My name is Olumide Babalola, I am honoured and grateful for this invitation to share my knowledge and experiences with you on what your (Young Legal Professionals) representatives have tagged "privacy and social media" but since they gave me a carte blanche to tweak the topic into what I modestly feel should be more attractive to you as young professionals, I will share with you what I have tagged "Career pathways in Privacy and Data Protection"

Let me start with a brief peep into my journey as a privacy practitioner. Although I am not yet certified under CIPP/E, I am the second Nigerian member (as at the last time I checked, we were only two) of the International Association of Privacy Practitioners - the largest and most authoritative body of privacy practitioners in the World. I will tell you the implication of certification and membership later in this discourse and back home, my Law Firm is one of the few Firms licenced by National Information Technology Development Agency (NITDA) as a Data Protection Compliance Organisation (DPCO) under the Nigeria Data Protection Regulation (NDPR) in 2019.

When in 2015 and 2016, telemarketing and unsolicited telephone calls became very intense and extremely exasperating in Nigeria, I had to file a class action against the four giant telecommunication companies at the High Court of Lagos State in what turned out to be the first class-action on privacy in Nigeria (to my mind).

The keenly-contested matter was heard by Justice S. A. Onigbanjo and regularly publicized on a radio programme (Office of the Citizen) sponsored by Enough is Enough (widely known as EiE- a NGO with the main objective of tackling the ills in our society headed by the highly strong-willed Yemi Adamolekun) as well as print and social media.

Upon our publication of the class action certification order in national dailies as envisaged by the provision of Order 13 rule 13 of the High Court of Lagos Civil Procedure Rules as ordered by the court, EiE embarked on a campaign that saw over 1000 Nigerians opt into the class action wherein Mr. T. Molajo, SAN appeared for MTN, the Firm of Banwo and Ighodalo defended Etisalat among others.

The suit was filed pursuant to section 37 of the Constitution on right to private and family life but that turned out to be its Achilles heel as it was struck out on the ground that, it could not be fought under that procedure.

Upon that decision, I resolved to obtain an appellate decision on right to privacy in relation to telemarketing and I was inspired to study foreign trajectory on privacy, thus leading me to discovery of decisions on the "right to be left alone" under the fourth amendment of American Constitution and a host of other variants of right to privacy which are persuasive precedents which may or may not have swayed the mind of the court in that case.

It is worthy of note that, the action and several advocacies around it, compelled the regulator (Nigeria Communications Commission) to roll out the "Do Not Disturb" codes which reduced the unsolicited calls and text messages to the barest minimum.

I recall that, at one of the stakeholders meeting I was invited to by the regulators and industry players at that time, where the idea of withdrawal of the suit was mooted, my response to them was: "this matter is not for today's troubles but for the future struggles" and as it turned out, invasion of privacy has taken a whole new dimension with the vulnerability of our personal data which are daily processed on various platforms.

That class action which is now before the Court of Appeal sitting in Lagos, set the tone for my privacy practice which has seen me file well over twenty matters on personal privacy, data protection, privacy of citizens, correspondence etc.

In one of the decisions, the High Court of Lagos State recently held that, noise emanating from a neighbour's compound, can in some instances, constitute invasion of privacy. We are however expanding the decisions on appeal as well as our aim is to build our (non-existent) jurisprudence on personal and data privacy.

Our case-law is worrisomely replete with restrictive decisions on privacy of homes and that is the narrow route our courts have taken on privacy over the years. They are quick to confine every other type on invasion of privacy under the law of torts to the detriment of several litigants who have genuine cases of invasion of private and family life under the Constitution.

Career option

For clarity and ease of reference, I have subjectively chosen, to discuss this along three lines of my perceived practice areas in privacy thus:

  1. Litigation
  2. Advisory, and
  3. Operational

Litigation: This presumably, has no ambiguity, as far as lawyers are concerned. Everything about privacy in Nigeria had always been centred around litigation until the General Data Protection Regulation (GDPR) was made in Brussels, Belgium on 27 April, 2016 but came into effect on 25 May, 2018.

The GDPR which is a European regulation would not have caught the attention of Nigerian lawyers and businesses but for its far-reaching provisions on its protection for European Union citizenry and residency etc. Hence any Nigerian who does business with European citizens or companies need to brace himself with the provisions of the GDPR and that is where our services as lawyers/privacy practitioners, come in handy.

The GDPR became an instant hit in World economy as errant companies and business continue to suffer huge sanctions under the GDPR. For instance, in 2019, the British Airways faced up to 183 million pounds fine for data breach affecting 500, 000. Google was also fined under the GDPR and the case had gone up to the English Court of Appeal in Lloyds v Google LLC. Etc.

Taking a cue from the GDPR, credit must be given to NITDA for issuing the Nigerian version as NDPR on the 25th day of January 2019 with the main objective of "safeguarding the rights of natural persons to data privacy" within the scope of personal data processed by any means.

Upon the coming into effect of the NDPR notwithstanding its shortcomings, I was elated because we found in it, an additional tool to litigate under section 37 of the Constitution (on private and family life) which had hitherto, been given, very narrow interpretation by the courts in favour of privacy of homes but to the detriment of other shades of infringements on privacy right.

Although, the Court of Appeal, in Nwali v. EBSIEC & Ors. (2014) LPELR-23682(CA) held that: "Privacy of citizens" is general and is not limited to any aspect of the person or life of a citizen" the lower courts have not placed so much reliance on the holding any time they are faced with unfamiliar shades of invasion of privacy, they have been more inclined towards condemning them to tortious actions.

Public interest causes for privacy litigation

Now under the NDPR, privacy litigation can be embarked under section 37 of the Constitution since the regulation was made pursuant to same. Most Data Controllers are now in blatant breach of regulation 2.5 of the NDPR that mandates publication of privacy policy. As a public interest privacy litigator, that has always been my first port of call; I simply check the company's website to see whether they have a privacy policy and where it has, I check further to ensure it is in compliance with the requirements. If they are in default, then my cause of action has accrued under regulation 3 which invests civil societies with locus standi to ensure compliance with the NDPR.

Live causes

Sometime in December 2019, the data breach of the Lagos State Internal Revenue Service and Surebet247 made the newsstands but surprisingly, none of the affected data subjects has, to my knowledge, approached the courts for redress under the NDPR.

That is a cognizable cause under the NDPR entitling the victims to compensation, although, we have commenced an action against the alleged violators – it remains in the realm of public interest and whatever fine NITDA imposes will go to the government coffers.

I have spoken to litigation under NDPR and the Constitution here but I recently wrote an article on my discovery of the tort of "invasion of privacy under the Law Reform (Torts) Law of Lagos State 2015", you may want to read up here (https://www.linkedin.com/posts/activity-6622444188594167808-cmJK)

So, under the NDPR, section 37 of the constitution and/or extant laws on invasion of privacy, litigation may be commenced to seek redress for: (a) data breach (b) data processing without consent (c) omission of privacy policy or its inadequacy (d) unauthorised use of data (e)refusal to provide personal data/information upon request (f) invasion of privacy of homes, correspondence, etc. I think the list is almost endless.

The next career path – legal advisory

Some Nigerian lawyers loathe litigation and this is understandable – our justice system is not only slow, it is sometimes (un)expectedly bedevilled with the ills of our society. Hence, if you don't like to litigate on privacy, then you can be a "Ridwan Oloyede" who engages in enviable privacy and data protection legal advisory.

This affords you the opportunity to provide legal services on:

Legal advisory;

Contracts drafting and review;

Cross-border and international data transfer;

Drafting and review of data transfer exchange agreements and policies; Training and awareness;

Legal opinions etc

A couple of foreign organisations sell toolkits for contracts and precedents but they can be adapted to specific clients. For example, onetrust.com provides varieties of materials that can assist a practitioner on data protection and/or processing contracts drafting, among other services etc.

For versatility and visibility, you may want to consider writing certification exams. I will recommend the CIPP/E conducted by the International Association of Privacy Practitioners. Visit their website at www.iapp.com for more information.

The online exam can be taken anytime of the year in Nigeria but it is based on the GDPR and other European instruments and institutions like United Nations Declaration on Human Rights, European Convention of Human Rights, ePrivacy Directive, Council of Europe Law (CoE Law), Council of Europe Convention, European Union Charter on Human rights, Court of Justice of European Union, European Court of Human Right etc.

So prospective candidates who desire to write the exam will be expected to create adequate time to read and understand all these materials and how they work. The computer-based exam is multiple choice with a couple of hypothetical questions and simulations – all testing the candidate's knowledge of theories and practices.

Ultimately, to start a career in legal advisory on privacy and data protection, I will (inexhaustibly) advise that you:

  1. Consider and ascertain your interest in the field;
  2. Subscribe to IAPP's newsletters and materials
  3. Follow NITDA's privacy related activities
  4. Search and read as much as you can, on GDPR, NDPR and other privacy materials
  5. Attempt obtaining certification from the IAPP – it will boost your knowledge and confidence
  6. Onetrust.com has a variety of privacy products that can improve your knowledge and skills
  7. Connect with as many privacy practitioners you can, on social media. Networking has huge impacts on people's careers. I met all my colleagues in privacy and data protection practice on LinkedIn and international events
  8. Plan and make out time to attend events. I attended IAPP's workshop and Conference in Brussels last November – the event was mind-blowing and the networking opportunities have started yielding ROI. An event in coming up in Nigeria on "digital identity and data protection" on Thursday 30th January 2020 at NG_Hub, Sabo, Lagos, Nigeria hosted by Lawyershub.org. It promises to be expository.

Lastly, another career option is on the "Operational" path

I must emphasize that, this is by no means, within the exclusive reserve of lawyers as experience has shown that other practitioners like cybersecurity experts, cyber engineers, etc do better in this field than lawyers due to the nature of skills required and tasks to be performed.

Some of the services involved here are:

Data Protection Impact Assessment (a service that helps the client to identify and minimise the data protection risks of their business)

The others are:

Data mapping & scoping

Analysis of mobile application and Website

Privacy engineering

Analysis of security standards and procedure

Security assessment

Risk assessment and Auditing.

Although, this is fused with privacy and data/protection practice, it must be completely differentiated from legal services per se.

Conclusively, to forge a career in privacy and data protection litigation, you do not necessarily require certification but it is advisable if you want to pitch your tent with legal advisory (it gives you an edge) and if you desire such a career path, the time to start, is NOW!!!

Thank you.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.