Data Privacy and Data Protection; Hullabaloo or No?
Introduction
With the emergence of Big Data came the popularity of the ‘behind the scenes’ modus operandi of data privacy and data protection. As individuals, business owners, and governments, it seems we have enough stress and worries as it is without adding another layer of ‘what we need to be aware of’. What then is all the recent fuss about data privacy and protection? Hence the question: ‘Hullabaloo or No?’
Background
Fortunately and unfortunately, it has become expedient to pay attention to data privacy and data protection. Why? There are two major events I’d like us to take cognizance of.
The first incident happened in 2014, when a young man by the name of Max Schrems filed a complaint against Facebook with the Irish Data Protection Commission (“DPC”), requesting the DPC to investigate and suspend the transfer of his personal data from Facebook Ireland to Facebook Inc. USA. He explained that the data could be accessed by U.S. intelligence authorities, and that this would be a violation of his data protection rights under European Union (“EU”) law. The DPC described the complaint as “frivolous and vexatious” at the time, and many echoed the same sentiment. Schrems consequently took the matter to the Irish High Court with the DPC as the defendant (Schrems v Data Protection Commissioner, also known as Schrems I).
The case was thereafter moved to the Court of Justice of the European Union (“CJEU”), where Facebook showed that they had a legal basis for the processing and transfer of the data under the 15-year-old transatlantic U.S.-EU Safe Harbor Framework/agreement (“Safe Harbor”). The CJEU invalidated the Safe Harbor, which Facebook had seemingly relied on. This was a massive landmark decision which sent ripples through Europe and the rest of the privacy world. In simple terms, Facebook and any other organization (“Data Controllers or Processors”) dealing with the data of Europeans (“Data Subjects”) could no longer send data (personal information of Europeans) from Europe to ‘any other country’ outside the EU, including onward transfers, without certain specific requirements being met. Requirements such as:
(i) Ensuring there is a focus on the individual rights of data subjects. For instance, ensuring:
a. that all the rights of the data subjects under the General Data Protection Regulation (“GDPR”) are met. This entails ensuring that the consent of the data subjects is obtained;
b. that data subjects are aware and informed of who would and could have access to their data (i.e. inclusive of eventual third parties); and
c. what their data would and could be used for (especially in the case of onward transfer of data), amongst other rights.
(ii) Ensuring adherence to new restrictions on access to such data by Government authorities and other third parties (onward transfers). This would ensure the data stays safe even during transfers;
(iii) Ensuring the categorization of countries is used and followed. The categorization is based on a comparison of the GDPR with the data protection laws in the transferee country, ensuring they are of a competent or equal level.
This would apply to all organizations dealing with the data of Europeans anywhere in the world. After Safe Harbor was invalidated, the Privacy Shield came to be. This new framework was more stringent, with specific requirements that needed to be implemented and agreed upon prior to the transfer of data. The Privacy Shield was also invalidated after Schrems II, and we currently have Transfer Impact Assessments (Standard Contractual Clauses (‘SCCs’) or Binding Corporate Rules (‘BCRs’)) in its place.
The second incident to note was the Facebook Cambridge Analytica scandal, where a whistleblower named Christopher Wylie came out with a tell-all in 2018 explaining how Cambridge Analytica (a political consultancy firm in the UK) had obtained more than 85 million profiles from Facebook as a third party. Cambridge Analytica had allegedly proceeded to use the data received (which included Facebook messages, profiles, status updates, likes, and so on) to create a psychological profile for each user. These profiles were detailed, having been built from data on each user’s likes, patterns, preferences, and so on (essentially creating a digital clone). Cambridge Analytica consequently created psychological tools to suit each user, which could inadvertently influence them in specific and designed ways towards the 2016 presidential elections (where Donald Trump emerged as President). The discovery caused an outrage amongst users, regulators, and policy makers alike. Mark Zuckerberg had to be called to testify before Congress regarding the entire scandal. Facebook apologized for the data harvesting drama, but in 2019 the Federal Trade Commission (“FTC”) announced a whopping $5 billion fine levied on Facebook for the privacy violation of its consent regulation. Even the FTC described the fine as record breaking. The FTC also imposed new restrictions on Facebook to ensure more accountability on an ongoing basis.
These incidents, amongst others, ended up showing the world that:
(i) data could actually be a ‘weapon of misuse’ by unscrupulous parties;
(ii) data controllers many times collect more information than is necessary from data subjects;
(iii) most people need to be aware of their rights as data subjects/owners;
(iv) most do not have any idea what their information is actually being used for and ‘need to’;
(v) data controllers/processors need to be held accountable for data obtained from data subjects;
(vi) data controllers/processors should no longer be allowed to hide behind nonspecific, vague, or all-purpose ways of obtaining data (for instance, organizations deceitfully hiding the details of consent in the very fine print of notices, terms, and policies, knowing most people would not read the fine print);
(vii) new regulations and policies need to be enacted, implemented, and updated on an ongoing basis; and
(viii) new or existing regulatory agencies need to be more aware, informed, and equipped to implement new and existing regulations.
Consequently, the above shows the importance of data privacy and data protection to our very existence, considering the impact data could have where mismanaged or manipulated.
It is also important to note that there is data privacy and there is data protection. What’s the difference? Forbes has an awesome article on the differentiation between the two. The difference, basically, is that data privacy addresses the need to control and manage access to data (for example: who has access to my data, why, and what for?), while data protection addresses the necessary tools and techniques to restrict and secure such data against loss, corruption, or compromise (for instance, using tools such as ‘a network monitoring device’, ‘data discovery and inventory’, ‘anonymization and pseudonymization of data’, or ‘encrypting data’, and so on). Data protection and data privacy are used interchangeably every now and then; it is however important to note the difference.
A Constitutional or Fundamental Right?
This then raises the question: is data privacy a constitutional or fundamental right? That is another article in itself. The EU currently has the most robust privacy laws. Under the EU Treaties and in the EU Charter of Fundamental Rights, the right to data privacy is stated and clear. Other EU legislation echoes this as well, and there are several instances of case law available to support this.
In the US the right is not specifically mentioned in the constitution; however, it has been entrenched under the U.S. Federal Trade Commission (“FTC”) and State legislation like the California Consumer Privacy Act (“CCPA”); the supplementary California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act (“CDPA”); the Colorado Privacy Act (“CPA”); and a number of State and Federal legislation in view. Case law on the subject matter is also quite extensive, interpreting the right to privacy as including information/data privacy.
In India, the right to privacy is a fundamental right under Article 21 of the Constitution of India, which states: “No person shall be deprived of his life or personal liberty except according to a procedure established by law”. In addition to Article 21, the Part III rights under the same constitution were considered. This position was opined by the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India, where a literal interpretation of the law was employed.
So we have generally seen the weight of some regulations thrown behind the right to data privacy and data protection.
Nigerian perspective:
In Nigeria, which is my jurisdiction, section 37 of the Constitution of the Federal Republic of Nigeria 1999 as amended (“1999 Constitution”) states that “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”. The Constitution is not specific, neither did it define privacy, but we can infer from the wording that ‘the general right to protect one’s territory, communications, and correspondence’ is intended (literally just like the Indian Constitution). Inference, nonetheless, has no place under Nigerian law. Other Nigerian Federal laws and regulations have gone ahead to entrench privacy in some way; for instance, The Cybercrimes Act 2015, The Child’s Right Act 2003, The Nigeria Data Protection Regulation (NDPR) 2019, the Freedom of Information (FOI) Act 2011, and the Nigerian Communications Commission (NCC) Code of Practice regulation 2007, just to mention a few.
We have case law establishing rights to privacy of communication. For instance, in Emerging Market Telecommunication Services v. Barr Godfrey Nya Eneye (2018) LPELR-4619, Mr Eneye sued Etisalat (Emerging Market Services) for sharing his telephone number with third party organizations who, in return, started forwarding unsolicited text messages to him. This, he claimed, was in violation of section 37 of the 1999 Constitution. The Federal High Court awarded him damages of N8,000,000.00 (Eight Million Naira). However, the specificity (of the term “data privacy”) is yet to be fully ‘backed’ by case law in Nigeria as being a constitutional or fundamental right. In the case of Incorporated Trustees of Digital Rights Lawyers Initiative and L.T Solutions & Multimedia Limited [Suit No. AB/83/2020], it was held at the Ogun State High Court that the right to privacy under the 1999 Constitution extends to the protection of the personal data of citizens. On the other hand, in Incorporated Trustees of Laws and Rights Awareness Initiative and The National Identity Management Commission [Suit No. FHC/AB/CS/79/2020], the Federal High Court held that a breach of personal data of a citizen does not necessarily fall under the rights available under the 1999 Constitution. This does not help to resolve the discussion on where the rights lie. There is hope that pending litigation before the courts will eventually lead to ‘definite’ and ‘landmark’ decisions in the area of Data Privacy and Protection in Nigeria. There is also the argument that the breach of the rights of data subjects should be enforced strictly under The Nigerian Information Technology Development Agency Act (“NITDA Act”), which has elements of a criminal matter due to the heavy fines imposed, as opposed to a strictly civil matter. We evidently still have some way to go.
Conclusion
In conclusion… No! It’s no hullabaloo. We all need to pay attention to data privacy and its protection. It is somewhat entrenched in our fundamental/constitutional rights as ‘people of the world’, albeit lacking a little case law gusto in Nigeria. For organizations, data privacy and protection regulations need to be adhered to, as not doing so will begin to affect the bottom line of your organization. We also need to educate many more about these rights, and how to protect them (from other people, organizations, and even sometimes from the Government). The EU, amongst other countries, has realized the potency of data, and the need to control and secure it appropriately. With this in mind, Governments and regulators have the greatest duty to provide a robust ecosystem of education, laws/regulation, and enforcement to protect their citizenry. In other words, themselves!
Disclaimer: This article is not intended to provide legal or financial advice. All information, content, and materials available on this site are for general informational purposes only. Areas discussed are also constantly changing with new regulations, laws, cases and so on; consequently, do ensure you conduct your own personal research before using information herein.


