Data offers direction. The Nigerian government’s determination to make sure everyone counts through the implementation of national identity number (NIN) is a policy decision in the right direction.
To be sure, data-driven policy decisions have created real transformations in the economy, infrastructure turnaround and provision of meaningful social services
Undoubtedly, precision is important in modern governance. So also is protection of citizens’ data from falling into the hands of those who could exploit it.
Like every adult Nigerian, I went to get my NIN a few years ago. In registering, no one asked me if I understood the reason for taking my biometric data or informed me of my data rights. Surprisingly, there were no terms and conditions for this data collection or storage.
I had no option but to submit to this exercise because without my NIN, I could not open or operate a bank account, make phone calls, or go through passport renewal. That would put a stop to my upwardly mobile lifestyle.
But this thought of my NIN data rights has led me to the question of: what is my government doing to protect my data rights?
In the past few years, the Nigerian government has proposed and enacted several interesting digital space laws. Of course, – after the civil protests organised by the EndSARS movement, there was an evident rise of what one could define as oppressive measures against citizens.
For example, from banning twitter to blocking crypto accounts, the Nigerian government promptly took actions, in the digital space, against anything considered unflattering. And with the government’s quick response to ‘digital harms,’ one could safely assume that the Nigerian authorities should also be able to act fast in protecting citizens’ digital and data rights. So, is enough being done?
With an internet penetration of close to half the population (46.6%), internet usage continues to be on the rise in the country and that has positioned Nigeria as one of the leading nations in technological penetration and integration in Africa. By 2023 it is projected that Nigeria’s internet penetration will grow to 131.7 million users. This means that, now more than ever, the Nigerian government needs to take steps to ensure their citizens and businesses are properly protected.
Writing for Scientific Research Inc. (SCRIP), Abiodun Odusote who’s identified as having affiliation to the University of Lagos explains that in 2019, the Nigerian Data Protection Regulation (NDPR) was passed as a part of the National Information Technology Agency (NITDA) Act. The law was a strong step in the right direction for Nigeria. While there had been previous laws that sort of addressed data privacy, no clear law outlined the protections for data privacy. The law encompassed everything left out in previous protection laws such as clear definitions of terms necessary to enact protection and data usage. The law also largely provided protections for Nigerian citizens within the nation and abroad.
But despite being more robust than previous legislation, few flaws weakened the potential efficacy of the NDPR. The NDPR chose to define data as “characters, symbols, and binary which operations are performed by a computer…”
Interestingly, Luminate Group, a global organisation that supports active engagement of citizens in governance estimates that three-quarters of Nigerian web traffic is generated through smartphones. This means that data storage could also be occurring through mobile and, with such a limiting definition, the NDPR fails to protect non-computer-based data.
Secondly, the NDPR also limited the definition of data protection to individuals and not businesses thereby raising the question of legal recourse for businesses’ data breach.
Thirdly, the bill resulting in the NITDA Act did not establish an independent agency that deals with data protection. Such shortcomings and others, of which the Nigerian government was aware, led to the drafting of, – the Data Protection Bill of 2020.
However, in 2021 the government decided to abandon the bill and sought international funding to hire another team of consultants to draft a new bill. Coincidentally, while the data protection bill seemed to need ‘more’ attention, the Social Media Bill and the Hate Speech Bill progressed through a first reading within the House of Representatives and the Senate.
Here’s the rub: the Protection from Internet Falsehood and Manipulation Bill (Social Media Bill), presented in 2019, would restrict social media posts that are “likely to be prejudicial to national security” and “those which may diminish public confidence” in the Nigerian government. The Human Rights Watch has enunciated that in a report.
Again, unlike the NDPR, the Social Media bill outlines clear punishments for people at fault, including fines and/or jail terms.
Also, the National Commission for the Prohibition of Hate Speech Bill (Hate Speech Bill) was introduced again in 2019 with a concerning provision that vaguely prohibits abusive, threatening, and insulting behavior which could be left wide open for interpretation, according to Amnesty International.
Although, NDPR was a start, it didn’t answer all the current issues of data rights. Clearly, data rights protection regulation cannot be administered by a body that is under a government agency. The agency needs to be independent to allow it to be unbiased in exploring cases of infringement from the government.
The issue of awareness through public education also needs to be addressed. While I can sit at home and research my data rights when signing up for services; not every Nigerian is so privileged. From literacy to language barriers, the Nigerian government needs to educate the public to ensure that when someone answers yes to questions bordering on terms and conditions,” they do and correctly. This can be done through provision of resources that can encourage local civic organisations, academics in data rights, and legal advocates to take up the campaigns.
Stakeholder training is another essential aspect that needs to be implemented. NITDA offers services that allow stakeholders to be adequately trained and even has provisions under the NDPR that ensure entities keeping data have a Data Protection Officer. Despite this, enough is not being done to train relevant stakeholders handling the data of Nigerians. As seen in my personal experience, stakeholders do not know how to help citizens understand their data protection rights. The Nigerian government has demonstrated its efficiency insofar as stopping criticism and dissension; it can also act promptly on citizens’ digital space rights. The act of governance is wholesale.
For my rights, the question is wetin my government go do for me?
- Oyinlola is of Georgetown University, Washington DC.