Data Protection Concerns in the Regulation of On-line Taxi Hailing Businesses in Lagos Nigeria
By : Emmanuel Salami
The Lagos State Government (LASG) of Nigeria recently published the ‘Guidelines for Online Hailing Business Operation of Taxis in Lagos State’ (the Guidelines) for the regulation of ridesharing apps and e-taxi services.  Curiously, relevant stakeholders have raised concerns regarding the Guidelines as it affects the processing of personal data.
Paragraph 4.1(A) (x) of the Guidelines provide that “All Operators of e-hailing taxi services must give the Ministry access to their database”, the ministry in this context being the transportation ministry of the LASG. The implication of this is that online taxi hailing operators like Uber, Bolt, etc. operating in the Lagos online taxi hailing market will be obliged to grant the LASG access to their databases. Though the Guidelines do not expressly mention the extent of such access, one may infer that based on the objectives of the Guidelines (to be discussed subsequently) the contents of such databases ought to be transferred to the LASG. However, it is explicit from the Guidelines that the access granted to the LASG amounts to the processing of personal data. The personal data usually held by online taxi hailing service operators include customer names, phone numbers, visited destinations (which can reveal home and work addresses), credit and debit card details, names and details of drivers, etc.
The pertinent question that may be raised by relevant stakeholders is whether there is an established legal/regulatory framework that enables the LASG to issue such Guidelines. It is apparent that the Guidelines are an attempt by the LASG to regulate the transport sector as well as access the data generated by said sector. This article addresses this legal development from the standpoint of data protection by focusing on whether such attempt is in consonance with basic principles of data protection.
In evaluating the data protection concerns evident from the Guidelines, some data protection principles readily come to mind: the lawfulness principle,  the integrity and confidentiality principle,  and the data minimization principle.  In very simple terms, the lawfulness principle requires that personal data should be processed subject to conditions which include consent, performance of a contract, legitimate interests, etc. It suffices to state that the integrity and confidentiality principle forbids the unauthorized disclosure of personal data. This principle demands that personal data be transferred to third parties on a strictly need-to-know basis. The data minimization principle entails the processing of only categories of personal data necessary for the purpose of the processing operation. The proportionality requirement is also relevant to this analysis, and it requires that an interference with data protection rights should not exceed what is needed to fulfil the legitimate aim pursued. 
In order to effectively appreciate the implication of the principles above, the objectives (i.e. the purpose) sought to be achieved by the Guidelines ought to be properly understood. Flowing from Part 2 (A) (i)-(vi) of the Guidelines, its objectives can be summarized into two heads:
- To enhance the lawful, safe and secure use of taxis and,
- To develop a robust database of operators, drivers, app developers and deployers.
While the first objective of the Guidelines appears legitimate, the second objective is questionable because it casts doubts on the necessity of retaining such a ‘robust database’. However, it is arguable that said database is necessary to adequately determine the licensing fees that should be paid by relevant operators, drivers, app developers and deployers”.  From the perspective of the lawfulness principle, it can be inferred that by virtue of the Guidelines, the LASG intends to rely on ‘legal obligation’ as the legal basis justifying its access to the database. However, the Guidelines will potentially be in clear infraction with other principles of data protection. This is because the second objective of the Guidelines are “to develop a robust database of operators, drivers, app developers and deployers”. Granting the LASG access to the database will give them access not only to the personal data of “operators, drivers, app developers and deployers” which the Guidelines stipulate, but also to the personal data of customers of the operators of the online taxi hailing services. The implication of this (at least based on the Guidelines), is that the LASG will have access to (customer) data which exceeds the scope of the Guidelines thereby violating the data minimization principle in the process. Furthermore, LASG having access to customers’ personal data will violate the integrity and confidentiality principle because personal data would have been unlawfully shared with a third party (the LASG), having no legitimate right to access same. Accessing the entire database of the operators of the online taxi hailing services will also not be proportionate to the objective of maintaining a database of “operators, drivers, app developers and deployers”.
To be compliant, if the LASG must access the database of online taxi hailing service operators to develop a database of ‘’operators, drivers, app developers and deployers’’, it is necessary to create a Chinese wall of some sort which prevents any access of the LASG to customer data as said customer data falls completely out of the scope of the Guidelines. The online taxi hailing service operators must be given ample time to create a system that prevents access to their customer data. Should the LASG have plans to access customer data, this will completely change the nature of this assessment particularly in the context of the necessity of such an action. Any attempt by the LASG to process customer data will amount to a violation of the principles of personal data protection as previously analyzed. Since the data of operators, drivers, app developers and deployers, etc. will also include personal data, it is necessary to ensure compliance with other relevant requirements of data protection including the provision of adequate information, the use of justifiable retention periods, ample room to exercise data protection rights, etc. The importance of the provision of adequate information to the “operators, drivers, app developers and deployers” cannot be overemphasized as it is through such information that the customers, operators and other industry participants will receive adequate information about the processing activity.
Unfortunately, the Nigerian Data Protection Regulation (NDPR) which is Nigeria’s first and most comprehensive data protection regulatory instrument cannot be enforced against a state government for a plethora of reasons which include the fact that the NDPR is neither an Act of Parliament nor drafted pursuant to one. Such subsidiary legislation drafted beyond the scope of the powers expressly granted to the National Information Technology Development Agency (NITDA) cannot bind a state government.  Therefore, an agency of the federal government (in this case, NITDA), cannot unilaterally regulate the activities of a state government without the requisite legal backing or authority. Consequently, due to these procedural deficiencies, the NDPR is not applicable in this instant.
The concerns identified in this article highlight the recurrent problems in the Nigerian data protection space which revolve around the lack of an Act of Parliament which would have created more robust and weighty data protection rules and also established the office of an effective data protection supervisory authority for the country. One can only hope that the LASG will retrace its steps and ensure it complies with the relevant principles of data protection.
It is noteworthy that the courts have extended the right to privacy to include the right to data protection, the LASG is therefore urged to respect the principles of data protection as a means of protecting the privacy of its residents.  Lastly, pending a substantive legislation on data protection, it is imperative that the data of citizens be protected as an extension of their fundamental right to privacy.
- Please find the guidelines embedded here: Emmanuel Paul, Lagos to enforce regulations on Uber, Bolt, others from August 20, 2020, (August 11th 2020, Techpoint.Africa). Available at: https://techpoint.africa/2020/08/11/lagos-ride-hailing-regulations-august/ accessed 11/08/2020.
- Peter Carey, Data Protection: A Practical Guide to UK and EU law, Oxford University Press, 2018. P. 33.
- Ibid, p. 39-40, Lee A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits Information Law Series, 2002, Volume 10, (Kluwer, The Hague), p. 67.
- Lee A. Bygrave, (2002), p. 59.
- and Marper v. the United Kingdom [GC], Nos. 30562/04 and 30566/04, 4 December 2008.
- Paragraph 4.1 (B) of the Guidelines.
- See section 6 of the National Information Technology Development Agency Act 2007. NOSDRA v. EXXONMOBIL (2018) LPELR-44210(CA).
- Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended). See also MTN Nigeria Communication Ltd v. Barr. Godfrey Nya Eneye, Appeal No: CA/A/689/2013 (Unreported).