Author: Olika Daniel Godson,
Student (LL.B), Faculty of Law, University of Lagos.
Service providers play an important role in the provision of internet and data services to its subscribers. A corollary to this service it provides is the submission of information by the subscribers to the Service Providers and this gives the Service Providers access to a wide array of subscribers’ information as well as correspondence. The Government or any of its agencies in the discharge of its duties may request that Service Providers disclose the identity of its subscribers and Service Providers are obliged to provide the necessary information as provided for in Section 38 of the Cybercrimes Act 2015. Although the 1999 Constitution of the Federal Republic of Nigeria provides in Section 45 that legitimate restrictions be placed on the right to privacy in the interest of public order and security, no procedure is outlined either in the Cybercrimes Act 2015, the Constitution or any other law in force in Nigeria to disclose the identity of subscribers by service providers. The implications of these provisions on the privacy rights of subscribers with reference to other jurisdictions shall form the crux of this paper.
The learned author E.S. Nwauche in ’The Right to Privacy in Nigeria,’ Review of Nigerian Law and Practice, Vol 1(1) 2007 opines that;
Although the right to privacy and privacy of correspondence, telephone conversations and telegraphic communications are guaranteed and protected by Section 37 of the Constitution, the right has not received adequate protection or elaboration both in the definition, philosophical basis or the key issues in the concept of privacy.
Thus, reference shall be made to the position; at common law, under the American legal system and under other legal systems in other to espouse the nature of this right. Therefore, in Campbell v. MGN Ltd,  UKHL 22, the House of Lords held that various aspects of the right to privacy are evolving and the Courts of equity have long afforded protection to the wrongful use of private information by means of the cause of action which became known as breach of confidence. It appears the Court in this case equated privacy protection to breach of confidence. The requirements for the breach of confidence were stated in Coco v AN Clark (Engineers) Ltd,  RPC 41, 47 where the Court stated as follows;
- the information must have the necessary quality of confidence about it;
- the information must have been imparted in circumstances importing an obligation of confidence; and
- there must be an unauthorised use or disclosure of that information to the detriment of the party communicating it.
It appears from the foregoing that a Service Provider that discloses the identity or reveals the information or correspondence of its subscribers should be held liable for a breach of confidence or a breach of the right to privacy. However, given the responsibility of the Government to ensure public order, national security and balance the interest of a particular citizen against the rights of other citizens; Section 45 of the Constitution provides that the right to privacy shall lawfully be derogated from by any law in the interest of public order, public safety, public morality, public health and for the interest of protecting the rights and freedom of others. Pursuant to this provision, the legality of Section 38 of the Cybercrimes Act 2015 is not in doubt. The Section provides that Service Providers shall keep all traffic data and subscriber information which the Service provider is obliged to reveal at the request of any relevant authority. The section further provides that; the information should only be used for legitimate purposes, due regard should be paid by anyone exercising this authority to the right to privacy and appropriate measures should be taken to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement. Although the Law apparently seeks to protect the privacy interest of the subscribers and provides for appropriate measures to be taken to prevent a violation, it is submitted that the absence of a procedure to be followed in exercising this function (in both the Act and the Constitution) leaves it open to abuse. The Federal High Court berated the situation when considering a similar order, the Anton Piller Order, in Sony Kahushiki Kaisha v Hahani & Co Ltd, FHC/L/35/81. The Court held that;
Can one say the use of a police to enforce an obligation is compatible with the defendant’s fundamental rights when he had not had a hearing at all whether fair or unfair? It is common knowledge here in Nigeria that many business premises are also living accommodations, can intrusion on one’s privacy without fair hearing be compatible with Section 34 of the 1979 Constitution (Section 37 of the 1999 Constitution)
The Court further stated in Rokana Industries v Maun, (1993) 243, 251 that in considering an Anton Piller order, the Courts must take due cognizance of all statutory and constitutional guarantee.
Although these cases reveal the courts skepticism to grant orders that have far-reaching privacy rights implications, the Courts failed to seize the opportunity in any of the cases to outline the procedure to be followed before it can grant these orders.
The United States Courts appear to have developed rules to be followed before a Service Provider can reveal the identity of a subscriber when requested to by a private individual or governmental agency or authority. Thus, in Dendrite International v Doe, A-2774-00T3 (2001) the Court adopted the test first enunciated in Columbia Ins. Co. v. Seecandy.com, 185 F.R.D. 573 (N.D. Cal.1999) where it stated that the following requirements must be satisfied before a Service Provider will be allowed to reveal the identity of a defendant;
- identify the missing party with sufficient specificity such that the court can determine that defendant is real person or entity who could be sued in federal or state court;
- identify all previous steps taken to locate the elusive defendant;
- establish, to the court’s satisfaction, that plaintiff’s suit could withstand a motion to dismiss; and
- file a statement of reasons justifying the specific discovery requested, as well as the identification of a limited number of persons or entities on whom discovery process might be served and for which there is a reasonable likelihood that the discovery process will lead to identifying information about the defendant that would make service of process possible.
The Court further espoused the fair hearing requirement before a person’s identity can be revealed in the Dendrite Case and in the UK case of Norwich Pharmacal Co. and Ors. v Customs and Excise Commissioners,  3 WLR 164. In these cases, the Courts stated that the party seeking that another’s identity be disclosed or unmasked should notify the other party and give the party time to respond.
Conclusively, the use of service providers in this digital age is inevitable and it is important that subscribers know that their privacy rights are protected and not subject to abuse. The analysis of the duty of Service Providers to disclose the identity of its subscribers when requested to by any governmental agency or authority above reveals the serious privacy rights which are left without legal protection and may be subject to abuse. It is recommended that the Cybercrimes Act 2015 be amended to include the procedures to be taken before a Service Provider be made to reveal the identity of a subscriber or; the Courts take note of these measures and submissions, and seize the earliest opportunity to apply them in order to ensure that the privacy rights of subscribers are not breached in the process of protecting public order, public security, public health or the rights and interests of others. Thus, unless these measures or well defined procedures are outlined; violating the right to privacy of the Citizens in order to protect public order or national security will be tantamount to cutting the hand in order to save the body.
Olika Daniel Godson is a 500 Level Student of the Faculty of Law, University of Lagos. He is the Director of Research 1 of the Mooting Society, University of Lagos and the Editor-in-Chief of the Unilag Law Review. His primary research interest is Cyber Law and his secondary research interests are ; Human Rights Law, Constitutional Law, Intellectual Property Law, Petroleum Law, Taxation Law and International Commercial Law.