Two days ago, I received a call from my best friend. She had recently been sent a message by a loan company informing her that someone had taken out a loan and defaulted. She was listed as a guarantor and was to ensure that this person paid back the money, or she would be in trouble.
She was reasonably panicked. She contemplated what would happen to her since the loan company claimed to have her bank account details. She wondered if they could really do anything to her.
In the Nigerian context, this is a familiar story. In August 2021, the Nigerian loan company Sokoloan was fined ₦10 million by the National Information Technology Development Agency (NITDA) for invasion of privacy.
NITDA said the company had been illegally accessing users’ contacts, defaming customers, and had allowed third-party malware on its app to track customers without their consent.
A few years ago, we concluded that Nigerians care less about data protection. Hasty? Maybe not.
The update meant that WhatsApp would be able to share information with other Facebook companies.
However, data protection and privacy remain important subjects. From a PoS transaction to entering information on a health app, data is exchanged and needs to be protected.
The Privacy Roundtable is a monthly series focused on privacy issues and happenings in Africa with input from experts and non-experts.
We will discuss privacy issues peculiar to the African landscape and speak to data protection and cybersecurity experts, tech enthusiasts, and even tech indifferent people.
Before we dive in, here's an explanation of frequently used and sometimes confusing concepts.
What is data privacy, and how is it different from data protection?
While both terms are often used interchangeably, they mean different things.
Data privacy or information privacy refers to an individual’s right to authorise access to their data. This also applies to organisations.
Data protection is the process of safeguarding information from corruption, compromise, or loss.
So while data privacy focuses on who has access to your data and the right to safeguard it, data protection is based on data availability and management.
By law, data protection is the responsibility of the organisation receiving such data.
Although data privacy can exist without data protection, there would be no need to safeguard data if there is no right to do so.
At the heart of both terms is data processing.
Data processing refers to any operation or set of operations performed on personal data. This could include collecting, recording, organising, structuring, storing, disclosing, and erasing.
Who are the persons involved?
There are several entities involved in data processing.
- Data subject: any living individual whose personal data is processed by an organisation. For example, Bongo wants to get a loan, so he opens an account with a loan company. In this case, Bongo is the data subject.
- Data controller: any person, organisation, or body that receives and controls an individual's data. The data controller determines the purpose and means of data processing. Using Bongo’s case, the loan company is the data controller.
- Data processor: a person, company, or body that processes data on behalf of the data controller. This could be an employee of the controller or an external body or person. So in this instance, Bongo’s loan company could decide to have an employee handle the role, or it could hire an external expert or company.
Why are data privacy and protection important?
Many people believe that data privacy only matters to those who have something to hide. This is not true.
Data privacy deals with personally identifiable information (PII) such as name, date of birth, addresses, passwords, and ATM card PINs. If this information gets into the wrong hands, a lot of damage can be done. Data protection aims to stop this from happening by safeguarding such information.
If PII is not adequately protected, one could become a victim of identity theft, suffer the loss of important data, or have their money stolen.
The importance of this grows as the amount of data received increases. This is why corporations like Facebook and Google are expected to pull out all the stops to protect users' data. However, this also applies to smaller companies.
What rights do you have?
Apart from the right to decide who gets access to your data, by law, individuals have the right to request that their data be deleted.
There is also the right to access your personal information without any cost to you, the right to withdraw consent, and the right to get more information on further processing.
These rights apply to online and offline data. They also apply in cases of cross-border data transfer.
This is why laws mandate data controllers to have privacy policies.
A privacy policy should explicitly describe whether information is kept confidential and be as straightforward and explanatory as possible, devoid of too much legal jargon.
For you, it gives some insight into how your data is being processed.
It also ensures that data controllers, like Bongo's loan company, comply with regulations, and it gives them an edge over competitors when they are as transparent as possible.
Which laws apply?
In Africa, only eight countries have either a data protection act, a regulation, or a semblance of both.
Ethiopia, Tanzania, Nigeria, and Namibia do not have comprehensive data protection laws; these countries have either issued a proclamation or regulation, or are in discussions to do so. A draft data protection law is expected to be presented to the Namibian Parliament in 2021. Nigeria published a draft data protection bill in August 2020, but it has yet to be presented.
Currently, only Kenya, South Africa, Togo, and Uganda have comprehensive data protection laws. However, these laws have been developed but not yet implemented, and none of the four countries has an established regulatory authority overseeing them.
Where they exist, the laws and regulations prescribe penalties for breaches, what privacy policies should contain, and requirements for data processors and controllers, among other things.
While these explainers are not exhaustive, they give a general idea of what you should expect from the series.
This explainer will be updated regularly to cover concepts not yet explained.