President Buhari refused assent to the Digital Rights and Freedom Bill (DRFB) 2018 which was passed by both the Senate and the House of Representatives. The President’s refusal of assent has generated a lot of hue and cry from different strata of the society. I think some of the outrage are misplaced, however, we cannot blame the outraged persons, it is expected that the government should present more details on why the President’s action was the best for the country. As a lawyer with interest in information technology, I have undertaken an independent review of the Bill and here are my top ten reasons why I think the bill was not good to go!
- Request for personal data to be granted only after court warrant has been issued. Section 5 (3) of the DRFB is bad for digital business. A simple, unambiguous consent of the Data Subject should suffice. Insistence on court warrant before release of personal data is not in sync with globally accepted principles, nor local realities. The court system should not be straddled with another mountain of requests, where it is already overburdened.
- Publication of government request for private data makes data controllers to suffer for no just cause. Section 5(4) requires that Data Controllers should publish every instance of government request for private data in two National dailies. While there should be check on government intrusion on private data, but publication of such request after the action has been done does not prevent government nor protect the data subject, in fact it subjects the Data Subject to double jeopardy.
- Section 6 (3) requires that Cloud Service Providers must grant access to Data Owners to transfer their data from the server. This provision would be technically obtuse and is unimplementable. Grant of access to millions of people to Cloud Service Infrastructure defeats the essence of Cloud storage and increases national insecurity.
- Section 6 (7) provides that where data is lost by Cloud Service Provider, the Provider is liable in damages commensurate to the value of the data. There are many reasons data may be lost and all situations cannot be due to negligence by the Provider. Furthermore, the question is, how do you calculate the value of the lost data? Failure to answer this question is to put the whole information technology sector into disarray, as lawsuits would multiply and eventually stifle innovation.
- The Digital Rights Bill expects that Cloud Service Providers would give guarantee as to the constant availability of the data owner’s account. This provision in Section 6 (8) again, places an impossible task on the Providers. No service provider can give 100% guarantee of availability. The best is to ensure necessary systems are put in place to limit downtimes and make the Service Level Agreements and Terms and Conditions to provide sufficient disincentive for providing sloppy services.
- Section 7 (3) – Makes the court the primary recourse in the case of breach of data privacy. This is not in line with best practice and would overburden the courts. Privacy breach is dynamic and technical to prove. An administrative process as a precursor to court action would yield better results.
- Publication of interference of privacy rights in FG gazette as directed by Section 9 (1) (a) creates further violation of privacy. Moreover, what is the value of gazetting interference with privacy rights when there are more efficient means of disseminating information.
- Section 9 (1) (g) of the Bill requires that a person under surveillance for alleged offence be notified. This already defeats the purpose of surveillance. The interest of right to privacy and national security and order should always be balanced, without this, we are become unsafe. An ex-parte order of court should suffice to do surveillance on an individual or group of persons.
- Section 9 (7) – this section mandates government to establish independent public oversight mechanisms in addition to any oversight already provided through another branch of government. At a time, the nation is bleeding from proliferation of government agencies, establishing another agency is not a bright idea.
- Generally the Bill while seeking to advance privacy rights has not given sufficient thoughts to the need to balance the growth of innovation and cybercrime law enforcement. The drafters indeed may have the best intentions for the nation, however, these and other issues should be properly addressed before the Bill is represented to the 9th National Assembly for consideration.
Femi Daniel Esq.