There is a growing view that Section 37 of the 1999 Constitution (“Nigerian Constitution“) guarantees data protection as a fundamental right. In Re Incorporated Trustees, the Court reached the conclusion that “data protection is guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria”. In our view, this interpretation and the applicable submissions are questionable. What the Nigeria Constitution guarantees is not “data protection” as we understand it in modern regulatory terms, but rather data privacy in the narrow sense of confidentiality, albeit to a greater degree and within the context of security and integrity.
The difference between data protection and data privacy is not just academic. It has real legal and practical consequences.
What’s the Difference?
“Data protection” refers to the entire body of rules, standards, and obligations that govern how personal data should be collected, stored, processed, and shared. It includes requirements like (a) publishing a privacy policy on your website (b) appointing a Data Protection Officer (c) ensuring cross-border data transfer protocols (d) filing compliance audit reports.
On the other hand, data privacy, which we prefer to describe as confidentiality, is just one principle within the corpus of rules referred to as data protection and that is what Section 37 guarantees. The Constitution protects the private life of individuals, which includes the right to keep certain information confidential. It does not, however, create constitutional obligations around data processing policies, audit filing, or even cybersecurity controls.
The Consequences of Confusing the Two
If we treat every breach of statutory data protection obligations as a breach of constitutional rights, we risk (a) flooding the courts with claims that should be regulatory in nature (b) converting technical compliance failures into human rights violations ( c) undermining the proper role of the Nigeria Data Protection Commission (NDPC) (d) imposing an evidentiary burden on a constitutional court and most importantly, abusing the fundamental rights enforcement process.
Failure to display a privacy policy or appoint a data protection officer as was the allegation in Re Incorporated Trustees, is not a constitutional or fundamental human rights matter. It should be addressed through administrative tribunals or actions grounded on a breach of the Nigerian Data Protection Act, not by triggering a constitutional or fundamental human rights proceedings.
What Should Be Protected Under Section 37?
Only violations that touch on confidentiality, such as unauthorized disclosure of sensitive personal data, surveillance without legal basis, or interception of private communication, should reasonably qualify as breaches of Section 37. In our view, this is the true scope of constitutional data privacy. Every other principle of data protection should remain within the purview of regulatory compliance or grounded on a breach of the Nigerian Data Protection Act. In a case where a breach of confidentiality also bothers on security and integrity, we expect that this ought to be submitted first to an expert tribunal or to a High Court as a statutory matter and where considered necessary, subsequently, to the constitutional jurisdiction of the Federal High Courts.
It may make sense to resist the urge to constitutionalize every regulatory shortfall. It may sound progressive, but in reality, this approach, in our view, distorts data protection law and dilutes the foundational significance of constitutional law.
What do you think?
You may speak with our Technology and Data Protection lawyers, here: 08060817371 or via bhlegalsupport@balogunharold.com
