At the current rate, the world produces about 2.5 quintillion bytes of data every day and it’s only going to keep growing—by the end of this year, our digital universe is expected to reach 44 zettabytes. (That’s 1.7megabyte of data created every second for every person on earth.)
With the advent of new technologies, which enables the extraction of useful and practical insights, the increasingly vast amount of data in our digital universe promises new forms of value, improvement in processes, and unleashes a wave of new opportunities for businesses and people.
As data abounds, more and more people are concerned about the value and security of their data—this has fueled the concept of data protection and made the formulation of data protection laws a global phenomenon. Most of these laws contain the right to be forgotten (which allows individuals to have their personal data erased) and data retention mandates (which compel Internet solution providers, telecommunication service providers, etc. to retain data for a particular period).
This article considers the meanings and scopes of the right to be forgotten and the principle of data retention in Nigeria, with a view to determining the nexus (and precedence) between the two seemingly opposing requirements to “forget” and to “retain” data.
The Right to Be Forgotten—Where Does it Come from and What Does it Mean?
Every time we use the Internet or utilize a digital device, we leave traces of ourselves. We leave information that can be used to track or judge our history, habits, and tendencies.
But things used to be different. In the past, public records of individuals used to exist only in courthouses and government offices. Obtaining these records was tedious and often impracticable. The records were, thus, deemed ‘practically obscure’.
It is from the concept of “practical obscurity” that the right to be forgotten emerged.
The right to be forgotten is a much-cherished privilege in civil societies—it is based on the notion that individuals should have the ability to have untruthful, out-of-date, out-of-context, and other forms of potentially damaging information about them erased, such that third persons can no longer trace or view them.
Ancient, longstanding, and predating the internet, the right to be forgotten is believed to have been conceived in the oft-cited 1931 Californian case of Melvin v Reid. Here is what happened: “Prior to 1918 the plaintiff, [a woman named Gabrielle Darley Melvin] had been a prostitute and in that year was tried for murder and acquitted.
In 1919 she changed her manner of life, married, and thereafter led a respectable life. In 1925 the defendants produced a moving picture, ‘The Red Kimono,’ which portrayed the true story of the past life of the plaintiff, using the plaintiff’s maiden name as the name of the principal character. The advertisements [also] indicated that this was the true story of the plaintiff’s life.” The Court of Appeal of California found, among other things, that:
The use of appellant’s true name in connection with the incidents of her former life in the plot and advertisements was unnecessary and indelicate and a wilful and wanton disregard of that charity which should actuate us in our social intercourse and which should keep us from unnecessarily holding another up to the scorn and contempt of upright members of society.
Seventy-four years later, the European Union Data Protection Directive (Directive) was passed. Article 12(b) of the Directive provides that “Member States shall guarantee every data subject the right to obtain from the controller as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the Directive…” The Directive was updated a number of times.
Then in January 2012, Viviane Reding, European Commissioner for Justice, Fundamental Rights, and Citizenship, circulated the final drafts of the then proposed General Data Protection Regulation (“GDPR”), in which a new concept—the right to be forgotten—was introduced.
She explained that the novel privilege would give Europeans “the right, and not only the ‘possibility’, to withdraw their consent to the processing of the personal data they have given out themselves.” Days after Reding’s speech, the right to be forgotten was outlined in Article 17 of the GDPR. In particular, the Article states that:
[A] data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation…
The Nigeria Data Protection Regulation and the Right to Be Forgotten
In Nigeria, the Nigerian Data Protection Regulation (“NDPR”) is the most comprehensive law regulating the processing of personal data. Covering all transactions intended for the processing of personal data and to the actual processing of personal data in respect of natural persons in Nigeria, the Regulation applies to every person or organization that collects, uses, stores, and processes personal data.
The NDPR vests a data subject with the rights to (a) data access, (b) obtain information on their data (c) data rectification, (d) data portability, (e) object to data processing (f) withdraw consent; and (g) erasure of their personal data (also known as the right to be forgotten).
Our focus is on the right to be forgotten, which can be exercised under the NDPR where:
- the personal data have been unlawfully processed;
- the data subject withdraws consent on which the processing is based;
- the personal data have to be erased for compliance with a legal obligation in Nigeria;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing; and
- the personal data is no longer necessary in relation to the purposes for which it was collected or processed.
Where a data erasure request is submitted, the Data Controller locates all personal information relating to the data subject and reviews it to see if it is still being processed and comes under one of the grounds listed above. If it does, the Data Controller then deletes the data and informs other entities who have gained access to process the personal data of the data subject to delete links to, copies or replication of that data.
It is important to note that, as most rights, the right to be forgotten is not absolute. It is usually weighed against legal requirements and public interests. Specifically, the right to be forgotten cannot be exercised where processing is necessary:
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
- for the exercise of the right to freedom of expression and information;
- for the establishment, exercise or defence of legal claims; or
- to comply with a legal obligation.
The Right to Be Forgotten and Data Retention Laws in Nigeria
Data retention provisions form an integral part of our data protection laws. They are oft imposed by legislation on Internet service providers, telecommunication companies, and players in the financial services industry to retain certain forms of information about their users.
This information may include “subscriber identifying information, assignments of Internet addresses to individual users, location information about mobile devices, Internet connection and browsing data, telephone dialing records, and other addressing, signaling or routing information, often time-stamped and often capable of being associated with a particular user”.
Data retention can help law enforcement, judicial authorities, and other competent bodies investigate such serious and complex matters as crimes and terrorism. It can also facilitate the resolution of trifling conflicts between service providers and users.
Data retention laws vary with respect to the types of companies, data, and services that they cover. Retention period also differs. For instance, the Regulatory Framework for Mobile Payment Services in Nigeria requires mobile payment operators to “maintain details of transaction records consummated within their mobile payment system for 5 years” and to maintain the electronic transaction and receipt log online for a for a minimum period of three (3) months. The log is to be archived for another minimum period of seven (7) years, unless a complaint arises before the expiration of seven (7) years, in which case the log in respect of such pending complaints must be maintained until the case is completely resolved or discharged.
Also, the Cybercrime (Prohibition, Prevention, etc.) Act mandates every Internet and telecommunication service providers to “preserve, hold or retain any traffic data, subscriber information or related content”.
As noted above, the right to be forgotten is not absolute—one of the instances where it may not be exercised is where a law mandates the retention of personal data. This means that a Data Controller can refuse a data subject’s request for data erasure on the basis that a law mandates the Controller to retain the data or sets of data, which a data subject wishes to be forgotten.
Having established this precedence, it is worthy to mention that one major problem with Nigerian data retention laws is that they are general and indiscriminate—they capture every form of data about every kind of users.
What this means is a further shrinking down of a data subject’s opportunity to exercise the right to be forgotten. More crucially, by mandating the retention of “a treasure trove of metadata about citizens’ communications, such as the time, date, location, and IP address used in a call or e-mail”, financial and other electronic transaction records, the blanket nature of our data retention laws is considered hostile to the constitutional right to privacy, threatens anonymous speech, and has significant implications on the presumption of innocence.
As long as they are valid and subsisting, Nigerian data retention laws overrides the right to be forgotten; as such, every erasure request made by a data subject has to be evaluated on a case-by-case basis.
 Ahmad, Irfan, “How Much Data Is Generated Every Minute?”: [SocialMediaToday, 2018] https://www.socialmediatoday.com/news/how-much-data-is-generated-every-minute-infographic-1/525692/ [accessed 14 February 2020]
 The digital universe is made up of such things as texts and digital photos uploaded to the Internet, communicating devices, smart televisions, banking data, security footage, voice calls, etc.
 Ibid. (n 1)
 EMC Digital Universe with Research & Analysis by IDC, ‘The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things’ https://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm [accessed 29 January 2020]
 It should be noted that although much of the data produced by our interactions with technologies—for example, climate and weather data (collectively tagged Big Data)—is not personal data, data protection authorities have taken the view that the processing of Big Data must comply with the data protection legislation. In any case, the definition of “data” under the data protection legislation of most countries, including the Nigerian Data Protection Regulation covers Big Data, however described.
 Although both form an integral part of the freedom of expression, the right to be forgotten should not be confused with the right to forget.
 297 P. 91 (Cal. Dist. Ct. App. 1931).
 297 P. 91 (Cal. Dist. Ct. App. 1931). Docket No. 346
 Council Directive 95/46, 1995 O.J. (L 281) 31 (EC)
 See id. arts. 7, 28.
 Patricia Sánchez Abril and Jacqueline D. Lipton, “The Right to be Forgotten: Who Decides What the World Forgets?” (UKnowledge, 2014) https://uknowledge.uky.edu/cgi/viewcontent.cgi?article=1074&context=klj [accessed 2 February 2020]
 Viviane Reding, Vice President, European Comm’n, EU Justice Comm’r, The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age 5 (Jan. 22, 2012), available at http://europa.eu/rapid/press-releaseSPEECH-12- 26 en.htm [accessed 10 February 2020]
 The word “processing” is defined broadly in the NDPR to cover any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
 The NDPR defines a “Data Subject” as an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
 Information Commissioner’s Office, “Right to erasure” (ICO) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ [accessed 10 February 2020]
 CDT, ‘Data Retention Mandates: A Threat to Privacy, Free Expression and Business Development’ (Center for Democracy and Technology, 2011) https://cdt.org/wp-content/uploads/pdfs/CDT_Data_Retention_Paper.pdf [accessed 14 February 2020]
 Paragraph 5.3.4 of the Regulatory Framework for Mobile Payment Services in Nigeria, (CBN, 2010) https://www.cbn.gov.ng/OUT/CIRCULARS/BOD/2009/REGULATORY%20FRAMEWORK%20%20FOR%20MOBILE%20PAYMENTS%20SERVICES%20IN%20NIGERIA.PDF [accessed 10February 2020]
 Section 22 (2)(a) Cybercrime (Prohibition, Prevention, etc) Act, 2015 http://www.nigerianlawguru.com/legislations/STATUTES/CYBERCRIME%20ACT%202015.pdf [accessed 11 February 2020]
 Katitza Rodriguez, “Privacy is a Human Right: Data Retention Violates That Right” [Americas Quarterly, 2015] https://www.americasquarterly.org/content/privacy-human-right-data-retention-violates-right [accessed 10 April 2020