On June 17, 2019 a Nigerian man identified as Jeffrey Ewohime allegedly destroyed seven cars and property at the Nigerian High Commission in London over a delay in releasing his passport to him by officials of the Nigerian High Commission. Responding to the situation, the Nigeria Immigration Service (NIS), the institution saddled with the responsibility of issuance of international passports, took to its Twitter handle @nigimmigration to display an already issued International Passport in the name of the alleged vandal and tweeted that the High Commission had already closed for the day at the time the man arrived to pick up his passport at the High Commission, and further that he did not have the required Collection Slip on him. Many things could have angered the man in question, but nothing would justify the criminal damage he allegedly perpetrated in law.
While Mr. Ewohime may be answering allegations from the UK authorities at the moment, a debate has been going on around the incident as to the propriety of the displaying of his international passport’s data page on twitter by NIS, thereby putting his personal data in the full glare of the public. While some believe that it is wrong for NIS to have displayed the Data Page of Mr. Ewohime to the public, others believe that the action is not wrong given the fact that the passport itself is the property of Federal Government of Nigeria and may be withdrawn at any time, as clearly inscribed on the passport itself. This debate therefore leads us to find out whether or not NIS owes Mr. Ewohime a duty to protect his personal data.
On January 25, 2019 Nigeria’s Federal Government agency responsible for developing and regulating information technology in the country, the National Information Technology Development Agency (NITDA), issued a data protection regulation called Nigeria Data Protection Regulation or NDPR with the aim of protection personal data of Nigerians home and abroad and non-Nigerian residents in Nigeria. The regulation came into force that same day. The NDPR is Nigeria’s equivalent of Europe’s GDPR with substantial similarities in their provisions. NDPR defines “Personal Data” to mean
“any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.”
By the regulation, all public and private organizations that control and process data of natural persons are bound to comply with the provisions of the regulation. The regulation defines processing of personal data to mean “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Under the NDPR, conditions for lawfulness of processing of a personal data are provided, precisely in Article 2.2 of the NDPR and they are (i) consent of the person owning the data (Data Subject), (ii) in performance of a contract or taking steps in entering into a contract by the person, (iii) in compliance with a legal obligation, (iv) in protection of vital interests of the person or another natural person, (v) in the public interest or in exercise of a mandate vested in the data controller.
It is therefore clear that NIS owes Mr. Ewohime a duty to protect his personal data and the agency is indeed bound to comply with the provisions of NDPR. In displaying Mr. Ewohime’s international passport’s data page, NIS thereby processed his personal data including his photo, full name, passport number, place of birth, date of birth and nationality all of which directly identify Mr. Ewohime. Sadly however, NIS did not meet any of the conditions stipulated in Article 2.2 of NDPR which therefore renders the disclosure of Mr. Ewohime’s personal data a clear contravention of the regulation.
A brief look at how Europe’s GDPR has been enforced in two cases will show the burden of data protection imposed on data controllers, commitment of the enforcing authorities on GDPR across Europe and help us understand the liability of NIS in the instant case. In Poland, a Sport association was penalized and handed a fine of 12, 950 Euros for publishing personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers (national identification number). The Polish National Personal Data Protection Office (UODO) held that by making them public, the administrator posed a potential risk of their unauthorized use, e.g to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the Polish Data Protection Authority, the fact that attempts to remove it were ineffective determined the imposition of a penalty. In Lithuania, the Lithuanian Data Protection Supervisory Authority found a Payment Service Provider, UAB Mister Tango processed more data than necessary to achieve the purposes for which it was a controller. In addition, it became known that from 09-10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. A fine of 61, 500 Euros was imposed on the data controller (UAB Mister Tango) as there was not even any breach notification made to the Data Subjects as required by Art. 33 of GDPR.
From the circumstance of Mr. Ewohime’s case, it is clear that the conduct of NIS is a personal data breach and a clear act of illegality. For those that validate the unlawful disclosure of Mr. Ewohime’s personal data by NIS given its power to withdraw passports, such an argument cannot hold water as withdrawal of a passport is one thing and the unlawful disclosure of personal data of a Data subject is another thing. NIS can withdraw international passports even without the bearer vandalizing anyone’s property including that of the government. Yet, vandalizing someone’s property or that of the government is not in itself a condition for withdrawal of passport. In fact, the only two conditions for withdrawal of passport are contained in Section 13 of the Immigration Act 2015 and they are “obtaining a passport by fraud” and “unlawfully holding more than one passport at a time.” Even if a person’s passport is lawfully withdrawn, the law only requires the details of the passport withdrawn to be published in the Federal Gazette and not on Twitter or any social media platform.
As for NITDA, the first blow, they say, is only half of the battle and not the end of it. While NITDA might have dealt the first blow on the culture of infringement of personal data privacy of Nigerians and non-Nigerian residents in Nigeria by issuing NDPR, it cannot sit back yet. It must consistently deal more blows on the terrible culture through massive efforts to educate private and public institutions and the general public, training, re-training and licensing of auditors and attending to personal data breach complaints. Finally, while NIS is called upon to immediately take down the data page of Mr Ewohime from its Twitter handle and any other online platform, how NITDA responds to this contravention of NDPR by NIS in Mr. Ewohime’s case will be a blue litmus test of NITDA’s readiness to enforce the regulation.
Update
On Friday July 12, 2019, The National Information Technology Development Agency (NITDA) commenced investigation into the personal data breach of Mr Jeffrey Ewohime’s personal data by the Nigeria Immigration Service. Pressure on NITDA came from various fronts. In addition to the above article and significant public concern, Digital Rights Lawyers Initiative filed three suits against NITDA to ensure implementation and enforcement of Nigeria Data Protection Regulation. Read More.