Yes, No or Maybe? The Dos and Don’ts, and Importance of Consent in Data Processing and Protection By Similoluwa Opayemi
Most data protection laws include consent as one of the lawful bases for processing a data subject's information. The other bases are performance of a contract, legitimate interest, vital interest, a legal obligation and public interest.
While the other bases are less ambiguous and require minimal involvement from the data subject, consent requires the data subject to take an affirmative decision before their data can be lawfully processed. For this reason, consent must be clearly defined and properly obtained, or the processing that relies on it is unlawful.
What is Consent?
According to the Merriam-Webster Dictionary, consent can be an output or an action. Consent as a noun means “agreement as to action or opinion”, while consent as a verb means “to give assent or approval”.
Black’s Law Dictionary defines consent as “agreement, approval, or permission as to some act or purpose, especially given voluntarily by a competent person.” It is also defined as “legal effective assent”.
Read together, these definitions show that valid consent is the product of a conscious decision and requires an affirmative act. A person must therefore know what they are consenting to before they can decide. Conversely, valid consent is never the product of inactivity: it requires free will and a communication of that will by the person giving it.
The Relevance of Consent in Data Protection Framework
Since the onset of modern civilization, privacy has been an important and sacrosanct concept across societies. The right to privacy is recognized and protected by most constitutions and is considered a fundamental human right.
Consequently, whenever an individual's unique and identifiable information is collected, exchanged, transferred or stored in a medium (collectively known as data processing), there is an expectation of privacy and protection, and measures must be put in place to ensure the security of that information.
As mentioned earlier, consent is one of the lawful bases for processing the information of data subjects. In practice it is the fallback or last-resort option, used only when no other lawful basis is appropriate.
Because consent is determined by the data subject, it must be obtained before any processing begins and must comply with the relevant data protection laws.
Public authorities, employers and other organizations that manage data should therefore avoid relying on consent unless they are certain they can demonstrate that it was freely given. In particular, consent cannot be made a precondition of a service, since a data subject who must consent to obtain the service has not consented freely.
The 2019 Nigeria Data Protection Regulation and the 2020 Data Protection Bill on Consent
Where consent is the basis for data processing, the extant Nigeria Data Protection Regulation stipulates that the “data controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence”.
It should be noted that this is the only general regulation on data protection applicable in Nigeria until the draft Data Protection Bill is passed into law.
Nevertheless, the draft Data Protection Bill has a robust discussion on consent. Consent, under the Bill, is defined as “any freely given, specific (relating to such separate purpose) informed and unambiguous indication of the data subject’s wishes by which he, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him.”
Furthermore, the Bill makes provision for data processing based on consent and stipulates the requirements to lawfully process data based on consent. These requirements include:
- The data controller must show evidence of consent from the data subject;
- The consent must be communicated freely and clearly by an affirmative statement either in writing or orally;
- Silence and inactivity cannot be considered as consent;
- The data subject must be informed of their right to withdraw consent; and
- If a data subject withdraws consent, it does not affect the lawfulness of data processing before the withdrawal.
These requirements mirror the EU GDPR requirements that have become the standard for data protection regulations around the world.
The collection and processing of consumers' data is a focus of regulators worldwide. This is unsurprising, considering that five of the six largest companies in the world (Apple, Microsoft, Amazon, Google and Facebook) deal in and profit from processing the data of their consumers, and all of them have faced regulatory inquiries and fines in recent years.
Nigerian businesses should expect the same in the coming years, as the regulators wake up to the reality of protecting the data of Nigerian citizens. The Nigeria Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA) in 2019, is just the beginning.
It is laudable that the Nigerian authorities, through their laws and various regulations, are taking bold steps to protect the personal data of the country's citizens.
The recent case between NITDA and Truecaller (2019) is a well-known instance of a regulator protecting users in Nigeria. MTN Nigeria Communications Ltd v Barrister Godfrey Eneye (2013) is another. You cannot afford to be left behind.
Practical Tips to Properly Obtain Consent
Given the provisions of the regulation and the draft bill, the following are recommended to ensure that consent is properly obtained for lawful data processing:
- The data controller should give the data subject a clear explanation of the nature of the processing activities and of the parties involved in the processing, so that the data subject can make an informed decision on whether to consent to the processing of their data;
- As a good record practice, consent should be in writing;
- Consent forms should avoid pre-ticked options and should be in plain readable language;
- Consent must be attached to a specific purpose or processing activity;
- Consent must be voluntary and on an “opt-in” basis;
- The data subject should be informed of their right to withdraw consent at any stage;
- The data controller should keep a log of each consent, the surrounding information (what was shown, when, and how the consent was captured) and any withdrawals, so that consent can be demonstrated if challenged;
- The data controller should keep its consent procedures up to date and notify affected parties of changes in the laws and in its procedures on consent.
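The tips above, together with the Bill's requirements that silence is not consent, that consent is purpose-specific and that withdrawal does not undo the lawfulness of earlier processing, describe a record a controller has to be able to produce. The following is an added example, not code from the article or from Youverify, of an append-only consent ledger that captures those rules: every opt-in and withdrawal is logged with its time and source, a pre-ticked box is refused outright, and the lawfulness of a processing event is checked against the state of consent at the time of that event rather than at the time of the query. The subject identifiers, purpose names, notice version and timestamps are constructed for the demonstration.

```python
"""Illustrative consent ledger (added example; not the article's or Youverify's code).

Assumed for the example: purposes are free-form strings, and timestamps are
timezone-aware UTC datetimes supplied by the caller, so the demo is
deterministic and runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # consent is bound to one specific purpose
    given: bool          # True = affirmative opt-in, False = withdrawal
    at: datetime         # when the act took place
    source: str          # how it was captured, e.g. "signup form v2"
    notice_version: str  # which privacy notice the subject was shown


class ConsentLedger:
    """Append-only log of consent events; nothing is ever edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, at: datetime,
                      source: str, notice_version: str,
                      pre_ticked: bool = False) -> None:
        # A pre-ticked box is not a clear affirmative action, so refuse to log it
        # as consent at all rather than store something we could not rely on.
        if pre_ticked:
            raise ValueError("pre-ticked option is not valid consent")
        self._events.append(
            ConsentEvent(subject_id, purpose, True, at, source, notice_version))

    def record_withdrawal(self, subject_id: str, purpose: str,
                          at: datetime, source: str) -> None:
        self._events.append(
            ConsentEvent(subject_id, purpose, False, at, source, ""))

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent for this purpose in force at time `at`?

        Replays the log up to `at`, so a later withdrawal does not
        retroactively make earlier processing unlawful, and absence of any
        event (silence) yields False.
        """
        in_force = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                in_force = ev.given
        return in_force

    def audit_trail(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one subject, oldest first (for demonstrating consent)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def demo() -> dict[str, object]:
    """Constructed scenario: opt-in on 2 March, withdrawal on 3 March."""
    utc = timezone.utc
    before = datetime(2021, 3, 1, 9, 0, tzinfo=utc)
    opt_in = datetime(2021, 3, 2, 9, 0, tzinfo=utc)
    mid = datetime(2021, 3, 2, 15, 0, tzinfo=utc)
    withdraw = datetime(2021, 3, 3, 9, 0, tzinfo=utc)
    after = datetime(2021, 3, 4, 9, 0, tzinfo=utc)

    ledger = ConsentLedger()
    ledger.record_opt_in("subj-001", "marketing-email", opt_in,
                         "signup form v2", "notice-2021-01")
    lawful_before_withdrawal_logged = ledger.has_consent("subj-001", "marketing-email", mid)
    ledger.record_withdrawal("subj-001", "marketing-email", withdraw, "account settings")

    return {
        "silence_is_not_consent": ledger.has_consent("subj-001", "marketing-email", before),
        "lawful_while_in_force": lawful_before_withdrawal_logged,
        "purpose_specific": ledger.has_consent("subj-001", "profiling", mid),
        "after_withdrawal": ledger.has_consent("subj-001", "marketing-email", after),
        # Same query as above, re-run after the withdrawal was logged: still True.
        "past_processing_still_lawful": ledger.has_consent("subj-001", "marketing-email", mid),
        "audit_trail_length": len(ledger.audit_trail("subj-001")),
    }


def pre_ticked_rejected() -> bool:
    """A pre-ticked box must be refused, not stored as consent."""
    ledger = ConsentLedger()
    try:
        ledger.record_opt_in("subj-002", "marketing-email",
                             datetime(2021, 3, 1, tzinfo=timezone.utc),
                             "signup form v2", "notice-2021-01", pre_ticked=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("pre-ticked rejected:", pre_ticked_rejected())
```

The point of replaying the log rather than keeping a single "consented: yes/no" flag per subject is that the flag cannot answer the question a regulator actually asks, which is whether consent was in force when a particular processing event happened. The ledger also records the notice version and capture source, because "we have consent" is only demonstrable if you can show what the subject was told and how they agreed.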
Partnering with a certified provider is another way to protect yourself from processes that might count as infringements. For instance, Youverify has been awarded ISO 27018 and ISO 27001 certifications by the International Organization for Standardization. Such certification indicates that the company complies with international information security management best practices and maintains comprehensive security controls.
Outsourcing your identity management concerns to such a company gives you assurance of its commitment to quality, security and customer confidentiality, while you focus on your primary business.
Similoluwa is the In-House Counsel and Data Protection Officer at Youverify Inc. She can be reached at email@example.com.