Podcast with Tosin Lewis about Privacy Policy

A Chat With Tosin Lewis on Privacy Policy


Transcript of the Discussion With Ms Tosin Lewis on Privacy Policy

Chat With Tosin Lewis on Privacy Policy - Part 1

Welcome to the sixth day of our exploration into privacy policy. As I have promised, I said that we would end this series with a discussion with one of the prominent lawyers in Nigeria, Miss Tosin Lewis. Now she is a very good friend of mine and I have a lot of respect for her and her knowledge. She is going to help us understand privacy policy in more depth and perhaps from a more legal perspective and look at other issues. So I hope you have enjoyed the previous days and I hope you will enjoy this discussion today. So let me waste no further time.

Tosin Lewis, you are welcome.

Thank you YJ it's my pleasure to be here.

Thank you for coming. Now I don’t know if you have been following our series but over the last five days or so we have been doing a very simplistic look into what privacy policy is about. Especially from the perspective of people actually putting themselves out on the internet, which is the current trend. I remember reading, just vaguely somewhere that enshrined in the constitution of Nigeria there is a clause that says we are all entitled to privacy in some degree or other. Can you expand on that? Can you give us a little bit more understanding?

Section 37 of the constitution of the Federal Republic of Nigeria guarantees the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. It says those rights are guaranteed and protected. We have several other pieces of legislation that also shore up that provision of the constitution. So constitutionally yes. These things are guaranteed and protected but whether in reality that protection exists is a totally different kettle of fish.

I think that is the key point, in reality, because in everyday walks of life. Do you think the constitution at the time it was set and that clause, you said section 37 was set, did they have internet in mind? Did they have the privacy issues we deal with today in mind? Even if they didn’t have them in mind could they actually be relevant to those issues?

It’s a bit difficult to say whether they did have the internet in mind. I see no reason why not. I see no reason why not but it is difficult to know what the legislator was thinking at that time. Is it relevant today? It should be but in practice I would say that it is not. When you talk about privacy of citizens it’s not just the internet. We have telephone. We have any form of communication when we talk about privacy policy and all that. It covers more than what we do on the internet. If I give you an example as to how, outside the internet, this constitutional guarantee of privacy is just, uhm, what I would say is paying of lip service. I remember several years; well let’s say several decades ago, before we had mobile telephones in Nigeria. I was on a phone call with someone, and we had been talking for a while, until a voice cut in and requested that we hurry up with our phone call because she needed to continue with a phone call with someone else. It was at that time it dawned on me that we had been chatting away and there were two extra pairs of ears listening to everything that was being said. Needless to say they hung up immediately. But the irony of it is, and what is a bit more alarming is that of recent I had such an experience again on the mobile phone.

Are you serious?

Yes. I heard a voice cut into a call I was making and realized that there were four of us on that line. Our calls had just somehow gotten caught up together.

Hmm!

And so when we talk about privacy, really, how private are we going to be talking about?

That's very true. Sometimes I feel that because of some of the security issues that we face, a lot of people are quite, or seem to be quite happy to surrender privacy for what they deem to be security, just as an aside. When we talk about privacy policy, from the, not even from the internet perspective, but from any perspective, even that conversation you just described, it’s all about personal information, personal data. Can you expand on personal data from the point of view of a legal perspective?

Ok! When we talk about personal data and privacy policy we are talking about how we expect that our personal information, I would expect that my email addresses, my phone numbers, what I do, my age, just basic information about me should not just be out there for anybody to pick up and use whichever way they please. When we look at what is being said globally about privacy policy, it’s all about how my personal information is being used out there. How no one should be able to just reach out to me with cold calls and cold emails.

But then in the outer world, taking that particular stance, everywhere else in the world they have a policy, which when you read it, it has a k-leg in it, it says I will use it for third parties or marketing purposes and they have built that into whatever policy. But I find that in Nigeria the policy might say that you are not going to use it. There may not even be a policy. A few years back. Do you remember when in, uhmm, if you went to Ikeja, the tech village in Ikeja, you could buy CDs of people’s GSM numbers and stuff like that. How does all that figure?

Now, let's look at this from two different angles. You spoke about how you could buy a CD of people's GSM numbers, the same way till today you could buy something online in Nigeria that will give you the database of people, their phone numbers, emails and whatever.

So have those people consented?

If you look at the law in terms of telecommunications in Nigeria, the licenses that are being given out, part of the law is that the owner of that license is obliged to have a directory in place of all subscribers.

OK.

A subscriber is entitled on demand to receive that directory.

The entire one?

Yes.

Oh!

The only way you or I can get our names out of that directory is to opt out.

Which most of us don’t?

Most of us don’t even have a clue that the directory exists or that we need to opt out to get our names out of that directory.

That is a revelation.

That is one thing. So it is easy for a subscriber to get that directory and then do whatever he wants with it, in a poorly regulated society. Then when we look at emails. We all go to these events. We go to book launches. We go to seminars. We go to conferences. Wherever we go we put down our names and our email address, sometimes we put down our phone numbers. Nobody really asks the questions what is going to be done with this. If every day I receive spam email on a daily basis, before I get hot under the collar, I need to ask myself did I at any given point in time put down my email for these people to use. Now let’s say you run four companies. And one of your companies, I come to your company A the year 2010. You’re having a seminar and I put down my email and I think that’s it. And then in the year 2017 you rebrand. It's still the same company and you decide that you have a product that you want to push out and you look at your list of everyone who has ever provided an email, that email is going to be on there and they are going to push that product to me by email and I am going to think that it is spam because I can’t even remember that ten years ago I ever put down my email with you, I don’t know you rebranded and probably have a new name. So while we get all these spam emails not all of them have been bought, some of them somewhere along the line we have consented, although we did not know it.

OK! I get what you are saying. So in a way all this new GDPR stuff is actually in our favor although it may not necessarily be relevant to where we are in Nigeria or in Africa.

I do think it is relevant. I think it is extremely relevant.

But I thought it was for EU citizens.

The GDPR is for EU citizens and for anyone who sells a product or service to someone in the EU.

Ok

Now if in Nigeria, if you run a website selling products and you have not blocked all, what do you guys call it, IP addresses from the EU and someone comes in from the EU onto your websites, purchases something or tries to download something and puts their email there, you are caught by the GDPR regulations.

Does that also apply to people who are preexisting on your database?

Yes.

It’s called the World Wide Web for a reason. It’s a global stage. So it makes sense that no matter where your website is your privacy policy really ought to comply with the GDPR. Look at the one in California, all the different ones. They are all asking basically for the same kind of protection.

Talking about GDPR because it does tap into privacy policy by the virtue of the fact that it is to do with personal data. Now like you I have noticed that Europe, yes. Canada, yes. What's Africa doing in terms of, if not privacy policy, of protecting African citizens', Nigerian citizens' personal data, is there anything, besides the one that is enshrined in the constitution?

Not that I know of. There might be but I am not aware of any moves right now by the legislators.

Is what we have sufficient?

We don’t have anything. We don’t have anything in terms of privacy policy for websites.

Even down to the individual. You pointed telecommunication, you are on a call, and someone butts in. There is nothing you can do. You send an email. Your address is there. Someone can harvest it and use it any way you like and the most surprising one is that one about the directory. So do we really need any further protection even though we have none already?

Yes I think we do. If the directories there quite alright and the directory issues. A good privacy policy for a website in Nigeria would take into consideration the GDPR, it would also take into consideration I mentioned, specifically issues such as the legislation that talks about the directories and whatever and make it clear that if at any point, the information about you I am collecting on this website this is what I can do with it, this is what I can do with it. But there is also this issue. There is this legislation. No human being can, there is this legal term we use. You cannot contract outside the law.

Contract outside the law. What is that?

That means if there is a law that says X, you and I cannot agree to bypass X.

Okay

So you cannot contract outside the law. So a good privacy policy would also mention this legislation. So if I have a privacy policy on the website it would all have the regular GDPR stuff, this is what I intend to do with it, I will not do this with it, I will not do this with it, I will not do this with it. It would also have on there the legislation that says that others can do directories and whatever. Please note that you have to opt out of this so that this does not happen. So in businesses that, for example let’s say MTN, MTN online the Nigerian site, let’s say they are putting on a privacy policy on their website. They would mention it.

OK

They would say that under the law they are obliged to create this directory, so if you do not opt out...

Your data will be available for exposure.

Yes.

Ok. That's interesting, because you see I was just thinking when you were talking, even if I had a privacy policy on my Nigerian website, who is to take me to task? Which law will apply? Let's say I contravene.

Yeah.

Who is going to take me to task?

The person who says you contravene.

In which country?

Where it says you contravene. Like we talked about GDPR, applies to EU, or to people resident in the EU or to anyone who is selling a product or service to someone in the EU, regardless of the fact that that person is not in the EU.

So the EU will then be able to find me in Nigeria? They can find me?

Yes

Okay. Let's say it wasn’t GDPR, generally if I have a privacy policy on a Nigerian website, there is nothing applicable. Do you understand what I am saying? I have it but so?

Okay. You have a privacy policy on a Nigerian website and I come onto your website. Let’s assume I have never ever met anybody who had asked me for my email before. So I put my email. Maybe it's a brand new spanking email. It’s the first time I am using it and I put it on your website. And then somehow I find that that email address has been sold on to a marketer, so I know without a doubt it has come from you. The leak has come from you. If I want to prove a point I could say you have violated my constitutional right to privacy.

Okay. Interesting.

If I wanted to prove a point.

Yes.

But I would say before anyone would jump up and start trying to sue people for breach of privacy, like I had said before, take your time and if you can do a trace back, you need to be very sure you have not consented to the use of that email.

Okay. That's good.

Because we do it, it is very routine for us. We go somewhere, at the registration table and put in your email.

Yes it is.

We need to download a freebie online; you put in your email.

Okay that's true.

At times it gets to be a lot and you are not able to join or connect your dots, because maybe you did it four, five years ago and you can’t remember. Before you jump up, screaming blue murder trying to get a law suit going and whatever, take a step back, be very sure that you are on the right track.

Hmm! That's good actually. Do you think that Nigerians understand that they actually have a right over their personal data? Because it's true, I have been to many events I have done it exactly, I have signed up and I never even thought about what they are going to do with it. Do you think, maybe, we just don’t really understand we should control how much data we put out.

I think it is one of the factors that has led to this, is the way the authorities themselves treat our data. To get anything done in Nigeria, we go to the bank we have to input your data. Every single time we go into the bank, for one reason or another, we have to input our data. We have to put in your BVN, your whatever, submit your copies of your passport or your driving license. You need to do your passport, your international passport you go through the submit all that data again. You need to renew your driver’s license, you do all that. Whatever it is you need to do, you keep on putting all this data out.

So it's become a habit?

It's become a habit. We keep on hearing about a national database. As far as I am concerned it does not exist because if it did I would not need to keep on supplying the same information over and over again. So it’s like we have been conditioned, we have been conditioned that once they put a form in front of us, to put in the data and never step back and say what is going to happen to all this data I am putting out here. It stems from the way the society has been structured. The way the authorities are managed right here in Nigeria.


Chat With Tosin Lewis on Privacy Policy - Part 2

You mentioned, in the event that you haven’t accidentally dropped your data along the line, the only redress seems to be section 37 and that's going to court. Do you really, in reality? That, that? What would the court do in reality? Would they fine? What do you think they would do?

Maybe the question would be what would be the value of the suit for you to actually go the whole hog? The damage to you must have been extensive for it to be worth your while and retaining counsel and doing all that. If it is huge damage then yes then the courts would consider it.

Really?

Yes. I am trying to think what would...

Okay, like an example?

Yes.

Like for instance, a high net worth individual, he attends a conference to speak and by the by, for some reason along the way he is asked to submit his email and telephone number so that the conference can give feedback from the participants, but not give it out. But in the end what actually happens is that it is distributed among the one million participants that attended and he is being spammed. He has to close it down. He has been compromised and you know you can do a lot of hijacking through sms and email. It cost him. High net worth people they carry their email and telephone number all the way through. Not only that it can compromise your banking because banks tie everything to your email and your phone. Exactly, in Nigeria that's the scary part. Your email, your phone number, these personally identifiable bits of information is actually tied so closely to our financial system. So in that event he might well feel he wants some degree of redress. So what would be open to them? Cos in the GDPR there are fines. There are levels of fines, but they are government instituted but in Nigeria I can’t actually...

In Nigeria you would probably be looking in terms of a tort. If you can’t actually support with a term of legislation you would be looking in terms of a tort.

Wow, what's a tort? Actually I don’t know. I am nodding but I don’t know. What's a tort?

I best not explain that now.

I don’t know.

Let me try and look for two or three examples. You have contracts. You have damage that arises by way of contract. You have damages that arise by way of tort. So for example you are a building contractor and I enter into a contract with you to build me a house. You use substandard material. And because of the substandard material you have used a wall comes crashing down. I will sue you for breach of contract. Now let’s say I don’t have a contract with you. Let's say I am building my house here and you are dredging next door and because you are dredging next door, the earth shifts underneath my house and a wall comes crashing down. You have no contract with me. What you have done is tortious. So that is why we call it a tort.

Okay. That's the first time I understand that.

I didn’t just want to do a legal definition. I wanted to put it in context. People usually need you to put it in context so they understand what a tort is better. In that instance and this high net worth individual suffers such a damage, like I said he needs to be able to trace it, one. Then two there is no privacy policy or there is no contract between him and the people who have the conference so there has been no breach of contract. So it's a tort.

So in essence, privacy policies might even need to get to a stage, where you come to a conference and I might actually have to let you know what I would be doing with data.

Why not? Why not? If I could come and speak with someone and as a pre-requisite for that time together I ask you to sign a non-disclosure, why shouldn’t I ask you to sign a privacy policy.

That's a very good point. But do you think there is a will in Nigeria to do anything above and beyond the section 37 of the constitution to enshrine just the issues of privacy policy. Because you rightly mentioned and I agree with you, we are coming up to elections, again we are going to be voter registration. I did this. So why am I being asked to do it again? If you have this data somewhere, why don’t you just pull it out? There is nothing addressing these issues apart from you have a right to privacy. Do you think there is a will by either the Government, by corporate organizations, as it might actually be to their advantage not to tackle this?

There is no will by the government. At least none that I know of. I seriously doubt that there will be a will by corporate organizations because it’s to the benefit of corporate organizations that things remain as it is.

Why do you say that?

I know right now for example, take the US for example. I know there are issues now and the big corporations now are pushing, they are the ones trying to drive the privacy policy legislation in the US, for the sole reason that they want terms that are advantageous to them.

OK

And so there is this whole furor about no, no, no they can’t be driving it because they are trying to put in that would not be beneficial to the general public but they are they are trying to drive it. So the reason why that is happening is because in the US, and well globally people are more conscious because of the entire hullabaloo about the GDPR. In Nigeria it hasn’t caught up. As long as there is no move by government to legislate there is no reason for corporate organizations to actually push for anything. Why would they?

That's interesting. There are a lot of the top organizations in Nigeria, they operate internationally so wouldn’t they be a bit amiss ignoring this? Cos rightly as you said anyone from the EU dealing online, is a potential problem for you if you have not catered.

When you look at the way the top organizations in Nigeria are set up, how much, in terms of what is required in a privacy policy, do they do online?

Fair point, fair point.

You look at the big guns like MTN, Etisalat they all have their Nigerian websites. It is not a sole website serving everybody.

That's true. Okay regionally identifiable websites. That's true. Ah and that's a way out of it.

It’s a way out. That is not to say those guys don’t have, I haven’t checked. They might have a privacy policy in place and everything.

Okay that brings me to very funny questions, it came up when I was thinking about what we would discuss on privacy policy and I am thinking worldwide and I am honing in on Nigeria and Africa. I am in the IT world and we have been discussing data sovereignty and I started thinking and asking myself does privacy policy, personal data and data sovereignty do they have any link anywhere?

They should actually, in purely, I would say purely theoretical terms. The link is definitely there. Data sovereignty is all about where the data is warehoused and how it is supposed to be the laws of the domicile of the data should prevail. But when you look at the way online business, not just online but the way the business community is set up. As long as I am doing my accounting online using Wave or QuickBooks. I am having my CRM online. This is in the cloud and that is in the cloud and the company that I use has servers in five countries. I don’t know which server my information resides. It's all theoretical and up in the air, then we could legislate about data sovereignty from now till kingdom come. Until the legislation says that if a business operates here the cloud must be here, the server in which all that in the cloud resides in must be in the same place where the business is operating, then I think data sovereignty is too far.

Okay, okay. It is a complex issue.

Yeah.

But it might rear its ugly head at some point. We've looked at the law as it stands and whether it covers or not and you've explained that very nicely. Thank you. But I also remember reading; there is a World Wide Web foundation and they in conjunction with company, paradigm shift. I think they are local. I have heard of them before. They did a kind of survey or a look at privacy policy in Nigeria in particular. They came up with some findings. They came up with three particular recommendations that I picked up on. They may have been more but there were three that I kind of picked up on. One was use of personal data must be in accordance with the purpose for which it was collected, which is something you mentioned already. They also felt that there needs to be a framework or something that discusses the consent of the individual must be obtained prior to collecting his or her personal data. Then the third one was rights of the individual to seek legal remedies for misuse and or unauthorized access to his or her personal data must be guaranteed. From what they are saying they are not enshrined anywhere. What framework if any could add these kinds of clauses to protect the individual or is it not necessary?

I think that it is necessary. Maybe it will be able to do with privacy policy. It will definitely be more complex than these three recommendations would cover. It would be a rather complex bill. The things that these recommendations would as they are, in order to establish that there has been a breach, you are going to have to jump through a lot of hoops. For example the rights of an individual to seek legal remedies for misuse and unauthorized access. You need to establish the lack of authority. You need to establish misuse. That might be difficult for you to establish. Particularly if the use which you are now saying is not authorized has been done by a company that is very good at keeping who is very good at keeping records. If they are very good at keeping records, you might find yourself fighting a battle, on which at the end of the day you might need to pay damages for wrongful. It would need to be a rather complex legislation that would take care of many things so that if I had given you my info for this purpose, then some of the sign up forms that you sign at conferences would have to state clearly on that form that the data being collected for that registration would only be used for the conference in respect of that, that took place from this date to this date and could not be used for anything else. But then it would be difficult to push that through as legislation, then in that case both online and offline companies would find it very difficult to build up an email list. Every company needs an email list.

They would constantly be deleting wouldn’t you. It’s actually more complex. The more we look into the realities of it, it's actually very complex. Without an email list, what's the point and the only way to get that email list is to get people to sign up for one thing or the other.

On, as we round up, what would be your advice, like I am also a user as well as a developer, and I have been to many websites and we are so quick and it says you want the product you want to get to the page, you click "I agree". Sometimes I open up these agreements and they are voluminous. What's your advice to anyone who goes to a website and they are about to click I agree even without looking at a policy. What good advice do you want to give them?

Well as a lawyer I would say read and read again.

It's like it takes about two hours to read a policy and yet what you are trying to access is a click away. So how does it work? You have no choice but to read.

Read. I would like to say that I always do but I don’t.

Sometimes a trick I use is I click and then I copy the agreement and read it later. What happens in the instance when you read it later and you figure out that okay, this really doesn’t agree with what, I am not happy with their terms? Can I go back and sort of disenroll?

Just unsubscribe. Unsubscribe. Once you've unsubscribed from a list they have no right to use your data.

If I have access to a lawyer and I copy it to my lawyer, is that an option?

You copy?

The agreement to the lawyer. Because there are some instances the agreement is long and then it points you to another place and it points you to another place and continues to point you.

Yes if you send it to your lawyer, your lawyer will read and advise you to sign up, don’t sign up or you have signed up do not subscribe.

Any parting words for our listeners as they listen to the privacy policy and as they are contemplating developing their own because the basis of this whole conversation is, we are going online, we are becoming more of an online market, so they need to be aware to either have a very simplistic privacy policy. Or depending on how feature rich their websites are a more complex.

I would say generate a privacy policy. It is a simple enough thing to do. Look for what are the basic things that should be in your privacy policy vis a vis what you intend to do as a business. You need to think globally. Think people visit your website from anywhere. If you go to your Google analytics you find that people are visiting your website from places you had no clue that anyone would look at your website. So think globally. Put up a good privacy policy that ticks all the boxes. It’s not going to cost you anyway.

Thank you I think that was the best end to this session. I have learnt a lot. In fact I am even more awed by the privacy policy issue. Thank you very much for your insight.

Thank you.

I do hope you will join us another time. I am very very thankful and I hope my audience has enjoyed our discussion as much as I have. So this is all for this session. I hope you will follow up. There will be an opportunity to download the whole series as one in an e-book. That will be at a later date. Please join us on our next exploration. That will be in about a week. Thank you very much this is Yetunde Johnson and

Tosin Lewis.

Bye

Privacy Policy Podcast

Privacy Policy Series

This series of Slingshot Technologies LIT (Look Into Technology) in Nigeria and Africa takes a look at Privacy Policy, why we need them, what they are and how we go about creating one. It ends with a discussion with one of the leading lawyers in Nigeria about how this relates to Nigeria and Africa.

What would the future look like for your personal data


Personal data is one part of things we considered as we worked towards highlighting what you need to create a privacy policy. It might have made you think. Especially as privacy policies are supposed to help you make a decision whether to submit it on a site or not. Are you beginning to get the feeling that you might be worth something, or at least your personal data might be? Well, I came across the following TEDx Talk from TEDxBermuda on The Future of Your Personal Data - Privacy vs Monetization by Stuart Lacey. It was very insightful and provided lots of food for thought.

Have a listen and consider the three questions posed by Stuart Lacey and provide your own answers.
1. Are you being robbed?
2. Are you missing out?
3. Are you being paid?

See you on the other side.

YJ

How much is your privacy worth to you?


Over the last five days we have been looking at different things related to privacy policy. One of the things that has come out of that is the idea and understanding, I hope, of what personal data is all about and how it relates to privacy policy. Your personal data and keeping it private or knowing how it is used is important for you to start thinking about. The quote below suggests how important privacy is. Do you agree? Consider this question and let us know.

How much is your privacy worth to you?

Thank you for reading this post.

I look forward to hearing from you.

YJ

Privacy Policy - How to Create it



Welcome to the fifth part of privacy policy. Today we are going to have a brief chat about the different ways you can quickly create a privacy policy. It's a long document, legal looking, wordy and in some ways very complex. I know when I try to sit down and do ours, I initially attempted to do it in one way, then after looking at it for a few minutes I decided there must be an easier way to do this. Guess what, there are. There are many quick ways in which you can quickly generate a privacy policy. But we are going to look at this stage by stage.


Privacy Policy - What Do You Need In It



Welcome to the fourth part in the Privacy Policy series. In the previous three sections we have looked at generally what a privacy policy is about and had a more in-depth look at what it is exactly. Then we also examined in the last session personal data and what it is.

Welcome to this the fourth one where we are taking a dive into what you need in a privacy policy. What are the different components and text pieces that you need to make up a good privacy policy in these current times.
