Mr. President And The National Assembly: Data Protection For Nigerians First.

BY TIMI OLAGUNJU, sahara reporters.
Recently, the Nigerian President, Dr. Goodluck Jonathan launched a new national e-ID card at the Presidential Villa, Abuja. Powered by MasterCard, it is a multipurpose card that doubles as a national identification card and an automated teller machine (ATM) card useful for making deposits and withdrawals. The card will also be used for identification and electronic signatures.For the first phase of the project, an estimated thirteen million Nigerians will be issued the card while the second phase is to target one hundred million Nigerians. It bears the MasterCard logo at the back and also has an expiry date; five years.Mastercard Branded Nigerian National Identity card
With the launching of the Card, arguments for and against it are ongoing. Some on one side have argued, that the logo of MasterCard on the national I.D Card, questions the sovereignty and pride of Nigeria.  They further argue that partnering to acquire biometric data of present and future Nigerians with an American firm, MasterCard, in an age that has seen intense data surveillance by the National Security Agency (NSA) of the United States of America could spell doom for Nigeria’s territorial integrity, as well compromise our security as a people and a nation in the near future – they say it could end up like the historical Esau and Jacob story.  On the other hand, the proponents for the card argue that a Nigerian ID card is of no value outside Nigeria except there it is authenticated by an internationally reputable establishment like MasterCard. On this, rather than ‘comment my reserve’, I would reserve my comments, because my question to Mr. President and the National Assembly would be based largely on legal considerations (and less on socio-economic juxtapositions).
Firstly, why would the “President of Nigeria” and the National Assembly happily (as obvious in the launch) authorize the handover of biometric data of millions of citizens to a “foreign private firm”, without first engineering the existence of a very detailed and structured legal framework (rules, policies, and laws) that address issues of Data Protection and Privacy? Remember how oil rights were given to Shell in the early 1900s at the expense of Nigeria’s interest. The same problem of poor regulatory framework haunted the Power Sector, until the Electricity Power Sector Reform Act 2005 and the Nigerian Electricity Regulatory Commission (NERC) surfaced. In the words of the NERC Chairman, Dr. Sam Amadi ‘… failure in the electricity industry in Nigeria is, at heart, a failure of law. Law is the principal instrument of social development”.
Secondly, (for the National Assembly) how would a country like Nigeria not have data protection and privacy laws, in an age where Information and Communication Technology and human rights are quick to clash?
Thirdly, in the course of brokering the deal with MasterCard, did the Nigerian Government do a thorough data and privacy due diligence?  Did those involved get technical expertise to review the privacy policy of MasterCard and its host country, and see where it conflicts with Nigeria’s interest? If Nigeria’s ‘data experts’ such as Engineer Titi Omo Ettu, Franklin Akinsuyi, Gbenga Sesan (and the likes of these three) were not in that team, I doubt there was any ‘due diligence’ team.
However, before I underscore the importance of the above questions, as well as issues on data and privacy protection laws, a few issues would be addressed. Firstly, out of the over one hundred countries with National Identity Card (with fourteen with non-compulsory National Card such as Switzerland and the United States), not a single one has ever partnered with any local or foreign organization to produce National Identity cards (with the company’s logo on their cards). So, Mr. President, why Nigeria? We may argue it is the first of its kind, but we should also not be quick to forget that Malaysia has an integrated national e-Identity Card done by Malaysia (without foreign interference), for Malaysians.

Now, on the matter of the need for a comprehensive Data and Privacy Protection laws, it is important to state that data and privacy laws exist to strike a balance between the rights of individuals to privacy and the ability of organizations to use data for the purposes of their personal business. Many countries have taken proactive measures to protect the fundamental human rights of its citizens in this age. For example, Zimbabwe has a comprehensive Access to Information and Protection of Privacy Act, Singapore has a Personal Data Protection Act, UK has a Data Protection Act 1998 coupled with other laws within the UK and the European Union protecting data and privacy, and Ireland has its Data Protection (Amendment) Act 2003. When would Nigerian get hers? Is there a body that ensures that MasterCard or any other holder of data on such National scale uses it properly? What actions would be taken if data protection and privacy is breached? These are key issues that should have been considered within a regulatory (and legal) framework. In fact, aside the traditional roles of Nigerian Communications Commission (NCC), one wonders what regulatory (and legal) framework enforces a check on Nigeria’s Telecommunication companies with regards to data and privacy? These days unsubscribed text messages bombard ones phones about unsolicited lotteries from the network providers; even at midnight. If we have not gotten data and privacy right on a local scale, I wonder what it would be with MasterCard.
Well, it is obvious that with this deal between Nigeria and MasterCard, all the present and future generations of data go to the American payment platform. Therefore, with no explicit and elaborate Nigerian data and privacy laws, the implication is that Nigeria is left to the mercy of the available data and privacy laws in the United States; the headquarters of MasterCard.Would that be sufficient to protect Nigerians? To date, the US has no single data protection law comparable to the EU's Data Protection Directive. Privacy legislation in the United States tends to be adopted on an ad hoc basis, with different legislations arising when certain sectors and circumstances require, examples of these laws in the United States include; 1974 U.S Privacy Act, 1986 US Electronic Communications Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act.
It is trite knowledge that the 1999 Constitution of Nigeria guarantees the right to privacy of Nigerian citizens. Therefore, I strongly advocate that this fundamental human right be given a more explicit and elaborate expression and zeal of implementation by the National Assembly and the office of the President. I further advise that there should be up to four independent and co-existing legislations (with great consideration for the provisions of The Freedom of Information Act) on data and privacy issues; which should include:
1.      Data Protection Legislation,
2.      Computer Misuse Legislation,
3.      Information Security Legislation, and
4.      Lawful Interception Legislation.
Timi Olagunju LL.B (Ibadan), B.L, CSc (Amsterdam), is a member of the International Association of IT Lawyers; a member of Telecommunication Standardization Sector (ITU-T) and is accredited by WIPO (World Intellectual Property Organization). He can be reached at timithelaw@gmail.com.
0