Nigeria: X-Raying The Legal Framework For Enforcement Of The Right To Be Forgotten In Nigeria

1.0 Introduction

The disruptive impact of technological innovations on the privacy of citizens no doubt calls for a continuously evolving legal framework which is adaptive to rapidly evolving societal trends. Globally, the increasing adoption of the social media, search engines and the internet generally, has led to the formation of a near-permanent record of the activities of individuals on the cyberspace. The Internet is renowned for remembering everything while forgetting nothing. Personal data of data subjects, in the form of videos, pictures, tweets, documents and audios have found its way into the cyberspace and remain easily accessible with a mere click.

The information or data on the internet may in some cases include past criminal records, health records, court proceedings or other unpleasant (or pleasant but unnecessary) information which the owners of these data consider unworthy for its continued retention on the internet. This raises the challenging question of whether a Nigerian data subject can compel search engines or other data processors to delete, remove or 'forget' such data or information from the internet. In the light of the recently enacted Nigerian Data Protection Act 2023, this paper aims to explore the legal framework for enforcement of the right to be forgotten in Nigeria.

Keywords: Law, Technology, Privacy, data protection and Nigeria.

2.0 Conceptual Framework

To enhance a greater understanding of the concepts used in this work, it is imperative to define certain terms and terminologies used herein.

'Data controller'means an individual, private entity, public commission, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data ¹. Data processor means an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another processor ². Data subject means a person to whom data subject relates. ³ Personal data is on the other hand defined as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual ⁴.

2.1 Overview of the Concept of the Right to be Forgotten

The right to be forgotten, also known as 'the right to erasure', is the right of data subjects to compel the deletion or erasure of certain private information about them from internet searches and other directories.

This right was first brought to limelight by the decision of the European Union Court of Justice in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) ⁵ In this case, Mr Costeja González, a Spanish national resident in Spain, filed a complaint before the European Court of Justice, against, Google Spain, Google Inc and two Spanish newspapers. His complaint centered around the fact that, upon entry of his name in the Google search engine, the information that popped up was the publications regarding a confiscation order for his house in respect of an attachment proceeding. He therefore requested the erasure of the information since the attachment and confiscation had long been resolved, rendering the retention of the information on the internet irrelevant. The European Court of Justice found in favour of Mr. Gonzalez and held that the information regarding the attachment proceedings be deleted. This decision was subsequently codified in Article 17 of the European Union General Data Protection Regulation ("GDPR") and has formed the foundation for development of the right to be forgotten in various jurisdictions.

The right to be forgotten has since gained traction globally, with several jurisdictions now incorporating the right into their corpus juris. In the succeeding parts of this work, we shall explore Nigeria's legal framework for the right to be forgotten.

2.2 Legal Framework for the Right to Forgotten in Nigeria.

The Constitution of Federal Republic of Nigeria:

Prior to the enactment of the Nigerian Data Protection Act 2023, Nigeria had had several pieces of laws dealing with the issue of privacy. However, at the heart of the right to privacy regime in Nigeria is the Constitution of the Federal Republic of Nigeria 1999, as amended. ('the Constitution'). Section 37 of the Constitution provides in generic terms that: 'The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.'. The provision, however, failed to address specific aspects of the right to privacy such as the right to be forgotten. Thus, while the constitution provided sufficient foundation for the enforcement of the right to privacy, it failed to make adequate provisions for the enforcement of the right to be forgotten as an aspect of privacy.

Nigerian Data Protection Regulation (NDPR):

With development in information technology in Nigeria came the National Information and Technology Development Agency Act of 2007. Section 6 (a) and (c) of the Act empowers the agency to make regulations pursuant to which the NDPR was issued on 25th January 2019. It was made in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. These information systems had become critical information infrastructure which must be safeguarded, regulated and protected against personal data breaches ⁶. The NDPR ⁷ made specific provisions for the right to be forgotten and indicated five circumstances under which a data subject may request the deletion of personal data:

"...: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or processed; b) the Data Subject withdraws consent on which the processing is based; c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; d) the Personal Data have been unlawfully processed; and e) the Personal Data must be erased for compliance with a legal obligation in Nigeria."

Practical Approach in Nigeria Courts:

Unfortunately, whilst the Nigerian Data Protection Regulations 2019 had adequate provisions for the enforcement of the right to be forgotten in Nigeria, many Nigerian litigants and lawyers remained oblivious of this subsidiary legislation and its provisions. There was thus little or no opportunity for the courts to enforce or test the provisions of the Regulation as it relates to the right to be forgotten. In the few cases having the flavour of the right to be forgotten, lawyers and litigants appeared to have sought its enforcement under the human rights provisions of the Constitution, thereby encountering challenges along the line.

In Hillary Ogom v. Google LLC & Anor ⁸, which was brought before the High Court of Lagos State, a cleric, who had been convicted and imprisoned in the United Kingdom filed a suit against Google in Lagos Nigeria. He sought a court order to compel Google to delete or erase information pertaining to his previous conviction and imprisonment in the United Kingdom from Google search engine. His claim was premised on the alleged stigmatization he faced due to the continued presence of the information on google. The Court dismissed this action and held that the claimant failed to establish violation of his rights to privacy, freedom of association and the dignity of his human person. Additionally, the Court stated that he had failed to meet the legal requirements for invoking the right to be forgotten ⁹. It may be argued that the case would have recorded a greater chance of success if the Claimant had based his claim on the right to be forgotten and adduced evidence to establish how the continued retention of the information on the internet was legally unjustifiable.

The 2023 Act:

The Nigerian Data Protection Act 2023 now provides an additional framework for enforcement of the rights of data subjects in Nigeria- including the right to be forgotten. Section 34 of the Act specifically deals with the broad range of rights available to a data subject including the right to request erasure, otherwise known as the right to be forgotten. By section 34(1)(c) of the Act, a data subject has the right to obtain from a data controller, without constraints or unreasonable delay, the correction or, if correction is not feasible, deletion of the data subject's personal data that is inaccurate, out of date, incomplete, or misleading. Also, by section 34(1)(d), a data subject has the right to obtain from the data controller, the erasure of personal data concerning the data subject.

It is imperative to note that by the provision of Section 64(2)(f) of the Act, all existing regulatory instruments, including regulations, directives, and authorizations issued by the National Information Technology Development Agency (''NITDA'') or the Nigeria Data Protection Bureau (''NDPB'') shall remain in force until they expire, are repealed, replaced, reassembled, or altered ¹⁰. In other words, the provisions of the NDPR relating to the right to be forgotten remains in vogue and, together with the Act, form the legal basis for the direct enforcement of the right to be forgotten in Nigeria.

The recognition of the right to be forgotten under the Act, no doubt, lays a better foundation for the development of the right in Nigeria than the previous regime. It is also hoped that lawyers and litigants would take advantage of its provisions to seek reliefs when seeking erasure of their personal data in cases when it would be legally justifiable to do so.

2.3 Enforcement of the Right to be Forgotten vis-à-vis Conflicting Interests

A paramount consideration in any attempts at enforcing the right to be forgotten in Nigeria is the need to balance enforcement of the right with other seemingly conflicting rights and interests. These interests would amongst other things include the need to protect the constitutionally guaranteed right to freedom of expression, as well as public policy considerations such as the need to preserve information on the internet for research, educational purposes and historical references.

There are thus varying levels of application of the right to be forgotten across several jurisdictions influenced by the priorities accorded the rights against other competing rights such as freedom of expression ¹¹. For instance, in Europe where privacy is held to high standards, the right enjoys strong protection, while in the United States, where free speech tends to trump the protection of privacy, the right to be forgotten has not gained much traction ¹².

In Nigeria, enforcement of the right to be forgotten must be balanced with these conflicting interests, such that the court ensures that the freedom of the press and of individuals generally, are not overly encroached while considering a litigant's request for the deletion of information.

The European Union Court of Justice, in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González ¹³, proposed striking a balance between the legitimate interest of internet users and researchers who seek access to information on the one hand, and a subject's right to be forgotten on the other hand. This consideration becomes imperative in view of the need to ensure that information available on the internet for research and public interest purposes are not unduly depleted in an attempt to honour data subject's deletion request. Nigerian Courts are equally enjoined to take all competing interests into consideration in deciding whether to honour or discountenance claims based on the right to be forgotten.

3.0. Conclusion

While many Nigerians have argued that the right to be forgotten is a forgotten right in Nigeria, this paper has indeed revealed that the right is not forgotten but is indeed gaining traction. It is also observed that implementing the right will require a careful calibration between privacy and other interests including freedom of expression. More so, with the Nigeran Data Protection Act 2023 now recognizing the right to be forgotten, it is anticipated that litigants will become more conscious of the right and take full advantage of it when seeking remedies for breach of data privacy.

Footnotes

1Nigerian Data Protection Act 2023, s. 65.

2Ibid, s. 65.

3Ibid.

4Nigerian Data Protection Act 2023, s. 65

5ECLI:EU:C: 2014:317

6Nigeria Data Protection Regulation: Implementation Framework of November 2020

7Section 3(9) of NDPR

8Suit No. IKD/319/GCM/2019 (Unreported)

9See,Olumide Babalola, 'Right to be Forgotten: How Nigeria Missed a Golden Opportunity'https://dnllegalandstyle.com/2021/right-to-be-forgotten-how-nigeria-missed-a-golden-opportunity/. Accessed August 1, 2023.

10Nigerian Data Protection Act 2023, s. 64.

11Franz Werro, 'The Right to Be Forgotten: The General Report' in Franz Werro (ed), The Right to be Forgotten: A comparative study of the emergent right's evolution and application in Europe, the Americas, and Asia (Springer, 2020) 2.

12Joanna Connolly, ''The right to erasure: Comparative perspectives on an emerging privacy right'', Alternative Law Journal 2021, Vol. 46(1),

13Supra

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.