By Bibitayo Emmanuel Ojo
A storm is brewing in Lagos’ booming ride-hailing industry
Against the backdrop of a growing ride-hailing industry, a growing concern is emerging from the agreement between ride-hailing platforms and the Lagos state government which was executed in 2020. This agreement sought to facilitate the sharing of user data, a decision that has since catalysed a potential dispute between the government and Uber, a prominent player in the industry. Notably, while Uber’s competitor, Bolt, has reportedly embraced the terms outlined in the agreement, Uber remains hesitant, as it was reported.
Backdoor Access and Big Brother?
The genesis of this inharmoniousness traces back to regulatory interventions introduced in 2020 by the Lagos State government pertaining to ride-hailing operations. Among these regulations was a stipulation mandating ride-hailing companies to grant backend access to user trip data and location specifics. The government asserted multifaceted objectives for this requisition, citing imperatives such as urban planning, revenue optimisation, and strengthening security measures. This regulatory framework set the stage for the current gridlock, highlighting the intersection of governmental interest, and privacy of the ride-hailing users.
Data Privacy Principles Under Threat
While governments may cite various reasons for access requests, it is essential to critically examine such actions through the lens of data privacy principles.
Principle of Purpose Limitation
Section 24 of the Nigeria Data Protection Act 2023 emphasizes the principle of Purpose Limitation, which states that personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. When governments request access to Uber user data, questions arise regarding the intended purpose of such access. If the government’s use of the data extends beyond the original purpose for which it was collected, it could violate this fundamental principle. So, the question is whether the purpose for which data was collected from Uber users includes government surveillance.
Checking through the data sharing clause in the Uber privacy policy, it was crystal clear that data is not to be shared with the Lagos state government for one reason or the other. Could that be an oversight from Uber?
Either way, processing users’ data outside the purpose for collection is against the spirit of the fundamental right to privacy of users (Section 37 of the Constitution of the Federal Republic of Nigeria (1999 as Amended))
Principle of Data Minimisation
The principle of data minimisation mandates that personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. When governments request access to extensive datasets from Uber, including user trip histories and location information, there is a concern that data is being collected more than it is strictly necessary for the stated objectives.
Reliance on Part B of Uber’s privacy policy
‘Uber uses data to enable reliable and convenient transportation, delivery, and other products and services. We also use data:
- to enhance the safety and security of our users and services
- for customer support
- for research and development
- to enable communications between users
- for marketing and advertising
- to send non-marketing communications to users
- in connection with legal proceedings’
There is nowhere it is written that the data collected would be used for objectives outside the list above. This overreach violates the principle of data minimization and exposes individuals to unnecessary privacy risks.
It could be argued conversely that Uber can use data to ‘satisfy requirements under applicable laws, regulations, operating licenses or agreements, insurance policies, or pursuant to legal process or governmental request, including from law enforcement’. However, I would rely on the principle of reasonable expectation of privacy and contend that an Uber user has a reasonable expectation of privacy in the public. This was well settled when Justice Potter Stewart handed down that The Fourth Amendment to the US Constitution is to protect people and not places. Katz v. United States, 389 U.S. 347 (1967)
Balancing Needs, Protecting Rights
While Lagos State may have legitimate reasons for requesting access to Uber user data, it is essential to ensure that these requests are lawful, transparent, and proportionate to the stated objectives. Upholding data privacy principles is important to safeguarding individuals’ rights and maintaining trust in both government institutions and private companies. Any deviation from these principles poses risks to the privacy rights and undermines the foundations of a democratic society.
Therefore, there is a need for a carefully balance of interests with the need to protect individuals’ privacy in the digital age.
Conclusion
It is sufficient to say that safeguarding privacy in this instance issue is not just as right, it is also crucial for maintaining the legitimacy of governmental actions. Failure to address these concerns could lead to backlash from civil society, and undermine the very foundations of democratic governance. Thus, the government should tread carefully while the ride-hailing companies should ensure compliance with the data protection laws and regulations, lest they open doors for legal battles.
Bibitayo Emmanuel Ojo
Data Protection Analyst bibitayoemmanuel@gmail.com