Scrolling through Twitter a few days ago, something caught my eye. It started a chain of reactions culminating in a midnight call and a new story idea for this month’s Privacy Roundtable.
On Friday, October 15, 2021, we sent out a tweet asking readers to fill a form for a story on why they do not care about privacy. As you might have already guessed, today’s article has gone off on a tangent. And for this, I apologise to everyone. We will talk about it in next month’s edition.
While you are here, please populate the form with your answers.
For today’s story, our focus would be on data privacy rights and possible exceptions. I paint a picture in the following paragraphs that guides this article's narrative.
Ada is a 24-year-old graduate with a theatre arts degree. If there’s one thing she loves, it’s talking to her friends on the phone. She could spend the whole day doing that. Perhaps, that’s why she’s unemployed.
A few days ago, she saw a trending post on Twitter about this new fintech app that allows you to send money as airtime to anyone with a tag. Expectedly, she jumped on the train because she always needs airtime since she spends all day talking on the phone.
Today, though, Ada has a problem. While trying to send her airtime, her friend mistakenly sent it to a user with a similar but slightly different tag; this user has an underscore (_) at the end of theirs.
Ada is distraught and decides she wants to change her tag to something unique but still identifiable by her friends. She goes on the app and tries to change her tag but is told she cannot. Now, she’s angry. Why can’t she change her tag? It’s hers, after all.
Under the Nigeria Data Protection Regulation 2019, a data subject has several rights over the use of their personal data. These include the right to transparent information relating to the processing of data and prior information before data processing.
It also includes the right to erasure, rectification and restriction of data, and the right to move your data to another platform, among several others.
Ada has the right to know extensively how her personal information is being handled and when it is handled. She can also choose to delete, correct, or restrict access to that data. If she wishes to move her personal information on that particular app to another with similar functions, she can do that too.
But it's not as cut and dried as this, and this brings me to the idea behind this story.
What's the big idea?
A Twitter thread caught my eye two days ago; it went something like this,
"You can't change your Abeg tag or your name on the Abeg App. You can't also delete your account on the app.
"This is in breach of the Nigerian Data Protection Regulations which protects the right of a data subject to rectification and erasure of their personal data."
This Twitter user, a lawyer with the handle, @Oluwanonso_Esq, then proceeded to share a screenshot of the conversation between him and an Abeg Customer Service Agent, Lù, on the startup's Instagram account.
Lù told him that he could not change his Abeg tag.
Two questions come to mind. Is this usual with fintechs? Is there truly a problem here?
Is this an isolated incident?
I currently have several fintech apps on my phone. So, I decided to do a little investigation using the ones I could access.
Using Roqqu, Cowrywise, Risevest, Piggyvest, Accrue, and Barter as case studies, I tried to find answers.
- On Roqqu, I found that I could not change the name associated with my account.
- Cowrywise allows you to change your name and unique tag.
- Risevest and Piggyvest require you to send their support team an email.
- Barter does not allow you to change your name, but you can change your handle.
Is there really a problem?
To better understand if this was indeed a problem, I spoke with Nigerian lawyer, Motunrayo Ope-Ogunseitan, to get a general idea of possible defences in a similar scenario.
She said there might be different reasons why a company would not allow an individual to change their data on its platform. The first is what she called the “Startup Syndrome.” This means the company is probably not paying attention to complying with the NDPR and is basically trying to get going as soon as possible.
The other reason she gave was that there might be a legitimate defence to such an action. Why? All laws have exceptions. A good example is the right to freedom of movement as contained in the Nigerian Constitution and the abrogation of that right in a state of emergency or when a crime is committed.
“My best bet would probably be that such companies would say, ‘Oh, we cannot allow you to frequently go on the app and delete your personal data or amend it because it may compromise the interests of other people.’”
But she also said this defence would need to be looked at on a case by case basis as all companies might not be able to rely on the same defence.
“The idea of the startup app might be philanthropic, to give or provide for people who are in need. So imagine a situation where I get some money, I change my profile details, and I enter another giveaway and keep amassing a lot of money when the money is actually supposed to reach as many people as possible.
“Or a scenario where someone credits my verified account with a huge sum of money to assist with sharing it and I just delete my account or deactivate and go offline. Given the nature of the app, considering the fact that it’s largely a financial platform, you shouldn’t just allow people to modify their data. There’s a higher standard of care involved.”
But she advised companies to communicate these decisions to users.
Another thing she referred to is the golden rule of interpretation in law. This rule states that a law could be interpreted to show the spirit or the intent of the law rather than a literal interpretation.
“In as much as it provides for these rights, they don’t necessarily tell the companies how to achieve it. The laws don’t say the right to rectification of data by the data subject must be done on the platform by the individual, or it must be achieved immediately.
“As a platform provider, I can say, ‘Oh yes, you have a right, but you just can’t do it yourself and randomly.’ And that’s why a lot of companies just say, ‘You have a right to delete your data, amend your data. To exercise any of these rights, please contact us by email.’ They won’t necessarily allow you to just do it directly on the platform.”
Essentially, while the right still exists, it cannot be exercised haphazardly.
The NDPR provides for situations that might be regarded as the lawful processing of a data subject’s data. Article 2.2 of the Regulations says at least one of the following must have occurred:
- The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes,
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract,
- processing is necessary for compliance with a legal obligation to which the Controller is subject,
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, and
- processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller.
Like we explained here, a data controller is any person, organisation, or body that receives and controls an individual’s data. The data controller determines the purpose and means of data processing.
Combining Motunrayo's words and the provisions of the NDPR, if the company provides a way to ensure the right is exercised or falls under the exceptions listed in Article 2.2, the data subject’s rights have not been tampered with.
Using Ada’s scenario, if the startup has an option to contact the company’s support person for help to rectify her tag, then her rights as a data subject are still being protected.
Or you could think of it this way. Facebook only allows you to change your name once every 90 days. While you still have the right to rectify your data, it just takes longer.
Much ado about nothing?
Yesterday, October 20, 2021, Abeg replied to @Oluwanonso_Esq’s tweet.
“Hi Nonso, thank you for stating your concerns, however, it is possible to change your Abeg tag and delete your Abeg account by contacting our support team at [email protected].
“These measures were put in place for security reasons for the initial rollout.
“We're making some adjustments and all users will be able to deactivate and change their names without having to reach customer service.”
This can also be seen on Abeg’s website in the FAQ section.
So why did the customer support agent on Instagram tell Nonso he couldn’t change his tag? Did they mean to say only on the app? I don’t know.
But what I do know is that it has prompted a very important discussion on data rights and how they can be abrogated.