Data is the new digital currency. This increasingly familiar expression is used to denote the invaluableness of data in today’s digital world. Indeed, data processing corporations feature prominently among the most valuable corporations in the world. As is typical with any lucrative venture, new entrants are emerging in the data processing space including tech startups, each with its unique product offering, competing for market share. The more established data corporations also appreciate the necessity to keep innovating to stay afloat and retain/expand their market share. Consequent on the foregoing, innovative tech products that are data reliant are being churned out at an unprecedented scale, the latest being artificial intelligence applications such as ChatGPT which requires loads of input data, among others. Furthermore, it is common knowledge that personal data in light of its value, is subject to abuse and exploitation with attendant devastating consequences. It is therefore imperative that adequate safeguards through laws and regulations are emplaced to regulate the use and processing of personal data. Conversely, there are arguments that data privacy regulations are likely to stifle innovation since mining and access of personal data which serves as the raw feedstock for many of the innovative products of our time, may be restricted. This has naturally spurred conversations on the legal ramifications around data privacy and innovation, and ways to reconcile or manage these two seemingly mutually exclusive concepts. Some thoughts on these are articulated below.
Data Privacy Rights are not Inviolable: Data privacy rights are arguably considered as derivatives of the right to privacy. In Nigeria the right to privacy is constitutionally recognised and guaranteed as a fundamental human right under section 37 of the 1999 constitution as amended. However, the fundamental rights specified under chapter IV of the constitution including the right to privacy, are qualified by the provisions of section 45(1) of the constitution which provides as follows:
Nothing in sections 37, 38, 39, 40 and 41 of this Constitution shall invalidate any law that is reasonably justifiable in a democratic society:
a. in the interest of defence, public safety, public order, public morality or public health; or
b. for the purpose of protecting the rights and freedom or other persons.
In other words, the right to privacy including data privacy rights can be lawfully derogated from in any of the instances referenced above. As such, innovative products that process data for a purpose covered under any of the objectives outlined in the above quoted section will not be in violation of the law. For instance, tech applications that help to combat crime, provide alerts during national emergencies, or aid national response to pandemics will be lawful, notwithstanding that they process personal data. A case in point is the UK emergency alert system that was tested earlier this year and enables the UK government to send mass alerts on life-threatening emergencies to the mobile devices of its citizens/residents. Similar emergency warning systems currently operates in Spain, Germany, and Netherlands.
Anonymised Data is Exempt from Regulation: In Nigeria and several other jurisdictions, data privacy only applies to personal data i.e. information that identifies or is capable of identifying a natural person. In this wise, tech products that make use of data not falling within this category are not in breach of data privacy rights. Equally worth noting is that where the personal data has been anonymised, such data can no longer be classified as personal data and in effect can be processed without the restrictions or conditions imposed by law or regulation. What this means is that innovations that process anonymised data do not contravene data privacy rights and anonymisation of personal data presents an effective means of sustaining innovation while at the same time protecting data rights. For instance, applications that conduct analytics with anonymised data can produce the same result and are no less efficient than similar applications that use personal data.
Regulation may breed Innovation for Compliance: While it is widely presumed and rightly so, that data privacy regulations impose constraints on innovation, a commonly overlooked consequential prospect is that it also creates a market opportunity for others to create innovative solutions to help companies achieve compliance without damaging their regular production and value-creation activities. This innovative compliance products/applications can thereafter be sold to those companies affected by the regulation in question. An example of privacy-enhancing innovation is homomorphic encryption, which is touted to transform cloud security, upon which healthcare providers will rely. Homomorphic encryption enables computation on data in a cloud environment without leaking the private key – it is commonly referred to as the “holy grail” of cloud security.
Regulation may Secure Access to Large Foreign Markets: Data privacy is increasingly a topical global subject that has gained a lot of momentum in recent times. However, some countries i.e. the United States of America, perhaps for some strategic reasons such as promoting innovations at the expense of data privacy, have failed to enact comprehensive data privacy regulations. For these countries, it may seem beneficial in the short term and somewhat confer competitive advantages to companies operating in their domain, since those companies do not need to worry about complying with the requirements prescribed under any data privacy law or regulation. In the long term however, failure to regulate personal data may be counter-productive given the fact that many innovative tech products that utilise personal data are frequently developed for global use. As such, if the developers of such products and the products as well, are not data privacy compliant, such products may be banned or unmarketable in foreign markets where data protection laws are in effect. Consequently, it comes as no surprise that not a few American companies and their products have been penalised for being in breach of the GDPR in the EU. In effect, it may serve countries little value to attempt to shield their companies from the constraints of data privacy regulations given the effects of globalisation and the increasing internationality of the subject of data privacy.
SimmonsCooper Partners is a licensed Data Protection Compliance Organisation and has demonstrable experience in advising businesses on the entire gamut of compliance with extant legal and regulatory frameworks on data protection in Nigeria. Please feel free to contact us for more information and/or clarification pertaining to this guide.