By Olumide Babalola
In the past two years, I have heard and read on varying platforms, especially by Nigerian privacy enthusiasts and professionals that, the term ‘data privacy’ does not exist and in other words – a misnomer. They either argue that privacy can only be enjoyed by natural persons and that the right cannot be associated with inanimate objects or that the law does not contemplate the co-existence of both privacy with non-living things. In this short article, I will modestly articulate my brief thoughts on this position that has been repeatedly argued in many Nigerian privacy fora.
It is however important to always start this kind of discourse by reminding ourselves of the origin of the term in question. Dr. Sanjay Sharma argues that the term data privacy is deeply rooted in the UN Declaration of human rights, but its growth is traceable to France in the early 70s. (see Sanjay Sharma, ‘A Brief History of Data Privacy’ in Data Privacy and GDPR Handbook (Wiley, 2019) 23). This account was also elaborated by the erudite Norwegian professor of privacy, Lee Bygrave in his book – Data Protection Law: Approaching its Rationale, Logic and Limits (Information Law serves, 2002).
Hence, the term is not a new concept as some researchers have traced its origins to the inception of data protection itself in the 70s. (see also the account of one of the fathers of data protection – Prof. Spiros Simitis, ‘Einleitung’ in Bundesdatenscchutzgesetz – BDSG (7th edn. Nomos, 2011).
To demonstrate it nuances and its distinction from other similar terms, some academics have repeatedly used the term ‘data privacy’ in their various publications: Bygrave views it as a matter of semantics and ‘packaging’ which regulates processing of personal data and addresses the manner in which personal data is ‘gathered, registered, stored, exploited and disseminated’ (see L.A. Bygrave, Data Privacy Law. An International Perspective (Oxford University Press, 2014) 1).
Gimpel and other German researchers see it as a necessary evil in the compliance world. (Henner Gimpel, Dominikus Kleindienst, Niclas Nuske, Daniel Rau, and Fabian Schmied ‘The Upside of Data privacy- Delighting Customers by Implementing Data Privacy Measures’ (2018) Electronic Markets, 438)
Jianping He and his Chinese colleagues evaluated some data privacy issues in network communication in the article titled ‘Consensus-Based Data Privacy Preventing Data Aggregation’ (2019) 64(12) IEEE Transactions on Automatic control,1).
Anna Rohunen & Jolini Markkula, two researchers at the University of Oulu (Finland) also adopted the term in their article titled ‘On the road – Listening to Data Subjects Personal Mobility Data Privacy Concerns’ (2018) Behaviour and Information Technology) and then Dennis Grishin, a Harvard University scholar and his co-researchers referenced the term in their work – ‘Data Privacy in the Age of Personal Genomics’ (2019) 37(10) Nature Biotechnology, 17).
Notwithstanding the foregoing articles, innumerable books have been written by law researchers with data privacy in the title and body of text. See David Solomon’s Data Privacy and Security (2003); Advanced Research in Data Privacy (2015)by Navarro-Arribas Guillermo and Vincene Torra; African Data Privacy Laws (2016) by Alex B. Makulilo and; Kim- Kwing Choo and Ali Dehghantanha’s Handbook of Big data Privacy (2020) etc.
Academics continue to use the term ‘data privacy’ interchangeably with ‘data protection’ and ‘information privacy’ etc. It is instructive to note that, Nigeria’s most prolific academic writer on privacy and data protection – Dr. Lukman Adebisi Abdulrauf, a senior lecturer at the University of Ilorin argues that:
“While some scholars prefer to use the term ‘privacy’ or information privacy, others will use the term ‘data protection’. These differences are a reflection of the jurisdiction which the discussion focuses on. A term recently increasingly being used is data privacy. Although no recent data privacy instrument has adopted the term, it seems that data privacy is the current preferred term as shown in the recent literature of renowned scholars like Kuner, Bygrave Greenleaf, Makulilo.” (See L.A. Abdulrauf ‘The Legal Protection of Data Privacy in Nigeria: Lessons from Canada and South Africa’ (2015)
Constitutional provision on data privacy
Contrary to arguments that inanimate things cannot be associated with privacy, section 37 of the 1999 Constitution guarantees in unmistakable terms – ‘privacy of homes’ ‘privacy of correspondences’ and ‘privacy of telephone conversations’ and ‘privacy of telegraphic communication.’ These are clearly different from privacy of citizens and they somewhat negate the argument that only natural persons can enjoy privacy in such context. (See I.N. Walden and R.N. Savage ‘Data Protection and Privacy Laws: Should Organizations be protected?’ (1988) 37(2) The International and Comparative Law Quarterly 337-347).
Hence, if the Constitution can associate privacy with inanimate things like homes, correspondences and communications, then associating privacy with data should not necessarily generate arguments in this regard.
International Data Privacy Day
To give further credence to the term, the international community celebrates data privacy annually on the 28th day January. The largest body of privacy professionals in the world – International Association of Privacy Professionals (IAPP) and other renowned organizations commemorate this day annually to create awareness for data privacy. (see IAPP, ‘Celebrate Data Privacy Day with Privacy Pros Near and Far’ https://iapp.org/connect/data-privacy-day/)
Data Privacy Act
Ultimately, on the 25th day of July 2012, the Filipino congress enacted what appears to be the first law in world with data privacy in its title. The Data Privacy Act (Republic Act 10173) was passed to inter alia protect individual personal information. The term ‘data privacy’ is used seventeen times in the enactment. (see https://www.privacy.gov.ph/data-privacy-act/)
Reference to the term ‘data privacy’ is simply a matter of convenience and since Nigeria’s privacy and data protection law and practice do not have a definitive direction at the moment, we seem to adopt whatever terminology or concept suits every context. The NDPR adopts the American concept of personal identifiable information (PII) with the European version of personal data (PD) and goes ahead to allude to data privacy (American) and data protection (EU), all in same document. It is however hoped that the impending data protection bill would be more consistent with its legislative transplantation.
However, it is always important to understand the origin of a term in order to appreciate its aptitude or otherwise given every peculiar circumstance. Hence, it is conclusive that the term data privacy is conceivable under the Nigeria data protection legal framework as far as the extant NDPR is concerned.