Understanding consent in the age of GDPR – lessons for Nigerian entities.

Technology has increasingly eased the condition of our living. Often, these technologies rely on data generated by our interactions with it to serve us better. As we increasingly produce data, our privacy rights becomes vulnerable. The exponential growth of technology and the internet relies on data produced by human interaction. This requires balancing the comfort of technology, the interest of commerce,  and privacy rights.

The internet has open a new vista sprawling varying business models. These models are data-driven. The past decade has witnessed an unprecedented accumulation and collection of data. This has allowed both private and public institutions to utilise personal data to take business decisions, enhance operations, create new products, optimize delivery and services, increase profitability, and to design market intelligence. The aggressive commodification of the data is an existential threat to privacy.

Complete privacy is almost technically impossible and does not exist absolutely, legally. This is noted in Recital 4 of the GDPR that states “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” Natural persons are increasingly making personal information available publicly. This has allowed for an unmatched degree of monitoring, profiling and processing of personal data of consumers.

HOW IMPORTANT IS CONSENT?

In the wake of the Facebook-Cambridge Analytica tussle, it is important to put certain issues about consent in suitable perspective.

Countries have attempted to enact legislative framework for data protection. These laws seek to balance the privacy rights of its citizens with private use of their data. The European Union General Data Protection Regulation (EU-GDPR) is one of the most advanced framework for data protection globally. The GDPR has an extra-territorial application, which brings global businesses processing, monitoring personal data of EU residents under its application. The GDPR expanded the rights of the data subject and guarantees stronger protection for their personal data.

Nigerian businesses processing personal data emanating from the EU by way of offering goods and services to the EU, and monitoring of behaviour that takes place within the EU are bound by the framework and are enjoined to position their business in compliance with the regulation to avoid the risk of the penalty and more severe reputational loss. Nigerian businesses should not wait till there is a local legislation to transpose their business for compliance. Respecting privacy is going to be the global norm rather than the exception. The Facebook-Cambridge Analytica saga costs facebook in shares and reputation. The penalty for breach is nothing compared to reputation loss, loss of trust and negative market reaction.

According to the World Wide Web Foundation, “willing consent from all parties involved in a transaction is generally accepted to be a cornerstone in the foundation of ethical behaviour, no matter if the interaction is of a personal…, professional … or public… nature”

UNDERSTANDING CONSENT UNDER THE GDPR

Article 4 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The GDPR imposes an obligation on data controllers collecting and processing personal data to be more accountable for data protection. Obtaining consent forms one of the basis and bedrock for data collection and processing. This is further underlined by the data protection principle of lawful processing. Obtaining data without the consent of the owner is clearly a violation of privacy rights of a data subject and breach of the GDPR.

The maximum penalty under the GDPR, which is a fine up to 4% of annual global turnover or €20 Million (whichever is greater) applies to data controllers and processors not having sufficient customer consent to process data. According to the GDPR, compliance is not a choice. The Regulation demands that data controllers demonstrate compliance with the requirement of consent before processing their personal data.

CONSENT IN CONTEXT

For consent to be validly given, It must be clearly unambiguous, detailing what will be collected and for what purpose. If a personal data will be used for another purpose outside the purpose it was originally collected, the owner should be notified and consent re-sought. The data subject should opt-in rather than opt-out.

Using personal data obtained with consent for other purposes or obtained without consent exposes the personally identifiable information (PII) of individuals to risk and it is a gross violation of a data subjects’ rights to privacy.

STATUS OF CONSENT IN NIGERIA

The absence of a general data protection framework in Nigeria means there is no legislation defining the standard for obtaining consent. This has resulted in unhealthy practices by businesses that disrespect the privacy rights of consumers. It is in common practice for personally identifiable information of a consumer to be obtained for a specific purpose(s) and subsequently used for contrary purposes or sold to third parties. Hence, implying receiving or been harassed with unsolicited adverts, mailing list. It is worse when you unsubscribe, you continue to get the messages or you simply are not given the option to unsubscribe. A good number of people have been victims where PII is handed to a company for a specific purpose and who ends up selling to another entity.

A number of businesses in Nigeria do not respect data protection, largely because they are uninformed, do not care or simply ride on the inelegant horse of absence of legislation. The lack of legislation puts a strain on consumers. It is well established that there is a black marketplace for buying and selling of personal data (they are popularly referred to as data brokers). The ethics and legality of data mining, and data scrapping is an ongoing debate, in practice the personal data could be misused. The Cybercrimes Act did not help by criminalising dealing in the sale of data, though makes interception of data punishable.

In a 2018 survey conducted by World Wide Web Foundation on personal data protection in Nigeria, the report shows Nigerians are concerned about the collection and use of personal data. The concerns include: that the use of personal data may be incompatible with the purpose for which it was collected; individuals have no rights in relation to the collection, use, and storage of their personal data; there is lack of transparency in the processing of data and there is little information about the processing of their data, how the data is stored and used, with risk of data breach; children are exposed to privacy risks; and Nigerians are not offered adequate opportunities to consent to or opt out of data collection.

The interest of commerce has to be balanced with privacy rights of individuals. The Nigerian Communication Commission had in 2016 banned network operators from sending unsolicited messages and calls to subscribers. However, the ban only affects Internet Service Providers (ISPs). This is nothing compared to the volume of PII publicly traded without constraints.

LESSONS FROM THE GDPR

Consent is one of the bases for processing personal data under the GDPR. There are stricter rules for obtaining consent under the GDPR and will be highlighted below.

• Consent must be freely given, specific, informed and unambiguous. The purpose for which consent is sought must be expressly stipulated. According to Recital 32 of the GDPR “when the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

This is a way for data subjects to signify agreement to the processing of personal data that relate to them and this can be done by a statement or by a clear affirmative action.

Recital 42 provides that data controllers should “ensure that the data subject is aware of the fact that and the extent to which consent is given” For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

• A request for consent must be intelligible and in clear, plain language. The common practice of using pre-ticked boxes and inactivity will not be adequate as consent. According to Jon Baines, “consent must also now be separable from other written agreements, and in an intelligible and easily accessible form, using clear and plain language. For instance, if individuals are asked to give consent to the use of their property and in addition consent to the processing of their personal data is requested, the consent request with regard to the processing must be distinguishable from the other type of consent request
• Consent can be withdrawn at any time. Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing. If you give consent to the processing of personal data, it does not mean that your personal data can indefinitely be processed. Data subjects may withdraw their consent at any time, but the processing taking place before the withdrawal is still considered lawful.

• Consent for online services from a child under 13 is only valid with parental authorisation. The processing of personal data of a child can be lawful if the child is at least 16 years old. If a child is younger than 16 years, the processing can be considered lawful only when consent is given and authorised by the parent or legal guardian of the child.

• Organisations must be able to evidence consent. Whenever a controller relies on consent as a basis for processing, the controller bears the burden of demonstrating that consent was obtained lawfully according to the principles above.
• Recital 43 provides that there is no valid consent when there is an imbalance between data subject and controller. This is instructive for employers processing data of employees. Employers should find another lawful basis for processing personal data outside consent.
• Furthermore, Recital 51 designated certain species of personal data as sensitive personal data. According to Article 9, Sensitive personal data requires a higher level of consent – “explicit” consent – for the processing of “special categories of personal data.” These special categories relate to personal data that are “particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “deserve specific protection.” They include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

CONCLUSION

Interestingly, the EU GDPR applies to individuals and organisations outside the EU processing personal data in the EU regardless whether such individual or organization maintains a physical office in the EU or otherwise.

This is a wake-up call to individuals and organizations collecting and processing personal data of people to model their compliance with the GDPR. More instructively, those processing data emanating from the EU to avoid running afoul of the GDPR to avoid the sanction, reputational loss and loss of confidence. However, those not within the whims of the GDPR should act responsibly with personal data of data subjects and this will position them for a global competitive advantage too.

There is an urgent need for a data protection framework that will give individuals rights to seek legal remedy for misuse or unauthorised use of their personal data. The law should also mandate the use of data for the purpose for which it was collected, and consent should be obtained before collecting the personal data of an individual. Companies will need to have legal practitioners draft privacy notice and policy that mirrors their business model and build a privacy conscious culture.