Artificial Intelligence And Nigerian Data Protection

INTRODUCTION

By 2025, the global Artificial Intelligence (AI) market is projected to reach a staggering $190 billion, growing at a compound annual growth rate of 36%.¹ In Africa, the International Finance Corporation projects that the strategic adoption of AI could add up to $234 billion to Africa's GDP by 2030. This makes AI an essential industry, with the potential to significantly impact economic growth and social progress.² The adoption of AI technologies across various sectors and industries is reshaping the way businesses operate and interact with consumers, from healthcare to finance, agriculture to manufacturing and retail. However, the effectiveness of AI systems largely depends on the availability and processing of large datasets, which often contain sensitive personal information and raises concerns about data protection and privacy.

AI ADOPTION ACROSS NIGERIA

In Nigeria, AI technologies are increasingly being adopted across sectors:

1. Healthcare Sector: In Nigeria, AI is revolutionizing healthcare by transforming diagnostics, treatment planning, and patient management. Telemedicine platforms such as 247Medic and Reliance utilize AI-powered chatbots and virtual assistants to improve services. These tools facilitate preliminary consultations, answer health-related questions, broaden healthcare access, and support services like lab testing and doorstep drug delivery.³
2. Financial Sector: AI algorithms are being used in the financial sector for detecting and preventing fraud by analyzing transaction patterns in real time. AI-powered chatbots equipped with Natural Language Processing (NLP) ensure 24/7 customer engagement and enhance online interactions. Notably, thirteen (13) Deposit Money Banks (DMBs) including Zenith Bank (Ziva), Fidelity Bank (Ivy), and UBA (Leo) have incorporated AI chatbots into their operations, boosting customer satisfaction and operational efficiency. ⁴
3. Education Sector: AI is also transforming education in Nigeria by making learning more accessible and personalized. E-learning platforms leverage AI to tailor learning experiences to individual needs. AI-driven tutoring systems analyze students' strengths and weaknesses to customize learning paths and resources. Platforms like uLesson and Edves employ AI for personalized learning, performance assessments, and interactive educational content in subjects such as math, physics, chemistry, and biology, aligned with the Nigerian curriculum.
4. Economic and Developmental Impact: The potential for economic growth through AI, coupled with a growing pool of skilled professionals and academic institutions focusing on AI research, drives its adoption in Nigeria. Despite these promising advancements, challenges remain, particularly concerning the heavy reliance on vast amounts of data, including sensitive personal information. This raises significant concerns about the methods of data collection, storage, processing, and protection, highlighting the need for stringent regulatory measures to safeguard data privacy.

ADDRESSING PRIVACY CONCERNS

The Nigeria Data Protection Act, 2023 (the "NDPA" or "the Act") applies to all forms of processing personal data, including those used in AI systems, both during development and after deployment.⁵ Under the NDPA, 'data' refers to any information relating to an identified or identifiable natural person (data subject). This can include anything from names and addresses to an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual⁶. The Act outlines obligations for data controllers and processors, requiring them to adhere to certain privacy principles and to implement appropriate data protection measures⁷.

RESPONSIBILITIES OF DEVELOPERS AND ORGANIZATIONS UNDER NDPA

1. Compliance and Data Handling Principles: AI developers and organizations must uphold principles of lawfulness, fairness, and transparency in processing personal data. This involves obtaining consent or justifying the processing based on legitimate interests or legal obligations, while maintaining transparency through clear privacy notices.⁸ A legitimate interest under the NDPA could include scenarios where data processing is necessary for fraud prevention, ensuring network and information security, or conducting direct marketing activities, provided these activities respect the fundamental rights and freedoms of the data subject or are compatible with other lawful bases of processing. Moreover, data minimization principles mandate that AI systems collect and process only the data that is essential for their intended functions, thereby minimizing the potential for data breaches.
2. AI developers might act as either data controllers or data processors based on their role in handling personal data.
   • Data Controllers: Developers that determine the purposes and methods of data processing, such as a tech startup analyzing consumer behavior, are data controllers. They decide which data to collect, e.g., shopping habits and purchase history, and how to analyze it. Their responsibilities include adhering to privacy laws, obtaining necessary consents, implementing protective measures, and conducting impact assessments to mitigate privacy risks.
   • Data Processors: Developers processing data strictly according to another entity's specifications act as data processors. For example, if a healthcare company hires an AI firm to develop a predictive model using specific data, these developers must follow the company's directives strictly. Their role is to ensure that their processing aligns with NDPA's security and compliance standards, with the contracting entity acting as the data controller.
3. Operational Compliance Requirements: Organizations are required to maintain records of their processing activities and conduct Data Protection Impact Assessments (DPIAs). DPIAs help organizations assess how AI technologies process and analyze data, which can affect individuals' rights and privacy. They also address the risks associated with automated profiling, where AI systems make decisions or predictions based on data patterns. Implementing these assessments helps organizations identify and mitigate risks, such as unauthorized access to personal information early on.⁹
4. Security Measures: It is important that organizations implement adequate technical and operational measures to secure personal data against unauthorized access, disclosure, alteration, or destruction. This includes deploying encryption, establishing access controls, and conducting regular security audits to ensure the comprehensive protection of personal data.

ADVANCEMENTS AND INITIATIVES

A significant advancement in Nigeria's AI landscape is the establishment of the National Centre for Artificial Intelligence and Robotics (NCAIR) and its digital fabrication laboratory (FabLab) by the National Information Technology Development Agency (NITDA) in 2020.¹⁰ The NCAIR is a hub for AI research and development, aiming to drive innovation and practical applications of AI in sectors critical to Nigeria's national interest.

In addition to the NDPA, there is a growing regulatory focus on AI. While there is no specific AI regulation yet, in 2022, NITDA announced it was seeking stakeholder contributions to develop the National Artificial Intelligence Policy (NAIP). By March 2023, NITDA had completed the first draft of the NAIP and in August 2023, the Federal Ministry of Communications, Innovation and Digital Economy (FMCIDE) released a white paper announcing steps to expand on the draft NAIP by developing a comprehensive National Artificial Intelligence Strategy (NAIS) for the development, use and adoption of AI in Nigeria.¹¹ By aligning with global best practices, the NAIS seeks to harness AI's potential for economic growth and social progress while ensuring fairness, accountability, and the protection of individual privacy.¹²

ESTABLISHING A REGULATORY FRAMEWORK FOR AI IN NIGERIA

Nigeria must develop an inclusive regulatory framework to fully harness the benefits of AI. The EU AI Act offers an exemplary model, providing clear guidelines and obligations for AI developers and deployers. This Act mandates transparency, categorizes risks, and enforces stringent compliance measures. High-risk AI applications, such as those used in biometric identification or healthcare, undergo thorough assessments to meet safety and ethical standards. Additionally, the EU AI Act requires lawful AI training processes and imposes significant fines for non-compliance. By adopting similar principles, Nigeria can create a regulatory environment that promotes responsible innovation.

REDRESS FOR DATA SUBJECTS IN THE EVENT OF RIGHTS BREACHES BY AI DEVELOPERS

The NDPA provides an interim safeguard for data subjects against potential breaches by AI developers. If AI applications misuse or mishandle personal data, data subjects can seek redress under the NDPA. They can file complaints with NITDA or initiate legal proceedings for damages.

The NDPA requires organizations, including AI developers, to implement mechanisms to address grievances related to data processing effectively. This ensures AI developers are held accountable, promoting a culture of responsibility and adherence to privacy norms until specific AI regulations are enacted. However, establishing a comprehensive regulatory framework will ensure that AI development in Nigeria proceeds ethically and sustainably, balancing technological advancement with fundamental rights and protections.

SUPPORTING BUSINESSES THROUGH DATA PROTECTION

At SimmonsCooper Partners, we understand the complexities of managing data protection in today's digital landscape.

For inquiries about data protection compliance, customized data compliance trainings and comprehensive data audits, please contact: Ema Ogbe or Chinelo Obiekwe

Footnotes

1. MarketsandMarkets, "Artificial Intelligence Market - Global Forecast to 2026" (May 2024) https://www.marketsandmarkets.com/Market-Reports/artificial-intelligence-market-74851580.html

2. Federal Ministry of Communications and Digital Economy, 'National Artificial Intelligence Strategy (NAIS)' (Federal Ministry of Communications and Digital Economy) https://fmcide.gov.ng/initiative/nais/

3. https://techeconomy.ng/247medic-is-addressing-healthcare-inefficiencies-in-benin-city-edo-state/

4. https://businessday.ng/technology/article/unlocking-the-potential-of-artificial-intelligence-in-nigeriasbankingsector

5. Section 2 of the Nigeria Data Protection Act, 2023.

6. Section 65 of the Nigeria Data Protection Act, 2023.

7. Section 29 of the Nigeria Data Protection Act, 2023

8. Section 24 Nigeria Data Protection Act, 2023.

9. Section 28 Nigeria Data Protection Act, 2023.

10. National Information Technology Development Agency, 'National Centre for Artificial Intelligence and Robotics (NCAIR)' (National Information Technology Development Agency) https://nitda.gov.ng/ncair/

11. https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-trackernigeria#:~:text=There%20is%20currently%20no%20specific,Artificial%20Intelligence%20Policy%20(NAIP)

12. Federal Ministry of Communications and Digital Economy, 'National Artificial Intelligence Strategy (NAIS)' (Federal Ministry of Communications and Digital Economy) https://fmcide.gov.ng/initiative/nais/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.