Right of Data Subjects Against Legitimate Recipients of Data for Non-Consensual Transmission to Third Party Infringers by Akintola Makinde
Since the advent of the Global System of Mobile Telecommunication and sundry technological innovations, there is hardly a person who has not received an unsolicited phone call, Short Message Service (SMS), email, etc., from known or unknown persons for various reasons. Most times, it is realized that these data were passed to the third-party caller or messenger through a person or medium that had legitimately obtained them. While a greater majority of persons might not have been bothered by such unauthorized transfer of data, the hostile and debilitating impacts of the breach have overtime, woken people to the imperative of taking benefit of the protections afforded by law.
It is now no longer strange for virtual loan companies to send libelous and threatening messages to telephone lines obtained from the accessed contact list of their defaulting clients; a few people might even have received calls from strangers, including investigative television and radio stations, sometimes within embarrassing contexts, demanding explanations on live radio or television programs. On the global scale, it is still fresh in our memory, how a British consulting firm, Cambridge Analytica, harvested data of over 87 million Facebook users for the United States of America electoral campaigns. Often, attention is focused on the third-party infringer, without paying attention to the potential liabilities of the legitimate recipient of the data, who served as a conduit to the third-party infringer, particularly, in the absence of consent from the data subject. In addressing this subject, therefore, it shall be necessary to examine relevant provisions across the legal framework for data privacy and protection, principal of which are the Constitution of the Federal Republic of Nigeria 1999 (as amended) (the Constitution) and the Nigeria Data Protection Regulations (NDPR/ the Regulation), which invariably is the most comprehensive extant law on the subject.
The entirety of the discourse derives its essence from the provision of section 37 of the Constitution, which confers on all persons, the fundamental right to the privacy of their telephone conversations and telegraphic communications. While the foregoing constitutional provision provides a broader spectrum for the referenced protection, the provision of the Regulations affords more specific dimensions to the extent of rights and duties available within the data space. Meanwhile, before proceeding further, suffice it to state that, put simply, data subject refers to the owner of the data in question, while a data processor is the one who uses the data, whether by means of collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination, etc. Therefore, in vivid terms, where A gives B his data for any purpose whatsoever, A becomes the data subject, while B is the data processor. This illustration has become necessary, in view of the recurrence of the phrases in this piece.
By paragraph 2.3 of the Regulations, all data subjects are entitled to willingly, give or withhold their consent to a data processor under circumstances devoid of fraud, coercion or undue influence, with the actual purpose of collection being made known to the data subject. This right comes with a corresponding duty on the data processor, not to obtain data from a data subject without making known to the said data subject, the specific purpose for which the data is being obtained. In practical and simple terms, the combined effect of the Regulations as discussed above, in relation to contact details, is that the person collecting data such as telephone numbers, email addresses, house address, pictures, etc., has the duty of stating clearly, the purpose for which the data is being obtained. In everyday human affairs, compliance with this provision, particularly under informal circumstances are often an issue of inference. For instance, when two friends run into each other at the bus terminal and they choose to exchange phone numbers, it can simply be inferred that the exchange is for the purpose of allowing them exchange calls or network under reasonable terms. Similarly, when conferees are made to fill the attendance register, disclosing their names, telephone numbers, email addresses, and home addresses, it is hardly expected that any of these data will be used for purposes which are unconnected with the subject of the conference.
It may be safe to argue that the reasonable man’s test would be relevant in determining the extent to which the data may be applied. This is elegantly expressed under clause 25 (1)(b) of the proposed Nigerian Data Protection Bill, 2022, which requires a data controller to only collect data for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. It, therefore, becomes an infraction of the Regulations and allied precepts, when such collector gives the data to a third party under any guise, whether by means of clicking the “allow application to access contacts” icon on third party-controlled digital applications, permitting access to contact fields by third party tech companies, or such other inconsistent, conscious or unconscious transfer of data to third parties. It is common knowledge that an app only needs a singular permission through a quick context-free question that automatically pops up during installation to access the data of a user, which data may be used for various purposes, including target adverts or further disclosures. It is the response to this pop-up question, which determines the liability of the user to persons whose data are stored in his device. This conclusion is consistent with paragraph 2.1 (1) (a) of the Regulations which provides that personal data must only be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the data subject. Hence, any transfer to a third party, without the consent of the data subject automatically translates to an infraction of the provision of the Regulations.
Meanwhile, in further accentuation of the rights of the data subject, paragraph 2.1(2) and (3) imposes a duty of care and accountability on anyone who is entrusted with or in possession of data. The courts have defined duty of care in several decisions including Alivu v. Aturu (1999) 7 NWLR (Pt. 612) 536, and Oilserv Ltd. v. L. A. I. CO. (Nig.) Ltd. (2008) 2 NWLR (Pt. 1070) 191 as the duty of taking reasonable care to avoid acts or omissions which one can reasonably foresee would likely injure one’s neighbour. The net effect of this is that in addition to other remedies that may be available in the context of a breach of the provisions of the Regulations and similar laws, a data subject is also entitled to the right to recover in an action in negligence where damage arises from the infringement. At this rate, the legitimate recipient could arguably be described as the primary infringer, who may then take out a third-party notice against the stranger to the data subject, for the apportionment of liabilities.
As far back as 1992, when awareness on data privacy rights and protection was infinitesimal compared to what currently obtains , the Court of Appeal in Habib Nigeria Bank Limited v. Fathudeen Syed M. Koya (1992) 7 NWLR (Pt.251) 43 had the opportunity of deciding on a case of negligence instituted by a customer who alleged that had the bank properly discharged its duty of care, it would not have allowed his letter of instruction previously written to the bank to get into the hands of third parties who got wind of his account number and transfer instructions, to perpetrate fraud on his account. Though the court held that the allegation of breach of the duty was unproved, it, nonetheless, acknowledged the fact that the bank owed a duty of care and secrecy to its customers. More recently, in Emerging Markets Telecommunication Services Limited v. Eneye (2018) LPELR-46193(CA) at 29, the respondent as plaintiff at the trial court had contended that his private GSM Mobile Phone account with the appellant was flooded with unsolicited text messages by strangers with whom he had no relationship, which amounted to violation of his fundamental human right to privacy to his person and correspondence. The said plaintiff inferred that since the senders of the unsolicited text messages are unknown to him and the messages were received through the appellant’s network, the appellant is responsible for disclosing his telephone number to these strangers without his consent. In affirming the decision of the trial court in part, the Court of Appeal held that by giving unknown persons and organizations access to the respondent’s GSM phone number to send unsolicited text messages into it, the appellant was in violation of the respondent’s right to privacy of his personal telephone line.
Consent as a prerequisite to the transfer of data from data subjects to third parties, as demonstrated through the above provisions and judicial decision also applies to public institutions which are subject to the Freedom of Information Act. This is in fact, a basis for which by section 14 of the FOIA, the public institution is mandated to deny an application for information that contains personal information. In similar vein, clause 26 of the proposed Bill fixes a data controller with the duty of not processing or permitting the processing of personal data unless the data subject has given and not withdrawn his consent for the specific purpose or purposes for which it will be processed.
The point being made through the foregoing, is that subject to the peculiarity of the facts, the direct legitimate recipient of data, which ultimately becomes a subject of infringement may sometimes be jointly or severally liable with the third-party infringer. This position as can be gleaned from the law, therefore, becomes important when identifying potential defendants for a prospective case of data infringement.
Akintola Makinde is a Senior Associate at Wole Olanipekun & Co. He may be reached through jtolamakinde@gmail.com
Image Copyright: (c) Tashatuvango | Dreamstime.com
