• Wednesday, May 08, 2024
BusinessDay

Digital Rights and freedom bill 2016: Hope for better protection of online rights?

In the world today, digital platforms and access influence most aspects of our lives and work. From policy making and decision making that enjoy feedback from social media, to business decisions made based on research conducted with the help of digital tools, to personal choices made by individuals because of information obtained from their social network, and even to the work of civil society actors that benefit from the huge reach and visibility that digital platforms provide, digital platforms have proved to be extremely useful, and the right to enjoy such freedoms that exist offline should also be available online.

With an Internet penetration rate of 46%, Nigeria has the largest number of Internet users in Africa, and the 7th largest in the world. The need for a law that governs, protects, administers and enforces digital human rights is telling because, as technology continues to shape and disrupt the current global landscape, certain measures and standards must be put in place to ensure the sanctity of each and every citizen’s rights, more particularly online rights relating to digital freedom.

A little over a year ago the Digital Rights and Freedom Bill (HB. 490) passed the second reading in the Nigerian House of Representatives. The Bill's long title is “An Act to provide for the protection of human rights, to protect internet users in Nigeria from infringement of the fundamental freedoms and to guarantee application of human rights for users of digital platforms and/or digital media and for related matters”.

“Human Rights” has been defined as the “inalienable rights of people”. They are the legal entitlements which every citizen should enjoy without fear of interference from the government or other fellow citizens. Therefore, it can be inferred that the rights citizens enjoy as being inalienable in their physical lives must also be protected online.

The fundamental rights and freedoms codified in the Digital Rights and Freedom bill include data privacy; right to anonymity; protection from surveillance and lawful interception; freedom of opinion, expression, information, assembly and association online; protection from phishing, etc.

It is not the intention to criticise a proposed legislation that is still in its embryonic phase. Rather it is an attempt to highlight the potential legal loopholes of the proposed legislation that has the capacity and capability to affect every citizen of a nation. The digital rights of citizens must be safeguarded with the populace being made aware of some of the surrounding issues with a view to adopting a forward thinking perspective.

The first issue to be addressed is the ambiguity and utilisation of many undefined terms in the Bill. There is the use of a plethora of words and phrases which have no concrete definition and create an unhelpful situation of guessing and assumptions. Examples of such terms include the use of “personal data” and “private data” interchangeably in various sections of the proposed legislation with no attempts to define them. Words such as “responsible party” require a more robust and comprehensive definition so as to cover current and future events under the Bill. There are also certain peculiar uncertainties such as the section on penalties and administration of the proposed law. While it is true that ambiguity has its benefits, it is inadvisable for a Bill of such significance to be riddled with peculiar uncertainties which can in turn affect the fundamental freedoms of citizens.

The second issue is the strict liability placed upon Service Providers in Section 8 (3) (C1386). The term “Service Providers” is undefined by the proposed bill which has added a tone of ambiguity to the section. Due to the absence of a working definition or interpretation, “Service Providers” would include but not be limited to Internet Service Providers, Data Storage Service Providers, Social Media Service Providers and a host of others. Here, the Proposed Bill mandates that Service Providers shall strictly protect the privacy rights of owners against violation by third parties and by the Service Providers themselves or through their agents. It goes further to prescribe compensation to be paid by such Providers although the extent of damage would be determined by the Court of Law.

The duty to ensure strict protection of the privacy rights of the data owners is somewhat impossible given that there is only so much protection that Service Providers can provide in view of hackers and other mishaps of the digital world. In view of this, strict liability and consequent compensation may be unjust. It may be unwise for the Bill to start on such a negative and potentially destabilizing front wherein Service Providers always bear the brunt for any breach whether directly connected to them or not. The wording of this section of the Bill does not take certain necessary elements of business and economics into consideration.

Liability for a breach of private data should be limited such that, where a Service Provider has put in place reasonable security measures (to be predetermined) to prevent a breach or hack, there should be no strict liability against the Service Provider in the event of a data breach.

Another issue is that of consent. Section 11(2) (C1390) prescribes that the use of personal data shall be in accordance with consent, purpose and reasonableness. This section is beset with ambiguity, particularly on the issue of reasonableness. Reasonableness is relative and susceptible to manipulative interpretation in this context. There is no benchmark or standard as to what will be considered appropriate for a so-called reasonable person. In more developed climes such as the European Union, which has in place the EU General Data Protection Regulation 2017 (“GDPR”), consent must be freely given, specific, informed and unambiguous. The GDPR is a regulation created by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all individuals within the European Union (EU) and individuals interacting with entities in the EU. The GDPR becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.

A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. The data controller is required to be able to demonstrate that consent was given. Although the Bill provides for the withdrawal of consent and the procedures for effecting such withdrawal, the scope of withdrawal covers just use, collection, processing and dissemination of such data between data processors, controllers and Service Providers.

It may also be necessary for “the Right to be Forgotten”, also known as Data Erasure, to be inserted into the Bill. This right entitles the data subject to have the data controller/processor erase his/her personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. The conditions for erasure should include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. The right should also prescribe a requirement that controllers should compare the subjects’ rights to the public interest in the availability of the data when considering such requests.

Another lacuna in the Bill is the absence of any provision that addresses the obligations of Data Controllers, Processors and Service Providers on the issue of data breach and the required notification. The GDPR makes such notification mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data Processors are required to notify their customers, the data controllers, “without undue delay” after first becoming aware of a data breach.

The equivalent of such a provision is absent from the Bill and it is envisaged that it will be to the detriment of the citizenry whose data would be the subject matter of such a breach. This lacuna could result in the loss and abuse of personal and private information, which has spiralling effects on individuals. A good example of the effects of such a lacuna would be the Equifax Data Breach of 2017, where the breached company did not disclose the breach for up to a month after the breach occurred, thereby putting 147.7 million people in danger of online attacks and financial mishap. Another example is the recent Yahoo Data breach.

With regard to penalties for offences in the Bill, these may need to be reconsidered as they do appear to be quite harsh and may need restructuring at the committee stage.

There also appears to be a prohibition on direct marketing by Service Providers in the Bill (Part II – Section 11(19) (C1395)). The entire provision of the above section totally defeats the purpose of marketing, which in turn will affect the growth of a burgeoning area of the Nigerian economy, the mobile money market. Such a prohibition can stunt economic growth and stagnate the cash flow of businesses, both large and small scale enterprises. It is suggested that marketing and advertising should be allowed unless and until the owner of the personal information opts not to receive such marketing notifications. Under the GDPR 2017, there is a provision to the effect that where personal data is processed for direct marketing, the data subject will have the right to object. This right will have to be explicitly brought to their attention.

Therefore, it may be prudent to restructure such provision to read thus “The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication including but not limited to automated calling machines, facsimile machines, SMSs or e-mail is permitted unless the data subject has expressly notified the organization of its withdrawal, permission or consent.”

The Proposed Bill indicates that the National Human Rights Commission (“NHRC”) will be the administrative agency in consultation with other relevant government agencies. While it would seem that the phrase “in consultation with other relevant government agencies” is riddled with ambiguity and uncertainty, it is perhaps more pertinent to note that the NHRC may not be competent enough to be saddled with the responsibility of administration and enforcement of the proposed law. Although the National Information Technology Development Agency might seem like a better fit for such a task, it might be more expedient for a separate entity or body to be created to administer and enforce the Bill. This is the case in the European Union, where there are Data Protection Agencies in member states who monitor and enforce data protection procedures and breaches.

Given recent discussions describing data as the new oil, the role of data in the disruption and advancement of the world economy is immense and cannot be underestimated. Therefore, it would be in the interest of any forward thinking nation and economy to create a flexible and creative framework of laws and regulations that would adequately cater for the protection of the data rights of citizens and corporations alike.

Another useful suggestion for inclusion in the Proposed Bill would be the privacy by design concept, which is a legal requirement under the GDPR 2017. This concept calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. The data controller should be required to implement appropriate technical and organisational measures in order to protect the rights of data subjects. Data controllers should be allowed to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting the access to personal data.

There should also be a right of access for data subjects, whereby subjects can obtain confirmation as to whether or not their personal data is being processed, where and for what purpose. This would also result in data portability, which involves the right of a data subject to receive his/her personal data which they have previously provided in a commonly used and machine readable format and to transmit that data to another controller.

The proposed legislation also addresses the issue of hate speech and clearly defines what could be termed hate speech; however, the Bill has not prescribed any punishment for the use of hate speech. This development is clearly self-defeating, as hate speech is prohibited and, being a crime, should have punitive sanctions in place where individuals breach same.

The Bill also fails to specifically address the emerging scourge of online social harassment and manipulation such as revenge porn, non-consensual distribution of intimate images and other related acts. The Bill must seek to protect the digital lives of individuals that may be maliciously embarrassed by acts of online social harassment and manipulation. Punitive measures should also be put in place for individuals or bodies involved in the active distribution of such media items aimed at making individuals social victims and outcasts within the society.

The suggestions stated above are not entirely exhaustive but can be used as a starting point to effect the proper change to the structure of the Digital Rights and Freedom Bill. The future of the global market economy will be dictated by those who deal, trade or process data on an expansive scale, and it should be the goal of a progressive nation and legislature to provide an adequate platform for the protection of the data rights of all its citizens and the world at large.

The Article was written by Niyi Duale and Deji Sarumi of Duale, Ovia & Alex-Adedipe. The Firm won the 2017 Media and Entertainment award at the ESQ Nigerian Legal Awards.