“We have now seen a number of instances where clinical labs involved in testing, or major hospitals, have suffered ransomware attacks, where all their IT systems have been knocked down.” These are the words of Andre Pienaar, the founder of a venture capital firm named C5, in response to a cyber-attack on Hammersmith Medicines Research. The company, which is based in London and has been involved in clinical trials to combat the spread of Coronavirus, fell victim to an attack by hackers. It was reported that the hackers locked down a very significant number of the company’s patient records by encrypting them, and threatened to publish them online if a ransom was not paid. It is a good thing that the company was subsequently able to strengthen its data defences, but that does not change the fact that the company fell victim to a data breach. This is a pointer to the fact that data protection is a priority.
Have you ever paused to think about how data which you put out one time or the other is being processed? Also, have you ever imagined how far information about you has gone, without your knowledge? Finally, when was the last time you read through those privacy terms before you clicked the ‘accept’ button?
Funny as they may appear, the above questions are pivotal and should be given consideration, especially in a world that constantly takes giant strides in technological advancement.
However, it would not be out of place to give a quick definition of data protection. Data protection, in the simplest of terms, entails keeping safe important data or information, as the case may be, from loss, compromise or corruption. It involves every activity involved in trying to keep data secure and devoid of compromise. Data protection can also be referred to as information privacy or data privacy.
Techopedia has defined data protection as the process of protecting data, and further states that data protection involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy and the political and legal underpinnings surrounding that data. The aim of data protection is to create a balance between the use of data for business purposes and the privacy rights of the individual.
Data protection is not limited to particular forms of data; it applies to every form of data, whether such data is personal or corporate. There are different methods of data protection, and these methods vary based on context. Data protection could be on the personal scale, it could be in the context of businesses or public corporations, and it could be in the context of classified information which cannot be divulged, except to a selected few.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation put in place by the European Union to ensure data privacy and protection in member states of the EU and in the European Economic Area (EEA). The GDPR, furthermore, oversees the transfer of personal data outside the EU and the EEA. The GDPR was proposed in 2012, adopted on the 14th of April 2016, and came into force on the 25th of May 2018. It has 11 chapters and 99 articles.
Principles of GDPR
These seven principles are reflections of the broader purposes of GDPR, and they are spelt out to define how personal data should be handled. Article 5 of the regulation provides for these principles. They are as follows:
Rights of the Data Subject
The data subject as defined by GDPR is an identified or identifiable natural person(s). There are eight rights which GDPR has put in place for the data subject. However, five of these rights have been in existence before now. The rights are contained in articles 15-22 of GDPR and they are:
Special Categories of Personal Data
GDPR, by virtue of Article 9(1), prohibits the processing of certain categories of personal data, and unless one or more of the conditions provided in article 9(2) of the regulation are met, the processing of such categories of personal data remains prohibited.
These categories of personal data include:
Legal Bases for Processing Personal Data
Article 9(2) of GDPR provides for six legal bases or exceptions to the provision of Article 9(1). Personal data related to the categories spelt out in paragraph one of article nine shall be processed on the following grounds:
Special Conditions for Children
Article 8 provides that in relation to the provision of information society services directly to a child, the processing of that child’s personal data shall be lawful if the child is not less than 16 years in age. In a situation where the child is younger than 16, the processing of the child’s personal data would depend on the consent of whosoever holds parental responsibility for the child. The provision also stipulates that member states can provide a lower age for the purpose of processing a child’s personal data, as long as the age provided is not below 13 years.
Other pivotal provisions of the GDPR include but are not limited to provisions for the controller and processor contained in chapter 4, transfers of personal data to third countries and international organizations, contained in chapter 5, and remedies, liabilities and penalties in chapter 8.
Data protection in the Nigerian context
Nigeria is not left out as regards laws that have to do with data protection. Though the state has no principal data protection law, it has data protection legislation which is subsidiary. This subsidiary legislation is the Nigerian Data Protection Regulation 2019, which was issued in January 2019 by the National Information Technology Development Agency (NITDA).
Apart from the Nigerian Data Protection Regulation, there are other individual provisions found in a couple of other pieces of legislation. For example, section 37 of the CFRN, 1999 (as amended), provides for the right to privacy. However, there are derogations to this right as provided by section 45 of the same constitution. Furthermore, the Child Rights Act, 2003 provides in section 8 for the right to privacy, correspondence, telephone conversations, among other rights for the child. The Nigerian Communications Act 2003 and the Cybercrimes Act 2015 are also relevant data protection laws.
Article 51 of the GDPR provides for each state to have one or more independent authorities that would be responsible for ensuring that the regulation is applied, and to protect the rights and freedom of the natural person in relation to personal data. For example, across the United Kingdom, the Information Commissioner’s Office (ICO) is the supervisory authority. In the Netherlands, the GDPR supervisory authority is Autoriteit Persoonsgegevens, translated as the Dutch Data Protection Authority (DDPA). In Italy, what applies is Garante per la Protezione dei Dati Personali, which is translated as the Italian Data Protection Authority (IDPA).
Unlike what applies in EU countries, there is no specific supervisory body for data protection in Nigeria. However, there exist a number of authorities that are responsible for data protection. The Central Bank of Nigeria, the Nigerian Communications Commission (NCC), and the Nigerian Information Technology Development Agency (NITDA), among others, are supervisory bodies for data protection.
The principles and the rights of the individual that apply in GDPR are similar to those that apply in the Nigerian context. However, the fact still remains that the Nigerian legal system has not developed enough to keep up with the constant advancements in information and technology.
Cases on data protection have not really sprung up in the Nigerian context for obvious reasons. However, there exists a particular case that can’t be overlooked: the case of Emerging Market Telecommunication Services v Barr Nya Eneye (2018) LPELR-46193. In that case a legal practitioner, Mr Eneye, took legal action against the operators of Etisalat for sharing his telephone number with persons and companies that constantly sent him unbidden texts. He based his legal action on the provision of section 37 of the CFRN, 1999 (as amended), which provides for the right to privacy. Consequently, he was awarded damages of Eight Million Naira by the Federal High Court. The operators of Etisalat appealed the decision of the Federal High Court, but the Court of Appeal upheld the decision.
As trivial as sending unwarranted texts may seem, a man who is aware of his data privacy rights took action and was awarded damages. That is very commendable, and how beautiful it would be if more people took their data privacy rights as important.
Data protection is a very crucial aspect of the technological life of individuals and organizations at large, especially with the rate at which the world is going digital. It would not be out of place for people to be interested in this aspect, even if they do not intend to build careers out of it. Furthermore, the legislative arm of government should prioritize the enactment of primary data protection laws in response to massive global technological advancement, as this would go a long way in positively affecting the culture of data protection in the Nigerian legal system.
Gallagher, R. (2020). Hackers ‘Without conscience’ Target health-Care Providers. Retrieved from Bloomberg: https://www.bloomberg.com/news/articles/2020-04-01/hackers-without-conscience-demand-ransom-from-health-providers
General Data Protection Regulation. (n.d.). Retrieved from https://gdpr-info.eu/
LP, O. B. (2020). Data Protection and Privacy Challenges in Nigeria (legal issues). Retrieved from Mondaq: https://www.mondaq.com/nigeria/data-protection/901494/data-protection-and-privacy-challenges-in-nigeria-legal-issues-
Senator Ihenyen, R. A. (2019). Nigeria: Data Protection 2019. Retrieved from ICLG: https://iclg.com/practice-areas/data-protection-laws-and-regulations/nigeria
Techopedia. (2017). Data Protection. Retrieved from Techopedia: https://www.techopedia.com/definition/29406/data-protection