By Olumide Babalola
On the 3rd day of August 2024, Dr Bosun Tijani – Nigeria’s Minister of Communication, Innovation and Digital Economy – released a draft document titled ‘National Artificial Intelligence (AI) Strategy’ and invited the public to make ‘input’ and ‘further dissect its contents.’ As a member of the public and a stakeholder in the privacy and data protection industry, I have decided to make my input public for posterity’s sake especially since this is not the first time the Federal government would draft a strategy. An attempt was made in 2021.
Clarity of purpose
If the 73-page document is meant to be put to good use by all and sundry, its introduction must clearly articulate the purpose. I read through the document but struggled to find a clear expression of what purpose it is meant to serve.
However, on page 12, it states that: “A national strategy therefore must “A national AI strategy, therefore, must provide nuanced guiding principles clearly defined and articulated in alignment with country values and goals, as well as ensure consistency with higher-order goals for the future of humanity and civilisation.” There are two problems with this statement. First, while the statement reiterates a part of the normative value of a national strategy, it does not confirm whether or not that is its own purpose. Secondly, assuming the statement contains the objective of the document, the proposition of principle … in alignment with country’s values and goods’ falls short of the utility of a national strategy. Conceptually, a document conveying national strategy ought to essentially contain a guide and communicate the government’s plan to “allocate” resources towards attainment of its policy objectives. The allocation of resources is either omitted or hidden in the document. I however stand to be corrected on this. For whatever it is worth, these clear and lucid objectives need to be set out at the beginning of the document to ease reading, understanding and utility by all concerned.
Insufficient commitment to privacy and data protection
For a document that proposes to enhance citizens’ welfare and quality of life, one would have expected a real and articulate devotion to fundamental rights and freedoms, especially privacy and data protection. Surprisingly, in the entire 73-page document, ‘human rights’ is only mentioned three times with no clear-cut explanation of real protection and surprisingly, reference to the Nigerian Constitution is conspicuously omitted. In the words of Neil Richard, (a professor of privacy) in his recent book ‘Why Privacy Matters’ published in 2022 by Oxford University Press at page 9:
“If we want to build a digital society consistent without hard-won social values – a society that is fair, just, equitable, free and sustainable – then a meaningful commitment to privacy must continue to be a part of that society. Privacy matters and it will continue to matter, not just because privacy is a proxy for social power but because good privacy rules promote the essential human value of identity, freedom and protection”
For clarity, I will narrow down my observations on privacy and data protection into the following sub-headings hereunder:
i. Avoidable misnomer and typographical errors
Contrary to the reference to 2024 on page 12, the Nigeria Data Protection Act was enacted in 2023 although the correct date was stated in the subsequent opportunity. On page 15, the statement – “AIs dependence on data makes the National Data Protection (NDP) Act 2023 statutes protect data subjects and guide processing of personal data essentials” – needs to be rejigged for many reasons. First, it is fraught with some grammatical and typographical errors: the ‘N’ in NDPA stands for ‘Nigeria’ but not ‘National’. Secondly, for the purpose of syntax, ‘statutes’ should be expunged not only because the NDPA is not plural but also for logical reasons. Third, the ‘essential’ after personal data should also be removed – it is clearly an erroneous addition which robs the statement of its desired meaning.
On page 43, the phrase “additional Acts on Data Protection Regulation” is confusing. Since the passage references relevant legislation and policies, why not simply state the Nigeria Data Protection Act 2023? Also “cybercrime” “NOTAP” and “NUC” in the paragraph are neither legislation nor policies, they should be corrected to reflect the specific laws concerned. It may also be helpful for the document to have a definition section to clear any misconception of (technical) terms. For example, “data” and “sensitive data” are used carelessly throughout the document but these terms have varying meanings under specific laws. Within the context of data protection, “sensitive personal data” has a statutory meaning which may be at variance with similar terms under other legislation. Worthy of note is also an erroneous reference to the repealed Copyright Act of 2004 instead of the extant 2022 Act.
ii. Misconception of the coverage of the NDPA
On page 12, the document audaciously declares: “…the 2023 Data Protection Act does not particularly address AI-related data concepts”. This is somewhat misleading since most, if not all AI mechanisms process personal data – the subject of NDPA. Interestingly, section 37 of the NDPA particularly prohibits the use of rights-impacting AI (i.e automated decision-making) for processing activities exclusive of human intervention except under listed circumstances. Secondly, in addition to referenced issues like data security and cross-border transfers in relation to AI, the NDPA also regulates the entire life cycle of personal data processed by AI; transparency; accuracy (data quality); data minimization (big data issues); storage limitation (retention periods); consent mechanism; sensitive personal data; purpose limitation (misuse of data/secondary use) and data breach etc. Since it proposes to be a roadmap, the document ought to be as directional as possible.
iii. Ethical principles for privacy
On page 27, the fourth pillar proposes clear and comprehensive ethical principles for privacy among other interests. Flowing from this, page 39 reproduces the same as one of the outcomes, but privacy is conspicuously omitted from the strategies proposed on page 40. As if that is not odd enough, apart from transparency and accountability, all other principles of data protection are completely omitted. Moving forward, due consideration ought to be given to the force ascribable to the proposed “Ethical principles for AI”. Are they going to be enforceable legislation or another initiative like the legislative House of Representatives Committee’s curious ‘developing and implementing AI policies’ as referenced on page 35?
iv. Funding of another regulator despite omission/refusal to fund the NDPC?
As it is with every industry, page 42 proposes the establishment of an AI Governance Regulatory Body. While I am not particularly against this, my concerns are twofold. One, the Nigeria Data Protection Commission (NDPC) – one of the existing agencies recognised (on page 13) in the AI ecosystem for its implementation is currently cash-starved. It is yet to be funded by the Ministry of Digital Economy, Innovation and Communication and other agencies as prescribed under section 19 of the NDPA. While this weight is yet to be shed by the ministry, the document’s proposal of an additional body and financial burden may not be justifiable. Two, there exists the National Centre for AI and Robotics (NCAIR) – a subsidiary of NITDA with statutory functions woven around the development of technology and sundry infrastructure. It is more cost-effective and efficient to empower the agency in this regard. Conclusively, regardless of this scepticism, the document ought to propose workable plans for funding and allocation of resources to the outlined objectives.
