Information Technology

AI Technology: A Privacy and Data Protection Dilemma

Emmanuel Owosanni
| August 27th, 2024

Introduction
With rapid technological advancement across the globe, artificial intelligence (AI) has emerged as a transformative force with profound implications for various aspects of the society, especially privacy and data protection. Nigeria, like many other nations, stands at the forefront of integrating AI technologies into critical sectors, ranging from healthcare and finance to governance and education. However, as AI systems become increasingly pervasive, concerns about their impact(s) on privacy and data protection have gained prominence. This article aims to explore the complex relationship between AI and privacy/data protection. By delving into existing legal frameworks, examining the landscape of AI deployment, and analyzing the associated challenges and risks, this article seeks to shed light on the complex dilemmas facing policymakers, businesses, and individuals. Ultimately, it advocates for a balanced approach that promotes innovation while safeguarding fundamental rights as to privacy, thereby fostering a conducive environment for the responsible development and deployment of AI technologies in Nigeria.

AI and Privacy: The Relationship

The use of AI processing tools is nothing new. Over the years, big tech companies like Google and Meta have harnessed the power of AI to modify advertisement tools, ensuring that users receive internet services tailored to their unique preference. This is achieved by analyzing a vast amount of personal data in delivering the most relevant content.

But the data collection and usage of personal information with AI technologies were not limited to the world’s most popular social networks as insurance, fintech, and a number of companies now leverage AI in their work in ways that crucially impact the lives of individuals whose personal data are being processed.

This marked a turning point where AI transitioned from being a tool used by tech giants to something more mainstream. It became more accessible to businesses of all sizes. This accessibility, combined with increased robustness, has enabled businesses to process and analyze personal data on an unprecedented scale. Hence, the need for a compliance framework to reinforce regulatory mechanisms for the supervision of data affairs.

Data protection and the Legal regime: The Nigeria context

The emergence of AI with respect to uncoordinated usage poses significant challenges to the rule of law, fundamental rights protection, and the integrity of the judicial system. Hence, the establishment of regulatory frameworks.

In Nigeria, data protection is founded on the constitutional right to privacy.[1] There are also splinters of data privacy and protection legislations other than the Nigerian Constitution; The Cybercrime (Prohibition, Prevention, etc.) Act criminalizes unlawful interception of non-public data, providing for a penalty for offenders under Section 12. Although the Act does not mention the word ‘privacy’, it provides for the retention and protection of data in computer-based system by financial institutions and criminalizes the interception of electronic communications in financial institutions. Other legislations include the Terrorism Prevention Act, 2013, Freedom of Information Act 2013, the Nigeria Communications Commission Act 2003, the Nigerian Data Protection Regulation 2019 and the most recent Nigeria Data Protection Act 2023 (hereinafter referred to as NDPR and NDPA respectively).

The NDPA is Nigeria’s main data protection legislation enacted on June 12, 2023. It in fact repealed the Nigeria Data Protection Regulation (NDPR), 2019 and has been in effect since then.

Prior to the NDPA, the NDPR which was issued at the time by the National Information Technology Development Agency (NITDA) was the go-to regulation on data protection. Although enforceable, it remains a subsidiary legislation, and there was no specific commission to oversee data protection. The NDPR was a placeholder until the enactment of the NDPA, and NITDA had to stretch itself to oversee data protection. To temporarily assist the supervision, the Nigerian Government issued an executive order in February 2022 that established the Nigeria Data Protection Bureau (NDPB) and transferred the data protection role as well as the existing regulations or guidance issued by NITDA to the NDPB. By popular legal opinion, the NDPB lacked legislative backing, but with the enactment of the NDPA, the Nigeria Data Protection Commission (NDPC) was created to oversee data protection in Nigeria, and the 2022 abnormality was corrected. Based on the NDPA, the NDPB has been subsumed into the NDPC as an apex regulator of data protection-related matters in Nigeria.[2]

Furthermore, the NDPR along with regulations issued by NITDA or NDPB are still applicable to data protection in Nigeria and are now treated as regulations issued by the NDPC. Thus, the NDPR operates side by side with the NDPA, but the latter will prevail where there is a conflicting provision in the NDPR.[3]

The Misconstruation of Nigeria’s Data Protection Laws: The NDPR and NDPA In View

There is no doubt that the main legislation on data protection in Nigeria is the NDPA, while the NDPR and other regulations or circulars serve as supplements.

Apparently, there have been debates as to why the NDPR is still accorded legal reverence in terms of major data affairs when the NDPA has already been enacted, and in fact repealed the NDPR. Some legal analysts posit that most court cases [4] as to data affairs have been based on the NDPR, hence, this underscores the relevance in present times. Also, another group of legal analysts have strongly opposed this view of relevancy and contraposed that the NDPR be relegated to the historical artefacts of data laws that once regulated data affairs in Nigeria. The rationale for their agitation is that the NDPA repealed the NDPR.

Does the enactment of the NDPA make the NDPR an invalid regulatory framework for compliance purposes as to data affairs in present times? I strongly posit the answer to be NO, unless there is a sign of inconsistency with the NDPA. By virtue of its section 63, the NDPA does not entirely invalidate the NDPR, but rather:

  1. Repeals and replaces certain provisions of the NDPR with new ones.
  2. Builds upon the foundation established by the NDPR.
  3. Enhances and expands the scope of data protection in Nigeria.

Apparently, the NDPA repeals the NDPR’s registration and licensing requirements for data controllers and processors, as well as introduces new provisions for data subject rights, data breach notification, and enforcement. The position by some legal analysts as to the total abrogation of the NDPR and its relegation to historical artefacts of data laws that once regulated data affairs in Nigeria is thus, erroneous for basically two (2) reasons:

  1. The underestimation of administrative law, as this is the basis for which the NDPR was formed and
  2. The factor of existing registrations and licenses before the enactment of the NDPA in 2023.

From the scope of administrative law, the NDPR can be said to have maintained its relevance as to data affairs up to this present time. Hence, the viability and validation of the first position by legal analysts on the continued relevancy of the NDPR.

Privacy and Data Protection Concerns

The sudden resort to AI and other digital technologies, especially post-COVID pandemic has created new vulnerabilities for the data of people across the globe to be commercialized and even weaponized by both legitimate and illegitimate data actors.[5]

Modern computing technologies and the internet have generated the capacity to gather, manipulate and share massive quantities of personal data. Computers today can track our telephone calls, medical histories and unarguably a large number of data records. Someone with access to this information could do data subjects grave harm or otherwise, depending on a motive.

The adage, “Information rules the world” entails that personal information is a crucial currency in our contemporary world. Personal data is a commodity which can be owned, transferred and traded for value. As AI technologies often rely on vast amounts of data to function, it has raised concerns about data protection and privacy. The negative impacts of AI technologies have thus exacerbated these concerns. An example of such negative impacts for consideration is the deepfakes. The deepfakes are videos or images which contemplates the manipulation of AI technology to create a false representation of reality. These videos have the potential to be used for malicious purposes, such as spreading fake news or propaganda. In Nigeria, deepfakes were used during the 2019 presidential election to spread misinformation and fake news.[6] One video showed the opposition candidate, Abubakar Atiku, allegedly speaking at a public event and promising to “grant amnesty” to Boko Haram insurgents if elected. The video was later proven to be a deepfake.

For some reasons, including the above, many people fear the loss of their privacy in an AI-driven world, and such has resulted in what I call data apathy: a term to simply describe the disinterestedness of supposed data subjects in having anything to do with contemporary data civilization.

In defeating data apathy, data subjects, hence, have a right to be protected as to the collection, storage, and use of their personal data by data processors. The aim is to keep such information private and regulate its utility.

Recommendation and Conclusion

The integration of AI into the various sectors of the Nigerian society holds immense potential for innovation and progress. However, it is crucial to recognize and address the inherent privacy and data protection challenges associated with AI deployment. As highlighted throughout this article, the responsible development and deployment of AI technologies must prioritize the protection of individuals' privacy rights and data security (in one word, compliance). Striking a balance between AI innovation and privacy/data protection is imperative to ensure that Nigeria maximizes the benefits of AI while mitigating potential harms.

To achieve this balance, Government and Non-Government policymakers, businesses, and other requisite stakeholders must collaborate to formulate the appropriate policies, legal and regulatory frameworks that address the use of AI technologies and promote ethical AI practices. This process of achievement includes implementing robust data protection measures, enhancing transparency and accountability in AI systems, ensuring meaningful consent and user control over personal data. Additionally, investing in awareness-raising initiatives and capacity-building programs can empower individuals to make informed decisions about their privacy and data rights in the context of technology mainstreaming.

By adopting a proactive and collaborative approach, Nigeria can foster an environment conducive to AI innovation while upholding fundamental principles of privacy and data protection. This, not only safeguards individuals' data rights and interests but also enhances trust and confidence in AI technologies, thereby promoting sustainable socio-economic development and inclusive growth. As Nigeria navigates the complexities of the AI landscape, prioritizing the protection of privacy rights, data security, and tailored awareness programmes will be essential to neutralizing data apathy, as well as building a more equitable and resilient digital future for us all.


 

[1] Constitution of the Federal Republic of Nigeria 1999, s 37

[2] Nigeria Data Protection Act 2023, s 64

[3] Nigeria Data Protection Act 2023, s 63

[4] Digital Rights Lawyers Initiative v NYSC (FHC/IB/98/2020); DRLI v LIRS (FHC/ABJ/CS/1401/19); Incorporated Trustees of Laws and Rights Awareness Initiative v Zoom Video Communications Inc (FHC/AB/CS/53/2020)

[5] In March 2020, a class-action lawsuit bordering on data security breach was filed in the US District court of the Northern District of California against a giant video-conferencing firm, Zoom. Also in 2021, The National Information Technology Development Agency (NITDA) sanctioned an online lending platform, Soko Lending Company Ltd (Soko Loans), for privacy invasion.

[6] Ayobami Ojebode, ‘Fake News, Hate Speech and the 2019 General Elections; The redemptive role of the Nigerian Media’ (Sahara Reporters, 3 December 2018) https://saharareporters.com/2018/12/03/fake-news-hate-speech-and-2019-general-elections-redemptive-role-nigerian-media-ayobami accessed 22 August 2024.


Emmanuel Owosanni
Author

Sign up for our Newsletter

Join our newsletter and get resources, curated content, and design inspiration delivered straight to your inbox.

Related Post