Hey there!

Welcome to another edition of Privacy Notes!

Recently, many members of the Nigerian Bar Association (NBA) have complained about receiving unsolicited text messages emails, and phone calls from aspirants for various leadership positions within the NBA. As we draw into the season of election campaigns building up to the 2023 General elections in Nigeria, we will be discussing some practices common with the election period in Nigeria, and implications they may have on Data protection.

Incase you missed our previous edition, we discussed the “Principle of Data Minimisation”. You can read it here .

Anyone conversant with election campaigns in Nigeria, starting from the level of tertiary institutions to the grand stage at the national level, vying for different political positions would be no stranger to incessant and often, unsolicited calls and text messages requesting the Data Subjects (we would be referring to them as ‘Users’) to support a particular candidate. Many of our readers can probably relate to the frustration and irritation this causes them, and many have questioned the legality of these unsolicited communications and made the common remark of “how did you get this number?!”

Under the Nigeria Data Protection Regulation (NDPR), which seeks to protect our right to privacy, Personal Data must only be collected for specific and lawful purposes, consented to by the Data Subject. This means that an organisation which has Personal Data such as our phone numbers and email addresses must inform us of the specific purpose(s) for which they require that we provide our Data, and they shall only process the Data for such agreed purpose(s). Thus, sending unsolicited phone calls, emails and text messages may be a breach of our rights to privacy under the NDPR and other Data protection laws applicable in Nigeria. So, back to our case study; where a user’s phone number or email address is being used for campaign purposes for which he/she has not given consent, and especially where the Data Controller has no overriding legal basis to do same, the Data Controller would be liable for the breach and could be subject to a fine and/or damages as may be granted by a competent court of law.

However, cases have shown that the breach may have resulted from the actions of a third party who is not the Data Controller but who had access to the Data being processed by the Data Controller. In this case, the Data Controller may still be held liable for failing to adequately protect the Personal Data of users in its possession. One of the Principles of Data Protection under the NDPR is the principle of Security[1] which provides that Personal Data must be processed in a manner as to guarantee its security, confidentiality, integrity and accessibility[2]. The NDPR further provides that anyone entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject owes a duty of care to the said Data Subject and anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his acts and omissions in respect of data processing, and in accordance with the principles contained under the NDPR[3]. For example, NITDA found LIRS culpable for a Data breach which occurred on its website exposing the details of several taxpayers. Although this breach was caused by a third-party service provider, LIRS was fined a total of 1 million Naira as a result[4].

What are your options as a user who has been receiving unsolicited messages and calls? As a user, if you feel that there has been a breach of your Personal Data, you have a right to report such breach to the National Information technology Development Agency, (NITDA) viainfo@nitda.gov.ng .  Furthermore, The Nigerian Communication Commission, in line with its perspective on Personal Data and Privacy of users[5] took the proactive step of implementing a Do not Disturb Code (DND), which allows users to choose not to receive unsolicited text messages in form of advertisements and the likes. As at 2022, the total number of users on the DND stood at approximately 22,722,366[6].

[1] Article 2.1 (d) NDPR

[2] Article 2.1 (d) NDPR

[3] Article 2.1 (2) & (3) NDPR

[4] https://techeconomy.ng/2020/10/nitda-fines-lirs-n1million-for-alleged-breach-of-data-protection-regulation/

[5] www.ncc.gov.ng/accessible/documents/721-regulators-perspective-on-personal-data-and-privacy-of-users/file

[6] https://techeconomy.ng/2020/08/nccs-do-not-disturb-code-subscribers-surpass-2-7-million/

Leave a Reply

Your email address will not be published. Required fields are marked *