MR. PRESIDENT AND THE NATIONAL ASSEMBLY: Data Protection for Nigerians First

Recently, the Nigerian President, Dr. Goodluck Jonathan, launched a new national e-ID card at the Presidential Villa, Abuja. Powered by MasterCard, it is a multipurpose card that doubles as a national identification card and an automated teller machine (ATM) card useful for making deposits and withdrawals. The card will also be used for identification and electronic signatures. For the first phase of the project, an estimated thirteen million Nigerians will be issued the card while the second phase is to target one hundred million Nigerians. It bears the MasterCard logo at the back and also has an expiry date: five years.

With the launching of the card, arguments for and against it are ongoing. Some on one side have argued that the logo of MasterCard on the national ID card questions the sovereignty and pride of Nigeria. They further argue that partnering with an American firm, MasterCard, to acquire biometric data of present and future Nigerians, in an age that has seen intense data surveillance by the National Security Agency (NSA) of the United States of America, could spell doom for Nigeria’s territorial integrity, as well as compromise our security as a people and a nation in the near future – they say it could end up like the historical Esau and Jacob story. On the other hand, the proponents of the card argue that a Nigerian ID card is of no value outside Nigeria unless it is authenticated by an internationally reputable establishment like MasterCard. On this, rather than ‘comment my reserve’, I would reserve my comments, because my question to Mr. President and the National Assembly would be based largely on legal considerations (and less on socio-economic juxtapositions).

Firstly, why would the “President of Nigeria” and the National Assembly happily (as was obvious at the launch) authorize the handover of biometric data of millions of citizens to a “foreign private firm”, without first engineering the existence of a very detailed and structured legal framework (rules, policies, and laws) that addresses issues of Data Protection and Privacy? Remember how oil rights were given to Shell in the early 1900s at the expense of Nigeria’s interest. The same problem of poor regulatory framework haunted the Power Sector, until the Electricity Power Sector Reform Act 2005 and the Nigerian Electricity Regulatory Commission (NERC) surfaced. In the words of the NERC Chairman, Dr. Sam Amadi, “… failure in the electricity industry in Nigeria is, at heart, a failure of law. Law is the principal instrument of social development”.

Secondly, (for the National Assembly) how would a country like Nigeria not have data protection and privacy laws, in an age where Information and Communication Technology and human rights are quick to clash?

Thirdly, in the course of brokering the deal with MasterCard, did the Nigerian Government do a thorough data and privacy due diligence? Did those involved get technical expertise to review the privacy policy of MasterCard and its host country, and see where it conflicts with Nigeria’s interest? If Nigeria’s ‘data experts’ such as Engineer Titi Omo Ettu, Franklin Akinsuyi, Gbenga Sesan (and the likes of these three) were not in that team, I doubt there was any ‘due diligence’ team.

However, before I underscore the importance of the above questions, as well as issues on data and privacy protection laws, a few issues would be addressed. Firstly, out of the over one hundred countries with National Identity Cards (fourteen of them with non-compulsory national cards, such as Switzerland and the United States), not a single one has ever partnered with any local or foreign organization to produce National Identity cards (with the company’s logo on their cards). So, Mr. President, why Nigeria? We may argue it is the first of its kind, but we should also not be quick to forget that Malaysia has an integrated national e-Identity Card (ID+ATM) done by Malaysia (without foreign interference), for Malaysians.

Now, on the matter of the need for comprehensive Data and Privacy Protection laws, it is important to state that data and privacy laws exist to strike a balance between the rights of individuals to privacy and the ability of organizations to use data for the purposes of their personal business. Many countries have taken proactive measures to protect the fundamental human rights of their citizens in this age. For example, Zimbabwe has a comprehensive Access to Information and Protection of Privacy Act, Singapore has a Personal Data Protection Act, the UK has a Data Protection Act 1998 coupled with other laws within the UK and the European Union protecting data and privacy, and Ireland has its Data Protection (Amendment) Act 2003. When would Nigeria get hers? Is there a body that ensures that MasterCard or any other holder of data on such a national scale uses it properly? What actions would be taken if data protection and privacy are breached? These are key issues that should have been considered within a regulatory (and legal) framework. In fact, aside from the traditional roles of the Nigerian Communications Commission (NCC), one wonders what regulatory (and legal) framework enforces a check on Nigeria’s telecommunication companies with regard to data and privacy. These days unsubscribed text messages about unsolicited lotteries from the network providers bombard one's phone, even at midnight. If we have not gotten data and privacy right on a local scale, I wonder what it would be with MasterCard.

Well, it is obvious that with this deal between Nigeria and MasterCard, all the present and future generations of data go to the American payment platform. Therefore, with no explicit and elaborate Nigerian data and privacy laws, the implication is that Nigeria is left to the mercy of the available data and privacy laws in the United States, the headquarters of MasterCard. Would that be sufficient to protect Nigerians? To date, the US has no single data protection law comparable to the EU's Data Protection Directive. Privacy legislation in the United States tends to be adopted on an ad hoc basis, with different laws arising when certain sectors and circumstances require. Examples of these laws in the United States include the 1974 US Privacy Act, the 1986 US Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act.

It is trite knowledge that the 1999 Constitution of Nigeria guarantees the right to privacy of Nigerian citizens. Therefore, I strongly advocate that this fundamental human right be given a more explicit and elaborate expression and zeal of implementation by the National Assembly and the office of the President. I further advise that there should be up to four independent and co-existing pieces of legislation (with great consideration for the provisions of The Freedom of Information Act) on data and privacy issues, which should include:

  1. Data Protection Legislation,
  2. Computer Misuse Legislation,
  3. Information Security Legislation, and
  4. Lawful Interception Legislation.

Timi Olagunju LL.B (Ibadan), B.L, CSc (Amsterdam), is a member of the International Association of IT Lawyers; a member of Telecommunication Standardization Sector (ITU-T) and is accredited by WIPO (World Intellectual Property Organization). He can be reached at [email protected].
#datalawsnigeria

Also published on: www.saharareporters.com/2014/09/02/mr-president-and-national-assembly-data-protection-nigerians-first

And on: https://www.yourcommonwealth.org/2014/09/19/data-protection-for-nigerians-must-be-first-priority

Timi Olagunju

Lawyer || Tech Policy - GR || AI/Blockchain || Digital Transformation

10y

Many thanks, Moss Uromtah for your validation of key points! And Uwaya Fidelis for your thoughts. Firstly, Uwaya Fidelis, it must be stated that (reading carefully) in no single text (in the above writeup) was any mention made of giving a Nigerian firm the project.... Secondly, how can any Government bank on an assumption (the lowest form of knowledge) that MasterCard would protect Nigerians' data? The need for privacy and data laws is not about the integrity of MasterCard here, it is about ensuring that when there is a conflict of interest between the privacy/data of any Nigerian and commercial interest of MasterCard, the former will prevail over the latter. Lastly, you asked an important question, whether there is any data privacy in the world.... Truly, I agree with you, there is no data privacy in the world! And that is why laws are made to ensure that your rights and mine are preserved and enforceable. For example, laws made it possible for the Electronic Privacy Information Center and fourteen other consumer protection groups to lodge a formal complaint against Facebook with the Federal Trade Commission some years back. I would further add that the kind of data collected by Facebook and Google is not the same here.... With biometric data collection (emphasis on 'biometric'), your human characteristics and traits would be collected, examples include (but are not limited to) fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odour/scent, gait, and voice. I doubt Facebook and Google have gathered half of these - this card will. The MasterCard National ID Card can also be used to accurately identify individuals in groups that are under surveillance. The card is a welcome development, only that we should have regulatory (legal framework) around data and privacy. And that is what I stand for! And I plead that you and I make our voices heard! #datalawsnigeria

Moss Uromtah

Business and Tech Builder in Africa

10y

Barrister Timi, you have spoken vividly to even a layman. I am very shocked at the way some of the policies are brought to the fore with no thorough familiarity of the 'impact' and democratic process. Data is a veritable tool for our national development as it becomes even necessary in a world where data is wealth. But when would Nigeria learn from history? Why would a national firm or institution not be part of this process to understand the tech and maintain integrity for posterity if we really have a future? Nigeria is a sold out nation if there is no data or cyber law to curb the ebb of assault on e-usage. Let Nigeria learn to consult the gods (the right custodian of knowledge).

uwaya fidelis

MD\CEO at WattsHour Engineering Limited

10y

Good talk barrister, I like your judgement, very logical, but your insisting on giving a Nigerian firm such security sensitive project I may not agree for now. The card involves both our identity info and cash info. Take a look at the whole banks and payment systems organisation in Nigeria, they all rest in partnership on the shoulders of either an American, Indian firm or European firm, to wit - MasterCard, Visacard and the likes. I think they know these firms have integrity with data, even when I do not disagree with you they still need some fine tuning of our data privacy. But come to think of it, with the likes of Google, Facebook and its likes, do you really think there is any data privacy in the world? You had better think again.
