“The internet never forgets”. Many users of the internet particularly popular social media platforms are familiar with this expression which suggests the virtual permanence of information posted online. The enduring nature of information stored using information technology, has been enhanced with the development of cloud storage which allows collection, aggregation, and storage of data often without regard to natural borders of sovereign states. When information is posted through a social media platform, it is often a matter of minutes before it can be viewed, and shared by millions of people across the world. The internet and social media platforms beyond the medium they provide for sharing of information and ideas, also serve as repository of information.
Many organisations have capitalised on this to develop business model such as digital marketing, where data takes the nature of feedstock for further exploitation. The ubiquitous nature and use of computer system have serious implications for privacy rights of citizens, especially where personal information are shared, traded, and exploited without the consent of the data subject. The intervention of data protection legislation as a means of protecting private rights of persons is thus seen as a welcome development to protect people from over-exposure of their personal information in the digital world. It is in the context of the foregoing that this article analyses the right to erasure which is one of the salient rights under data protection laws.
The right to erasure recognizes the importance of individuals being able to control their personal data and have it deleted or removed from databases and online platforms. It empowers individuals to request the deletion of their personal information when it is no longer necessary, has been unlawfully processed, or is being used in a manner that violates their rights. This right serves as a vital tool in giving individuals more control over their digital footprint and ensuring that they can manage the information they share online. By analyzing the right to erasure within the context of data protection laws, this article explores its significance in protecting individuals’ privacy and enabling them to assert greater control over their personal information in an increasingly interconnected world.
Legal Basis for Data Protection Rights
Under the Nigerian legal system, every law traces its origin to the 1999 Constitution from which they derive their validity. Data protection laws are no exception. Section 37 of the 1999 Constitution provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. It is generally accepted, that this provision forms the basis for data protection regulation particularly in relation to processing of personal data in the digital age1. In furtherance of the objective of protecting citizens’ rights as data subjects, the Nigerian Information Technology Development Agency which is saddled with regulation of IT usage in Nigeria enacted the Nigerian Data Protection Regulation (NDPR) 2019, as well as the supplementary Implementation Framework 2020 to regulate data protection in the country2. Among other salient data protection provisions of these two legislations, specific rights of data subject were provided for therein. The right to demand erasure with which this article is concerned is one of the rights created under the NDPR.
Data Subject and Scope of protected data
Central to every data protection regulation is the data subject. In the context of Nigerian law, the data subject is every natural person in Nigeria whose private information is protected under the law. The law does not make a distinction in this regard between a Nigerian citizen, and other non-national residents. This protection offered to nationals and non-national residents alike, conforms to international standard as applicable in advanced economies such as the US, and the EU. Ancillary to the concept of the data subject is the means of identifying them which include information relating to physical, mental, physiological, economic, social and cultural identity. In addition personal information necessary for identifying a data subject is further defined, to cover information such as internet IP data, location information, social media handle/moniker, email address as well as posts and publications to name a few. By virtue of this broad definition, information automatically stored by digital platforms through cookies collection, geo-location applications and website IP addresses are all covered as personal information subject to protection under the regulation.
Another important point to note in relation to protection of data subject is that his rights are triggered in relation to any act of processing by organisations coming into contact with its personal information. Data processing in this regard is widely defined under the NDPR to mean
“any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Thus where an entity engages in any of the acts defined above in respect of personal data of a data subject, the protections offered by the regulation is activated regardless of whether the entity comes in contact with the data through a contractual arrangement with the data subject, or the data is acquired through non-consensual means or from third parties.
Understanding the right to Data Erasure
While there are varieties of rights available for protection of a data subject under the NDPR, this article is more concerned with scope of right to data erasure which is also known as “the right to be forgotten”. In its simplest form, the right to data erasure is the right of a data subject to demand from a data controller or data processor the deletion of personal data kept of it in the records of the data controller. This right has its origin in European Union data protection law particularly from the case of Google Spain v. Agencia Española de Protección de Datos3. This was a case where the plaintiff successfully sued Google for refusing to oblige request to delete embarrassing data concerning the plaintiff that come up on Google search engine. This decision by the European Court of Justice was subsequently codified in the EU General Data Protection Regulation (GDPR) 2018.
While the scope of data subject rights under the NDPR is not as elaborate as provided for under EU law4, the right to erasure is expressly provided for by the regulation. Paragraph 2.1 (1c) of the NDPR provides that “personal data must be stored only for the period within which it is reasonably needed”. The ambiguous nature of this provision has been further clarified in paragraph 8 of the NDPR Implementation Framework 2020. The Implementation Framework provides that in the absence of express agreement between the Data subject and the controller, data must not be kept for more than 3 years from the last date of interaction with the digital platform by the data subject, or within 6 years in the case of an online contractual transaction. In all other cases where the data is processed without the consent of the data subject, the data shall be deleted immediately upon request, unless a statute prohibits such deletion, or the retention of the data is necessary for a court action or investigation involving the data subject.
In addition to paragraph 2.1 (1c) of the NDPR, paragraph 3.1 (9) itemises the common grounds for demanding personal data erasure in the regulation and they are;
- Where the information is inaccurate – this right is ancillary to the right of data subject to have accurate information kept of it by a data processing entity. Thus a data subject is entitled to demand the erasure of such erroneous data
- Where the information has been kept without the consent of the data subject, or the consent previously given has been withdrawn.
- Where the data subject objects to the continued processing of the data, and there are no overriding legitimate grounds to keep the data.
- Where the processing is no longer necessary in relation to the purpose for which they were obtained.
One important point to note is that the application of provisions of paragraph 3.1(9) unlike paragraph 2.1 (1c) is not dependent on the existence of a contractual relationship between the data subject and the controller who processes the data. This has the effect of preserving the data subject rights to demand erasure from organisations and digital platforms, in respect of personal information hosted by such entity regardless of whether they are posted by or obtained from third parties. This by implication confers data subjects with a greater form of control over use of their personal data in the digital world. Also data subjects have greater control in determining what information about them is accessible to third parties or the general public.
A practical illustration will be in the case of a social media blackmailer who releases compromising information about its victim to the web. The victim apart the right to seek law enforcement actions against the blackmailer, can rightfully demand that the digital platform where the information is published take it down. This expansive interpretation of the data subject right to erasure conforms to the objectives of privacy protection under the law, and gives practical effect to the provisions of section 37 of the 1999 Constitution. Also this approach conforms to the conception of data in contemporary world as a personal asset worthy of protection. This article takes the position that this purposive interpretation of the NDPR should be preferred whenever the regulation is to be applied, as it mirrors the elevated level of protection in the EU where personal data is protected as a fundamental human right by virtue of Article 8 of EU Charter of Fundamental Rights.
Limitations on right to demand data erasure
Despite the importance attached to privacy rights of data subjects forming the basis of the right to erasure, the right is not an absolute right as its enjoyment is subject to limitations. The most relevant restrictions to the data subject right to demand erasure are the rights to freedom of expression and information by other persons. There are circumstances where the freedom of expression and information rights of the public might trump the desire of the data subject to protect privacy rights. This will largely depend on the peculiarity of the case, bearing in mind factors such as the nature of the information sought to be protected, the status of the data subject in society, and the relevance of the information at the particular period in time. There is presently no decision of Nigerian Court on this issue. However the European Court of Justice in Google Spain v. Agencia Española de Protección de Datos(Case C-131/12) recognised that public interest in information relating to public figures may often supersede the rights of such persons to demand erasure.
In addition to the foregoing, continued publications or storage of the data subject’s information might be necessary to fulfil a legal obligation. An example of this will be in respect of criminal records of offenders, such as a sex-offender register or conviction register which is open to members of the public. Another instance will be in respect of information kept pursuant to law for the fulfilment of a public duty. In this regard, the NDPR Implementation Framework 2020 expressly excludes the application of the NDPR in respect of personal data kept for the purpose of national security, public safety or public health. The data subject will thus not be able to demand the erasure of such information kept by statutory organisations, which is considered necessary for the benefits of the public. Also right to erasure might affect other third party rights such as where the information relate to other persons. The question of whether demand for erasure is justified in such instance will be determined on a case by case basis having regard to the conflicting rights of the parties
The right to be forgotten is essential to the constitutionally guaranteed right to privacy, and is intimately connected to the ability to start over with a renewed identity. Its enjoyment gives greater control to data subjects in respect of use of their data and is in some cases important to the preservation of their dignity as members of society. The right equally balances the interest of digital platforms which see data as the “new crude oil of the digital world”5, capable of exploitation, and often against the proprietary interests that data subjects have over their information. The introduction of data protection legislation in this regard puts Nigeria in the league of developed nations concerned with the protection of the privacy rights of its citizens. It is hoped through enhanced enlightenment campaign, Nigerian citizens will become more aware of their rights as data subjects, and will thus be in a better position to secure their data in the digital world.
- O. Babalola, ‘Nigeria’s data protection legal and institutional
model: an overview’ (2022) Vol 12, No 1, International Data Privacy Law, p47.
- The NDPR Implementation Framework 2020 was enacted as a guideline on the interpretation of the NDPR.
- Case C-131/12 (2014)
- Under EU data protection framework, data protection is a fundamental right. See Article 8 of EU Charter of Fundamental Rights
- 1M Kuneva, ‘Keynote Speech’ (Roundtable on Online Data Collection, Targeting and Profiling March 31, 2009) http://europa.eu/rapid/press-release_SPEECH-09-156_en.htm
Leave a Reply