On July 6, 2023, BIXO Academy hosted a forward-thinking Twitter Spaces conversation titled “Protecting Privacy in the New Era of AI”. This Space assembled an eclectic mix of professionals with expertise in law, technology, and privacy, fostering an enriching environment for intellectual exploration and exchanging ideas around AI and privacy. Among the thought leaders sharing insights was Afolasade Banjo, a talented Associate at Broderick Bozimo and Company. This recap provides a concise yet comprehensive overview of the critical legal questions and solutions explored during this enlightening event.

What fundamental privacy laws and regulations should companies and individuals be aware of?

Navigating data privacy requirements can be daunting, given their multifaceted and diverse nature across various jurisdictions. In Nigeria, two fundamental aspects form the foundation: the Nigerian Constitution and the more recent Nigerian Data Protection Act of 2023. The Constitution, particularly Section 37, enshrines a citizen’s right to privacy, establishing the initial legal framework for privacy. The Nigerian Data Protection Act of 2023 regulates the processing and safeguarding of personal data (information that can be used to identify a specific individual). Although the Nigerian Data Protection Regulation of 2019 has been partially integrated into the 2023 Act, it still holds relevance and should not be disregarded.

Businesses operating within or in conjunction with entities in the European Union must pay attention to the General Data Protection Regulation (GDPR). This Regulation sets out guidelines for data protection and endows individuals with certain rights related to their personal data.

The United States, on the other hand, takes a sector-specific approach to privacy laws, with different laws governing various types of data. Notably, the Health Insurance Portability and Accountability Act (HIPAA) oversees healthcare data, the Children’s Online Privacy Protection Act (COPPA) caters to children’s data, and the California Consumer Privacy Act (CCPA) establishes privacy rights specifically for residents of California.

Additionally, we must not lose sight of the forthcoming AI Act proposed by the European Union, which aims to regulate artificial intelligence systems. This new regulation underscores the increasing intersection of privacy laws and AI.

Keeping pace with these evolving privacy laws and regulations is paramount for businesses and individuals. These laws can change swiftly and vary significantly from one jurisdiction to another, making it critical to stay updated to maintain continuous legal compliance.

What is the importance of a Privacy Policy under the Nigerian Data Protection Regulation of 2019?

A privacy policy is a crucial element in collecting and processing personal data, according to the Nigerian Data Protection Regulation (NDPR) of 2019. This Regulation, encapsulated in paragraph 2.5, essentially states that any organisation or platform collecting personal data must have a comprehensive privacy policy.

For those unfamiliar with the term, a privacy policy is a statement or legal document that discloses how an organisation collects, uses, discloses, and manages a customer or client’s data. It’s a fundamental tool in the data protection landscape that informs individuals about their data rights and how their data is handled.

In the context of the NDPR, the privacy policy must be clear, readily accessible, and easily understood by individuals, often referred to as data subjects in legal terms. The Regulation outlines specific information that must be included in the policy, such as what data is being collected, how it’s being used, and the measures taken to protect it. However, the list is not exhaustive. Data controllers – the individuals or entities determining the purposes and means of processing the personal data – are encouraged to add any additional relevant information that helps make their data handling practices transparent and understandable to the data subjects.

How has the notion of consent in data collection shifted? What entails informed consent in this process?

The notion of consent in data collection has progressively evolved to be more participatory and informed. Where consent might once have been implicitly assumed or derived from passive actions such as pre-ticked boxes, contemporary advancements in technology and data protection laws have caused a paradigm shift in how consent is obtained.

In Nigeria, the Data Protection Act of 2023 mandates that the data subject explicitly provide consent, whether written, oral, or electronic. The Nigerian Data Protection Regulation of 2019 further amplifies this by specifying what ‘informed consent’ entails. In essence, it necessitates that the party collecting the data, known as the data controller, disclose the purpose of data collection and ensure that data subjects can retract their consent at any point in time.

Similarly, in Europe under the GDPR and certain regions of the U.S. under the CCPA, transparency and lucid communication about the objectives of data collection are paramount. Consent should be expressed via a clear affirmative action, and withdrawing consent should be as straightforward as giving it.

Crucial elements to bear in mind about consent include the necessity for legal capacity to give consent, the requirement for clarity and assertiveness in providing consent, the obligation to inform about the purpose of data processing, the right to rescind consent at any point, and the responsibility of data controllers to erase personal data upon the withdrawal of consent unless there exist legitimate reasons for further processing.

What role does data anonymisation play in privacy protection, and how does it work in practical terms?

Data anonymisation is a process that transforms personal data into a format that can’t be linked back to an individual, thus preserving privacy. For businesses, data anonymisation offers a method to harness and disseminate data without disclosing personal information, thereby aligning with privacy regulations like Nigeria’s Data Protection Act of 2023.

Nonetheless, it’s crucial to underscore that anonymising data does not absolve businesses from their other data protection obligations. They must still have a valid legal basis for processing the data, which could be explicit consent or a legitimate business interest. Various techniques, including pseudonymisation (replacing identifiable information fields with artificial identifiers or pseudonyms) or encryption (converting data into a code or cypher to prevent unauthorised access), can be harnessed for data anonymisation, each presenting unique benefits and considerations.
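
The pseudonymisation described above, as an added Python example that is not part of the original recap: identifier fields are replaced with keyed HMAC-SHA256 pseudonyms, and a plain unkeyed hash is shown for contrast. The field names, key and records are constructed for illustration.

```python
import hashlib
import hmac

# Fields treated as direct identifiers (an assumption made for this example).
IDENTIFIER_FIELDS = ("name", "email", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same value and key, not computable without the key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace identifier fields with pseudonyms; keep the other fields as they are."""
    return {
        field: pseudonym(value, key) if field in IDENTIFIER_FIELDS else value
        for field, value in record.items()
    }


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown only for contrast: anyone can recompute it."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()[:16]


def relink(pseudo: str, candidates: list, hasher) -> list:
    """Return the candidates that hash to the pseudonym under the given hasher."""
    return [c for c in candidates if hasher(c) == pseudo]


# Constructed sample data, not real people; the key is a placeholder.
KEY = b"example-key-store-this-separately"
RECORDS = [
    {"name": "Ada Obi", "email": "ada@example.com", "phone": "0800-000-0001", "plan": "basic"},
    {"name": "Ada Obi", "email": "ADA@example.com ", "phone": "0800-000-0001", "plan": "premium"},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(pseudonymise(r, KEY))
    guesses = ["bob@example.com", "ada@example.com"]
    print("unkeyed re-link:", relink(unkeyed_hash("ada@example.com"), guesses, unkeyed_hash))
    print("keyed, wrong key:", relink(pseudonym("ada@example.com", KEY), guesses,
                                      lambda v: pseudonym(v, b"other-key")))
```

The same person maps to the same pseudonym in both records, so the data can still be joined and analysed; because the key holder can recompute pseudonyms and re-link them, the key should be stored apart from the pseudonymised data.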

In instances where AI breaches privacy laws, who is held accountable?

The attribution of liability in cases where AI infringes privacy regulations is often convoluted. Typically, the accountability falls on the shoulders of the organisation that deploys the AI instead of the AI system itself. The deploying organisation, acting as the data controller, is responsible for how personal data is processed and for any actions implemented by the AI system. However, if the breach emanates from a defect in the AI’s design, the entity responsible for creating or developing the AI might also face liability.

Internationally, the legislation about AI liability diverges. Regulations such as the GDPR in the EU and the CCPA in the US predominantly cast the onus on corporations for any data breaches involving AI systems.

Recent legal battles, like the defamation case brought against OpenAI, underscore the ongoing dialogues and challenges surrounding the question of AI liability in the context of privacy laws. For an in-depth exploration of the OpenAI defamation case and its ramifications, we recommend reviewing our analysis in the piece entitled OpenAI Lawsuit: Unpacking AI Liability for Tech Companies.

What should be the core data privacy best practices for businesses and individuals?

Businesses can sidestep punitive measures and simultaneously cultivate customer trust and loyalty by placing a high premium on data privacy. Adopting best practices is crucial in the dynamic landscape of technology and AI, where privacy standards continually evolve. Here are several measures worth considering:

Transparent and Effective Consent Management: Actively procure clear and informed consent from users. This involves educating them about how their data will be used and providing a straightforward mechanism for them to withdraw their consent.

Data Minimisation: Aim to collect only the data that is strictly necessary. This approach minimises risks and simplifies data management.

Cryptography: Deploy advanced cryptographic techniques such as pseudonymisation to render data incomprehensible to unauthorised parties.

Differential Privacy: This mathematical technique allows the use of data while maintaining individual privacy by introducing random ‘noise’.

Regular Data Protection Impact Assessment: Continuously monitor and evaluate potential data risks and breaches to ensure prompt and effective responses.

Cultivation of a Privacy Culture: Instil a corporate culture where privacy is valued, understood, and embedded in the organisation’s policies and actions.

Innovative Privacy Design: Investigate emerging technologies like blockchain for secure data storage and transfer or AI-powered tools for identifying privacy risks.

Active Legal Engagement: Cultivate relationships with legal professionals to navigate the intricacies of data privacy and stay updated about legislative changes.

We encourage you to explore our AI Legal Audit Checklist for a more in-depth understanding and comprehensive solutions.

How is legislation likely to evolve in response to advances in technology?

While predicting the precise trajectory of technology and legislation is a complex task, we can still make a series of educated predictions:

Increased Global Integration: A trend towards more unified global privacy standards could simplify business compliance and offer consistent consumer protection across borders.

Bolstered Protection Mechanisms: Future legislation may amplify safeguards against AI misuse, including stricter regulations on obtaining consent, the use of personal data, the transparency of automated decision-making processes, and the clarification of what constitutes personal data.

Addressing Emerging Technologies: Legislative frameworks will need to evolve to tackle the unique challenges posed by advancements in biometrics, quantum computing, and synthetic media.

Stricter Enforcement and Penalties: Future legislation may augment the severity of punitive measures for non-compliance, possibly imposing more significant fines or even criminal penalties for serious data breaches.

AI and Machine Learning Regulations: We may see the formulation of explicit regulations focusing on transparency in algorithmic processes, standards for AI decision-making in critical areas, and provisions addressing concerns related to autonomous systems.

Expansion of Individual Data Rights: We could see a continuation of the trend towards data ownership models, which would grant individuals increased control over their data and potentially enable them to monetise it.

Disclaimer: The information provided in this recap is for general informational purposes only and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this recap without seeking legal or other professional advice.

Should you find this article insightful and have further inquiries, or if you need assistance navigating the legal aspects of AI deployment, please do not hesitate to contact our specialised team via legalAI@broderickbozimo.com. We would be delighted to guide you through these processes and address any areas of concern.

Isaiah Bozimo

Partner

Afolasade Banjo

Associate