BIOMETRIC TECHNOLOGY IN NIGERIA: EXAMINING DATA PRIVACY CONCERNS

By : SAMUEL C. UZOIGWE (ESQ.)

Abstract

The proliferation of technology in the 21st century was pervaded by an astounding intrusion of technology in the everyday activities of humans, as evident in artificial intelligence, the Internet of Things, mobile communication, and biometric technology, among a litany of others.

One of the most prevalent technologies in our modern world is the biometrics systems. As a result, it has become a very integral part of doing business and living in modern-day African society. Ranging from simple commercial transactions between individuals or private legal entities to personal use of smart devices, government surveillance and security measures, and civil rights activities like elections, to mention a few. The application of biometric technology in Nigeria has yielded benefits, but as common with other parts of the democratic world, it has raised concerns about data privacy and protection. This article aims to examine biometric data processing in Nigeria, its privacy issues, and existing rules governing data privacy and protection in Nigeria. It also aims to make recommendations for addressing privacy problems by examining how other regimes, particularly the European Union, operate.

Introduction

To have a robust comprehension of the concept of biometrics, it is important to understand the meaning of biometrics, biometric data, and biometric technology.

One of the most comprehensive definitions of biometrics was expressed by Woodward, Orlans, and Higgins, wherein they defined biometrics as      “any automatically measurable, robust and distinctive physical characteristic or personal trait that can be used to identify an individual or verify the claimed identity of an individual”.[1] Biometrics makes it possible for a particular individual to be identified through a verifiable data set unique to them and thus, is their identity. Examples include, but are not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor/scent.[2] The United States National Technology and Science Council Sub-committee on biometrics, defined biometrics in terms of technical application, as an enabling technology that makes possible: tracking criminal histories, and solving crime, protecting wide-ranging border areas, screening individuals in high volume transportation conduit, and protecting automated consumer transactions.[3]

Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.[4] In other words, when biometrics undergo specific technical processing using technical devices, such that its result creates a database that allows or confirms the unique identity of a natural person, such result becomes biometric data. Biometric data can be used to identify, authenticate, and verify a person’s identity in civil transaction, and has become a prominent feature of law enforcement activities such as the verification of the identity of criminals, suspects, victims of crime, etc well as tracking individuals of interest.

Biometric technologies generally refer to the use of technology to identify a person based on some aspect of their biology.[5] However, automated biometric systems have only become available over the last few decades due to significant advances in the field of computer processing.[6]

The use of biometric applications can be categorised into four broad areas. The first application category controls access to data, such as logging into a device, PC, or network. The second application category controls access to tangible materials or areas, such as buildings or physical access control. The third application category validates a claimed identity against an existing credential, such as in a border control environment. Finally, the fourth application is to register or identify individuals for social purposes such as elections and national identity purposes.[7]

Governments all over the world experiment with the idea of biometric systems on various levels, and sophistication. The deployment of biometrics systems has been pitched as the solution to incivility, and better general lifestyle convenience such as faster voting procedures and healthcare.

Beyond the scope of the already identified uses of biometrics above, biometric technology is increasingly used for an array of public administration purposes ranging from identity registration to border control and administering and managing access to civic rights such as voting.[8] For example, at the United States Department of Homeland Security, biometrics are used to detect and prevent illegal entry into the United States, grant and administer proper immigration benefits, vetting and credentialing, facilitate legitimate travel and trade, enforce federal laws, and enable verification for visa applications to the United States.[9] Biometric technology is also deployed to manage and enhance social rights such as health care and education. These technologies are also being used for security purposes, including tackling national security threats, conducting law enforcement activities, and as a general means of carrying out mass surveillance which has been kicked against vehemently as being intrusive to people’s right to privacy in democratic settings.

All the activities above that stem from the use of biometric technology have to be regulated to ensure they do not violate the right to privacy, and related rights of natural persons, such as freedom of expression, association, and movement. However, due to the sophisticated nature of technological activities, Regulation and monitoring of biometrics have already proven to be a challenge for countries where data protection and other safeguards are in place. Consequently, there are increasing concerns regarding the situation in the developing world, where the deployment of sophisticated biometric technology is increasingly popular, and legal safeguards to protect the right to privacy and data security are lacking or threadbare and inadequate.

Application of Biometrics in Nigeria

Nigeria is one of the African countries at the forefront of implementing biometric systems across the board, ranging from private to government sectors. The introduction of biometric identification in Nigeria primarily tackled different kinds of fraud that existed due to poor identity management system.[10] Prior to this period, the inadequate identity management system in the country made it easy for individuals to manipulate the system using fake individual profiles for different purposes. The Nigerian government needed a proper identity system for its citizens which would enhance access to social services and also aid in curbing crime.

There was the plague of numerous fictitious bank accounts; inactive bank accounts raided by unscrupulous bank employees, forged passports and driving licences, diversion of shareholders’ dividends by fraudsters etc. At the fore of the attempt to curb these vices was the employment of biometric technology by the Federal Government of Nigeria. Combating fraud was not the only motivation for the employment of biometric technology. Ease of access to social services, and enhanced citizens’ security were other reasons. The Federal Road Service Commission adopted the “Bypass Capture feature” in 2019 for ease of renewal of drivers licence, but this was only accessible if one’s biometric information had been captured by the Commission.[11]

The Nigeria Immigration Service also adopted biometric technology for better border security, among others.[12]

The Bank Verification Number was one of the first biometric measures introduced by the Central Bank of Nigeria (CBN), and it was launched in February 2014.[13] It involves the registration of customers in the financial system using biometric technology. This is done by recording and storing a customer’s unique physical traits such as fingerprints and facial features. This recorded data is then deployed to correctly identify the customer afterwards for several transactions. Once a person’s biometrics has been properly captured, the person is issued a Bank Verification Number or BVN.[14] Without the BVN, it will be impossible to open and operate a personal bank account in Nigeria.

The Nigerian Stock Exchange introduced the Central Security Clearing System with biometric security for shareholders[15]. In addition, the Nigerian Immigration Service, and Federal Road Safety Commission introduced biometric systems to curb the forgery of passports and driver’s licences.[16]

Before the BVN mandate, Nigeria’s Communication Commission in April 2010, issued a regulation that mandated all telecommunications network providers, to register all SIM cards, and this required issuing every mobile telephone number a biometric profile to enable tracking of criminals, and their activities.[17] Failure to register your mobile telephone number would result in an inability to operate such mobile telephone numbers anywhere in Nigeria. In 2017, Nigeria’s Immigration Services, started issuing biometric visa, the first in Africa, designed to effectively block many people that would not need to enter the country.[18]

Further, on the issue of identity verification, the National Identity Management Commission (NIMC), operates and regulates matters of national identity in Nigeria with services covering National Identification Number (NIN) enrolment and issuance, National e-ID card issuance, identity verification as well as data harmonisation and authentication.[19]

The National Identification Number (NIN) is a set of numbers assigned to an individual upon successful enrolment into the National Identity Database (NIDB).[20] Every Nigerian citizen and legal resident must enrol for the NIN, and this requires the collection and processing of citizens’ biometric information by the NIMC. The NIMC licensed over twenty (20) private entities to provide NIMC services in Nigeria and abroad.[21]

The NIN can be used to access a wide range of services, from Government Social Services like obtaining loans, Voters Card Registration, Issuance and renewal of International Passport, to Bank Account Opening and Reactivations. Most recently, the Joint Admissions and Matriculation Board (JAMB), saddled with admission examination and placement into tertiary institutions in Nigeria, made possession of the National Identification Number (NIN) a precondition for candidates who wish to register for its examination in 2021. This requirement was introduced to checkmate examination malpractices.[22]

In December 2020, The Federal Government of Nigeria mandated all Nigerians to link their National Identification Numbers (NINs) to their SIM cards or risk losing the ability to own and operate the numbers assigned to such SIM cards.[23] Recall that biometric information was captured prior to the issuance of a NIN, and the same process was required for the registration of SIM cards by SIM card owners. Without the option to refuse, Nigerian citizens were compelled to supply biometric information to mobile telecommunication companies to be consolidated with biometric data in the users’ profiles. This created the case of one citizen having multiple biometric data profiles in the custody of both private and government institutions.

The Nigerian private sector’s involvement in the use of biometric technology is also apparent. Some of these private sector services are those offered by Online Integrated Solutions. Online Integrated Solutions (OIS) is a licensed private specialist visa application agency that provides online passport, visa processing and technical support services for Governments.[24] However, identity authentication services popularly known as “Know Your Customer”, remains the most involved the private sector is per biometric technology in Nigeria. It entails verifying that a person is actually who the claim to be.

In 2013, the CBN issued a circular on January 18, requiring all Nigerian banks to maintain a level of Know Your Customer (KYC) due diligence for all of their customers.[25] The term “know your customer” is used to extract basic and sensitive information about customers especially their source of income, it may also be used for other non-banking sector.[26] The KYC policy obliged all banks and financial institutions to develop rules and structures that would allow them to collect and preserve basic information about their customers before forming a relationship or opening an account with them. Sequel to the above, several private companies engage in KYC services, accessing millions of digital data of persons to verify their identity for banks, real estate, human capital and E-commerce industries etc. Such service providers are VerifyMe[27] (a verification platform that enables seamless, real-time identity (ID) verifications), and Carbon.[28] These entities collect personal information, and verify one’s identity against existing biometric databases which were not processed by them.

The above pattern identified in applying biometric technology in Nigeria strongly suggests that government and private entities, understand that in the current information age, the importance of having a reliable personal recognition system cannot be overstated. The main objective of biometric authentication systems is to verify that a user is who he claims to be. The traditional knowledge-based and token-based methods do not really provide adequate personal recognition, because they rely on surrogate representations of a person’s identity such as identity cards that could easily be manipulated or forged. As earlier reflected, the major application of biometric technology in Nigeria is for identification and authentication across many industries.  The industries covered ranges from financial and banking services aimed at extending coverage and access to financial inclusion groups to social cash and in-kind transfers, public service administration and reform, health initiatives, and electoral management.

The above seeming widespread adoption of biometric technology in Nigeria is not a certain indication of its magnitude of success in resolving the issues it set out to tackle. Some flaws inherent in the use of biometric technology were no more highlighted than in 2015 during the general elections. The then-president, Dr Goodluck Jonathan, could not be accredited, as verification of his Permanent Voter Card failed, as it was rejected by the Smart Card Reader (SCR) at his polling unit.[29]Nigeria had adopted the Automated Fingerprint Identification System in 2011.[30]Every Nigerian voter received a permanent voter’s card after biometric registration, which stores biometric information such as fingerprints and facial images.

Flowing from the above, every Nigerian citizen or resident’s personal biometric data is expected to be processed or stored in various databases, o risk losing access to various crucial activities in the process. This highlights the issue of the data privacy and protection of Nigerian data subjects’ biometric data and places it firmly at the fore of the deployment of biometric technology, especially considering access concerns raised by the number of entities that are provided with access to these biometric data.

Privacy issues with the use of Biometric Technology in Nigeria

Rapid advancements in electronic data processing and the introduction of mainframe computers enabled governments and large corporations to establish large data banks to improve and expand the gathering, processing, and exchange of personal data. This comes at a great cost to individuals’ privacy and has raised concerns about whether private life can truly remain private. There are significant privacy concerns regarding the appropriate protection of citizens’ rights and apprehension by privacy enthusiasts and proponents that personal data collected by private and public organisations may not be managed carefully and sensibly. Biometric data application in Nigeria falls squarely within this discourse. It pertains to very private, highly distinctive information about individuals, especially in light of the dramatic increase in its collection, use, storage, and sharing, by private and government entities.

Privacy issues are at the heart of the ethical issues of biometrics.[31] It is a fundamental human right, and in today’s digital world, it is the cornerstone that safeguards who we are and supports our ongoing struggle to maintain autonomy and self-determination in the face of increasing state power.[32] The right to privacy is upheld by an array of global and regional international human rights treaties and guaranteed under the 1999 constitution of Nigeria.

Undoubtedly, beyond Nigeria, a biometric revolution has been a major subject of concern as the technology is both delicate and intrusive, in the sense that it touches the very essence of a living person, juxtaposed with breakthroughs in harnessing the best of biometrics.

As highlighted earlier, the privacy risks associated with biometric data systems are numerous, ranging from identity theft made possible by hacking biometric databases by unauthorised parties and subsequent data breaches to fraud and social sorting. This has serious implications for individuals’ privacy, security and data protection rights. Once biometric data is compromised, one may no longer have control over it.[33]

There also lies the function creeps [34] problem, mass surveillance and tracking. These are not issues that can be dismissed lightly or taken for granted.

Concerns about access to biometric data emerge when the data controller allows access to multiple governments or private entities for a variety of reasons, such as third-party verification or security activities by security services. The purpose for which biometric data is collected may not be the only purpose for which it is used, and data subjects may be unaware of all of its actual uses, as well as the extent to which such data is shared and transferred among corporate bodies, making their lives and concerns less private than ideal. Purported consent to data collection and processing by data subjects, whether express or implied, may be called into doubt due to the nature of the consent, such as insufficient information leading to consent or severe repercussions for refusing consent.

Data Protection Regime for Biometrics in Nigeria

Nigeria has an array of regulations that deal with the Regulation of the personal information of its citizens. They could best be described as a patchwork of Regulations, as they serve different purposes for various industries or their obligations. Few shall thus be highlighted cursorily, while the Nigerian Data Protection Regulation, the most comprehensive and encompassing, shall focus more on it.

The 1999 Constitution of the Federal Republic of Nigeria (as amended) is the most superior legislation in Nigeria and is the grundnorm for all privacy rights in Nigeria. Section 37 of the 1999 Constitution enshrines the inalienable privacy rights thus: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” It is based on this provision that all other privacy rights are structured in Nigeria.

The National Communications Commission (NCC) has a Registration of Telephone Subscribers Regulation 2011, which is the regulatory framework for managing and storing the data of subscribers in Nigeria in Mobile Telephone companies. It regulates the management of a licensee’s “Central Database”-(the subscribers information database), containing all subscribers’ biometric and other registration information.[35] A Licensee is a provider of Mobile Telephone Services that utilises a subscription Medium in the Federal Republic of Nigeria. The Regulations guarantees the subscriber’s right to privacy, access, and data protection of the subscribers’ biometric information.[36] However, access to subscriber biometric information is also granted to security agencies without a court order, subject to any act of the National Assembly.[37]

Curiously, The Central Database is made the property of the Government of the Federal Republic of Nigeria[38], and its management is placed under the control of the NCC.[39] Presently, there is a draft Registration of Telephone Subscribers Regulations 2021[40], but it still maintains the above core mandates.

The Cybercrimes (Prohibition, Prevention, etc,.) Act 2015 deals with cybercrimes, cyber terrorism, and internet-related fraud. The Act mandates service providers and persons in possession of personal data to safeguard such information[41] and further criminalises unlawful data breaches in general.[42]

Biometric databases created in the National identity Management Commission’s (NIMC) NIN issuance mandate are regulated by the NIMC Act 2007. Section 26(1) of the NIMC Act bars access by individuals, or corporate bodies to data or information contained in the NIMC database concerning a registered individual, without the Commission’s authorisation. Ironically, the Commission is empowered to provide third party access to individuals’ stored information without their consent in the interest of national security, prevention or detection of crime or any other purpose specified by the Commission in a regulation. It is pertinent to note that the governing body of the NIMC is made up of representatives of 14 other government agencies[43] or bodies, which could imply inter-agency sharing of citizen’s biometric information.

The Nigeria Data Protection Regulation (NDPR) was enacted in January 2019. It applies to the processing of personal of natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.[44] The NDPR is Nigeria’s contemporary sector specific Regulation on data protection.

The NDPR: The GDPR and other Data Protection Regimes in Perspective

When evaluating the NDPR’s relevance in terms of biometric data protection in Nigeria, several concerns are highlighted by global standards. This is informed by the disparity between the NDPR’s provisions regulating biometric information processing when juxtaposed with the EU GDPR, the most comprehensive data privacy and protection regulation in the world, and other obtainable global practices.

The NDPR is still seen as a partial instrument, as NITDA’s core mandate is the expansion of a “regulated” digital market,[45] and the agency depends fully on the minister of communications. “It’s a fair starting point, but now we need a comprehensive Data Protection Act and an independent monitoring authority,’’ said Ridwan Oloyede, a privacy expert at Nigerian consultancy firm Tech Hive, and this is a statement that bears great significance in our current clime.[46]The Nigeria Data Protection Regulation (NDPR) 2019 does not define biometrics or biometric data.  Biometric components which are “physical, genetic, and psychological”, and which form the crux of one’s biometric information, were however classified as personal data by the Regulations.[47]

The Nigeria Data Protection Regulation (NDPR) defined sensitive personal data to the exclusion of biometric data.[48]This is worrying considering the nature of biometric data, and the large scale of biometric data processing ongoing in the country as earlier pointed out. The EU GDPR beyond classifying biometric data as special category of data restricted the processing of biometric data to the circumstances provided in the GPPR such as explicit consent or public interest.[49] The NDPR lacks such Regulation and treats biometric data just like all other personal data even though it is sensitive while not all other forms of personal data are sensitive.

The NDPR does not create any special safeguards to be employed in the use of biometric data. It only provides that data controllers/processor owe a “duty of care”, without any measurable element for accountability.[50] While the NDPR does not expressly provide for data protection impact assessment (DPIA) prior to biometric data processing, NITDA’s Implementation Framework Draft adopted in November 2020, cited DPIA as an obligation of data controllers.[51] The dilemma with the above scenario in nutshell, becomes evident in terms of whether data controllers can be liable for failure to carry out a DPIA, since its express requirement is only required under the Implementation framework which is not a law in Nigeria with powers of enforceability. . In contrast, under the GDPR, DPIA was designated as a specific requirement for processing special categories of data on a large scale, one of which is biometric data.[52]

The processing of the biometric information of every Nigerian citizen, the most populous black nation in the world in the instances earlier highlighted, could not be more definitive of large scale biometric processing which by GDPR standards, requires a DPIA before processing, as a matter of law.

Another indicator of the NDPR’s inadequacy in protecting data subjects from the privacy risks associated with processing biometric data is found in Regulation 3.1(7)(l). The aforementioned Regulation provides that a data subject shall be informed of automated decision making including profiling, but the term profiling, was not defined or mentioned anywhere else in the Regulation. This right is synonymous with the GDPR’s principle of fair and transparent processing. Therefore, it is strange that while the NDPR creates a right, an interpretation of that right will require reference to a regulation created for other countries, and in this case, the GDPR. Article 4(4) of the GDPR defined profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Unique data, generated from the biometric characteristics of humans, may be used by security agencies or third parties to track and profile people across their lives.[53] The possibility of profiling and tracking citizens using sophisticated biometric technology in Nigeria raises concerns as biometric data processing is poorly regulated and can lead to a blatant disregard and invasion of the rights of biometric data subjects in Nigeria.

The privacy risks involved profiling using biometric systems was magnified when the majority of the members of the European Parliament voted to place very strong safeguards against the use of sophisticated technology to profile and track individuals by security agencies.[54] Parliamentarians clamoured for an outright ban of such high powered biometric systems that enable automated biometric mass surveillance either by private persons or government agencies save for when one is suspected to have committed a crime.[55] The lack of any tough regulations against profiling using biometric systems in Nigeria creates an enabling atmosphere for the abuse of citizens’ privacy rights through possible exploitation of their biometric information.

The data protection by design or default obligation, which is one of the most important data protection obligation, is absent in the NDPR. This obligation is the brainchild of the GDPR. A community interpretation of Articles 24(1), (2) and 25(1) of the GDPR 2018 reveals the huge significance placed by the European Union on the implementation of technical and organisational safeguards by data controllers at the time of determining the means of processing data (system design), as well as during the time of processing data.

Considering the sensitive and delicate nature of biometric information, it would be fair to argue that the highest possible global standards of data protection obligations should be imposed around its processing in Nigeria to guarantee its security and mitigate possible exposure. The privacy by design and default obligation for biometric data processing has its value in this regard.

In highlighting the importance of this obligation, Lee A. Bygrave[56] observed as follows; “Bearing the title ‘data protection by design and by default, Article 25 (of the GDPR) requires that core data protection principles be integrated into the design and development of systems for processing personal data.”[57] Privacy by Design applies not just to the design of software or hardware; it extends to business strategies and other organisational practices as well. It is a principle that must be incorporated into networked data systems and technologies, by default to ensure that personal data are automatically protected. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.[58] The NDPR data security provision states that “anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.”

The obligations required for biometric data processing in Nigeria are estimable. They serve as a good foundation and one on which better data protection obligations for biometric data processing should be built. It stills falls short of a risk-based approach and fails to provide for a “robust” privacy security measures for biometric data processing as in the GDPR.[59]

The consequence for biometric data processing in Nigeria is that good but lesser data protection standards apply. Systems necessary for biometric data processing ought to have privacy by design and default as compulsory features.

Another data protection regime worth highlighting is the World Bank endorsed “principles which focuses on “official” identification systems provided by, on behalf of, or recognized by governments,[60] which in this case concerns the biometric identity system recognized and adopted by the Nigerian government. The principles have three (3) pillars; Inclusion, Design and Governance, on which principles for securing the privacy rights of citizens in a digital identity system are built.

The Inclusion pillar summarily implores identification systems to be designed in ways that ensure ease of access, and extinction of barriers that may stop citizens from exercising their rights to oversight and control of their biometric information logged within these identity systems. The Design pillar in a nutshell mandates that design, policies, and technol­ogy used by identification systems should comply with global norms for data protection. Some of these global norms include data minimization and proportionality, purpose specification and data protection by design and default among others some of which the NDPR obligates. This pillar particularly highlights biometric data processing as one for special oversight and regulation. Finally, the Governance pillar mandates the regulation of digital identity systems through very strong and comprehensive legislation that genuinely provides data subjects with data privacy rights, and makes data controllers and processors truly accountable through proper independent institutional oversight.

In light of all the above, the NDPR become more evident,  when juxtaposed with globally obtainable biometric data processing obligations calls for concern as it would appear that biometric data processing has not been given deserved attention in the framework. Considering the sensitive nature of biometric data, these concerns cannot be glossed over as the processing of biometric data using sophisticated biometric technology in Nigeria has come to stay and will most likely metamorphose. The increased use of biometric processing technologies presents real problems of fraud, misuse and abuse of data subjects’ privacy rights if not adequately regulated in line with global best practices. Privacy rights are fundamental in Nigeria, and in the face of increasing technological advancements, this right becomes core in helping citizens maintain their autonomy in the face of increasing access to the core components of their person through biometric technology.

Recommendations

A logical conclusion of the state of Nigeria’s biometric data protection regime is that while progress is being made, it cannot be said to be substantial yet against the backdrop of advancing global data protection regimes. This insufficiency is further heightened by the proliferation of more sophisticated biometric technologies, algorithms and activities.

Biometric data processing in Nigeria has exploded, posing serious data protection and security concerns. Among the dangers are massive data retention of data, access control, especially where multiple agencies have access[61], vulnerability to cyber-attack, mass surveillance, function creep, data identity theft and fraud, and uninformed consent obtained from data subjects before prior to their biometric data processing. In addition, biometric technologies create major data protection and security risks when used without strong legal frameworks properly protecting biometric data subjects, and regulatory oversight since their application might be widened to promote discrimination, profiling, and mass surveillance.

The NDPR is laudable, as, for the first time in Nigeria, there is a specific regulation of personal data processing, but it appears inadequate for calming nerves and addressing serious privacy issues surrounding the use of technology to harness and process the biometric information of Nigerians. Below are non-exhaustive recommendations which will help boost data privacy practices and standards in Nigeria if applied to the existing institutional framework as pertain to biometric data processing.

Creation of an Independent Regulatory Agency

The Federal Government on February 4, 2022 created the Nigeria Data Protection Bureau (NDPB)[62] to focus on data protection and privacy for the country by the request of the Minister of Communication and Digital Economy, Prof. Isa Pantami. The Bureau is still in infancy stages and the extent of its brief is yet to be clearly identified. It is important that the agency receives full independent and specialized statutory flavour to focus solely on monitoring and enforcing data protection obligations by data controllers subject to Nigerian Data Protection Laws.

Data Protection by Design and Default

Biometric data protection regulation in Nigeria, should have express and solid data protection by design and default obligations for data controllers and processors, to ensure that data controllers, administrators, or processors incorporate data privacy as part of the design concept of a biometric system, and by default, highlighted also as organisational and administrative policies before data processing commences. This would help guarantee biometric data privacy and security and ensure that function creep is eliminated considering the extremely sensitive nature of biometric data and its potential for weaponization. This will also ensure against unauthorised or unlawful processing and against loss, destruction or damage, using appropriate technical and organisational measures. Biometric data of Nigerians needs to be characterised by default as being a feature and information of sensitive character automatically placing it in a class of data that requires special care as early as during organisational policy making for biometric data processing, system design and procurement.

Data Protection Impact Assessment

The importance of data protection impact assessment similar to the provisions contained in the EU GDPR, cannot be overstated. Considering the sensitive nature of biometric data, and the large amount of biometric data being processed in Nigeria, it is of utmost importance and in line with current global best practices that an extensive data protection impact assessment provision be included in a new data protection law to govern biometric data processing in Nigeria, which will make it enforceable as opposed to only being cited in NITDA’s implementation framework as a guide for compliance with the NDPR. This will ensure that data controllers and processors carry out obligatory and comprehensive data protection impact assessments to identify, evaluate and minimise possible data protection risks before commencing large scale biometric data processing in Nigeria.

Biometric Data Access by Security Agencies

Security agencies’ access to the biometric data of data subjects as permitted by other regulations needs to be curtailed unless necessary to safeguard national security. It is imperative that sensitive personal information like biometric data should be accessed with court orders or warrants to avoid an abuse of power and mass indiscriminate tracking and surveillance of citizens through their biometric data. It is more worrisome considering that security agencies by themselves may not necessarily have sophisticated technology to prevent data breach of such biometric information by criminal elements, after access by such security agencies. It is also imperative that access in such circumstances be restricted to only high clearance level officers on a need to know basis. Provisions should also be made for the deletion of such biometric data from the database of such security agencies after a certain period. Access at this level should be greeted with organizational and technical safeguards to regulate such information sharing restricting access to such biometric data collected by security agencies on a need to know basis, with adequate security measures to curtail data breach. A new Data Protection Act should have guidelines in place in line with international best practices, on biometric data access to ensure that proper ethical checks and balances are in place with respect to security agencies’ access to sensitive biometric data of Nigerians.

All the pivotal principles for data protection existent in the GDPR such as lawfulness, fairness and transparency, purpose limitation, data minimisation, data accuracy, storage limitation, and integrity and confidentiality should be in place. Profiling of Nigerian citizens using biometric technology should be specifically regulated to comply with global standards.

Technological advancements are always welcome, but they should not be at the expense of the privacy of the people who the technology is supposed to serve, and any limitations to the rights of Nigerians to their biometric data privacy should be reasonable. This particular issue of access is a discuss/topic which still requires extensive research, and consultation by stakeholders, policy makers and the general public, so as to create a balance between regulating individual’s privacy rights, and national security at large.

Data Privacy Awareness Creation

The need for an increased concerted awareness creation and enlightenment of the public about their personal information privacy rights by Rights Groups, various non-governmental stakeholders, and NITDA (for the time being) cannot equally be overstated. This need goes beyond data subjects’ biometric data privacy but extends to all other data privacy rights. When Individuals are not given important information, they are harmed because they lose their ability to assert their rights, to respond to issues involving their data, or to make meaningful decisions regarding the use of their date. Increased awareness will ensure that citizens know the extent of their rights, and have proper knowledge of mechanisms for redress in the event of default by data controllers and processors. Such knowledge will also enable an efficient enforcement of data privacy and protection laws by oversight agencies, as breaches shall be brought to the knowledge of regulatory agencies at a higher rate by data subjects. While this will not be a statutory obligation for data controllers and processors, as it will be unfair to place the burden of educating tens of millions of Nigerians on data privacy on them, it is necessary for the data protection regulatory agency to champion this cause. This is in line with the World Bank’s endorsed principles for national digital identity systems. Private stakeholders in the data protection field of their own volition can undertake same as some form of social responsibility.

Need for a speedy passing of a comprehensive Data Protection Act

A new Data Protection Law must be speedily enacted so as not to keep playing catch-up to technological advancements. It is noteworthy that the Nigerian National Assembly had a comprehensive Data Protection Bill (DPB) 2020 before it, which if passed into law, will replace the NDPR. The DPB by Section 7 creates the office of a Data Protection Commission to oversee implementation and compliance of the law. There were reports however in major news outlets that the Federal Government had abandoned the DPB in favour of drafting a new one, which left experts confounded by the news.[63] It was also reported that the Federal Government was seeking a new consultant to provide legal advice to the Government in order to help implement a new framework on the subject matter.[64]

This notwithstanding, the DPB 2020 laudably classified biometric data as sensitive data[65] with restrictions on its processing.[66] The Bill omitted extensive data protection impact assessment of any sorts for data controllers and processors. Section 30(1)(e) of the DPB provided for impact examination of intended data processing. This however did not possess same intensity or force of language, as data processing impact assessment provisions contained in the GDPR. The data privacy by default and design is also not featured in the DPB. As earlier recommended, it is an important obligation to be imposed on data controllers for the processing of biometric data in Nigeria.

However, as any bill is yet to be fully debated, or passed into law, reference cannot be alluded to the DPB or any other bill as an existing or extant law, and as such, it has no bearing whatsoever on what constitutes the legal regime for the processing of biometric data in Nigeria. Several provisions of the bill as it stands, may not survive legislative debates, might be altered, or deleted before the bill comes into law, if and when it does. The DPB merely offers an insight to what may possibly constitute the legal privacy and protection regime for biometric data processing, and general data privacy and protection in the future. This may be a long time ahead considering the bureaucratic and statutory bottlenecks, interests, and red tapes involved in passing laws in democratic societies. An example of the above is the difficulty and hurdles encountered in passing the Petroleum Industry Bill (PIB), which was signed into law on 16th August 20210[67]after over 10 years.[68]. Similarly, on 10th March 2020, the Companies and Allied Matters Act (Repeal and Re-enactment) Bill, 2020 (“the CAMA Bill”) was passed into law after years in the waiting. Taking the aforementioned into consideration, any draft Data Protection Bill, might not be passed into law anytime soon, and until then, the NDPR  remains the only sector specific Regulation on biometric data  protection in Nigeria.

 

Conclusion

That “the world’s most valuable resource is no longer oil, but data” is a saying that has gained traction over the past few years.[69] This highlights the importance of data in today’s technology-driven society. It is a vital resource for the information economy’s operation. By this, the need for data collection, processing, storage, and distribution has spiralled, and thus data has become extremely valuable. In this light, the collection and processing of biometric information of data subjects will only increase and get more sophisticated.

In Nigeria, biometric data processing using biometric technology has been around for a while, and the need for a comprehensive data protection law to properly regulate it cannot be overemphasised. Considering the evolvement of data privacy regimes in similar, and advanced jurisdictions, and their respective reciprocity regulations for cross-border data transfer, it is without peradventure that a speedy enactment of a comprehensive data protection law in Nigeria to enhance the existing regulatory framework is overdue. This approach would go a long way toward protecting all Nigerians’ biometric data privacy rights, among others in local and cross-border transactions involving the processing of their biometric data by any government agency, and local or foreign firm.

Footnotes:

[1]Woodward, J. D., Orlans, N. M., & Higgins, P. T., (2003). Biometrics: Identity Assurance in the Information Age: McGraw-Hill Osborne Media, New York.

[2]Wikipedia, “Biometrics” https://en.wikipedia.org/wiki/Biometrics Accessed October 29 2021

[3] National Technology and Science Council, The National Biometrics Challenge, https://www.hsdl.org/?view&did=481001, Accessed October 31 2021

[4] Thales; Biometric data and privacy laws (GDPR, CCA/CPRA), https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/biometrics/biometric-data, Accessed October 31 2021

[5]Dastbaz M., Wright S., Emerging Technologies and the Human Rights Challenge of Rapidly Expanding State Surveillance Capacities”, https://www.sciencedirect.com/topics/computer-science/biometric-technology, Accessed October 31 2021

[6] Stephen Mayhew., History of Biometrics, https://www.biometricupdate.com/201802/history-of-biometrics-2, Accessed on October 31 2021

[7]SpringerLink, Biometric Applications, Overview | SpringerLink Accessed October 31 2021

[8] John Laidler, “Should cities and towns ban their government’s use of facial recognition technology”, https://www.bostonglobe.com/2020/02/06/metro/should-cities-towns-ban-their-governments-use-facial-recognition-technology/ Accessed October 31 2021

 

[9] Department of Homeland Security, Biometrics, https://www.dhs.gov/biometrics, Accessed October 31 2021

[10] Patrick Dele Cole, “Opinion”, Biometrics, BVN and Nigeria | The Guardian Nigeria News – Nigeria and World News — Opinion — The Guardian Nigeria News – Nigeria and World News Accessed October 31 2021

[11] https://frsc.gov.ng/applicants-of-drivers-licence-renewal-to-embrace-bypass-capture-frsc/, Accessed March 01, 2022.

[12] Adam Vrankulj “Nigeria Immigration Service to use biometrics to handle immigration”,

https://www.biometricupdate.com/201302/nigeria-immigration-service-to-use-biometrics-to-handle-immigration, Accessed March 01 2022.

[13]https://www.vanguardngr.com/2015/05/bvn-the-banking-public-and-the-june-deadline/, Accessed October 31 2021

[14] Ibid.

[15] Patrick, Dele Cole.

[16] Ibid.

[17]Tomiwa Onaleye, https://technext.ng/2020/10/12/7-sim-card-registration-offenders-get-6-months-jail-terms-n20000-fine-in-nigeria/, Accessed October 31 2021

[18]https://www.vanguardngr.com/2017/12/nigeria-introduces-biometric-visa-stop-unwanted-visitors/#:~:text=Nigeria%20introduces%20biometric%20visa%20to%20stop%20unwanted%20visitors,that%20would%20not%20need%20to%20enter%20the%20country, Accessed October 31 2021

[19] National Identity Management Commission, https://nimc.gov.ng Accessed October 31 2021

[20] A3 Techworld, NIN Nigeria – All About National Identity Number, https://a3techworld.com/nin-nigeria-all-about-national-identity-number/, Accessed October 31 2021

[21]https://nimc.gov.ng/approved-licensed-service-providers/,  Accessed October 30, 2021

[22]https://guardian.ng/opinion/shelve-nin-as-requirement-for-jamb-registration/ Accessed October 30 2021

[23] Daniel Adeyemi, Nigerian Government extends NIN-SIM registration deadline to May 6,

https://techcabal.com/2021/04/05/nigerian-government-nin-sim-registration-deadline-to-may-6/, Accessed October 30 2021

[24]https://www.vanguardngr.com/2021/08/african-business-moguls-win-big-in-forbes-2021-awards/, Accessed October 31 2021

[25]MojisolaSonde, KYC in Nigeria, https://www.complianceinafrica.com/kyc-in-nigeria/,  Accessed October 29, 2021

[26] FINANCIAL WATCH, https://www.financialwatchngr.com/2021/06/14/what-is-know-your-customer-kyc/, Accessed October 29, 2021

[27]https://verifyme.ng/corporate, Accessed October 29, 2021

[28]https://carbonivs.co/, Accessed October 29, 2021

[29]https://www.vanguardngr.com/2015/03/jonathan-arrives-for-accredition/, Accessed October 30 2021

[30]https://www.washingtonpost.com/news/monkey-cage/wp/2015/03/10/what-other-african-elections-tell-us-about-nigerias-bet-on-biometrics/, Accessed October 30 2021

[31] Kumar A., Zhang D., Ethics and Policy of Biometrics. Third International Conference on Ethics and Policy of Biometrics and International Data Sharing, ICEB 2010, Hong Kong, January 4-5, 2010. Revised Papers, Springer-Verlag Berlin Heidelberg, 2010.

[32]https://privacyinternational.org/sites/default/files/2017-11/Biometrics_Friend_or_foe.pdf, Accessed October 29 2021

[33]Jennifer van der Kleut, “Biometrics and Biometrics Data” Biometrics and biometric data: What is it and is it secure? (norton.com) Accessed November 03 2021

[34] The expansion of a system or technology beyond its original purposes.

[35] Regulation 1(2)

[36] Regulation 9

[37] Regulation 8(1)

[38] Regulation 5(1)

[39] Regulation 5(2)

[40]https://dailypost.ng/2021/08/31/ncc-publishes-draft-registration-of-telephone-subscribers-sim-replacements-others/, Accessed October 31 2021

[41] Section 38(5), Cybercrimes (Prohibition, Prevention Etc,) Act 2015

[42] Ss. 6 and 14(1), Cybercrimes (Prohibition, Prevention Etc,) Act 2015.

[43] Section 2 NIMC Act 2007

[44] Regulation 1.2, NDPR 2019

[45] https://nitda.gov.ng/mandate/, Accessed on October 31 2021

[46] Privacy International, https://privacyinternational.org/long-read/3390/2020-crucial-year-fight-data-protection-africa, Accessed on October 31 2021

[47] Regulation. 1.3 ( xxv) Nigeria Data Protection Regulation 2019.

[48] Regulation. 1.3 ( xxv) Nigeria Data Protection Regulation 2019. – “sensitive personal data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

[49] Article 9(2) of the General Data Protection Regulation (GDPR) 2018

[50] Section 2.1 (2) and (3)

[51] Article 3.2(viii) of the Implementation Framework of November 2020.

[52] Article 35(3)(b) of the GDPR.

[53] Privacy International, “Biometrics”, https://privacyinternational.org/learn/biometrics, accessed November 2, 2021

[54] https://www.europarl.europa.eu/news/en/press-room/20210930IPR13925/use-of-artificial-intelligence-by-the-police-meps-oppose-mass-surveillance, Accessed February 27 2022.

[55] Natasha Lomas, “European Parliament backs ban on remote biometric surveillance”,   https://www.google.com/amp/s/techcrunch.com/2021/10/06/european-parliament-backs-ban-on-remote-biometric-surveillance/amp/ Accessed February 27 2022.

[56] Professor of Law, Norwegian Research Center for Computers and Law, Department of Private Law,

University of Oslo, Norway.

[57] Lee A. Bygrave, Data Protection by Design and by Default : Deciphering the EU’s Legislative, Oslo Law Review Vol. 4, pg.109

[58]Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf, Accessed on October 31 2021

[59]Regulation  2.2, NDPR 2019

[60] https://documents1.worldbank.org/curated/en/213581486378184357/pdf/Principles-on-Identification-for-Sustainable-Development-Toward-the-Digital-Age.pdf, Accessed on February 26 2022.

[61] The Nigerian National Identification Scheme issued Identification Numbers, which are used to identify people for various social services such as voting, education, and immigration. This means that the electoral commission, immigration authorities, and other entities will have access to, and process biometric data of individuals.

[62] https://www.vanguardngr.com/2022/02/fg-creates-data-protection-bureau/, Accessed on February 04 2022.

[63] https://www.premiumtimesng.com/news/top-news/495768-data-protection-indignation-as-fg-abandons-draft-bill-seeks-consultants-for-fresh-process.html, Accessed on November 20 2021.

[64] IAPP, https://iapp.org/news/a/nigeria-seeks-consultant-for-new-data-protection-bill-draft/, Accessed on November 20,2021

[65] Section 66, Data Protection Bill 2020.

[66] Section 26, DPB 2020.

[67]Andersen Tax; “Nigeria: President Buhari Signs Petroleum Industry Bill (PIB) Into Law”

https://www.mondaq.com/nigeria/oil-gas-electricity/1104026/president-buhari-signs-petroleum-industry-bill-pib-into-law, Accessed on November 1 2021

[68]KPMG, “Petroleum Industry Bill, A Game Changer?”, https://home.kpmg/ng/en/home/insights/2021/06/petroleum-industry-bill-pib-2020.html, Accessed on November 1 2021

[69]Kiran, Bhageshpur, Data is the New oil, and That’s a Good Thing, https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/?sh=2336a2de7304, Accessed November 1, 2021

Related Posts