• Friday, March 01, 2024
businessday logo


Data controllers vs data subjects: Legal insights on the right to privacy

Data controllers vs data subjects: Legal insights on the right to privacy

The era of 5G Networks is upon us and Data is everything, Data in your home, Data in your office and Data in your hands. Our personal and financial life is Now Open to cyberspace placing a limit on our privacy. By virtue of section 37 of the 1999 constitution; Nigerian citizens have a right to their privacy including but not limited to their homes, private and official correspondence, telephone conversations, e-mail, and other virtual and or electronic communications. The only exception being for the purposes of detection or prevention of crime.

Read also: High petrol price, inflation squeeze data centres, networks

In the Online world of computing data refers to; information stored and processed digitally on an ICT equipment; including text, images, audio or video. Data privacy and information security varies based on usage and region developers of software applications collect and or share your data for different purposes; either to analyse for purposes of advertising or to influence political opinions during election; as was the case with Facebook and Cambridge Analytica and is now the subject of litigation between UK consumers and Google to the tune of $7 Billion.

Search engines as data controllers

In situations mentioned above search engines act as Data Controllers and are required under international legal instruments such as: The General Data Protection Regulations (GDPR) not to share your Data with third parties, disclose what your Data will be used for, we can as of right request that our Data be deleted as Data Subjects. Uber’s privacy policy for example states how Uber services collect and use Data of Riders, Drivers, Delivery recipients and delivery persons. Data processed must be fair to the Data Subject, it must be processed for legitimate purposes and the Data collected must be accurate.

Pursuant to article 4 (1) of the GDPR, the Data Subject is an identifiable natural person that personal Data Relates; a Data controller is an entity that by itself or jointly with others determines the purposes and means of processing personal Data.

Read also: Leveraging Credit Bureau Act will make credit data possible Expert

The recent ruling of the court of appeal before the Presidential Election Petition Court (PEPC) ought to have put INEC through the prism of being a Data Controller in line with International best practice, it is hoped that the Supreme Court will widen its gavel of interpretation in view of modern technology realities. The Nigerian Data Protection Act (NDPA) 2023 creates a legal framework for the protection of personal information and establishes for administrative purposes the Nigerian Data Protection Commission (NDPC) Section 28 (1) and (2) of the (NDPA) are to be effect that: “Where processing of personal Data may likely result in high risk to the rights and freedoms of a Data Subject by virtue of its nature, scope, context, and purposes, a Data Controller shall prior to the processing carry out a Data Privacy Impact Assessment (DPIA) and further enjoins the Data Controller to consult the NDPC to determine the level of sensitivity of the Data to be processed. The data Controller is also obligated to make a third party entity it engages to process Data on its behalf to comply with the detailed requirement of this law. Section 32 inter-alia requires major Data Controllers like Telcos and Banks to employ Data Protection officers (DPOs) who shall advise the Data Controllers on matters of compliance with the NDPA. The right of a Data Subject as spelt out in section 34 and under section 35 a Data Subject is entitled to withdraw consent to his Data being processed.

Web Developers should generally be mindful of excessive collection of personal data, it may land them in millions of dollars in litigation and may damage their corporate goodwill and reputation

Under global perspectives on information security a Data Controller is required to also ensure the confidentiality, integrity and authentication of Data being Processed under the NDPA Section 39 aptly captures this requirement inclusive of cross-border transfers of personal Data being the subject matter of section 41 of the NDPA.

Nuisance of loan app companies

Defamatory false statement are often made by some Loan App Companies when a borrower fails to meet repayment obligations; they often broadcast this false statement through social media platforms like Whatsapp, Facebook or Instagram to the defaulting borrowers contacts with the intent to damage their character and reputation, this recovery of debt strategy is gross violation of privacy by these shylock Loan Apps. The federal Competition and Consumer Protection Commission (FCCPC) has approached Google and other search engines to delist several Loan Apps from their Play stores for damaging the reputation of Nigerians.

Read also: Here’s what Dangiwa plans to do in quest for credible housing data


Web Developers should generally be mindful of excessive collection of personal data, it may land them in millions of dollars in litigation and may damage their corporate goodwill and reputation. Privacy policies of data controllers should be easily accessible and clearly stated, use encryption protocols when transmitting sensitive personal Data like DNA results. In the context of electronic commerce and consumer protection data is now big business.