By Dr. ‘Kemi Pinheiro, SAN, FCIArb
I want to begin this review with a message of praise to my learned brother and prolific author, Olumide Babalola, MCIArb, for investing the efforts, time and scholarly research that one can only imagine goes into writing a book, especially one of such new and upcoming character. I must salute the unwavering tenacity of my learned brother for taking such a giant stride in publishing a masterpiece in this novel area of law and seeing that the subject of data protection is taken more importantly and given a voice in our courts, lecture rooms, businesses and in the society today.
It is quite a humbling privilege to have received the request of my learned brother, a great brother I must say, to be the reviewer of his book titled “Privacy and Data Protection Law in Nigeria” which is to be unveiled on this magnificent day alongside his 40th birthday celebration. It is indeed a noble feat, my brother, and a real cause to pop the Champagne on such a spectacular day. With my extremely tight schedule towards the end of the year, I find my learned brother’s invitation as one which I am compelled to honour because of how special he is to me.
At a first glance into the book, one will observe the author was deliberate about creating a pleasurable reading experience for his readers. From the wonderful choice of font-text used – Georgia, with a unique size 12 and adequate spacing, it appeared the author had all readers in mind, including those who belong to the “four-eyes” category such as myself.
Having comprehensively perused this book on ‘privacy and data protection’, I must confess that on one hand I am faced with the issue of not revealing so much about this impressive book, so as not be liable for any data breach whatsoever as there is a need to ‘protect the data’; while on the other hand, I am faced with the challenge every reviewer of any book will encounter, which is “how can I do justice to such a book in just a thousand words?”
This book of 264 pages opens with a preface by the learned author himself and a table of contents. The book is divided into 5 (five) main parts which is further sub-divided into 22 (twenty-two) chapters with each addressing critical issues of Privacy and Data Protection.
Part I of the Book which titles ‘Privacy’ consists of Chapters 1, 2, 3, 4 & 5.
Chapter One opens the book with diverse scholarly and erudite definitions of ‘Privacy’ which may be considered enlightening, as it discloses different perspectives one may never have attributed to the subject matter. One definition, among other insightful ones that caught my fancy will be that of Holvast who defines Privacy as the ‘a right to be let alone and a right of each individual to determine under ordinary circumstances, what his or her thoughts, sentiments and emotions shall be when in communication with others.’
The Second Chapter goes on to shed light on the different categories of privacy, 20 (twenty) classes which it meticulously discusses under the topic ”Taxonomy and Typology of Privacy.” I find it quite fascinating that there exist such diverse categories of the subject matter.
Chapter Three is titled “Right to Privacy in Nigeria.” This chapter reveals the reality of the concept of privacy in Nigeria, and the cultural restriction on the practicality of privacy in the face of the African society’s communal setting.
Chapter Four presents us with a detailed historical journey on the evolution of privacy through the lens of different regions, alluring to non-Nigerians and effectively giving the book an international flavour. It addresses privacy as a tort, and interestingly reveals how jurisdictions that refused to enact laws with regards to privacy as an independent cause of action, have included it under other existing causes of action and remedies (reference to page 43 of the book).
Chapter Five addresses the concept of privacy and its nexus with fundamental right. It draws to light how the right to privacy has been included in a number of fundamental right instruments, one of which is the Constitution of the Federal Republic of Nigeria 1999 (as amended), with reference to Section 37. We are presented with over 14 (fourteen) cases where the issue of privacy as a fundamental right was addressed from diverse perspectives by the courts of different jurisdictions. I appreciate the Nigerian choice cases of Emerging Markets Telecommunication Services v. Eneye (cited at page 57 of the book), where the court held that the telecommunication company shared the subscriber’s personal telephone number with third parties without his consent and that, the spam text messages received from such entities constituted an infringement”; Uwaifo v. Attorney General of Bendel State (citation supplied in the book); Akintokun v. Legal Practitioners Disciplinary Committee (citation supplied in the book), inter alia.
I observed that the author has brilliantly navigated the distinction between privacy in the common sense of private and family life as used in the Nigerian Constitution and other Nigerian literatures from privacy in relation to data protection.
In introducing the novel concept of privacy and data protection, part I of this book uses the generic view of privacy as an introduction to the main theme of data protection in this book. I consider the author highly intelligent for adopting this technique to accommodate and patiently introduce the concept of data protection to an unlearned mind.
Part II of the Book which is titled ‘Data Protection’ consists of Chapter 6, 7 & 8.
The “Evolution of data protection in Nigeria” is discussed in Chapter Six. This identifies the development of law on data protection in Nigeria, the various existing sectorial laws on data protection, and the attempts, albeit unsuccessful, to enact a principal law on data protection. It further places emphasis on the need for our dear Nation to do so.
Chapter Seven discusses the various sources of data protection in Nigeria. It examines the legal framework for data protection both domestic and internationally. It makes it apparent that while there is not an all-inclusive legislation on the subject matter in Nigeria, as earlier noted, some other members of the international community at large also share the same predicament. It further identifies the various laws, though limited, on which reliance is placed on the issues of data protection.
The Eight Chapter deals with the relationship between data protection and other rights. It emphasizes the role of other rights and freedom in the understanding and enjoyment of data protection rights. Prior to this chapter, the issue of drawing a distinction between the right to privacy and data protection was raised. However, this chapter properly addresses this issue, identifies the relationship between these two concepts, their similarities, points of difference and areas where they overlap. Data protection is also examined alongside other rights, such as freedom of information, freedom of expression, right to human dignity and one I find most interesting, the relationship between data protection and intellectual property rights.
Part III of the Book which is titled ‘Nigerian Data Protection Regulation (NDPR): Introduction, Scope and Definitions’ consists of Chapters 9 & 10.
Chapter Nine of this book examines the scope and application of the NDPR. The Author explains the purpose and intents of the Nigerian Data Protection Regulation (NDPR) and juxtaposing same with the parent legislation – National Information Technology Development Agency Act (The NITDA Act). Furthermore, the author makes reference to the cases of Osadebay v. Attorney General of Bendel State (citation supplied in the book) and Governor of Oyo State v. Folayan (citation supplied in the book), both of which are Supreme Court decisions, to buttress the nexus, overlaps and distinctions between the NITDA Act and the NDPR. The question of extraterritoriality of both legislations was also adequately dealt with in this chapter.
Chapter Ten focuses on definitions. This chapter briefly defines certain terminologies and technical terms used in the NDPR sequentially. The author further references the General Data Protection Regulation (GDPR), to give meaning to these terms, thereby concluding that “European law is a part of the sources of data protection in Nigeria.”
Part IV of the Book which titles ‘Nigerian Data Protection Regulation: The Processing of Personal Data’ consists of Chapters 11, 12, 13, 14 & 15.
A major chapter, Chapter Eleven, attends to the “Principles of Data Protection”. The Author shares with us the universally accepted principles of data protection drawn from the GDPR and the English Data Protection Act 2018. These principles were traced to their roots under the Organisation for Economic Cooperation and Development (OECD) Revised Guidelines. I should also mention that I found these principles quite interesting and fascinating.
Chapter Twelve titled “Lawful basis for data protection” deals with the valid grounds for processing the data of data subjects. It states in details the principles and conditions of giving an unqualified consent on the part of the data subjects, and the legitimate use of it thereof by the data controller.
Derogation and Exemptions to the right of enjoyment of privacy is dealt with in Chapter Thirteen. The author discusses the incidences that may relate to the suspension of certain data protection rights with reference to the Constitution of the Federal Republic of Nigeria, 1999 (as amended). He explicates on some reasonable justification of these derogation with the mention of Olawoyin v. Attorney General of Northern Nigeria (citation supplied in the book) and Osawe v. Registrar of Trade Unions (citation supplied in the book) both of which are Supreme Court decisions. Also discussed are exemptions of data protection laws and regulations, law enforcement/investigation activities, anonymized or anonymous data and the data of deceased person or legal entities.
Chapter Fourteen involves the processing of sensitive personal data. It couldn’t have been better said when the author stated that “protection of intimate or sensitive personal data is the crux of data protection law.” He defined and explained the concept of sensitive personal data alongside the duty on data controllers to safeguard processing of sensitive data.
In Chapter Fifteen, the author distinguished between data security and cyber security. A few mechanisms and technical measures for data security were suggested in the Book, they include; Anonymization, Pseudonymization, Encryption and Tokenization.
Part V of the Book which titles ‘Rights, Supervision and Enforcement’ consists of Chapters 16, 17, 18, 19, 20, 21 & 22.
Chapter Sixteen titled “Rights of Data Subjects”, the author considered significant rights associated with data subjects. A total of 9 (nine) rights were highlighted in the book and discussed elaborately with relevant statutory backings and judicial authorities.
Chapter Seventeen which happens to be the longest chapter in the book with 22 pages deals with Data Protection Authority (DPA). We are introduced to Nigeria’s DPA which happens to be the NITDA. Also, we learn the powers, functions and duties of NITDA under the NITDA Act and the NDPR. The Chapter closes in on discussing the Independence of NITDA.
The enforcement of data protection is examined in Chapter Eighteen. It discusses various bodies/organizations that have a role to play in attaining an adequate enforcement mechanism for the right of data privacy. Which will in turn aid the full enjoyment of data protection rights.
The Nineteenth Chapter examines the administrative fines and damages for the violation of data protection laws. Contrary to the common belief, this chapter discloses to the public the current position of law on the definition of fines, with reference to the case of National Oil Spill Detection and Response Agency (NOSDRA) v. Mobil Producing Nigeria Unlimited (cited at page 198 of the book).
Chapter Twenty addresses the issue of international transfers of data and the need for enhanced cooperation between data protection/privacy enforcement authorities and the need to jointly regulate cross-border transfer of data.
Chapter Twenty-One examines Personal Data Breach. An interesting and insightful definition of ‘personal data breach’ was referenced to be “a deliberate or accidental disclosure or exposure of personal data to unauthorized persons or bodies.” The chapter further discloses the types of personal data breach and the obligations of both Data Controllers and Data Processors.
The last chapter of the book which happens to be Chapter Twenty-Two reminds me of John Dowey’s quote:
“A problem well stated is a problem half solved”.
This chapter proffers several suggested reforms that are necessary for the Nigerian data protection space. It further discloses possible solutions to the issues the book has identified, providing suggestions for the possible means for privacy and data protection law to flourish in Nigeria. As concisely put by Betty Williams;
“There’s no use talking about the problem unless you talk about the solution.”
The Author in this chapter has suggested noteworthy reforms that I believe should be implemented by our Data Protection Agency.
The author exhibited scholarly excellence, by making reference to over 400 sources in the book’s bibliography.
I consider the Author a gifted writer who has by reason of his extant passion for data protection and years of practicing experience, has been able to articulate his thoughts to publish such a Masterpiece. I find this great book impressively detailed and virtually exhaustive on all fundamental subjects relating to Privacy and Data Protection Law in Nigeria. This is a worthy academic material for all law teachers to utilize for themselves and in equipping the next generation of legal practitioners who will be in a firmly advantaged position, having gained mastery of the subjects treated in this book. It is also handy for practicing lawyers to make use of in the preparation of their brief of arguments.
With this book, my learned brother has succeeded in bringing to life an area of law which many would have described as abstract, prior to his literature. He is indeed a trail blazer.
It has been my pleasure and privilege to review this book and I thank you all for your kind attention.