Nigeria Data Protection Regulation 2019 (NDPR) was established to regulate the collection and processing of personal data of natural persons in Nigeria and Nigerian citizens outside Nigeria. Amongst other things, NDPR seeks to safeguard personal data and prevent the manipulation of same. The NDPR identifies posts on social networking websites as one of the categories of personal data. This article analyses the regulation and classification of posts on social networking websites as personal data
Posts on Social Networking Websites
Under the NDPR, personal data was defined as:
“any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.”.
It is interesting to point out that posts on social networking websites are classified as personal data and are protected by the NDPR. Under the NDPR, processing means:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
The definition of processing is not exhaustive as it provides that processing may mean ‘any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means’. The import of the above provision is that use, adaptation, dissemination or transmission of posts on social media platforms by a person or organization can be regarded as processing. Hence, any processing of posts on social media by any person or organization must have a lawful basis. Albeit, resharing or reposting is not expressly mentioned by NDPR, the umbrella of the definition of processing is wide enough to cover resharing or reposting. However, It is not clear what the rationale was for classification of social media posts as personal data and whether resharing or reposting of social media posts can be regarded as processing.
The NDPR provides that personal data must be processed in a lawful manner. Section 2.2 of the NDPR provides that:
“processing shall be lawful if at least one of the following applies:
- the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Controller is subject.
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, and
- processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller.”
Let’s make use of a hypothetical case (which is actually an everyday occurrence); A tweets on Twitter and B retweets A’s tweets. By retweeting, B has processed A’s tweet. Recall that A’s tweets is protected as personal data under the NDPR. What will be the lawful basis for processing (retweeting) of A’s tweets by B?
In the event of a legal action by A, B can contend that A has given consent to Twitter under its terms of use and privacy policy for other users inclusive of B to retweet A’s tweets. After all, the NDPR provides that consent is a lawful basis for processing. Nonetheless, in a situation where A configures his/her account settings to prevent all other users from retweeting, and B screenshots A’s tweet and shares it by tweeting or posting it on other social media platforms, B might not have a successful defense predicated on consent.
Further, B might also be inclined to use contractual necessity as a lawful basis for processing if he retweets A’s tweets. Here, the contract (via Twitter’s terms of use and privacy policy) is between A and Twitter (Data Controller), and B will be regarded as a third party processor given that B also has a contract with Twitter. Again, B might have difficulties in defending a suit by A if retweeting/resharing is restricted by A and B tweets or posts a screenshot of A’s tweets.
Lastly, regardless of whether or not retweeting/resharing is restricted by A, B will be able to post/reshare A’s tweets to protect A or another natural person or to carry out a task in public interest i.e preclusion or reporting of a crime.
The main objective of the NDPR is to protect the privacy rights of Nigerians. Social media posts are not within the four corners of privacy, as such posts are within the public domain due to the advertent action of the person posting. Consequently, it should not be classified as personal data neither should resharing or reposting of a person’s post on social media be regarded as processing. Hence, regulation of social media posts is inconsequential.
Other Jurisdictions
The General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU). It regulates the processing of personal data in the EU and imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The GDPR which is the toughest privacy and security law in the world does not regulate social media or social networking posts. Personal data is defined in the GDPR as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.. Also, the definition of personal data in Data Protection Act 2018 (DPA) of the United Kingdom (UK) is an exact copy of the definition in the GDPR. Posts on social networking sites or social media are not encompassed under the GDPR neither is it covered under UK’s DPA. In fact, the GDPR provides that it does not regulate the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. The GDPR further provides that personal household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
Conclusion
Social networking sites are public spaces and it is not clear why the NDPR categorized posts on such sites as personal data, save to the extent that the contents of posts on social networking websites can identify a natural person or might be identifiable information. Indeed, the GDPR which is widely regarded as the best data protection law excludes social networking and online activity from its purview. A person making a post on social media should be willing to bear the consequences of his actions considering that such posts form part of the public domain. Regulation of posts on social networking sites is not necessary and the exclusion of same from the NDPR is recommended.
