August 30, 2019
On 28 June 2019, the Federal High Court (“FHC” or “the Court”) affirmed the data privacy rights of Nigerian citizens and directed the National Identity Management Commission (NIMC) to improve on its data privacy and security systems in order to avoid a breach of citizens’ rights to privacy. This decision was reached in the case between Incorporated Trustees of Paradigm Initiative for Information Technology (PIIT) & Sarah Solomon-Eseh (Applicants) v National Identity Management Commission (NIMC) & Anor.
NIMC is an administrative body established by the NIMC Act of 2007 to regulate and manage matters relating to national identity in Nigeria. The NIMC’s services include enrolment and issuance of National Identification Number (NIN), National electronic identity card, identity verification as well as data harmonization and authentication in Nigeria.
In January 2019, the Applicants instituted an action in the FHC, Abuja, challenging the powers of the NIMC to enforce mandatory use of the NIN in the absence of overarching data protection laws in Nigeria. The Applicants also stated that the NIMC operated an Unstructured Supplementary Service Data (USSD) Code (*346#) which revealed the NIN of Nigerian citizens (which is linked to confidential and private information of individuals), without any data security measures to protect the sensitive data of persons registered with the NIMC.
However, the NIMC led evidence to demonstrate the data security systems and measures it had put in place to ensure the privacy of citizens’ information, explaining that the personal information of citizens is stored in the National Identification Database, which complies with global security standards.
In determining the case, the Court held that the concerns of the Applicants on the use of the USSD Code had been resolved by the NIMC before the conclusion of the case. Thus, the Applicants’ claim had become merely academic. As such, the Court held that it could not make any orders based on speculative infractions, which are expected to occur.
Notwithstanding the foregoing, the FHC emphasized that NIMC needs to improve on data security and protection within its organization to avoid breach of citizens’ constitutional right to privacy. The Court added that it is not enough to have lofty data security policies, but such policies must be implemented.
This case highlights the fact that Nigerians are fast becoming more conscious of their rights to privacy and data protection.
It is instructive to note that this case commenced prior to the issuance of the Nigerian Data Protection Regulation 2019 (NDPR), which imposes strict data obligations on data controllers and processors as well as strict liabilities for non-compliance with the regulatory directives. The FHC’s decision could have been more severe if NIMC had been found to be in breach of its privacy obligations under the NDPR, given the strict penalties provided under the NDPR.
Following from the above, all data controllers and processors are advised to obtain professional guidance in order to intensify the implementation of the NDPR provisions. This is to avoid any data protection/privacy breach, which could result in stiff penalties.