• Sunday, May 19, 2024
BusinessDay

Data protection in the face of Covid-19 and beyond – Kofo Olokun-Olawoyin

The global recourse to the “population lockdown” measure in combating the rampaging spread and effects of Covid-19 (coronavirus) has resulted in the confinement of over a billion persons in over 185 countries and six continents to their homes, restricting cross-country and international travel and making physical meetings difficult. To meet the socio-economic imperatives for meetings, the ingenuity of our human race has compelled a more robust attention to the use of developed and other developing technologies as tools to advance these needs.

We are all somewhat familiar with the trappings of automation and the attendant use of technology to either inflict harm or pursue positive ends. The reputational damage caused to Nigeria by the operators of “yahoo-yahoo” and the ignoble transition of Obi Nwanne (aka Invictus Obi) “who went from Forbes to FBI” and his network of accomplices are still easy to recall.

Zoom, Skype for Business, Messenger Rooms and other competing apps are dominating the social and business spaces and have provided, and continue to offer, unquantifiable value in telemedicine, teleconferencing and video meetings. Private businesses in Nigeria have enabled employees to work and hold meetings remotely. Because of their utilitarian value, more reliance is now placed on the use of this technology. Regulatory agencies of the Government have also keyed into it and have introduced measures for business continuity in line with these readily available tech tools.

The Corporate Affairs Commission, relying on Section 230 of the Companies & Allied Matters Act, proactively issued the Guidelines on Holding of Annual General Meetings (AGM) of Public Companies Using Proxies. The Practice Direction for Remote Hearing of Cases in the Lagos State Judiciary, and a similar one in Borno State, were made in response to increasingly loud criticism of the unwholesome implications of the frozen right of access to the court. In a similar vein, the National Judicial Council held its inaugural virtual meetings on the 22nd and 23rd of April 2020 and has also asserted the readiness of the Supreme Court to deploy technology for virtual proceedings.

The growing importance of these tech tools imposes corresponding obligations on us all to interrogate their actual and potential interference with the human right to privacy via data protection, alongside other legal issues of contracting, payment systems, digital signatures, intellectual property and the criminal dimensions of hacking and fraud, which are this author’s concerns and the focus of this article.

The security vulnerabilities of tech tools have profound implications for the continued guarantee of the right to privacy, considering the immeasurable consequences of a data breach, potentially for fraud. For illustration purposes, CNBC reported that apart from a class-action lawsuit filed by a Zoom shareholder, Michael Drieu, in the U.S. District Court for the Northern District of California over allegations that Zoom concealed its privacy and security shortcomings, another lawsuit has been filed at the Los Angeles Federal Court, naming Zoom, Facebook and LinkedIn as Defendants. The suit alleges unjust enrichment, intrusion upon seclusion, invasion of privacy, unfair business practices, and trespass to owners’ computers and mobile devices.

According to the report, the suit states that Facebook created detailed profiles on users who installed the Zoom app that benefited Facebook’s targeted advertising business. The profiles also helped Zoom profit by helping it more accurately target users for additional services and converting them to paying customers, according to the suit. That allowed people hosting Zoom meetings to see LinkedIn details of meeting participants, even when participants sought to keep their personal details anonymous. At the same time, LinkedIn was able to collect Zoom users’ information.

Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorisation, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users. This was accompanied by claims that Zoom used an inferior form of encryption for video communications.

Even though some have argued that the above suit may be political (which is not the crux of this article), it emphasises the potential deluge of infractions and the need to strengthen the protection regimes for corporate and individual privacy rights to data protection, and for companies to ensure the adequate protection of data belonging to customers, employees, contractors and third parties generally. Section 37 of the Constitution of the Federal Republic of Nigeria (as amended) provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communication are hereby guaranteed and protected. More elaborate provisions on data protection, privacy and cyber-security are contained in more specific legislation and regulations such as the Consumer Code of Practice Regulations 2007 (NCC Regulations), Consumer Protection Framework 2016 (Framework), Credit Reporting Act 2017, Cybercrimes (Prohibition, Prevention etc) Act 2015, Freedom of Information Act, 2011 (FOI Act), National Identity Management Commission (NIMC) Act 2007, National Health Act 2014, Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011, and Federal Competition and Consumer Protection Act, 2019. These domestic laws guide public (INEC, NIMC, Security/Law Enforcement Agencies) and private (Banks, Telcos, Credit Bureau, Direct Marketing Companies et cetera) data controllers, and may be supplemented by existing regional and international treaties offering privacy rights to data protection. They provide frameworks for the collection, storage, control and use of personal and corporate data, and impose varying penalties and criminal prosecution for breaches.

Beyond this current global affliction of Covid-19, and with the fast-paced development of the world digital economy, which is driven principally by private and corporate data, many more security lapses will be discovered that could be contested and litigated upon. It is therefore advised that both public and private companies ensure compliance with applicable data protection legislation, particularly the most recent Nigerian Data Protection Regulation (NDPR) issued in 2019 by the Nigerian Information Technology Development Agency (NITDA).

The NDPR deals with the protection of personal data, which is defined to mean all information relating to an identifiable natural person (data subject), including name, address, photograph, email address, bank and transaction details, posts on social networking websites, medical information and other unique identifiers such as an address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.

Thus every business which processes data by way of collecting, organizing, structuring, storing, adaptation, alteration, retrieval, use, consultation, transmission, dissemination, alignment, combination, erasure or destruction of personal data (Data Controller) must take time to understand its obligations under the NDPR.

The obligations of data controllers under the NDPR can broadly be summarised into two. The first obligation directly affects the processing of data and captures: (a) the duty of the Data Controller to collect and process personal data in accordance with a specific, legitimate and lawful purpose consented to by the data subject; (b) the duty to process personal data adequately, accurately and without prejudice to the dignity of the human person; (c) the duty to store personal data only for the period within which it is reasonably needed; and (d) the duty to secure personal data against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

In meeting this obligation, a Data Controller is expected to observe and be guided by certain principles and procedures for processing data and procuring the consent of data subjects. These principles include diligence by the data processor or controller, the prohibition of improper motives, publicity and clarity of data privacy policy, data security, principles on third party data processing contracts, principles on objections to data processing by the data subject, and the advancement of the right of privacy. While certain lapses concerning these obligations may have been obscure in time past, customers and data subjects are now more likely to notice the breach of their data privacy and take action.

The second obligation of a data controller under the NDPR relates to certain duties in respect of the transfer of personal data to foreign companies. In this regard, the NDPR particularly limits the transfer of personal data to foreign countries or international organisations. Any such transfer must be done with the supervision of the Honourable Attorney General of the Federation (HAGF) and NITDA, after concluding that the foreign country has an adequate data protection regime espousing the respect, protection and enforcement of privacy rights, with exceptions only in situations where the data transfer is of utmost importance and the data subject has explicitly acquiesced to the transfer and is well aware of the potential risk. As businesses try to survive the pandemic, certain quick decisions may be made to stay afloat which may involve transacting with foreign companies and may require the transfer of data. However, it may be difficult in the current situation to urgently secure the supervision of the HAGF and NITDA in order to transfer data to foreign companies. It is therefore important for Data Controllers to seek professional advice accordingly.

Communication with the data owner, either to secure consent for data processing or to relay information on the organisation’s data protection policies or practices, is a priority. Like never before, businesses must improve on this communication. Company websites must be updated to reflect these policies or practices. Customer care service operators should also be engaged to interact regularly with customers.

Obviously, this is the wrong time for any business with data protection obligations not to have a Data Protection Officer (DPO). As mandated by the NDPR, companies will do well to appoint a DPO to ensure adherence to the Regulation, relevant data privacy instruments and data protection directives of the Data Controller. Companies may also explore the option of outsourcing data protection to a verifiably competent firm or person.

The implications of failure to meet the obligations and duties under the NDPR are quite dire. By article 2.10 of the NDPR, a Data Controller dealing with more than 10,000 Data Subjects who breaches the privacy rights of a data subject is liable to payment of a fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of N10 Million, whichever is greater. In the case of a Data Controller dealing with less than 10,000 Data Subjects, the punishment is a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of N2 Million, whichever is greater.

In addition, businesses are advised to report their compliance with the provisions of the NDPR by periodically submitting a data audit to NITDA. As at 2020, several companies are yet to comply with the provisions of the NDPR and, worse still, are yet to submit a data audit to NITDA. Failure to submit an audit attracts a fine of N200,000 (Two Hundred Thousand Naira) or imprisonment for a term of 1 year, or both such fine and imprisonment, for the first offence; and for a second and subsequent offence, a fine of N500,000 (Five Hundred Thousand Naira) or imprisonment for a term of 3 years, or both such fine and imprisonment.

Early this year, NITDA issued several enforcement notices to companies that had failed to comply with the NDPR. The notices typically requested the recipients to immediately submit a data audit to the Agency. When the NDPR was issued on the 25th of January 2019, Data Controllers had a maximum period of 6 months from the date the Regulation was issued to submit the audit. This initial time for compliance expired on the 25th of July 2019 and was subsequently extended by NITDA to the 25th of October 2019. It is forecast that NITDA will step up and activate all enforcement mechanisms under the NDPR as soon as the lockdown is lifted. Thus, like never before, businesses must ensure that their data protection measures are top notch during this period.

NITDA recently reported that it had investigated and penalised violations such as the disclosure of personal data of taxpayers of Lagos State, so obviously, not even government agencies will be spared by NITDA if they are found to have breached their obligations under the NDPR.

In conclusion, in light of the current trend, it is important for companies to review their data protection policies, examine the impact of current and existing technologies on the privacy and security of personal data within their possession and apply measures to stay in compliance with applicable laws and regulations on data protection. Companies should ensure that any breach detected during review is investigated and reported in accordance with applicable laws. Companies may also utilise this period to engage the services of a licensed Data Protection Compliance Organisation for the evaluation of their data processes.

Kofo Olokun-Olawoyin
Kofo is the Author of the fast selling book “The Nigerian Electricity Supply Industry- Post Privatisation Realities, Trends and Challenges”. She can be reached on ko@kofoolawoyin.com or kofo.olokunolawoyin@gmail.com
