An Exposé of the Concept of Consent and Third-Party Contracts

Introduction

In the fast-growing digital economy, data protection has become a national topic of discourse. Many organisations rely on data to improve the quality of the goods or services they render, thus positively impacting their profit margin. However, certain data are personal to individuals, such that unauthorised access poses a risk to the individual's business and personal life. This article gives a comprehensive yet concise analysis of the concept of consent as a lawful basis for obtaining personal data, as well as the meaning of a third-party contract and its effect on data privacy. It closes with a short conclusion and recommendations that will shape the future of Nigeria’s digital space.

The Extant Data Privacy Laws in Nigeria

The Nigeria Data Protection Act 2023 (signed into law by President Bola Ahmed Tinubu on June 12, 2023) stands out as a groundbreaking piece of legislation for the protection of personal data. Prior to its enactment, the prevailing legislation guiding the protection and security of data processing was the Nigeria Data Protection Regulation 2019, issued by the National Information Technology Development Agency (NITDA) under the powers conferred by the NITDA Act 2007.

This significant piece of legislation specifies salient fair information principles and obligations for data controllers and processors, emphasising transparency, accountability, and most importantly, the consent of data subjects. 

What is Consent?

Generally, according to contemporary English definitions, consent is simply permission or agreement for something to be carried out. When a person consents to a particular act, it means that power is being conferred on another person to do something without any hindrance. 

According to the General Data Protection Regulation (EU) 2016/679, ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The interpretation section of the Nigeria Data Protection Act 2023 aligns with this definition, as it defines consent as:

“Any freely given, specific, informed and unambiguous indication whether by a written or oral statement or an affirmative action of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the permission to provide such consent.”

The highlight of this definition of consent is its characteristic of liberty, which means that it must not be coerced or given under uncomfortable or predetermined circumstances. As stated in the guidelines on consent under the regulation, “if consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given”.

The guidelines to the GDPR also envisage situations where there is a power inequality between the data controller and the data subject (the individual), giving special reference to government authority and the high probability of consent not being freely given in all the circumstances of the data process. A prevalent example is the employer-employee relationship where there is unequal bargaining power and consent is usually not a viable lawful basis for data processing.

The guidelines go further to state that consent is presumed not to be freely given in a situation where it is not required for several data processing operations even though such consent is hinged on the performance of a contract or the provision of a service. This means that the guidelines require consent to be sought and freely given at “every” point of data processing, with no exceptions whatsoever. In the wording of Recital 32 of the GDPR, “when the processing has multiple purposes, consent should be given for all of them”.

The second characteristic of consent is that it must be specific. Specific means that the consent should point to a direct affirmation of, and agreement to, the use of one’s data. Descriptively, it could take the form of ticking a box or clicking a button with the words “I Accept/Agree”, “I have read the terms and conditions”, “I Accept the terms and conditions”, etc. It is not specific when the boxes have been previously ticked, and it is also coerced where the user has no other choice than to click on the button.

Going further, the consent must be informed, and this requirement places a responsibility on the data controller to provide the following information:

  • The identity, residence or place of business of the controller/representatives.

  • A specific lawful basis for the data processing.

  • Individuals who would receive the data.

  • All rights of the data subject (including the right to lodge complaints at the Commission).

  • How long the data will be retained.

It’s also important to note that consent can be withdrawn at any time. The NDPA imposes an obligation on the data controller or data processor (as applicable) to inform the data subject of his or her right to withdraw consent before going on to grant consent.

In summary, all facts surrounding or related to the data being processed should be laid bare before the data subject clearly and explicitly to enable the data subject to make an informed decision as it relates to the data being required of him. This is usually done by codifying all the information in a data protection policy or Data Protection Agreement (DPA). The agreement should be drafted in an “intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.” 

Third-Party Contracts

Under the General Data Protection Regulation (GDPR), a third party refers to any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

When entering into third-party contracts, several privacy concerns are raised. This is because a novel entity is being introduced into the data processing equation and the actions and inactions of the entity will affect the privacy and security of sensitive data collected. The following are key points to note when sharing personal data with a third party.

  1. Consent: Under the Nigeria Data Protection Regulation, the third party is required to comply with the terms of the written contract between the data processor, the data controller and the data subject. This includes adhering to existing Data Protection Agreements that govern the manner in which consent is obtained and the access granted to the data controller.

  2. Compliance Requirements: Under the NDPA 2023, if a data controller or processor desires to engage a third party to process personal data, they are required to ensure that the third party strictly adheres to the provisions of the NDPA 2023. Third parties are equally required to continue the cycle of data protection to ensure that there is no loose end in preserving privacy and ensuring the security of the personal data of individuals and corporations.

  3. A Functional Data Processing Agreement: Organisations often need to share and transfer data to various third-party vendors and contractors and this transfer poses many privacy risks which necessitates the drafting and management of a functional data processing agreement. The Data Processing Agreement will stipulate the method used in securing the shared data, how long the shared data is to be retained, the technology used in deleting the data after conclusion of the contract, breach notification provisions, technological and organisational measures, security measures put in place for data protection etc.

  4. Data Access and Storage: It is necessary to properly define what data is being shared with the third party and who will have access to the data. Sensitive data should be accessed only by the parties required to process it. The third party should also ensure that personal data is stored securely. Most of the time, cyber-attacks occur at a weak link, where privacy precautions may not be taken seriously. Hence, third-party contracts should be taken seriously to ensure that the key is not left at the door.

Conclusion/Recommendations

In order to ensure that the privacy of data subjects is guaranteed and protected, all parties should be committed to complying with data privacy and protection laws. This commitment revolves around adequate training of personnel, periodic assessment of compliance and review of data protection policy.

It is also necessary to have a data privacy deed of adherence that will be signed by all parties that join the data processing transaction. This provides a tidy mechanism for ensuring compliance with the existing data privacy and protection policy of the organisation.

There are penalties for default in complying with this new legislation, and digital rights are gaining ground in the face of technological advancements; hence it is worthwhile for an organisation to invest in data privacy compliance. It boosts the image of the organisation, making it attractive to potential clients and investors, and creates an enabling environment for accelerated growth.

References

1. Cambridge Dictionary, “Meaning of Consent in English” https://dictionary.cambridge.org/dictionary/english/consent accessed on 10 September 2023.

2. Recital 42 and 43 of the EU General Data Protection Regulation 2016.

3. Article 4(10) of the EU General Data Protection Regulation 2016.

4. Nigeria Data Protection Act 2023.

5. Nigeria Data Protection Regulation 2019.

6. Article 2.7 of the Nigeria Data Protection Regulation 2019.

7. Ian Commins, “Data Sharing and Third Parties: Questions to ask before sharing personal information you’ve collected” (2022) https://privacy108.com.au/insights/sharing-data-with-third-parties/ accessed on 10 September 2023.


This post is for general and educational purposes only and does not constitute legal advice. Consult a legal practitioner for specific guidance.

Super impressed with how you turned a frustrating moment into an educative story on data privacy. It shows your keen observation skills. You could explore cybersecurity to deepen your understanding of protecting personal information in the digital age. Ever thought about merging your law background with tech to specialize in cyber law or data protection? What are your career goals in the legal field, especially considering your interest in technology? Your insight into data privacy is crucial and could pave the way for important conversations in tech and legal circles.


A well composed work and a good read. Well done Ife.

Elias Olawale A.

Behavioral Psychologist | Systems Scientist | Creative Writer/SEO | Business Developer | Sales Associate

1y

I enjoyed your write-up. My issue with policies, especially in this country, is the fact that there’s no assurance of their being enforced; therefore boundaries can never be fully respected, just as you explained in the write-up above concerning your friend. My question is, how do we make sure policies and regulations are enforced in an unregulated and adulterated environment?

Adetola Fatoke

Lawyer | Data Protection, Privacy and Cybersecurity (GRC)/ Cybergirl 3.0 | AI Governance | Tech Law, Contract & Policy | Research

1y

A beautiful exposition of the concept of consent in data processing. Well done, my friend!

Adetola Fatoke

Lawyer | Data Protection, Privacy and Cybersecurity (GRC)/ Cybergirl 3.0 | AI Governance | Tech Law, Contract & Policy | Research

1y

Such an interesting caption, the article is more interesting itself.
