Lawful Bases for Processing Personal Data in Nigeria
Article 2.2 NDPR listed the grounds upon which the processing of personal data may be undertaken on lawful bases. It provides that processing shall be lawful if it is on the basis of at least one of the following grounds: (a) consent of the data subject has been obtained (b) where processing is necessary for performance of contract between the data subject and the controller or in order to take steps at the request of the data subject prior to entering into a contract (c) where processing is necessary for compliance with a legal obligation (d) where processing is necessary to protect vital interest of the data subject or another natural person(e)where processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority. Unlike Article 6 (f) General Data Protection Regulation, NDPR did not provide legitimate interest as a basis for processing personal data in Nigeria.
Why Is Legitimate Interest Important to Data Controllers?
Oftentimes, data controllers tend to process personal data to carry out business or professional related activities that may not fall within the purview of the other lawful bases but for their own- or third-party legitimate interests. In these circumstances legitimate interest becomes their legal ground provided they balance the interest with that of the data subject. Therefore, legitimate interest is very important to data controllers because it is more flexible than the other lawful bases and could apply in a wide range of circumstances once the balancing test is met.
Assessing Legitimate Interest for Use
The law provides that the legitimate interest pursued by the controller must not be overridden by the interests and fundamental rights and freedoms of the data subject which require protection. To ascertain whether or not the interest of the controller is overridden by the rights and freedoms of data subject, the controller has to conduct legitimate interest assessment which may be broken down into three tests : purpose test, necessity test and balancing test.
The controller has to access the purpose of the intended processing to ascertain whether it falls within legitimate interest. As a matter of fact, legitimate interest may include a wide range of interest ranging from personal interest to third parties’ interest, commercial interest as well as societal benefits. Thus, a controller may rely on legitimate interest for the purpose of processing client or employee data, marketing purpose, fraud prevention, intra-group transfer or IT security or for the purpose of disclosing information about possible criminal act or security threat to the security etcetera.
The controller should access if the processing activity is the only reasonable and proportionate means of achieving the purpose. Where the purpose of the processing can be achieved by alternative and less intrusive means, legitimate interest may not be the appropriate lawful basis.
The controller must, before relying on the legitimate interest, balance the controller’s interest and that of the data subject. In other words, the processing activities must not be such that will cause harm to the interest of the data subject. Also, the data subject should reasonably expect the controller to use the personal data. However, the interest of the controller may override data subject’s interest although the processing maybe adverse provided there is a clear justification of such impact on the data subject.
Can A Controller Still Rely on Legitimate Interest in Nigeria?
A straight theoretical answer will be no because the NDPR omitted legitimate interest as a lawful basis. However, in practice, it is inevitable controllers must rely on legitimate interest in certain circumstances. The fact that certain processing activities may not fall within the listed lawful bases in Article 2.2 makes reliance on legitimate interest certain and a matter of business decision which aligns with the Nigeria vision of ease of doing business. Even the NDPR in its objectives aims to facilitate business transaction and make Nigerian business competitive in international trade . A practical way out of this hurdle will be for the controller to reach out to the Nigerian Data Protection Bureau (NDPB), the Regulator either through the Data Protection Officer with evidence of legitimate interest assessment to show the need for reliance on legitimate interest and that the processing activities will not be detrimental to the rights and freedom of data subjects and that undertaking such processing is the only reasonable and proportionate way to achieve the purpose and keep the business floating.
Legitimate interest is such an important aspect of lawful bases that controllers cannot do without to keep the business a going concern. It’s omission in the NDPR is bad on its own but not irredeemable. The regulator should either issue guideline to address this flaw or be ready to approve controllers who show adequate mechanism to protect the rights and freedom of data subjects. This is even so as complying with the lawful bases does not in itself guarantee protection of personal data.
Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)