As the celebration of Data Privacy Day approaches, it is essential not only to celebrate the occasion but also to raise awareness about privacy rights and adopt a collaborative approach to advancing data privacy legislative frameworks. In today’s digital age, the growing reliance on technology has made robust data privacy regulations more critical than ever, and Nigeria is no exception, particularly with the increasing use of social media platforms for both personal and commercial purposes, which underscores the importance of comprehensive privacy protections.
Just a few months ago, the Federal Competition and Consumer Protection Commission (FCCPC), in collaboration with the Nigeria Data Protection Commission (NDPC), imposed a $220 million fine on Meta for violating local consumer, data protection, and privacy laws in relation to Facebook and WhatsApp. This action emphasises the need for stringent enforcement of data privacy laws to safeguard individuals and promote accountability among technology companies operating in the region.
This incident was followed by updating and including additional provisions to Nigeria’s Data Protection Regulations (NDPR) of 2019 to birth the Nigeria Data Protection Act in 2023. Of course, the act improved the former regulations, especially in the aspects of provisions relating to consent, data security, and penalties for breaches.
During the investigation, the FCCPC identified multiple violations of data protection, consumer, and privacy laws and ultimately found that Meta had “appropriated the data of Nigerian users on its platforms without their consent, abused its market dominance by imposing exploitative privacy policies on users, and subjected Nigerians to discriminatory treatment compared to users in other jurisdictions with similar regulations, amongst other violations.
Furthermore, the Nigeria Data Protection Commission revealed that Meta failed to comply with key requirements of the regulations, including engaging a Data Protection Compliance Organisation (DPCO) and filing the mandated audit reports. This fine marks the first major penalty imposed on Meta in the region and aligns with findings from other parts of the world, where Meta has been criticised for denying users meaningful choices to opt out of intrusive data collection practices.
A similar example of a data breach is in the United States, especially in the financial sector; the First American Financial Corporation data breach scandal remains one of their largest financial data breach scandals. In 2019, in the case of FAFC, the data breach was due to a standard website design error known as Insecure Direct Object Reference (IDOR). Simply put, a link containing sensitive and financial records created for intended recipients was compromised, so anyone with access to that link can view the personal records of FAFC’s consumers and use them for fraud.
Read also: Data privacy and the Nigerian data protection act
The exposed files contained bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers, and photos of driver’s licenses, which can be traced back to customers as far back as 2003. This information was accessible without any form of protection. This data breach exposed 885 million sensitive documents, which are detrimental to consumers.
The example of FAFC scandals establishes that privacy issues have become a pandemic, even in the best of countries. We can assume that it has become a souvenir that comes with technological advancement. Even at that point, Nigeria is lagging behind in educating its citizens on their rights based on the limited legal frameworks we have.
Fundamental concepts, such as the data controller (the organisation that determines what and how personal information will be processed); the data processor (the individual, business, or institution processing the data on behalf of a data controller.); and the data subject (the individual, business, or organisation whose data is being processed.), should not be novel to an average Nigerian.
Loan companies have repeatedly engaged in unethical practices by unscrupulously publicly disclosing the personal information of their clients and their family members under the pretext of “calling out” loan defaulters. In many instances, these actions have gone unchecked, as affected individuals often overlook the violations, likely due to a lack of awareness about their privacy rights.
As we commemorate another Data Privacy Day, it is crucial for stakeholders, governments, and experts to intensify efforts to raise awareness about data privacy. Regularly published opinions, periodic resolutions by state and federal legislatures, and ongoing recommendations for improving the current legislative framework are essential steps toward this goal. In this new digital world, privacy regulations transcend their role as mere legal instruments; they represent a societal commitment to safeguarding individual autonomy and building trust in the digital age.
As Nigerians increasingly engage with technology, understanding and asserting their privacy rights becomes ever more critical. By enhancing existing legal frameworks and fostering widespread awareness, the privacy sector can cultivate a culture of accountability and innovation. This will not only ensure compliance but also pave the way for a secure and equitable digital future for all. After all, the more we know, the better equipped we are to protect our rights.
Join BusinessDay whatsapp Channel, to stay up to date
Open In Whatsapp
