Leaky Databases: How Nigeria’s Data Breaches Undermine Digital Progress

By Abdulrahman Adebayo

August 12, 2024

In June, the National Identification Number (NIN) slips of Nigeria’s Communications and Digital Economy Minister, Bosun Tijani, and the National Data Protection Commission’s National Commissioner, Victor Olatunji, were purchased online by Paradigm Initiative, a civil society organization, for just N200. The organization bought the data to drive home a concern it has voiced repeatedly: the private data and personal details of Nigerian citizens entrusted to the country’s National Identity Management Commission (NIMC) were not safe.

The recent spike in concerns about the quality of the Nigerian government’s data protection mechanism was triggered by a March 2024 report by the Foundation for Investigative Journalism, which revealed that private websites have monetised access to the NIN and other personal details of millions of Nigerians that only the NIMC should provide. This problem is compounded by the fact that these websites have no guardrails to determine who can access what, as long as the requester pays an access fee of just N200 for each data request. Putting this problem within a global context, a study by Surfshark, published in May, says Nigeria has one of the highest numbers of data breaches globally.

But these concerns are not new. For instance, as part of efforts to ramp up the digitization of Nigeria’s national identity in 2012, the NIMC introduced the NIN verification service to grant verification agents access to its database as may be demanded by Nigerians. In 2017, an audit by the World Bank identified that the system was prone to several vulnerabilities that could be exploited for data breaches, prompting the government to shut down the program. The need to address concerns broadly connected with the governance of the country’s data protection obligation and aid the rollout of the data identification program necessitated the introduction of the Nigeria Data Protection Act 2023 to replace the 2019 Nigeria Data Protection Regulation.

As the country continues to struggle with the protection of its identity database, the evident shortcomings in the current data protection structure, including the recent data breaches, have serious implications for citizens whose fundamental right to privacy as data subjects is guaranteed by the NDPA 2023, and for technological advancement, especially the training of AI models, which relies on these data to birth innovation and create utility. Highlighting these impacts is necessary for a full understanding of the dangers the poor data protection framework poses for the country’s digital progress.  

First, the NDPA 2023, which covers the processing of personal data, including for AI development or deployment, outlines specific privacy considerations that must not be overlooked. These conditions, which range from security and accuracy of personal data to accountability and data minimization, cannot be guaranteed if the country’s database protector cannot fulfill the same. The random availability of citizens’ personal details online means AI systems, often built using information scraped from the internet, can be fed with data not consented to by data proprietors. The trickle-down effect is that models produced by this process will have shortcomings that perpetuate biases or provide misleading outputs, since they are typically based on low-quality data that does not contain the full characteristics of the data subjects affected.

This will also have negative impacts on the quality of the AI outputs. For example, financial institutions like M-Kopa with a presence in the country use AI to analyze the financial records of individuals seeking credit facilities. But if such models rely on this incomplete data, they could provide misleading inputs, which can have a real-life impact on individuals’ ability to access such services.

Closely linked to this is the fact that breaches like this deprive Nigerian citizens of several rights they are entitled to within the context of AI development, because access to these rights can only be guaranteed if there is a formal framework through which their data is sourced in the first place. These include the right to correction, the right to restriction of processing, the right to objection, the right to withdraw consent, and the right to erasure, among others. For instance, the right to correction gives data subjects the ability to have inaccurate or incomplete personal data about them rectified or completed, but it is impossible to enforce if the data in question was generated without the consent of the affected data subjects in the first place.

In the same vein, if this trend continues, public trust in digital technologies, especially AI systems, will be eroded, making it difficult for citizens to share other details that are necessary for further development of AI. However, while these potential impacts are a serious source of concern for AI development, the government can still change this narrative.

To achieve this, the Nigerian government needs to address the fundamentals of the country’s data protection framework. One challenge to address is the wide spectrum of personnel who have access to the private data entrusted to the government. For instance, the country’s NIN verification service, which was reopened in February, is considered to be home to loopholes that enable scores of actors, including licensed agents who can individually grant access to other unauthorized agents, to carry out data breaches like the ones cited earlier with ease. To change this, the government must limit the number of personnel authorized to access citizens’ data. This will also make it easier to identify those responsible for any further breach.

Second, the legal framework for data protection must be strengthened. While the NDPA 2023 made significant improvements, there are still critical questions that the legal framework for data protection must answer. For example, even though the Act mandates the conduct of data audits to ensure the integrity of information entrusted to data controllers and processors, it did not stipulate a timeline for these audits, meaning that actors can decide to carry them out at intervals that undermine their effectiveness, or not carry them out at all. Gaps like this must be filled by specific windows within which these audits must happen and the addition of enforcement mechanisms to prevent organizations from defaulting.

Also, the Nigerian government has to ensure there is strong deterrence to prevent private organizations from disregarding citizens’ data rights. In July, the government imposed a 220 million dollar penalty on Meta after a 38-month investigation by the NDPC and the Federal Competition and Consumer Protection Commission found it guilty of invasive practices against data subjects/consumers in Nigeria, such as appropriating personal data or information without consent, and non-compliant privacy policies which appropriated consumer personal information without the option or opportunity to self-determine. The Nigerian government’s arguments against Meta are not isolated. Globally, there is growing concern about how tech organizations breach users’ rights. For instance, in April, the European Union also accused Meta of breaching its General Data Protection Regulation, which upholds the privacy of users’ information. However, Meta has disputed the conclusion of the Nigerian government and expressed its intention to appeal.

While recent developments, like the move against Meta, are welcome, at best they are still only a starting point for addressing the current state of data privacy in Nigeria and the inadequate protection of the national identity database. To truly change this narrative, the government must go beyond the ordinary by addressing the fundamental problems in the data protection framework, limiting access to sensitive data, strengthening encryption, and enforcing strict penalties for non-compliance with the data protection act.