INTRODUCTION
Every online activity is saved as a digital record and is always accessible on the internet. It is said that the Internet has a memory and that it is slow to forget. The right to privacy has grown in importance in the digital age because of how easily personal information can be shared and maintained. A developing legal notion known as the "Right to Be Forgotten" (RTBF) enables people to ask for certain personal data to be removed from public view, especially online. Understanding and putting the RTBF into practice are becoming more and more important as Nigeria works to improve its data protection laws. The Right to Be Forgotten is examined in this article along with its adoption issues in the Nigerian context.
UNDERSTANDING THE RIGHT TO BE FORGOTTEN
The right to be forgotten acknowledges the importance of individuals having control over their personal data and having it deleted or removed from databases and online platforms. It allows individuals to request the deletion of personal information that is no longer required, has been unlawfully processed, or is being used in a way that breaches their rights. This right is an important tool for individuals to gain control over their digital footprint and regulate the information they publish online. It allows a person to have data about them destroyed so that it cannot be discovered by outside parties, notably search engines.
The right to be forgotten allows a Data Subject to have his or her personal data erased by a Data Controller or Data Processor as a result of a previous action or occurrence. In other terms, it is the right to have information about a person, particularly unpleasant and obsolete ones, deleted from online searches or directories under specific conditions. This right emanates from the decision of the European Union Court of Justice in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014).
LEGAL FRAMEWORK OF THE RIGHT TO BE FORGOTTEN IN NIGERIA
1. The Constitution of the Federal Republic of Nigeria, 1999
Data protection laws, just like every other law traces its origin to the 1999 Constitution, from which it derives its validity. Section 37 of the 1999 Constitution provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected. This provision is widely acknowledged as the foundation for data protection regulation, particularly in connection to the processing of personal data in the digital age. The provision, however, does not address specific components of the right to privacy, such as the right to be forgotten. Thus, while the constitution has laid a solid framework for the enforcement of the right to privacy, it failed to include adequate provisions for the enforcement of the right to be forgotten as a component of privacy.
2. National Information and Technology Development Agency Act, 2007
Section 6 (a) and (c) of the National Information and Technology Development Agency empowers the agency to make regulations pursuant to which the NDPR was issued on 25th January 2019. This Act was created in acknowledgement of the widespread online migration of business and other information systems by both public and commercial entities. These data systems are now essential components of the information infrastructure that need to be controlled, secured, and protected from breaches involving personal information.
3. The Nigerian Data Protection Regulation, 2019
While the NDPR's data subject rights are not as comprehensive as those under European Union law, the legislation does specifically include the right to erasure.
Paragraph 2.1 (1c) of the NDPR provides that personal data must be stored only for the period within which it is reasonably needed. The ambiguous nature of this provision has been further clarified in paragraph 8 of the NDPR Implementation Framework 2020. The Implementation Framework states that, unless expressly agreed upon by the data subject and the controller, data must not be kept for more than three years from the data subject's last interaction with the digital platform, or six years in the case of an online contractual transaction. In all other circumstances where data is processed without the data subject's consent, the data must be erased immediately upon request, unless a statute prevents such deletion or the retention of the data is required for a court action or inquiry involving the subject.
Further to paragraph 2.1 (1c) of the NDPR, paragraph 3.1 (9) lists the grounds for requesting personal data erasure in the regulation. The grounds are;
I. Where erasure is mandated by the law or agreement entered into between the data controller and the data subject.;
II. Where the information is inaccurate;
III. Where the information has been kept without the consent of the data subject;
IV. Where the data subject objects to the continued processing of the data, and there are no overriding legitimate grounds to keep the data;
V. Where the processing is no longer necessary in relation to the purpose for which they were obtained.
The application of paragraph 3.1(9) is not contingent on the existence of a contractual connection between the data subject and the controller who processes the data in contrast to paragraph 2.1(c). it has the consequence of retaining data subjects' rights to demand erasure from organisations and digital platforms for personal information stored by such entities, regardless of whether it was posted by or obtained from third parties. This implies that data subjects have greater influence over how their personal data is used in the digital environment.
4. The Nigerian Data Protection Act, 2023
The Nigerian Data Protection Act 2023 currently establishes an extra framework for the enforcement of data subjects' rights in Nigeria, which includes the right to be forgotten. Section 34 of the Act expressly addresses the full variety of rights given to a data subject, including the right to request erasure. Section 34(1)(c) of the Act grants a data subject the right to demand from a data controller, without restriction or unreasonably delay, the correction or, if rectification is not possible, deletion of the data subject's personal data that is inaccurate, out of date, incomplete, or misleading. Section 34(1)(d) of the Act provides that a data subject has the right to obtain from the data controller, the erasure of personal data concerning the data subject.
Section 64(2)(f) of the Act states that all existing regulatory instruments, such as regulations, directives, and authorisations issued by the National Information Technology Development Agency (''NITDA'') or the Nigeria Data Protection Bureau (''NDPB''), will remain in force until they expire, are repealed, replaced, reassembled, or altered. In other words, the provisions of the NDPR relating to the right to be forgotten remain in effect and, along with the Act, serve as the legal foundation for direct enforcement of the right to be forgotten in Nigeria.
LIMITATIONS ON RIGHT TO BE FORGOTTEN
Despite the significance of data subjects' privacy rights, which serve as the foundation for the right to erasure, the right is not absolute and has restrictions.
One of the most difficult issues in implementing the right to be forgotten is striking a balance between privacy rights and freedom of expression. There is a need to ensure that the right to be forgotten does not result in the suppression of critical information or historical records. Striking this balance necessitates careful consideration and regulatory frameworks that safeguard both privacy and free expression. In some cases, the public's right to free expression and information may take precedence over the data subject's desire to maintain privacy rights.
Another barrier to data protection enforcement is a lack of understanding of data protection rights. Public education initiatives and easily accessible data privacy information can help users manage their online presence and connect with data controllers more effectively. There is currently no verdict by the Nigerian Court on this matter.
The European Court of Justice in Google Spain SL, Google Inc v. Agencia Española de Protección de Datos, Mario Costeja González recognised that public interest in information connected to public figures may frequently override the rights of such individuals to demand erasure. Accordingly, continuing publication or storage of the data subject's information may be required to meet a legal duty. In this context, the NDPR Implementation Framework 2020 clearly prohibits the use of the NDPR in relation to personal data held for national security, public safety, or public health purposes. As a result, the data subject will be unable to demand the erasure of such information held by statutory organisations and deemed vital for the public's benefit.
CONCLUSION
As Nigeria continues to improve its data protection legislation, the Right to Be Forgotten emerges as a critical component of digital privacy. While the NDPR offers a solid framework, explicit provisions and judicial interpretations are required to properly integrate the RTBF into Nigerian law. Addressing the issues and balancing the many interests will be critical to properly implementing this right and ensuring that it benefits both individuals and society.