BLOG

Eagle Eye - A violation of the right to privacy

The Economic and Financial Crimes Commission (EFCC), recently launched a mobile application (App), Eagle Eye, to make reporting economic and financial crimes to the commission easier. The App is currently available on Google PlayStore with over 10,000 downloads. It is not the first time a law enforcement agency is leveraging technology to solve crime. In 2017, the Nigeria Police Force launched an App, Hawk Eye for crime reporting.


The App was designed to reduce the need for direct person-to-person communication throughout the reporting process, real time reporting, ensuring anonymity and providing an additional incentive for effective whistleblowing. Members of the public can use the Eagle Eye to take a picture of a property or persons suspected of being fraudulently or corruptly acquired and report it using the App. Eagle Eye App is intended to go a long way toward assisting in the reporting of specific fraudulent activities, especially in the instance of money laundering through real estate.


Nonetheless, while the anti-graft agency's intention might be noble, the use of the App raises cogent human rights issues and potential violation of these rights. Our team of researchers recently reviewed the App and found the following:


Potential Violation of the Right to Privacy

The right to privacy is guaranteed under the Nigerian Constitution as one of the fundamental human rights. According to Section 37 of the 1999 Constitution,

“the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”


Thus, allowing strangers to photograph persons or their property can amount to a violation of their constitutionally protected right to privacy. It has the potential to be a breach of territorial and bodily privacy. This infringement will also violate the legality, proportionality, and necessity principles established under international human rights law.


The privacy of Individuals' homes, correspondence, telephone calls, and telegraphic communications are all guaranteed and protected by the law. The right to a private life is linked to human dignity and personal autonomy. People have the right to live in seclusion from public scrutiny and the ability to regulate the scope of public intrusion. Furthermore, the same constitution provided derogations to the right.


Lack of a Privacy Notice

Eagle Eye App does not provide users with a privacy notice, contrary to the requirement of Article 2.5 of Nigeria Data Protection Regulation (NDPR). Similarly, the privacy notice available on Eagle Eye page on Google Play Store leads nowhere. Article 3.1 of the NDPR provides that

“reasonable steps to convey any processing-related information to the Data Subject in a concise, transparent, intelligible and easily accessible form,

using clear and plain language.”


A privacy notice provides a user or the public with information about the privacy practices and the description of the processing activities carried out on the App by the creator or publisher. The responsibility to protect personal data and provide a privacy notice is both a legal requirement and an App hosting policy. Article 2.5 of the NDPR and Article 3.2(iii) of the Data Protection Implementation Framework (DPIF) both require entities to make their privacy notice available to data subjects in a thorough and easily accessible manner. Therefore, it is a statutory requirement that a privacy notice be conspicuously displayed for the user to read.


The lack of privacy notice on Eagle Eye App, means there is insufficient information about the processing activities, tracking devices, and third-party requests, as well as an inability to advise data subjects of their rights. The inclusion of a privacy notice in the App will keep users informed about how their data is being used, and will raise users' trust that there are measures in place to protect their personal information.


Use of Advertisements Trackers

Eagle Eye is embedded with advertisement trackers that are capable of collecting massive amounts of personal information about users, much of which is sent to third-parties. The information sent to a third party can be used to target users with adverts. The users are unaware of the existence of the trackers or what data is being sent from their device, how it may be used to track them, or where it is going.


Installing trackers capable of profiling users and exchanging data with other parties without the knowledge of the users is unlawful and bad consumer protection practice. In furtherance of this assertion, we discovered that these third parties with whom the data is exchanged also have a long list of other third parties with whom such data will be shared.


There is no reason why a government app intended for the general public should include advertisement trackers without a clear lawful basis. Allowing third parties access to users' personal data without providing adequate information on how the data is used is illegal and an unfair practice to Eagle Eye users.


What we are doing

On 14 September 2021, we filed a complaint with the National Information Technology Development Agency, the substantive data protection regulator in the country about our findings. The Regulator responded on 15 September 2021, promising to review the complaint and take necessary action. We will continue to monitor the investigation, hold the regulator accountable and share the findings with the public when it is available.

Our Recommendations

Based on the real and potential violation of the right to privacy and data protection rights, we suggest that the EFCC should take the following actions:

1. We believe that leveraging technology is important to the fulfilment of the agencies mandate, however, such measures must respect and preserve human rights in accordance with existing local laws and international human rights principles;

2. The EFCC should withdraw the App publicly and redesign it with data protection by design considerations;

3. The use of advertisement trackers should be removed from the public serving App built by a government agency;

4. Before deploying the App, a data protection impact assessment and a human right impact assessment should be conducted, and the report should be made available publicly;

5. The redesigned App should contain a privacy notice that fully complies with the transparency principle of data protection; and

6. We recommend that the National Information Technology Development Agency (NITDA) should conduct an immediate investigation into the infringement of users' data protection rights, and that the EFCC should be mandated to make necessary improvements to the Eagle Eye App under the exercise of its administrative power.


Conclusion

We firmly believe that technology should be leveraged in the fight against the scourge of corruption, however, such measures deployed to combat crimes must conform with international human rights principles and not encourage their violation. Derogations from existing rights guaranteed under the constitution for the purpose of investigation of crime must also respect the principles of proportionality and necessity. We are also open and happy to assist the agency in doing the right thing. Finally, a public-serving tool containing advertisement trackers is unappealing and should not be encouraged.