4 min read
Summary: Data has become extremely valuable in recent times. A lot of companies sell and exchange user data to push targeted advertisements to people. This raises serious privacy and security issues. What happens if a person’s data is involved in a data breach? The person is then left vulnerable to identity theft, extortion, defamation of character, and a myriad of other problems. The Federal government, in a bid to address some of these problems, introduced the National Data Protection Regulation (NDPR) in 2019. The NDPR contains rules concerning data protection, privacy and governance. Organisations have to do everything they can to comply with the NDPR to avoid sanctions and fines, and more importantly, the damage, loss, or theft of data.
Amidst ongoing cyberattacks resulting in personal data leakages, the most recent involving international public figures, conversations around data protection measures continue to be on the top burner.
The technology (tech) industry relies heavily on data to sustain innovation and meet the needs of end users. The endless potential of data is one of the promises of tech, and the realisation of this fact has encouraged the development of highly sophisticated data analytics technology.
However, if the Cambridge Analytica episode taught any lessons, it is that data can be breached with attendant devastating consequences. This is even more true for tech companies operating in the financial services sector. When in 2017, Equifax, Inc suffered a data breach, financial information and personal data of approximately 147 million people was leaked, resulting in widespread identity theft and credit card compromise, and the potential for similar occurrences is huge. Data is collected from end users, analysed, and in some cases, exchanged.
In many instances, data is exchanged for the purposes of facilitating digital targeted advertising. Some tech companies share user data with advertisers who utilise information such as profiled behavioural traits, personal preferences, and in some cases, location for the purposes of directing targeted advertisements (ads).
Fintech companies in particular store a vast amount of data on customer financial habits and spending patterns which may be exploited to expose users to very specific products. Targeted ads raise serious privacy issues, and in the event user data is collected, stored and shared without compliance with extant regulations, serious legal consequences would naturally follow especially where a breach has occurred.
The Nigerian Data Protection Regulation
The Nigerian Data Protection Regulation (NDPR or Regulations) is anchored on the key principle of data privacy. Under the NDPR, data may only be collected and processed with the consent of the data subject.
The purpose for which the data is being processed must be consented to by the data subject except it is in the public interest, or for historical or scientific purposes. In the context of targeted advertising, this implies that companies in possession of customer/user data must obtain prior consent of the data subject before collecting the data, and cannot share the same with advertisers or any other person without the consent of the customer.
Where personal information is shared in breach of these provisions it amounts to a breach of the NDPR, and a violation of privacy rights which may expose the company to regulatory sanctions and legal liability. Even when consent has been duly sought, the NDPR mandates that if data is to be shared with a third party, a Third Party Data Processing Contract (TPC) must be executed.
The TPC would usually contain protective and confidentiality clauses, and would state the purpose for which the data is to be processed in specific terms. The challenge faced by most technology companies are the very rigid provisions of the NDPR and the increased cost of compliance.
However, it is essential that companies, especially fintech companies comply religiously with these provisions to avoid legal liability that may threaten their operations. Legal counsel may be sought to ensure compliance.
Protection of User Data
The NDPR mandates that all means by which user data is collected must be expressly stated in the company’s data policy, and companies must develop competent security measures to prevent data breach. Also, data controllers are required by the Regulations to conduct a periodic audit of their data collection and processing processes, and send the audit reports to the National Information Technology Development Agency (NITDA).
It is observed that there is a problem of compliance with the NDPR among Nigerian companies. In December 2019, the NITDA issued notice of non-compliance with the provisions of the NDPR to about 100 companies, some of which were in the sensitive Fintech sector.
Recall that some years back, the Advertising Practitioners Council of Nigeria (APCON) promulgated the Regulations on Code of Advertising Practice, Sales, Promotions and Other Rights and Restriction on Practice which is made applicable to internet advertisement. Like the NDPR, the Code also places emphasis on privacy rights by Article 11 which provides that the right of individuals to privacy shall be respected. These provisions consolidate on Section 37 of the 1999 Constitution which guarantees as a human right, the “privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications”.
Need for Increased Compliance
While the level of compliance with the NDPR may have improved since December, 2019 as many companies have begun to put in place mechanisms to ensure compliance with increased awareness, the fact is that the vast majority of companies still remain non-compliant. This is evident in the fact that since January 2020, Nigeria has recorded some avoidable high profile data breaches.
Companies must also be able to determine for themselves if they qualify as Data Controllers or Data Administrators/Processors. This distinction is important as a Data Controller is responsible for obtaining the consent of the Data Subject devoid of force, deceit or misrepresentation. The Data Controller is principally liable under the NDPR for any data breach by the Data Processor. It is for this reason that the importance of the Third-Party Processing Contract cannot be overemphasised. Startup companies whose operations involve collection and processing of customers’ personal data should also consider incorporating these measures early on.
Today, companies must be circumspect, exercise caution and be deliberate about whom they share customer information with. In a bid to expand and develop business operations, many companies are known to contract advertising agencies and data analysts with whom they share sensitive user information.
As the preceding paragraphs show, great care must be taken to ensure compliance with the NDPR when sharing such information in order to avoid business-crippling legal liability and regulatory sanctions.
• Organisations involved in the processing and storing valuable data should learn about the NDPR.
• Organisations should consider seeking support from legal practitioners to help them understand, and comply with, the NDPR.
• Organisations that process and store large amounts of data should appoint Data Protection Officers as mandated by the NDPR.
• Organisations have to put good security measures in place to protect the data they collect.
• Organisations that share data with third parties, such as advertising companies, must prepare a Third Party Processing contract which should contain confidentiality clauses and descriptions on how the data is to be used.
About the Author:
– Aderemi Fagbemi – Aderemi is a Partner with Tope Adebayo LLP with almost two decades of experience in the legal profession. She is well versed in corporate and commercial transactions with particular expertise in energy law and policy, mining, tech & digital law, corporate and commercial law with particular interest in startup legal advisory, project finance and infrastructure projects.
– Peter Okoyomoh – Peter Okoyomoh is a Legal Practitioner and research enthusiast whose interests span across Environmental, Labour and Intellectual Property law. His experience in advocacy and legal research was developed through experience in the cities of Enugu, Ibadan and most recently Lagos.
Keywords: Data, Privacy, Advertising, Protection, NDPR