Background

In today’s digital economy, data has emerged as one of the most valuable assets, driving business strategies, enhancing customer experiences, and unlocking new revenue streams. This includes various types of data such as demographic information, customer or business contact information, geographical location information, user data, internal metrics, market research, historical data and future projections, weather patterns, and transportation routes.

Overview of Data Monetization Practices

Data monetization refers to the process by which companies generate revenue from data. This practice has become increasingly prevalent across various industries in Nigeria. However, as companies leverage data to boost their bottom line (profit making), they must navigate a complex landscape of legal and ethical considerations to ensure that data privacy rights are respected.

In Nigeria, data monetization practices are commonly seen in sectors such as telecommunications, banking, and e-commerce. For example, telecommunications companies may sell anonymized customer data to advertisers, while e-commerce platforms might use purchasing patterns to offer personalized product recommendations. Financial institutions also leverage customer data to create tailored financial products and services.

Legal Boundaries of Data Monetization in Nigeria

The legal framework governing data monetization in Nigeria is primarily shaped by the Nigeria Data Protection Act (NDPA), 2023 enforced by the National Data Protection Commission (NDPC). The NDPA sets out stringent guidelines on the collection, processing, and sharing of personal data, with the overarching goal of safeguarding individuals’ privacy.

Additionally, Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) serves to protect citizens’ privacy rights, covering their correspondence and communications.

Key legal boundaries for data monetization by Nigeria Companies include:

Lawful Basis for Data Processing

Consent: Companies must obtain explicit, informed, and freely given consent from individuals before using their personal data for any monetization purposes. This involves securing clear and unambiguous consent from data subjects[1].

Contractual Necessity: Data monetization may be permitted if it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract[2].

Legal Obligation: Data may be monetized if it is necessary for compliance with a legal obligation to which the data controller is subject[3].

Legitimate Interests: In certain cases, data may be processed for the legitimate interests of the data controller or a third party, provided that such interests do not override the rights and freedoms of the data subject[4].

Transparency and Disclosure Requirements[5]

Privacy Policy: Companies must maintain a clear and comprehensive privacy policy that informs data subjects about the purposes for which their data will be processed, including whether it will be monetized. This policy should be easily accessible and understandable.

Data Subject Rights: Data subjects have the right to be informed about how their data is being used, including whether it is being sold or shared with third parties. They also have the right to access, rectify, or erase their data, as well as to object to or restrict its processing.

Data Minimization and Purpose Limitation[6]

Specific Purpose: Data should only be collected and used for specific, explicit, and legitimate purposes. Monetization must align with the purposes for which the data was originally collected.

Data Minimization: Organizations should only collect the data that is necessary for the intended purpose. Excessive data collection for the sole purpose of monetization may be considered a violation of the NDPA.

Data Security and Breach Notification

Security Measures: Companies involved in data processing or the control of data must implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include protecting systems from hackers, setting up firewalls, secure data storage, access control, data encryption, and continuous capacity building for staff[7].

Breach Notification: In the event of a data breach which is likely to result in a risk to the right and freedom of individuals, companies are required to notify the NDPC within 72 hours of becoming aware of the data breach and immediately notify the data subjects of the said breach[8].

Third-Party Transfers and Data Sharing[9]

Data Transfers: Any transfer of personal data to third parties, including for monetization purposes, must comply with the NDPA. This includes ensuring that third parties provide an adequate level of protection for the data.

International Data Transfers: Data transfers outside Nigeria are subject to additional safeguards, and such transfers can only occur if the receiving country provides an adequate level of data protection or if other specified conditions are met[10].

Penalties for Non-Compliance[11]

Fines and Sanctions: Non-compliance with the NDPA can result in substantial fines and sanctions for companies. Specifically, a fine of up to the — (i) higher maximum amount, in the case of a data controller or data processor of major importance, or (ii) standard maximum amount, in the case of a data controller or data processor not of major importance or (b) imprisonment for a term not more than one year or both. These penalties apply for data breaches or unlawful data processing activities.

Ethical Considerations in Data Monetization

Beyond legal compliance, ethical considerations play a crucial role in how data monetization is perceived and practiced. Ethical issues arise when there is a disconnect between the company’s profit motives and the privacy rights of individuals.

Key ethical considerations include:

Respect for Privacy: Companies must thoroughly assess whether their data monetization practices uphold individuals’ privacy, and whether or not they are legally permissible. This includes evaluating whether the monetized data is sensitive and assessing the potential risks of unintended harm, such as discrimination or exclusion, that could arise from its monetization.

Informed Consent: True informed consent extends beyond legal requirements. Ethically, companies must ensure that individuals fully comprehend what they are agreeing to, including how their data will be used and the potential risks involved.

Data Ownership and Control: The ethical principle of data ownership and control requires that individuals retain full ownership and control over their data. Companies should enable data subjects to easily access, correct, or delete their data and to opt out of data monetization practices at their discretion.

Fair Compensation: When companies profit from personal data, it raises ethical questions about whether individuals should receive compensation. Consideration should be given to developing models where data subjects share in the financial benefits generated from their data.

Conclusion

Data monetization presents significant opportunities for companies in Nigeria, but it must be approached with a keen awareness of the legal and ethical implications. By adhering to the Nigerian Data Protection Regulations and upholding the highest standards of data privacy, companies can unlock the value of data while maintaining the trust and confidence of their customers. In the long run, a balanced approach that respects data privacy rights will be the most sustainable and profitable strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[1]             Section 26 of Nigeria Data Protection Act 2023

[2]            Section 25(1a) (i) of Nigeria Data Protection Act 2023

[3]            Section 25(1a) (ii) of Nigeria Data Protection Act 2023

[4]            Section 25(1a) (v) of Nigeria Data Protection Act 2023

[5]            Section 25 of Nigeria Data Protection Act 2023

[6]            Ibid.

[7]            Section 39 of Nigeria Data Protection Act 2023

[8]           Section 40 of Nigeria Data Protection Act 2023

[9]           Section 41 of Nigeria Data Protection Act 2023

[10]        Ibid

[11]        Section 49 of Nigeria Data Protection Act 2023