NBA Elections: Addressing The Increasing Spate of Data Breaches and Privacy Intrusion
What is Happening?
“Okay so this is no longer funny and is a data protection issue. Who in the NBA released our phone numbers to candidates to keep disturbing us with campaigns?? It’s so annoying, I literally receive calls every hour. If this isn’t a breach of my privacy, I don’t know what is.” (via Twitter)
The above quote, from Twitter user @tunnie__, echoed the thoughts of thousands of other irritated persons who had recently experienced the same unpleasant situation in the wake of campaigns for the recently concluded NBA elections.
If you are a legal practitioner in Nigeria, chances are that prior to the election and even on the day, someone from an NBA candidate’s camp reached out to you via telephone calls, texts, WhatsApp or emails to ask who your preferred candidate was and ‘politely’ solicit your vote, on so many occasions as to border on harassment.
At some point, you may have wondered how this stranger got your contact details and shrugged it off, albeit with some nagging disquiet. You may or may not have realised then that the Nigerian Bar Association (“NBA”) has your personal information and may have shared it with certain third parties without your knowledge or approval.
Cold-calling and direct marketing of candidature is not a new phenomenon. It has become a norm with each election cycle, but if things were bad before, they are certainly worse now. The near-total digitalisation of the electioneering process due to the pandemic has amplified the use of this privacy-invasive mechanism.
Our findings in the past few weeks revealed that some persons (lawyers inclusive) were commissioned by their bosses and equipped with “surveillance” software to record telephone conversations on candidates of choice in real time and capture relevant details; an act that is not only criminal, but also constitutes a complete betrayal of trust and confidence, especially since Section 37 of the Nigerian 1999 Constitution guarantees the right to privacy, communications inclusive.
The barrage of intrusive calls, text messages and emails was not the only incident of privacy violation in the recent election cycle. In June, the NBA’s electoral committee published a list of accredited voters which included the full names, email addresses and phone numbers of thousands of lawyers on its publicly accessible online database.
Despite the ire it drew from several privacy conscious stakeholders, this list is still available online. Addressing the anomaly, Temitayo Ogunmokun, a Privacy & Data Protection Consultant with TechHive Advisory, a Lagos-based technology advisory firm, noted: “this is not a first time or one-off occurrence. The trend of publishing the personal information of thousands of members in the months leading to NBA elections on open access platforms with minimal or non-existent safeguards, started a couple of years ago. While the motive is in itself understandable, the execution leaves plenty to worry about, with grave and multifaceted implications. The NBA is a data controller by the definition of the Nigerian Data Protection Regulation and is bound by the obligations created in the law. Therefore, not only are data subjects exposed to potential physical and security attacks by such disclosures, the laid back approach of the organisation towards personal data management generally, especially considering its status as a strong professional body of lawyers, falls alarmingly short of the compliance requirements in the NDPR and global best practices in data protection”.
Temitayo further noted that an exhaustive notice highlighting potential and actual breaches and proposing practical recommendations was sent to the Electoral Committee of the NBA to remedy these violations. Some of the recommendations were implemented when a subsequent accredited voters list was published with only the full names of members and verification introduced.
The predominant legislation regulating the processing of the personal data of Nigerians is the Nigerian Data Protection Regulation (2019). In line with its stated objectives, the NDPR is intended to give Nigerians control over the processing of their personal data. It therefore requires that processing of personal data be undertaken on specific legal bases grounded in the law. Verification of voters is an essential process in any free and fair election, but there are less privacy-intrusive ways to undertake this.
Also, while campaigns are necessary for elections, sharing the personal information of NBA members with political candidates, with the consequence of making such members the targets of persistent calls, emails and messages, is contrary to the principles of necessity and proportionality and falls short of ethics and best practices. The situation is worsened by the absence of a mechanism for data subjects to exercise their right to object to the processing of their personal data for marketing purposes, in express violation of the law. Direct marketing calls or emails must be done in a responsible way and for a legitimate purpose. In this context, it requires the express consent of the affected data subjects, a requirement that was disregarded in this case.
Actual and Potential Risks Inherent in the NBA’s Disclosures
So, the NBA collects and processes its members’ personal information, yet no one can say with certainty how such personal information is processed or for what purposes; what safeguard mechanisms are in place (if any); and what third parties have access to such personal information. The publication of members’ full names, email addresses and phone numbers, and the proliferation of members’ contact information in the hands of candidates’ camps, could expose them to unintended and unpredictable abuse of both privacy and data protection rights. This exposes members to the danger of becoming victims of phishing, identity theft, cloning of their personal information to commit crimes, profiling for social engineering, and a barrage of unsolicited phone calls and emails that may interfere with their personal space.
According to Ridwan Oloyede, Privacy and Data Protection Partner at TechHive Advisory, “there is a clear violation of the principles of lawfulness, fairness, transparency, purpose limitation and data minimisation. It does not matter if the NBA claims it did not hand over these data to candidates directly. It is for the NBA to establish it has exercised sufficient technical and organisational measures to protect the confidentiality of members’ personal data.
Another unpredictable outcome is what happens to the data after the election? Will the candidates destroy it? Are they accountable for all the third parties that could have been exposed to it? What happens if a candidate contracted its PR to a marketing agency, who in turn decides to hawk or use these data for unrelated purposes?”… These are some of our concerns.
We could go on and on, but here is the point: by publishing the personal data of thousands of lawyers, the NBA may have unwittingly created the perfect recipe for a cyber-disaster. While many may be oblivious to the gravity of the unfortunate situation, the question is: are we really prepared for the wave of security and privacy risks that we have now been potentially exposed to by the actions of the NBA?
The year is 2020. Cybercrime is now more profitable than the global trade of all major illegal drugs combined; it will cost the world roughly $6 trillion by 2021. As privacy, data protection and security failures and threats multiply, we are continually being ‘seen’ in ways we never intended to be seen—the digital age equivalent of being caught naked. Yet, one of the greatest tragedies of our current way of life is the failure of our institutions (that should know better) to uphold, protect, and enforce basic fundamental rights.
What the Law Says
First, the NDPR requires processing to be lawful. To be lawful, it has to be done on a legal basis recognised under the Regulation. The NBA is far from compliant with this requirement and many others contained in the law. The organisation does not have a privacy notice to inform members of such legal basis, nor is the rationale for this available, among other things. Article 2.5 of the NDPR obliges the display of a simple and conspicuous privacy notice on the website or any other medium by which an entity collects and processes personal data.
This notice is required to show the legal basis for collecting the data, the type, purpose and means of storing the data collected, and other relevant information. Further, there is a violation of other cumulative principles of processing, e.g. data minimisation and purpose limitation. Similarly, the Court of Appeal in the case of EMTS v Eneye upheld the applicant’s right to privacy and stated that the sending of unsolicited messages is a violation of the right to privacy.
As previously highlighted, the disclosure of personal data of members of the Bar is a genuine cause for alarm because it poses grave privacy and security risks to members of the NBA and amounts to a violation of the Nigerian Data Protection Regulation.
The Uncomfortable Monologue
There is growing distrust and displeasure among lawyers, some of whom have expressed their views on social media.
For Bolanle Oduntan, a legal practitioner, “in the last 6 weeks, I have received more than a dozen calls from random individuals who call to confirm the identity of the receiver and then go ahead to introduce their candidates on whose behalf they called. I have also received countless text messages from aspirants on the registered phone number which I provided to the NBA. These calls and text messages are intrusive and clearly targeted as part of campaign mechanics of some NBA hopefuls.”
Unfortunately, we do not know the extent of the cold calling and emails referenced in this commentary. We cannot ascertain the scope of profiling and the volume of information available in databases maintained by the various NBA candidates’ camps.
The big question is: what happens to this information after the current election cycle? Will the Bar and candidates be held accountable? Will the next leadership fix this problem or continue to enable the abuse and misuse of members’ personal information and constitutional right to privacy? Are there sufficient safeguards in place to secure the personal information already littered in diverse silos?
The persistent refusal of relevant entities to comply with privacy laws is disturbing and constitutes a sufficient ground for the institution of infringement proceedings, complaints to the supervisory authority and sanctions against the NBA. If ignorance of the law will not excuse a layman from liability, then the NBA does not have any justification for its continuous violation of its members’ fundamental right. Bolanle concluded that, “it is unfortunate that the NBA is on the wrong side of the law with respect to the protection of its members’ personal details and information. That this information was provided to candidates, without the consent of individual members” or any other justifiable legal basis, “is wrong, illegal and a clear violation of members’ respective privacy.”
Conclusion: Time to re-educate ourselves
It appears we need to re-educate ourselves on the value of privacy and data protection. It is time the NBA, third parties, and political aspirants in the organisation, begin to take cognisance of their continuing violation of the constitutional right of Nigerians to be let alone and related obligations created in the NDPR. Indeed, it is an irony that an institution that ought to be a vanguard for the protection of human rights is the violator, and not awake to its compliance obligations under extant laws.
Congratulations to the new leadership, but it is a wake-up call to do the right thing. Finally, we should not stay quiet until someone seriously gets hurt. In the end, we all need to do more.
For context, the official websites of the NBA, the NBA Section on Business Law (SBL), the NBA Section on Legal Practice (SLP), and the Lagos and Port-Harcourt branches do not have a privacy notice. Members are left in the dark about the association’s transparency obligation under relevant data protection law. To give a clearer picture, the association’s website hosts a membership platform, legal mail, registration of events, a directory to find lawyers, a complaint channel to report erring members and other data processing activities. This is clearly a violation of Article 2.5 of the NDPR.
In addition, the website of the Lagos NBA branch makes the names, phone numbers and email addresses of members publicly available. This is information that can be mined by cybercriminals with ulterior motives. There are more privacy-preserving ways to do this.