By Michael Irene, PhD
In contemporary business, the collection, use, and possession of personal data remain vital. Without it, businesses would struggle to serve customers and carry out the necessary market analysis. Yet, most approaches to collecting and storing personal data borders on intrusion and trampling on human rights. In this three-part article, I give a historical background to data protection laws, cover business dynamics in data protection age and conclude with some recommendations.
Let’s start with a story. Chukwueze and his girlfriend walked into Domino Pizza in Shoprite, Lekki, ordered Mighty meaty and waited at the lounge for their pizza. Chukwueze wanted to log into twitter while his girlfriend busied herself by taking selfies. He remembered that Domino offers a free wi-fi connection. To gain wi-fi access, however, he must provide his name, his address and his phone number to get the One-Time Password (OTP) code. He answered correctly, clicked the “I agree” button and gained access. The girlfriend connected to the internet too via the same means.
About five minutes later, their pizza was ready. Chukwueze opened it, they took pictures of the pizza and posted it on Facebook. As they eat, Chukwueze got a text from a shoe company in the shopping complex, informing him about a discount deal. His girlfriend got the same text. They ignored it. After some seconds, another text message came from one of the banks within the shopping complex telling them about new account offers. Chukwueze and his girlfriend are not too worried. These texts were normal Nigerian marketing noise. But, when his girlfriend checked her Instagram page, she saw ads on her timeline about discounted items in Shoprite.
By filling out that form to get free wi-fi, they sold their personal information and will continue to get those marketing messages forever unless something changes in the laws with regards to data protection.
How Nigerian companies use personal information in their possession is fraught with danger. Without control and appropriate regulation, most Nigerian businesses will become tyrannical in processing personal data and will continue to violate the fundamental human rights of Nigerians.
In1970s Europe, there was an upsurge in the use of computers to process information about individuals. Companies began to process personal information of individuals to carry out their daily business. Trans-border trade among European nations also encouraged the rise in information sharing.
These developments increased advantages in terms of efficacy and productivity of businesses but also exposed personal information to risks.
Concerns were raised on how the automated storage and distribution of personal information in cross-border trading could lead to the limitation of freedom and infringe on human rights. The challenge, therefore, was to build frameworks that put these concerns into perspective in the transfers and handling of personal information.
The right to private life and associated freedoms are considered fundamental human rights by the European Union. It is the foundation on which the data protection law was built. This concept underlies the whole picture of EU data protection laws.
Right from the 1940s Europe the protection of individuals was enshrined in the Universal Declaration of Human Rights adopted on 10 December 1948 by the General Assembly of the United Nations. This was born following the atrocities of World War II and it acknowledged that the “inherent dignity and the equal and inalienable rights of all members of the human race in the foundation of freedom, justice, and peace in the world.” Article 12 of that declaration gives a pointer to data protection which states that “No one shall be subjected to arbitrary interference with his privacy.”
Remarkable developments would take place as Europe took data privacy and protection seriously. In Rome, in 1950, the council of Europe invited individual states to sign the European Convention of Human Rights, an international treaty set to protect human rights and fundamental freedoms. By 1998, there was a full-time Court of Human Rights and their Article 8 of the European Convention of Human Rights echoes Article 12 of the Human Rights Declaration and makes the following provision: “Everyone has the right to respect for his private and family life, his home and correspondence.” From 1940s to the late 1950s, there was a significant track record to keep fundamental human rights and freedoms in check.
European countries started implementing legislation aimed at controlling the use of personal information by government agencies and private companies circa 1960-1980s. Denmark, France, the Federal Republic of Germany, Luxembourg, Norway, and Sweden were among these countries. Also, Data protection was incorporated as a fundamental right in their constitutions. The legislation had to be built to protect the privacy of individuals technologies evolved. This led to the publication of Recommendation 509 on human rights and modern science and technological developments.
In 1973 and 1974, the council of Europe came up with Resolutions 73/22 and 74/29 which established principles for the protection of personal data in automated databanks in private and public sectors. Other initiatives pointed to the fact that the protection of individual information became apparent and, as such, the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe formed the OECD guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. After the implementation of the OECD guidelines, it was discovered that some loopholes existed in that there was not enough in terms of covering information that was not captured by non-automatic means and this they believed might “pose a danger to privacy and individual liberties.”
By 28 January 1981, the Council of Europe adopted the Convention 108 which took the view that private companies and government bodies using personal information in computerized form have a social responsibility to safeguard such personal information. Another main feature of Convention 108 was to introduce a harmonized approach to data protection instead of having a diverse set of regulations. This would lead to the introduction of the Data Protection Directive.
However, it was again discovered that the new directive was not keeping pace with the new technological advancement. In response to these concerns, the Commission launched a review of the legislation and came up with the strategy to reform the directive. In 2012, a comprehensive reform of the Directive in the form of a General Data Protection Regulation (GDPR) imposing a single set of rules across Europe was presented and came into force in May 2016.
In summary, the basis of the General Data Protection Regulation is to respect human rights.