal information or if it will constitute an invasion of personal privacy[xiv] . The FOI defined personal information to mean any official information held about an identifiable person.
The Cybercrimes (Prohibition, Prevention, etc) Act 2015 (the “Cybercrimes Act”)
The Cybercrimes Act contains provisions on the protection of electronic communications, data, intellectual property, and privacy rights. The Cybercrimes Act makes it an offence for a person to fraudulently or dishonestly make use of another person’s personal data, such as electronic signature, password, or other unique identification features[xv]. The Cybercrimes Act also imposes certain duties on service providers in relation to the protection of data[xvi].
Surprisingly, section 19(3) of the Cybercrimes Act while requiring financial institutions to establish effective counter-fraud measures to safeguard their customers’ sensitive information, however, provides that, in the event of a security breach, the burden is on a customer to prove the negligence of the financial institution which resulted to such breach[xvii] . The customer is required to prove that the financial institution could have done more to safeguard its information integrity. It is humbly submitted that this provision offends the right of a Data Subject to the security of his data. It should be the duty of the financial institution to prove that the institution was not negligent and that it did all it could have done to protect the information. Not the other way round. In fact, where there is a security breach, this should be a prima facie proof that the financial institution was indeed negligent in its security arrangements, rather than requiring an aggrieved customer to prove the same.
At this point, we will proceed to analyze the data protection under the Kenyan Legal system
DATA PROTECTION AND RIGHTS UNDER THE KENYAN LEGAL SYSTEM.
Human rights protection and promotion is a clarion call that reverberates from all spheres of the Kenyan nation. Human rights activists, public benefit organizations, and the citizenry have all exercised hawk eyes with regards to this topic. Human rights is a vast area that includes the right to privacy. The duality of rights as evident in the Constitution of Kenya, 2010, the Data Protection Act, and case laws will be analyzed.
THE CONSTITUTION OF KENYA, 2010
A decade ago, Kenyans enacted for themselves and their future generations the Constitution of Kenya, 2010 (“Kenyan Constitution”).[xviii] The Kenyan Constitution has been hailed as being progressive and transformative. In particular, Chapter 4 (The Bill of Rights) of the constitution has earned national and international praise as fundamentally safeguarding, promoting, and protecting human rights. The Bill of Rights is an integral part of Kenya’s democratic state and a framework for its social, economic, and cultural policies.[xix] The rights espoused in the Bill of Rights, includes amongst others, the right to privacy[xx]which belongs to all individuals rather than being a token of appreciation from the State. Suffice to note that apart from the specific rights in Article 25, all other rights in the constitution (including the right to privacy) are not absolute and thus may be limited within the confines of the constitution.[xxi]
Article 31 of the Kenyan Constitution in guaranteeing the right to privacy expressly provides as follows;
“Every person has the right to privacy, which includes the right not to have-
- their person, home or property searched;
- their possession seized;
- information relating to their family or private affairs unnecessarily required; or
- the privacy of their communication infringed”.
Thus, similar to the position in Nigeria, the right to privacy of communication is one of the constitutionally guaranteed rights in Kenya. Specifically and to further protect this right in relation to digital privacy, Kenya enacted the Data Protection Act in 2019 to, particularly “give effect to Article 31(c) and (d) of the Kenyan Constitution.”[xxii]
THE DATA PROTECTION ACT (ACT NO. 24 OF 2019) (the “Data Act”)
Kenya took nine (9) years, after the enactment of the Kenyan Constitution, to put this legislation in place for the realization of Article 31 of the Kenyan Constitution. This might have been because the Fifth Schedule of the Kenyan Constitution did not provide for a specific timeline within which the legislation was to be enacted. This may be a vindication of the cold feet with which the right was and continues to be treated. As earlier noted, the Data Act was enacted to, amongst others, give effect to Article 31 (c) and (d) of the Kenyan Constitution and to provide for the rights and remedies of data subjects and obligations of data controllers and processors.[xxiii]
It is worthy to note that the Data Act is still in its early days and can be regarded as a baby still in the bathtub. Its effect and impact have obviously not been seen to a great impact as it is only a few months old and thus offers not much for stocktaking. It still needs to be nurtured. Specifically, the Data Act requires that all data controller or processor must register with the Data Commissioner and that the Data Commissioner shall prescribe thresholds required for such mandatory registration. As at the time of this publication, this threshold is yet to be prescribed by the Data Commissioner thereby creating a vacuum for such mandatory registration. Similarly, the regulations that are required by section 71 of the Data Act to aid the implementation of the Act are yet to be put in place.
Surprisingly, several other Acts within the Republic of Kenya infringes on the right to privacy of citizens. One such Acts is the Official Secrets Act 1968 (as amended), whose recent amendments border on tapping into private conversations. The amendments allow the tapping of phone calls of private citizens in their relations with other private citizens and thus infringing on their privacy and even the confidentiality of classified information.[xxiv] The Judiciary has since disputed the fact that the judgment granted the government such powers. This trend is worrisome and will claw back the gains made in the course of entrenching the right to privacy.
The Data Act creates the Office of the Data Commissioner and entrusts in it a litany of functions that will ensure respect for the right to privacy. The Data Commissioner is empowered by the Data Act to, inter alia, receive and investigate complaints by any person on the infringements of their right to privacy under the Data Act and to carry out inspections of private and public entities to evaluate the processing of data. The Data Commissioner is also empowered to create awareness to the general public of the provisions of the Act.[xxv]
Rights of Data Subject under the Data Act
Similar to the position in Nigeria, the Data Act provides for the principles and obligations of personal data protection. Personal data is to be processed in a manner that is, amongst others, in accordance with the right to privacy, in tandem with a fair and transparent manner, not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.[xxvi] The element of consent which can be withdrawn at any time[xxvii] is key in data processing since it will then amount to the data subject waiving his ‘immunity’ to have his/her private data used. Specifically, in an attempt to safeguard the data subject, Section 26 provides for the following rights of a data subject:
(a) the right to be informed of the use of their personal data;
(b) the right to access their personal data in the custody of data controllers or processors;
(c) the right to object to the processing of all or part of their personal data;
(d) the right to correction of false or misleading data; and
(e) the right to deletion of false or misleading information about them.
It is noteworthy that the rights of a data subject may be exercised on his behalf either by a person having parental authority, a guardian, administrator, or a person duly authorized by the data subject.
Data breach is preempted.[xxix] In this regard, data processors and controllers are under a lawful obligation to notify the Data Commissioner and data subject within seventy-two hours of becoming aware of any breach. The detailed notification is, amongst others, required to contain information as to the nature of the breach; measure taken by the data controller and processors to address the breach; recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise, et cetera.
In the Consolidated Petitions 56, 58, and 59 of 2019,[xxx] the petitions were challenging several amendments factored in by the Statute Law (Miscellaneous Amendment) Act, 2018. Of concern to the petitioners were the amendments to the Registration of Persons Act (Chapter 107 Laws of Kenya). The petitioners argued, inter alia, “that the impugned amendments significantly violate the right to privacy owing to their intrusiveness, particularly the collection of DNA without consent; the absence of a legislative scheme on how to secure privacy or individual privacy rights; and the vagueness and lack of intelligibility by the impugned amendments to guide implementation. Further, that the linkage of registration to services violates numerous rights in a manner that is not justifiable in a free and democratic society, including the right to citizenship and all attendant rights – such as the right to movement; economic and social rights; and the right to property, In any event, that the amendments limit the rights in a manner that is unjustifiable in a free and democratic society based on the non-derogable criteria stipulated in Article 24(1).” Noticeably, at the time of presenting the petitions, the Data Act had not come into force. In its determination of the petition, the court rendered itself in explicitly clear terms and suspended the collection of DNA information and also put to a stop the attempt by the government to require the collection of personal information as a prerequisite to offer and receive government services. This was a great win for the right to privacy in Kenya.
RECOMMENDATION AND CONCLUSION
From all of the above analysis of the Nigerian and Kenyan legal systems, there is an itching call for global action towards data protection, beyond a single jurisdiction. Data accessibility now transcends any territorial limitations, especially with the use of social media. Citizens of different countries and at different locations are now capable of accessing a single platform at the same time, thereby making multi-national data available on a single digital platform. Persons in Nigeria, Kenya, Canada, Australia, and even Cambodia can now access a digital platform operating from Ireland, Mexico or Iraq.
Noteworthy, just like in Nigeria, the Kenyan Data Commissioner is empowered to promote international cooperation in matters relating to data protection and ensure the country’s compliance with data protection obligations under international conventions and agreements. With such agreements and corporation amongst Nations, it is hoped that there will be a more global framework that will regulate data privacy, more so as the world is now more of a global village with persons interconnected despite physical territorial limitations. Commendably, the Kenyan Data Commissioner is empowered by the Data Act to enter into association with other bodies or organizations within and outside Kenya as appropriate in furtherance of the objects of the Data Act. It is therefore hoped that these will aid global collaborations towards protecting data privacy across multi-jurisdictions. The European General Data Protection Regulation 2018 applicable to countries in the European continent, is an illustration of the need to have not just a continental regulation but a global regulation or convention.
Commendable, African countries, specifically Nigeria and Kenya as seen in this article, have taken great strides in the right direction by providing a regulatory framework for data protection. However, much more still needs to be done. The goal should now be to have a global regulatory framework for data protection, especially as a data breach may transcend the realms of one country to another. Fittingly, the determination will now be how to enforce such a breach where there are multi-countries involve. This will be the focus of the next part of this Article series.
[i] <http://www.datagovernance.com/quotes/privacy-security-quotes/> accessed June 18, 2020
[ii] >https://www.thepalmagazine.com/privacy-policy-data-protection-and-inter-jurisdictional-enforcement-of-data-rights-meeting-the-realities-of-the-new-normal-by-stanley-o-omotor> Part 1 of this Article series