Tosin Lewis, you are welcome.
Thank you YJ it's my pleasure to be here.
Section 37 of the constitution of the Federal Republic of Nigeria guarantees the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. It says those rights are guaranteed and protected. We have several other legislation that also sure up that provision of the constitution. So constitutionally yes. These things are guaranteed and protected but whether in reality that protection exists is a totally different kettle of fish.
I think that is the key point, in reality, because in everyday walks of life. Do you think the constitution at the time it was set and that clause, you said section 37 was set, did they have internet in mind? Did they have the privacy issues we deal with today in mind? Even if they didn’t have them in mind could they actually be relevant to those issues?
Are you serious?
Yes. I heard a voice cut into a call I was making and realized that there were four of us on that line. Our calls had just somehow gotten caught up together.
And so when we talk about privacy, really, how private are we going to be talking about?
But then in then outer world, taking that particular stance, everywhere else in the world they have a policy, which when you read it, it has a k-leg in it, it says I will use it for third parties or marketing purposes and they have built that into whatever policy. But I find that in Nigeria the policy might say that you are not going to use it. There may not even be a policy. A few years back. Do you remember when in, uhmm, if you went to Ikeja, the tech village in Ikeja, you could buy CDs of peoples GSM numbers and stuff like that. How does all that figure?
Now, let's look at this from two different angles. You spoke about how you could buy a CD of peoples GSM numbers, the same way till today you could buy something online in Nigeria that will give you the database of people their phone numbers, emails and whatever.
So have those people consented?
If you look at the law in terms of telecommunications in Nigeria, the licenses that are being given out, part of the law is that the owner of that license is obliged to have a directory in place of all subscribers.
A subscriber is entitled on demand to receive that directory.
The entire one?
The only way you or I can get our names out of that directory is to opt out.
Which most of us don’t?
Most of don’t even have a clue that the directory exists or that we need to opt out to get our names out of that directory.
That is a revelation.
That is one thing. So it is easy for a subscriber to get that directory and then do whatever he wants with it, in a poorly regulated society. Then when we look at emails. We all go to these events. We go to book launches. We go to seminars. We go to conferences. Where ever we go we put down our names and our email address, sometimes we put down out phone numbers. Nobody really asks the questions what is going to be done with this. If every day I receive spam email on a daily basis, before I get hot under the collar, I need to ask myself did I at any given point in time put down my email for these people to use. Now let’s say you run four companies. And one of your companies, I come to your company A the year 2010. You’re having a seminar and I put down my email and I think that’s it. And then in the year 2017 you rebrand. It's still the same company and you decide that you have a product that you want to push out and you look at your list of everyone who has ever provided an email, that email is going to be on their and they are going to push that product to me by email and I am going to think that it is spam because I can’t even remember that ten years ago I ever put down my email with you, I don’t know you rebranded and probably have a new name. So while we get all these spam emails not all of them have been bought, some of them somewhere along the line we have consented, although we did not know it.
OK! I get what you are saying. So in a way all this new GDPR stuff is actually in our favor although it may not necessarily be relevant to where we are in Nigeria or in Africa.
I do think it is relevant. I think it is extremely relevant.
But I thought it was for EU citizens.
The GDPR is for EU citizens and for anyone who sells a product or service to someone in the EU.
Now if in Nigeria, if you run a website selling products and you have not blocked all, what do you guys call it, IP addresses from then EU and someone comes in from the EU onto your websites, purchases something or tries to download something and puts their email there, you are caught by the GDPR regulations.
Does that also apply to people who are preexisting on your database?
Not that I know of. There might be but I am not aware of any moves right now by the legislators.
Is what we have sufficient?
Even down to the individual. You pointed telecommunication, you are on a call, and someone butts in. There is nothing you can do. You send an email. Your address is there. Someone can harvest it and use it anyway you like and the most surprising one is that one about the directory. So do we really need any further protection even though we have none already?
Contract outside the law. What is that?
That means if there is a law that says X, you and I cannot agree to bypass X.
They would say that under the law they are obliged to create this directory, so if you do not opt out...
Your data will be available for exposure.
Who is going to take me to task?
The person who says you contravene.
In which country?
Where it says you contravene. Like we talked about GDPR, applies to EU, or to people resident in the EU or to anyone who is selling a product or service to someone in the EU, regardless of the fact that that person is not in the EU.
So the EU will then be able to find me in Nigeria? They can find me?
If I wanted to prove a point.
But I would say before anyone would jump up and start trying to sue people for breach of privacy, like I had said before, take your time and if you can do a trace back, you need to be very sure you have not consented to the use of that email.
Okay. That's good.
Because we do it, it is very routine for us. We go somewhere, at the registration table and put in your email.
Yes it is.
We need to download a freebie online; you put in your email.
Okay that's true.
At times it gets to be a lot and you are not able to join or connect your dots, because maybe you did it four, five years ago and you can’t remember. Before you jump up, screaming blue murder trying to get a law suit going and whatever, take a step back, be very sure that you are on the right track.
Hmm! That's good actually. Do you think that Nigerians understand that they actually have a right over their personal data? Because it's true, I have been to many events I have done it exactly, I have signed up and I never even thought about what they are going to do with it. Do you think, maybe, we just don’t really understand we should control how much data we put out.
I think it is one of the factors that has led to this, is the way the authorities themselves treat our data. To get anything done in Nigeria, we go to the bank we have to input your data. Every single time we go into the bank, for one reason or another, we have to input our data. We have to put in your BVN, your whatever, submit your copies of your passport or your driving license. You need to do your passport, your international passport you go through the submit all that data again. You need to renew your driver’s license, you do all that. Whatever it is you need to do, you keep on putting all this data out.
So it's become a habit?
It's become a habit. We keep on hearing about a national database. As far as I am concerned it does not exist because if it did I would not need to keep on supplying the same information over and over again. So it’s like we have been conditioned, we been conditioned that once they put a form in front of us, to put in the data and never step back and say what is going to happen to all this data I am putting out here. It stems from the way the society has been structured. The way the authorities are managed right here in Nigeria.
You mentioned, in the event that you haven’t accidentally dropped your data along the line, the only redress seems to be section 37 and that's going to court. Do you really, in reality? That, that? What would the court do in reality? Would the fine? What do you think they would do?
Maybe the question would be what would be the value of the suite for you to actually go the whole hog? The damage to you must have been extensive for it to be worth your while and retaining counsel and doing all that. If it is huge damage then yes then the courts would consider it.
Yes. I am trying to think what would...
Okay, like an example?
Like for instance, a high net worth individual, he attends a conference to speak and by the by, for some reason along the way he is asked to submit his email and telephone number so that the conference can give feedback from the participants, but not give it out. But in the end what actually happens is that it is distributed among the one million participants that attended and he is being spammed. He has to close it down. He has been compromised and you know you can do a lot of hijacking through sms and email. It cost him. High net worth people they carry their email and telephone number all the way through. Not only that it can compromise your banking because banks tie everything to your email and your phone. Exactly, in Nigeria that's the scary part. Your email, your phone number, these personally identifiable bits of information is actually tied so closely to our financial system. So in that event he might well feel he wants some degree of redress. So what would be open to them? Cos in the GDPR there are fines. There are levels of fines, but they are government instituted but in Nigeria I can’t actually...
In Nigeria you would probably be looking in terms of a tort. IF you can’t actually support with a term of legislation you would be looking in terms of a tort.
Wow, what's a tort? Actually I don’t know. I am nodding but I don’t know. What's a tort?
I best not explain that now.
I don’t know.
Let me try and look for two or three examples. You have contracts. You have damage that arises by way of contract. You have damages that arise by way of tort. So for example you are a building contractor and I enter into a contract with you to build me a house. You use substandard material. And because of the substandard material you have used a wall comes crashing down. I will sue you for breach of contract. Now let’s say I don’t have a contract with you. Let's say I am building my house here and you are dredging next door and because you are dredging next door, the earth shifts underneath my house and a wall comes crashing down. You have no contract with me. What you have done is torturous. So that is why we call it a tort.
Okay. That's the first time I understand that.
So in essence, privacy policies might even need to get to a stage, where you come to a conference and I might actually have to let you know what I would be doing with data.
There is no will by the government. At least none that I know of. I seriously doubt that there will be a will by corporate organizations because it’s to the benefit of corporate organizations that things remain as it is.
Why do you say that?
And so there is this whole furor about no, no, no they can’t be driving it because they are trying to put in that would not be beneficial to the general public but they are they are trying to drive it. So the reason why that is happening is because in the US, and well globally people are more conscious because of the entire hullabaloo about the GDPR. In Nigeria it hasn’t caught up. As long as there is no move by government to legislate there is no reason for corporate organizations to actually push for anything. Why would they?
That's interesting. There are a lot of the top organizations in Nigeria, they operate internationally so wouldn’t they be a bit amiss ignoring this? Cos rightly as you said anyone from the EU dealing online, is a potential problem for you if you have not catered.
Fair point, fair point.
You look at the big guns like MTN, Etislat they all have their Nigerian websites. It is not a sole website serving everybody.
That's true. Okay regionally identifiable websites. That's true. Ah and that's a way out of it.
They should actually, in purely, I would say purely theoretically terms. The link is definitely there. Data sovereignty is all about where the data is warehoused and how it is supposed to be the laws of the domicile of the data should prevail. But when you look at the way online business, not just online but the way the business community is set up. As long as I am doing my accounting online using Wave or QuickBooks. I am having my CRM online. This is in the cloud and that is in the cloud and the company that I use has servers in five countries. I don’t know which server my information resides. It all theoretical and up in the air, then we could legislate about data sovereignty from now till kingdom come. Until the legislations says that if a business operates here the cloud must be here, the server in which all that in the cloud resides in must be in the same place where the business is operating, then I think data sovereignty is too far.
Okay, okay. It is a complex issue.
They would constantly be deleting wouldn’t you. It’s actually more complex. The more we look into the realities of it, it actually very complex. Without an email list, what's then point and the only way to get that email list is to get people to sign up for one thing or the other.
On, as we round up, what would be your advice, like I am also a user as well as a developer, and I have been to many websites and we are so quick and it says you want the product you want to get to the page, you click "I agree". Sometimes I open up these agreements and they are voluminous. What's your advice to anyone who goes to a website and they are about to click I agree even without looking at a policy. What good advice do you want to give them?
Well as a lawyer I would say read and read again.
It's like it takes about two hour to read a policy and yet what you are trying to access is a click away. So how does it work? You have no choice but to read.
Read. I would like to say that I always do but I don’t.
Sometimes a trick I use is I click and then I copy the agreement and read it later. What happens in the instance when you read it later and you figure out that okay, this really doesn’t agree with what, I am not happy with their terms? Can I go back and sort of disenrollment
Just unsubscribe. Unsubscribe. Once you've unsubscribed from a list they have no right to use your data.
If I have access to a lawyer and I copy it to my lawyer, is that an option?
The agreement to the lawyer. Because there are some instances the agreement is long and then it points you to another place and it points you to another place and continues to point you.
Yes if you send it to your lawyer, your lawyer will read and advise you to sign up, don’t sign up or you have signed up do not subscribe.
I do hope you will join us another time. I am very very thankful and I hope my audience has enjoyed our discussion as much as I have. So this is all for this session. I hope you will follow up. There will be an opportunity to download the whole series as one in an e-book. That will be at a later date. Please join us on our next exploration. That will be in about a week. Thank you very much this is Yetunde Johnson and