Law and Technology


Data is the new Oil! Data is an essential resource that powers the information economy just as oil has fueled the industrial economy. Enormous quantities of data are generated every single day by companies doing business on the internet. Even traditional brick-and-mortar businesses collect tremendous amounts of information from their customers in order to extract value from analyzing the trends that make or break their businesses.1

(Photo Credit : )

What is Big Data? Big Data are extremely large information sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions. This is largely due to the rise of computers, the Internet and technology capable of capturing data from the world we live in. Nowadays, almost every action we take leaves a digital trail. We generate data whenever we go online, when we carry our GPS-equipped smartphones, when we shop online etc. These information can be anything from a name, an address, a photo, an email address, bank details, posts on social networking websites, medical information etc.

A World Economic Forum report shows that 15 billion devices will be connected to the internet by 2015 and 50 billion by 2020. The amount of data stored on the internet is predicted to grow exponentially and looks set to be 44 times larger in 2020 than it was in 2009.2 Once upon a time, the wealthiest were those with most natural resources, now, we live in a knowledge economy, where the more you know is proportional to the more data you have access to.

According to Forbes Technology Council, if you burned all of the data created in just one day onto DVDs, you could stack them on top of each other and reach the moon – twice.3 Professor William Edwards Deming, the great American engineer sums this quest up when he said, “In God we trust; all others must bring data.” Therefore, data is to the digital economy what oil is to the industrial economy.

Government, retailers and multinational corporations are now able to access more data today than ever before. Companies are now taking advantage of data insights to improve decision-making, enter new markets, and deliver better customer experiences. From understanding and targeting customers, to client’s decision making, understanding user spending habits, to Predictive Equipment Maintenance in the oil and gas industry (predicting the remaining optimal life of their systems and components, ensuring that their assets operate at optimum production efficiency).In the United States, Target, a retail company, is now able to very accurately predict when one of its customers will expect a baby.4 Using big data, Telecom companies can now better predict customer churn; Wal-Mart can predict what products will sell; and car insurance companies understand how well their customers actually drive. In Nigeria, has developed a chatbot that uses AI to understand user requests, drive conversations, understand user spending habits and prevent fraud. Zenvus Technology uses remote IoT (Internet of Things) sensors and cloud computing to help farmers with data-driven advice on improving crop health and yields, as well as access to lending, insurance and commodity trading services.

The International Data Corporation said that worldwide revenues for big data and business analytics will grow from $103.1 billion in 2016 to more than $203 billion in 2020, at a compound annual growth rate of 11.7%. Revenue from the sales of big data and business analytics applications, tools, and services is placed at more than $187 billion in 2019.5Unregulated processing of personal information can have a significant impact on key human rights such as privacy and dignity of human person. This fast-growing industry therefore prompted regulators to step in to restrain those who control its flow. On the 24th of July, 2019, Facebook agreed to pay a $100m fine imposed by the United States Securities and Exchange Commission, for misleading investors about the risks it faced from misuse of user data. In a similar vein, on the 30th of July, 2019, The Greek Data Protection Authority imposed a 150,000 Euros fine on Price Waterhouse Cooper (PWC) for the illegal processing of personal data of its employees and breaching the EU General Data Protection Regulation (GDPR).

(Photo Credit : )

All these can be prevented if adequate legal framework is put in place before a company commences processing personal data. Whether you’re setting up an e-commerce platform, a telecommunication company, a bank or financial agency, abiding by the necessary data protection policy should form part of your business plan. Ensuring your clients, customers and/or employees sign a Data Protection Agreement (DPA) or Data Protection Policy will afford them the opportunity to understand in full how their Data will be processed and it will also serve as a guiding document in case of any dispute. With the immense benefits that can be derived from leveraging big data, companies must be careful in the processing of personal data to avoid sanctions. Data Protection operates on three basic principles to wit, personal data should be processed lawfully, fairly and transparently.

In Nigeria, Data Protection is regulated by the Nigeria Data Protection Regulation, 2019 made by The National Information Technology Development Agency (NITDA) pursuant to the NITDA Act of 2007. The NDPR defines ‘Personal Data’ as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others”.

It defines ‘Processing’ as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. And it defines a ‘Data Controller’ as “any person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”.

The NDPR provides that any person subject to the Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable in addition to any other criminal liability, to the following:

a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater;
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater.

(Photo Credit :

The African Union Convention on Cyber-security and Personal Data Protection, 2014 is another effort by African States to protect and regulate dealings with personal data. The Convention amongst others, provides for rules on trans-border data flows.Adopted in June, 2014, at the African Union Summit in Malabo, Equatorial Guinea, the Convention commits state parties to ‘establishing a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data and to punish any violation of privacy without prejudice to the principle of free flow of data.’6

In conclusion, every Data Controller should ensure that users of its e-commerce website, its employees, customers and/or clients are adequately informed of their rights as it relates to Data Protection. The Data Protection Agreement (DPA), Data Protection Policy or the Privacy Policy need to be clear and spell out the rights of the Data Subject and what the Data will be used for.

Article Author

Toheeb Amuda Esq.

Toheeb Amuda is a Legal Practitioner in Lagos, Nigeria. He is an Investment Consultant with certification from the World Bank Group on Investment in Emerging Markets. He can be reached via:


  1. Ed Aviza; Data is the Gold of the 21st Century Available at
  2. How much is your personal data worth?
  6. Article 8(1)



Please be informed that the information provided on Law Axis 360° (the “Platform”) are not meant to be legal advice. The content provided by the Platform are for information purposes only and does not constitute legal or other professional advice, and you should not rely on it as an outline of your obligations, duties or rights in respect of any issue. Any entity does not accept any liability in relation to your use or reliance on the information provided by the Platform.

1 comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: