Data Protection and Election – Is Nigeria's democracy being undermined?

FEBRUARY 13, 2023

Many African countries are slated to hold their election cycle in 2023, with quite a number of these countries having adopted technology solutions in their electioneering processes to solve numerous challenges that the countries face, including rigging and vote manipulation. Surprisingly though, given the adoption of new technologies for the electioneering process, very few countries have implemented safeguards to protect the personal information of voters. In both traditional and electronic voting systems, the electoral authorities are often unable to achieve a balance between the registration and verification of voters and maintaining the privacy of their data.

Citizens in different African nations may now express their preferences and will during elections with the aid of technology; however, this comes at the expense of the processing of their personal data and, in most cases, biometric data. The biometric voter registration system, which most countries have adopted, captures not only the personal data of voters, such as their name, date of birth, address, location, and email address, but also their facial images, fingerprints, and, in some instances, iris scans.

In Nigeria, the Independent National Electoral Commission (INEC) has adopted a more digitised approach towards elections by using the Electronic Voters Register (EVR) and the Bimodal Voter Accreditation System (BVAS), both of which collect and/or process the personal and even sensitive data of users. However, the collection and processing of this biometric data and digital identity (ID) raise a number of privacy concerns. For one, digital IDs may increase the risk of exclusion and inequality among marginalised groups who may be unable to register for one, such as those with lower levels of digital literacy, women, and children, and those in remote areas with poor internet coverage or without access to mobile devices. There is also the issue of a lack of user trust in how data will be respected and protected by the government. To further contextualise the challenges, in many states in Nigeria, the names, pictures, dates of birth, and polling units of voters, as well as their voter identification numbers (VIN), were pasted at strategic public places to alert people about the status of their registration or as a means to allow people to verify the accuracy of their data, in line with Section 19 of the Electoral Act 2022. Section 19 of the Act states that the voters’ register is to be displayed for public scrutiny at various local governments. The import of this section is that the Act intends for certain personal data of voters captured during voters’ registration to be displayed to the general public. This violates the principles of data protection contained in the Nigerian Data Protection Regulation and international best practices for data protection and security.

There is also a growing concern about the enforcement of data subjects' rights over their voting data. Neither the Electoral Act 2022 nor the Independent National Electoral Commission (INEC) website makes any mention of processes by which data subject rights may be enforced. For example, how can a person request that their data be deleted, especially in situations where their Nigerian citizenship has been renounced? Can a data subject insist on casting their vote without manually providing their biometric details?

Furthermore, INEC’s website makes no use of a privacy notice or cookie banner to notify voters of its processing activities, in contravention of Article 2.5 of the Nigerian Data Protection Regulation. The absence of a privacy notice further calls into question the transparency of the technical and organisational mechanisms and measures INEC puts in place to protect the privacy and security of voters’ data in its custody, servers, databases, and other electronic formats.

Another aspect that has raised privacy concerns is digital campaigning and the commodification of voters' data, from data brokers to data analytics providers. According to a report by the Information Commissioner’s Office in the United Kingdom, political parties and campaign groups in the UK are increasingly using personal information and sophisticated data analytics techniques to target voters. Unfortunately, these situations are not far from the realities of Nigeria and other African nations. There have been documented instances in various jurisdictions where political candidates, political parties, and fanatics violate citizens’ data protection rights through unsolicited messaging and calls for the purpose of digital campaigning. In one of the many complaints from voters, the voter stated that the political party not only had her name but also had her location, and stated that they had gotten the data from her polling unit. In other instances, political parties send bulk messages to voters, directing them to log in or visit certain websites where, in exchange for their data, they receive stipulated sums of money. In situations like this, where voters are being targeted as a result of the data political parties have gleaned about them, it is important to begin to raise conversations about protecting voters' data, particularly because of how easily accessible people’s data has become for the wrong hands and minds.

Similar occurrences have also been recorded in other African countries. For example, in Kenya’s 2017 election, voters were involuntarily enrolled in political parties through the eCitizen platform and were subjected to microtargeting and unwanted messages from election candidates. In addition, there were also incidents in which hackers and disinformation specialists were used to send unsolicited bulk messages made to seem as though they were from a particular thought leader or opposing party in the country. These activities in Kenya led to the publication of a Guidance Note on the Processing of Personal Data for Electoral Purposes by the Office of the Data Protection Regulator. Similarly, Senegal’s data protection regulator also released a Guidance on Data Processing during elections. Although such guidance is not a magic wand to wave away data protection concerns during elections, it does serve to address policy gaps that may give room for undermining democracy as well as infringing on voters' rights to privacy.

The policy gap and lack of regulatory guidance from regulators on issues of data governance during the electioneering process in Nigeria have made voters' data susceptible to poor security and poor data protection standards, thereby encouraging unauthorised access and disclosure of data. Even more problematic is the extent of the sensitivity of the data, not only because it entails people's political opinions, which could cause them to be harmed by opposing fanatics, but also because the data collected is biometric and should be processed with even higher standards than non-biometric personal data. There have been complaints of malicious attacks on the servers of the Independent National Electoral Commission (INEC), possibly putting users at risk of exposure to targeted campaigns from aspirants and malicious attacks from third parties.

Nigeria has various nationwide databases, from bank verification numbers (BVN) to voter identification numbers (VIN) and National Identity Numbers (NIN), and rarely do the data protection regulators publish guidance and advisories to the commissions and institutions in charge of these databases. More often than not, the regulator's non-responsiveness is quite costly during electoral cycles, because data exploitation and misuse during the electoral cycle undermine the fundamental democratic process and constitute a violation of privacy and data protection rights. Moreover, there is little to no guidance, framework, or procedure to guide personal data protection while achieving verifiability during elections in many countries. For example, only a few African countries, like Kenya and Senegal, have documented guidelines on data processing during the election period, yet the abuse of voters’ information is still prevalent in these countries.

We, therefore, urge the regulators to release guidance and advisories to INEC and other relevant stakeholders towards developing a data governance framework for data protection during elections.