In September 2022, Ikigai Innovation Initiative shared a comprehensive update of our ongoing legal efforts to challenge privacy rights infringements by the Nigerian government and its associated agencies. This post offers a detailed account of our latest developments concerning our legal challenges against the International Data Transfer Whitelist under the Nigerian Data Protection Framework.
Background: Unravelling the Whitelist Dilemma
In August 2021, we assessed international data transfer under the Nigeria Data Protection Regulation 2019 (NDPR) and the Data Protection Implementation Framework (DPIF), which govern data transfer from Nigeria to other countries. It is worth mentioning that under Annexure C of the DPIF, a list of countries known as "Whitelist countries" was introduced. These countries were deemed to have sufficient data protection measures and frameworks to ensure secure cross-border data transfers.
However, an in-depth evaluation of this Whitelist by Ikigai discovered a significant inconsistency. It was found that the regulator did not consistently adhere to its own criteria, as outlined in Article 2.11 of the NDPR, when selecting countries with adequate data protection frameworks. Some of the criteria for adequacy by the regulator included having robust data protection legislation, a competent data protection regulator or supervisory authority, sufficient safeguards for data subject rights, and engagement in international binding commitments and conventions.
Despite these criteria, countries without data protection laws, such as India, Sierra Leone, Mozambique, and the Comoros, were still included in the Whitelist. Even more puzzling, nations like Togo and Zambia, with data protection laws but no data protection authorities, received a nod of approval, raising important questions about the integrity and consistency of the Whitelist and the need for transparency and accountability in data protection regulations. Even with the new Nigerian Data Protection Act 2023 (NDPA), the Whitelist is still in force as provided by the transitional provisions of the NDPA, as the new regulator has issued no new rules, lists or guidance on a new Whitelist adequacy program.
What We've Done: Challenging the Status Quo
On September 7, 2021, we filed a formal complaint with NITDA, demanding a thorough review of the Whitelist and requesting clarification on discrepancies between the NDPR and DPIF. NITDA, in response, acknowledged the issue and indicated that they were examining the provision for possible changes. However, as of our latest update, no changes have been made to the Whitelist.
In response to the inaction of the regulatory authority at the time, we proactively took a pivotal step to safeguard individual privacy rights, recognising the inherent vulnerabilities and harm when data is freely transferred to countries lacking data protection laws and authoritative enforcement mechanisms. We initiated a legal petition, urging the court to declare the Whitelist in direct contradiction to NITDA's own regulations. Our petition called for the creation of a new list that unequivocally adheres to existing legal frameworks. This initiative stems from our firm commitment to upholding data protection standards and ensuring that the rights of individuals are shielded from compromise, setting the stage for a more secure and accountable data transfer landscape.
Expected Outcomes: A Ray of Hope on the Horizon
Our unwavering commitment to accountability has driven us to persistently advocate for our cause in the courts, and now we stand on the brink of resolution. The case is on the verge of a court judgement, and our optimism is buoyed by the hope that the courts will recognise the shortcomings of the Whitelist and rule in favour of transparency and innovation.
In our quest for justice, we seek a court declaration that the Whitelist contradicts NITDA's regulations, demanding the creation of a new list that aligns with existing laws. We firmly believe that the court's decision will send a resounding message, serving as a catalyst for regulatory bodies to uphold data protection standards and rigorously adhere to their rules.
Stay tuned for updates on this pivotal case in the coming months.
Our Eagle Eye Case: A Refusal to Back Down
In September 2023, we shared the court’s decision on the action filed against the Economic and Financial Crimes Commission (EFCC) and their "Eagle Eye" mobile app, which we believed posed data protection concerns. Although we presented evidence of trackers within the app and their potential to monitor and profile users' behaviour, the court, to our disappointment, prioritised the app's societal objective over individual privacy rights and imposed costs on us for the action.
In response, we are resolute in our decision to advocate for individual privacy rights, and thus, we have decided to appeal the judgement. We firmly believe that while technology is a valuable tool in fighting financial crimes, it must respect international human rights principles and protect individual privacy.