AANOIP presents Webinar on EU-GDPR and Data Privacy at ISOC Nigeria’s SGM
The African Academic Network, in collaboration with the Internet Society (ISOC) Nigeria Chapter, presented a webinar to ISOC NG Chapter members on the Importance of the GDPR, Current Trends and how it affects the African Digital Landscape on the 23rd of May, 2018. The session was moderated by Mrs. Bukola Oronti, who is a member of the Network.
The purpose of the webinar was to sensitize the wider membership of the Internet Society in Nigeria on data privacy issues. This furthers the outreach objectives of the African Academic Network to recruit more academics to the network.
The Project Manager (Caleb Ogundele) introduced the African Academic Network on Internet Policy as an academic think tank on internet policy that carries out research on how its application can improve the African digital economy. He noted that there is also interdisciplinary scholarly engagement and discussion on the state of the internet and the regulatory framework in Africa. He further encouraged academics within the ISOC community to join the network in furthering the cause of making the Internet safe and resilient for everyone.
The webinar presenter from the AANOIP Project Office, Adenike Ajuwon (Google Policy Fellow), opened by informing the participants about the previous seminar series / colloquium on Data Policy and Privacy in Nigeria hosted by the Network in December, 2017.
Adenike began the presentation by explaining what personal data means. In her words, “Personal Data means any information relating to an identified or identifiable natural person known as the data subject”. This could mean anything from your name, address, account number, phone number, driver’s license number, home ownership, marital status, bank records, medical history, etc.
The presentation also noted that in Nigeria the constitution is the highest law in the country, and Section 37 of the 1999 Constitution states that “The PRIVACY of citizens, their homes, correspondence, telephone conversations and telegraphic communications are guaranteed and protected”. An identifiable person is one who can be recognized, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
The case study of the Facebook and Cambridge Analytica data breach and unlawful use was discussed, and internet users were encouraged to be concerned about privacy and about what data is shared with data collectors.
The 8 principles of data protection were then explained. Personal data should be:
i. fair and lawful,
ii. adequate to needs,
iii. specific for its purpose (an example was given about how INEC Nigeria transferred citizens’ personal information obtained from the 2015 elections to a third party, voters.ng, and how Paradigm Initiative, using the Freedom of Information Act, requested an explanation as to why voters’ information was transferred to a third party without citizens being informed),
iv. accurate and up to date,
v. not kept longer than needed,
vi. handled taking into account people’s rights,
vii. kept safe and secure,
viii. not transferred internationally without adequate protection.
The General Data Protection Regulation (GDPR) is likely the most comprehensive data protection law in the world. This law took the European Union 4-5 years to figure out, with over 30,000 inputs from multiple stakeholders. The law, which would be activated from 25th May 2018, strongly emphasizes protecting the data of an EU citizen bound by the GDPR. It provides that when there is a data breach, the European Union Data Protection Body has to be notified within 72 hours. Additionally, the organization must have a data breach protection mechanism and policy in place.
Key data protection requirements for GDPR compliance include Article 15, Article 17, Article 20, Articles 25 & 32, Articles 33 & 34, Article 35 and Article 37. Article 83 outlines the penalties for GDPR non-compliance, which go as high as 20 million Euros. She further spoke about how companies can prepare for GDPR, which includes hiring a data protection officer, creating a data protection plan, conducting a risk assessment to identify EU citizen data and where it is at risk, implementing security measures to mitigate risk and comply with GDPR requirements, and assessing on a regular basis for continuous improvement. The GDPR makes it clear that EU citizens own their data and can decide how their data is used.
She further spoke about the personal data protection ecosystem actors (data subjects, data controllers, data processors, third parties), the personal data protection ecosystem in Nigeria, and how to protect your data online, which includes: backing up your data, always using anti-malware, setting your system to update applications automatically, turning off your computer when not in use, password-protecting your hotspot/internet device, not storing passwords on your phone/laptop, switching off the internet when not in use, always disabling Bluetooth when not in use, locking your phone, reading privacy settings, being wary of phishing, and being mindful of the apps you install.
Finally, the Nigerian context of data protection was examined, and it was noted that there is a need for Nigeria to have a data protection law, as there is no specific provision to protect Nigerians: the current constitution does not adequately encapsulate data protection of citizens specifically as a stand-alone provision, without strict rules of engagement.
Some of the policy recommendations made emphasized that the use of personal data must be in accordance with the purpose for which it was collected and that the consent of the individual must be obtained prior to collecting his/her personal data. Further recommendations were to enact a data protection act with principles consistent with those contained in the African Union Convention on Data Protection and/or the EU’s GDPR, to enact child online privacy protection provisions into the Child’s Right Act, and to amend the National Identification Management Commission Act to contain robust data protection principles and expand the powers of NIMC to function as a data protection authority.