INTRODUCTION
Every online activity is saved as a digital record and is always accessible on the internet. It is said that the Internet has a memory and that it is slow to forget. The right to privacy has become necessary in the digital age because personal information can be easily shared and maintained. A developing legal notion known as the "Right to Be Forgotten" (RTBF) enables people to ask for specific personal data to be removed from public view, primarily online. Understanding and implementing the RTBF is becoming increasingly crucial as Nigeria works to improve its data protection laws. The Right to Be Forgotten and its adoption issues in the Nigerian context are examined in this article.
UNDERSTANDING THE RIGHT TO BE FORGOTTEN
The right to be forgotten acknowledges the importance of individuals having control over their data and having it deleted or removed from databases and online platforms. It allows individuals to request the deletion of personal information that is no longer required, has been unlawfully processed, or is being used in a way that breaches their rights. This right is an essential tool for individuals to gain control over their digital footprint and regulate the information they publish online. It allows a person to have data about them destroyed so that outside parties, notably search engines, cannot discover it.
The right to be forgotten allows a Data Subject to have their data erased by a Data Controller or Data Processor due to a previous action or occurrence. In other terms, it is the right to have information about a person, particularly unpleasant and obsolete ones, deleted from online searches or directories under specific conditions. This right emanates from the decision of the European Union Court of Justice in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014).[1]
LEGAL FRAMEWORK OF THE RIGHT TO BE FORGOTTEN IN NIGERIA
The Constitution of the Federal Republic of Nigeria, 1999
Like most other laws, data protection laws trace their origin to the 1999 Constitution, from which they derive their validity. Section 37 of the 1999 Constitution provides that citizens' privacy, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected. This provision is widely acknowledged as the foundation for data protection regulation, particularly in connection with processing personal data in the digital age. The provision, however, does not address specific components of the right to privacy, such as the right to be forgotten. Thus, while the Constitution has laid a solid framework for enforcing the right to privacy, it failed to include adequate provisions for enforcing the right to be forgotten as a component of privacy.
National Information and Technology Development Agency Act, 2007
Section 6 (a) and (c) of the National Information and Technology Development Agency Act empowers the agency to make regulations under which the Nigerian Data Protection Regulation (NDPR) was issued on 25 January 2019. This Act was created to acknowledge public and commercial entities' widespread online migration of business and other information systems. These data systems are now essential components of the information infrastructure that need to be controlled, secured, and protected from breaches involving personal information.
The Nigerian Data Protection Regulation, 2019
While the NDPR's data subject rights are not as comprehensive as those under European Union law, the legislation specifically includes the right to erasure.
Paragraph 2.1 (1c) of the NDPR provides that personal data must be stored only for the period it is reasonably needed. The ambiguous nature of this provision has been further clarified in paragraph 8 of the NDPR Implementation Framework 2020. The Implementation Framework states that, unless expressly agreed upon by the data subject and the controller, data must not be kept for more than three years from the data subject's last interaction with the digital platform or six years in the case of an online contractual transaction. In all other circumstances where data is processed without the data subject's consent, the data must be erased immediately upon request unless a statute prevents such deletion or the data retention is required for a court action or inquiry involving the subject.
Further to paragraph 2.1 (1c) of the NDPR, paragraph 3.1 (9) lists the grounds for requesting personal data erasure in the regulation. The grounds are:
i. Where erasure is mandated by the law or agreement between the data controller and the data subject.;
ii. Where the information is inaccurate;
iii. Where the information has been kept without the consent of the data subject;
iv. Where the data subject objects to the continued processing of the data, and there are no overriding legitimate grounds to keep the data;
v. Where the processing is no longer necessary in relation to the purpose for which they were obtained.
The application of paragraph 3.1(9) is not contingent on the existence of a contractual connection between the data subject and the controller who processes the data, in contrast to paragraph 2.1(c). It has the consequence of retaining data subjects' rights to demand erasure from organisations and digital platforms for personal information stored by such entities, regardless of whether it was posted by or obtained from third parties. This implies that data subjects significantly influence how their data is used in the digital environment.
The Nigerian Data Protection Act, 2023
The Nigerian Data Protection Act 2023 currently establishes an extra framework for enforcing data subjects' rights in Nigeria, including the right to be forgotten. Section 34 of the Act expressly addresses a data subject's full variety of rights, including the right to request erasure. Section 34(1)(c) of the Act grants a data subject the right to demand from a data controller, without restriction or unreasonable delay, the correction or, if rectification is not possible, deletion of the data subject's data that is inaccurate, out of date, incomplete, or misleading. Section 34(1)(d) of the Act provides that a data subject has the right to obtain from the data controller the erasure of personal data concerning the data subject.
Section 64(2)(f) of the Act states that all existing regulatory instruments, such as regulations, directives, and authorisations issued by the National Information Technology Development Agency (''NITDA'') or the Nigeria Data Protection Bureau (''NDPB''), will remain in force until they expire, are repealed, replaced, reassembled, or altered. In other words, the provisions of the NDPR relating to the right to be forgotten remain in effect and, along with the Act, serve as the legal foundation for direct enforcement of the right to be forgotten in Nigeria.
LIMITATIONS ON THE RIGHT TO BE FORGOTTEN
Despite the significance of data subjects' privacy rights, which serve as the foundation for the right to erasure, the right is not absolute and has restrictions.
One of the most challenging issues in implementing the right to be forgotten is striking a balance between privacy rights and freedom of expression. There is a need to ensure that the right to be forgotten does not result in the suppression of critical information or historical records. Striking this balance necessitates careful consideration and regulatory frameworks safeguarding privacy and free expression. In some cases, the public's right to free expression and information may precede the data subject's desire to maintain privacy rights.
Another barrier to data protection enforcement is a lack of understanding of data protection rights. Public education initiatives and easily accessible data privacy information can help users manage their online presence and connect with data controllers more effectively. There is currently no verdict by the Nigerian Courts on this matter.
The European Court of Justice in Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González recognised that public interest in information connected to public figures may frequently override the rights of such individuals to demand erasure. Accordingly, continuing publication or storage of the data subject's information may be required to meet a legal duty. In this context, the NDPR Implementation Framework 2020 prohibits using the NDPR on personal data held for national security, public safety, or public health purposes. As a result, the data subject will be unable to demand the erasure of such information held by statutory organisations deemed vital for the public's benefit.
CONCLUSION
As Nigeria continues to improve its data protection legislation, the Right to Be Forgotten emerges as a critical component of digital privacy. While the NDPR offers a solid framework, explicit provisions and judicial interpretations are required to integrate the RTBF into Nigerian law properly. Addressing the issues and balancing the many interests will be critical to adequately implementing this right and ensuring that it benefits individuals and society.
IOLA Legal Services
Ikeola Atilola
[1] https://curia.europa.eu/juris/document/document.jsf?docid=152065&doclang=en (last accessed 19 August 2024)