The right to privacy is guaranteed in Section 37 of the 1999 Constitution of the Federal Republic of Nigeria as amended which states that every individual is entitled to the right of privacy, which must be protected and guaranteed.
Due to the rapid growth of the internet, privacy issues have become more complex, individuals can easily access data of other individuals online and make use of it without legal basis, this led to the necessity of having data protection law which clearly define the circumstance in which it is legal to process data.
The data protection laws particularly Article 1.3 of the Nigeria Data Protection Regulation 2019 clearly define the categories of persons involved in the data collection process, they include Data controller/processors, who are person who individually or jointly process data of data subject and data subjects, who are any person who can be identified and subject to data processing activities.
The problem with consent as a lawful basis for processing personal data
Article 1.3 of the Nigeria Data Protection Regulation 2019 clearly defined consent of a data subject to mean any freely given, specific, informed and unambiguous indication of the data subject wishes by which he or she through a statement or a clear affirmative action signifies agreement to the processing of his/her personal data relating to him or her.
Many data controller and processors are very kin on relying on consent as the lawful basis for which they process the data of individuals (data subjects). For example, the usual defense a data processor or controller might say when making use of a person picture in an online advert is that the person consented to the use of it when he/she signed the contract.
In some cases, this might be held to be valid consent while in other cases it might not, what if the agreement was ambiguous and did not directly specify that the data subject picture could be used in such type of advert, what if the only reason the data subject signed the contract was because he/she was under duress.
In these scenarios can it be said that the data subject has freely given consent to the use of his photograph in the advert, the answer is no because the law has specified that consent must be freely given, specific, informed and unambiguous.
Elements of valid consent
The Nigeria Data Protection Regulation 2019 Implementation Framework provides that before consent could be said to have been validly obtained it must be said to have been freely given, consent must be to a specific action, the data subject must be duels Informed about what he/she is consenting to and the terms in the agreement must be unambiguous.
Hence, due to these principles, the law has laid down valid requirements before consent could be said to have been obtained, they include;
- Silence of the data subject cannot be regarded as lawful consent
- The data controller or processor who is relying on consent as his/her lawful bases for processing data must inform the data subject of his/her right to withdraw at any given time
- The invitation for lawful consent must be clear and unambiguous.
Other lawful basis for processing personal data in Nigeria
Many persons when thinking about the lawful basis for processing data usually think only of consent as the only bases. From the combined reading of the Section 25 of the Data Protection Act 2023 And the Article 2.2 Nigeria Data Protection Regulation 2019, apart from consent there exist five other legal bases for which data can be processed and they include in simple terms;
- Legitimate interest.
- Vital interest.
- To fulfil a legal obligation;
- For public interest purposes.
- To fulfil a contractual obligation
Thus, a data processor/controller can make use of any of these lawful bases as the reason he/she is processing the personal data of data subjects.
In conclusion, from the examination of the elements of consent listed above, if a person is relying on consent as the lawful basis for processing data of data subject, there are stringent test that the law has put in place to determine if lawful consent was obtained or not. Thus, any data controller/processor who is relying on consent as the lawful basis for making use of another person’s data, he must make sure that the obtainment of consent is in accordance with the enabling law.