Inflamed by a conflux of factors such as: rapid advancements in globalized digital networks, the ever-heightening dependence on financial platforms, and the expansion of sophisticated information and communication technologies (ICTs), modern societies have become deeply entangled in a complex network of personal data exchanges. As such, an epoch of unprecedented datafication has been ushered in. The complex data-based ecosystem necessitates the storage, processing and transmission of personal information, piercing through every facet of individuals’ lives—from daily transactions to participation in the political sphere to engagement with diverse sectors like energy, entertainment, fintech, healthcare, etc. There are, however, grave risks, such as: fraud, data breach, abuse, manipulation, corruption, compromise, as well as loss and theft of information, associated with the aforementioned use of personal data. It has, therefore, become extremely crucial for there to be the safe keeping of a person’s or organization’s information in the possession and control of a Data Controller.
Nigeria considers its electric power industry to be on par with its national security. This means that the power industry is not left out from being in the vanguard of digital and technological advancements, as they strive to continually break the barriers of innovation. The (renewable) electricity industry, for instance, is going through a significant technological revolution, whereby households and organizations are being digitally connected to renewable energy systems. This is aimed at increasing and easing up the way in which natural resources are used by way of technology, as opposed to relying on conventional fossil fuels. The ineludible use of technology in the power industries would, therefore, automatically give rise to the processing of data. Consequently, this leads to the dire need to protect the said personal data/information from the negative ramifications connected to personal data breaches and unauthorized access to personal data within this dynamic technological environment. Thus, data protection and privacy have become fundamental to the safeguarding of energy consumers’ (data subjects’) personal information to such an extent that there is the prevention and protection of the occurrence of the risks attached to the processing and transfer of data. Effective data protection can be attained by developing and putting into practice solid data security protocols in addition to inviolable data protection regulations designed to address the risks connected to personal data processing activities.
This article explicates the connection between technology, privacy, and data protection in Nigeria’s electricity industry. It also analyzes the pertinence of sound data privacy practices in the electricity sector and how the relevant data protection regulatory frameworks, when adhered to judiciously, can attenuate the risks connected to the industry’s inexorable use of technology.
Personal data is considered by Section 65 of the Nigeria Data Protection Act 2023 to be any information that directly or indirectly identifies an individual. Privacy rights, in Nigeria, are recognized as constitutional rights, as they guarantee and protect the citizens’ privacy, including their household; phone, email, or telegraphic communications. For example, in the case of Bi-Courtney Aviation Services v. Kelani (2021), it was held by the Court of Appeal that a person’s image forms an integral part of their ‘right to privacy’ as enshrined within Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as Amended) (the CFRN).
Following on from the above, the protection of data, i.e., ‘Data Protection’ can be defined as the process of safeguarding important data/information from corruption, theft, compromise, or loss (data breaches) and supplying the tools or resources necessary to restore the data to a functioning state in the event that something happens that makes it unavailable or unsuitable. The principle of data protection mandates every organization processing and in control of sensitive (personal) information, whether digitally or otherwise, to ensure the information is appropriately protected. This principle is predicated on the rights and proclivity of individuals to decide on the degree to which they disclose their personal information to others.
Data protection regulations were created in response to the dangers associated with the processing of personal data and the imperative to safeguard individuals’ or organizations’ critical and confidential information. Furthermore, data protection regulations mandate the deployment of data security techniques that safeguard personal data from unauthorized access, theft, or loss. The relevant laws governing data protection and privacy activities in Nigeria are the:
Organizations in the electricity industry are mandated to adhere to the above-listed laws regarding the protection of the personal and sensitive data they control and process. Failure to comply with the regulations could lead to the imposition of sanctions, fines, business disruptions brought on by investigations, jail terms for principal officers of organizations, and so on. It is, therefore, beneficial for organizations carrying out operations in the sector to comply with data protection regulations, as it would help with the mitigation of risks like security breaches and data losses. Also, organizations that mismanage data and fail to take cognizance of the said laws could expose themselves to: license revocations, damaged reputations, loss of customers, regulatory penalties, associated losses, and legal liabilities.
The Nigerian Data Protection Commission regards the electric power sector as strategically significant to the economy—akin to national security—and organizations or service providers within the sector that process personal data are regarded as Data Controllers and Data Processors of Major Importance (DCMIs and DPMIs).
According to the Nigeria Data Protection Commission’s Guidance Notice on the ‘Registration of Data Controllers and Data Processors of Major Importance (DCMIs and DPMIs)’ issued on the 14th of February 2024 by the Nigeria Data Protection Commission (NDPC), DCMIs and DPMIs are companies that operate, offer services, or handle personal data in the electric power industry.
DCMIs and DPMIs are considered to have “particular value or significance to the economy, society or security of Nigeria”. Thus, companies in the electric/power industry as DPMIs and DCMIs, do not only have a legal duty to comply with data protection regulations, but also a critical responsibility in ensuring that personal data entrusted to their care is conscientiously protected. This would foster trust and confidence in stakeholders of the industry and facilitate the successful implementation of technology-driven electricity initiatives.
Therefore, the robust safeguarding of information is paramount for electricity companies as they transition into data-driven businesses that use both personal and electricity data as tools for energy efficiency mechanisms. One of the primary objectives of the energy industry is to successfully achieve the decarbonization of the industry by way of transitioning from the use of carbon-intensive fossil fuel energy to renewable energy options. This is aimed at curtailing greenhouse gas (GHG) emissions and achieving zero fossil carbon existence. Such energy decarbonization efforts in recent years have been heavily impelled by advances in digital technology. The power sector is primarily herded by technology – which is a tool necessary for the decarbonization, efficacy and productivity of the said industry. As more electricity companies leverage technology, new security and personal data breach risks arise. As such, a proactive viewpoint and understanding of the practice of data protection is needed if the energy sector is to continue its digital transformation. Only when such safeguards of personal data are in place can the advantages of digitalization be fully harvested and enjoyed.
3.1 The Importance of Privacy and Data Protection in the Electricity Industry
As a matter of course, an electricity organization’s sensitive data, such as its intellectual assets, employee/management’s information, as well as trade secrets, are at the core of its competitive advantage and success. The exposure of these valuable assets to illicit parties may have severe consequences for the organization, including lost revenue, lower market share, and a damaged reputation. Businesses may face regulatory sanctions, damage control costs, and legal expenses—in conjunction with direct financial losses. Also, the illegal access of an organization’s data by unauthorized persons leads to criminal activities, e.g., identity fraud, blackmail, illegitimate financial gains, information misappropriation, etc.
In view of the fact that a company’s most precious assets in today’s digital environment are the data it manages and processes, cyber threats are becoming more complicated, with potentially devastating outcomes as discussed above. Therefore, (electricity) companies are required to take notice of the pertinence of data security and cyber-attack risks that may negatively affect them. A company’s sensitive and personal data must be protected at all cost, and one of the best ways to achieve this is by having sturdy data privacy and protection structures in place. This includes the strict compliance with all applicable laws pertaining to data protection.
Companies within the electricity industry strive for advancements in technology to spur development, as the sector is the cornerstone of global infrastructure and trade. This digitalization of the electricity sector calls for responsible data management, collection, sharing, storage and communications – to ensure the protection of data in companies’ possession against the risks connected to data usage. For ease of comprehension of the subject matter, the intersection between data protection and privacy and the energy industry will be discussed in seriatim.
3.2 The Interconnection between Privacy and Data Protection, and the Electricity/Power Industry
Durable data protection practice becomes more critical as organizations and homes adopt digitally connected technologies and information-driven devices, particularly in the electricity sector. Thus, the bridge between the energy sector and data privacy and protection is largely predicated on the varied and continuous use of personal data-driven technology to adeptly carry out operations relating to the industry. For example, the payment of electricity bills electronically i.e., via online platforms, is the benefit (financial) technology proffers to electricity consumers in a bid to avoid the laborious and hazardous task of making payments with physical cash. However, this produces data protection-related issues – because processing personal data via technology has prompted the escalating frequency of data breaches, privacy violations and cyber-attacks.
Within digitalized electricity distribution networks, smart meters and all other comparable smart applications serve as a medium through which electricity consumers actively monitor their energy consumption rates instantaneously. This is made practicable by the fact that such devices collect and process comprehensive data on patterns of energy consumption at brief intervals. This transparency is further enhanced by interactive online energy retail platforms, serving as a vehicle through which a variety of innovative services are made available. These innovative services foster empowered consumer engagement through data-driven insights, enabling proactive management strategies for cost reduction and environmentally conscious choices. Ultimately, the promotion of energy conservation within communities is the goal of companies operating within the electricity/power sector.
The electricity Distribution Companies (Discos) in Nigeria play the important role of providing electrical power to the end-users – by way of technology. A technology that has profoundly impacted the Nigerian electricity industry is the smart meter. A smart meter is an electrometer that periodically captures data on a customer’s voltage level and power consumption – without the need for physical meter readings.. So, in an effort to improve Nigeria’s Discos financial viability while reducing their loss of earnings, the emplacement of the prepaid smart meter technology serves as a catalyst to ensure the sustainability of the electricity sector. Smart meter usage is essential to the stability of Nigeria’s electrical system and is necessary for a dependable, reasonably priced, and sustainable energy economy. In comparison to the traditional electromechanical meters – of which an employee from the electricity distribution company would manually take down information on the power user’s consumption matrix at certain intervals by logging the reading on the meter, digital smart meters allow for communication between the consumer and utility company in addition to recording customers’ kilowatt-per-hour usage. They also allow for the breakdown of energy usage into smaller, discrete time intervals. This information aids households with reducing energy expenses and amplifies reliability by availing electricity suppliers with relevant data about the quantity of electricity being used throughout their service areas. This availability of data reduces energy prices for homes and improves dependability by giving electricity end-users and electricity suppliers better insight into the amount of electricity consumed.
However, there are identifiable data protection challenges that spring up regarding the utilization of a smart meter. In using the smart meters, data such as the quantity of power usage of the consumers would be conveyed to the customer such that he/she possesses the requisite information about his/her consumption use. This said data would also be communicated to the electricity supplier as a means to monitor and secure payments for the power afforded to the customers. As such, it can be said that the detailed information collected on energy usage patterns brings to bear data protection issues. The data collected and stored can reveal insights into an electricity consumer’s behavior and routines – thereby requiring strong privacy security measures. For example, such information can be used to detect fraud, support, or refute an alibi etc. Relevant authorities or personnel, such as law enforcement or electricity distribution companies would be able to obtain personal information from smart meters, including: a person’s daily schedule, the types of appliances he/she uses in his/her home, and whether or not they are in their place of abode. The disclosure and flow of the personal information or data to the various relevant parties involved, thus, introduces data protection-related concerns.
Another issue of import regarding data protection matters in the electricity sector revolves around the adoption of financial technologies to facilitate the payment of electricity bills by energy consumers. Cashless or online payments are, therefore, great technological innovations by fintech companies that aid the electricity sector with the ease of conducting business and transactions. Such payments are typically made by way of licensed information communication technology platforms e.g., the internet, mobile applications, smartphones etc. Nigerian Distribution Companies, such as the Eko Electricity Distribution Company Plc (EKEDC), in pursuit of eliminating cash-based transactions, have encouraged their customers to consider modern e-payment mediums for payment of electricity bills. There is thus, an urgent need for there to be accessibility to cashless/online payments options via fintech/mobile payment companies, for Discos in Nigeria – as they are more feasible, convenient and affordable. Following on from the above, it can thus be stated that in this modern financial technology era, energy companies can be deemed to be data processors or controllers of major importance.
Personal or sensitive data, as well as online transactions are typically maintained by a database/ledger known as ‘blockchain’. Payment systems use blockchain technology to collect, process and analyzes data. Such online payment systems used in the electricity sector, are consequently and unfortunately vulnerable to cyber-attacks, fraud and unauthorized access to personal/consumer data, as well as sensitive data belonging to organizations. Additionally, when electricity consumers seek to pay their electricity bills via the energy companies’ websites, they are exposed to website/internet Cookies. Internet Cookies permit web servers to save, monitor or track the website visitor’s online/browsing activities, and connect individual web requests into a session – depending on the type of cookie. Unauthorized access to and abuse of the personal data in the possession of the company is a possibility – and the consequent damages attached thereto are dire and could threaten the integrity of a company that acts as a data controller/processor. This, thereby, necessitates: the need for the existence of sturdy data protection frameworks; the investment in robust security measures; the necessary compliance; the safeguarding of energy consumers’ personal data; and the promotion of corporate digital responsibility.
Another point worthy of note is that Discos may use Client Management Systems or Customer Engagement Platforms to help manage energy consumers’ accounts, track the services rendered, maintain a relationship and communication with (potential) customers and proffer possible personalized recommendations. Also, for certain (agreed-upon or not) purposes, the said energy consumers’ personally identifiable information may be shared with third-party vendors or external parties. Third-party service providers play a critical role in supporting the electricity industry through the outsourced service they render. Such third-parties may include: data analytics firms, insurance companies, healthcare and technology vendors, auditors, regulatory bodies, outsourced labor contractors, etc. Identifiable privacy issues such as increased personal data breach risks will, therefore, arise during the electricity companies’ course of operations when dealing with third-party vendors and adopting the use of client management systems. Electricity firms are advised to have the necessary and appropriate measures in place to mitigate these risks associated with their third-party partners.
In the context of the safeguarding of personal data, it is also important to consider an electricity company’s employees – as almost all organizations have at least one or more employees supporting the organization in achieving its goals and objectives. In a general sense, the employees of companies carrying out operations in the electricity sector would, in the ordinary course of business, have their (and possibly families’) personal data processed, controlled and distributed. Such information may be required for the application of health insurance/coverage, for instance. Furthermore, personal information pertaining to visitors of the company – which may be imputed in the ‘Visitors Registers’ or their images captured on CCTVs, are also in the control of the electricity companies. Such information could be an easy target for personal data security breaches – thereby leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the said personal information processed, transmitted or controlled. This triggers an urgent need for the establishment of the apposite technical and organizational initiatives that guarantee the protection of the personal data the electricity company possesses or handles.
The Nigerian Data Protection Act imposes on, electricity companies the legal obligation and duty to ensure the adequate protection of all personal data it processes. As earlier noted, if an organization in the electricity power sector processes personal data, it is regarded as having “particular value or significance to the economy, society, or security of Nigeria” and is, therefore, adjudged to be a data controller of major importance by the Nigeria Data Protection Commission. Electric power companies are mandated, by virtue of the Nigeria Data Protection: Registration of Data Controllers and Processors of Major Importance Guidance Notice 2024, issued under Section 5(d) of the NDPA, to be registered as data controllers and data processors of major importance. It is, thus, pertinent for companies operating in the electricity sector to comply with all the relevant laws governing the practice of data privacy and protection.
Also, electric power companies must take into consideration and embed in their privacy programs, the following principles when processing (personal) data they control:
On the principle of fairness, electricity companies must ensure that their processing activities do not negatively impact data subjects and must be done in accordance with their reasonable expectations. Thus, electricity consumers and employees of electricity companies (data subjects) should be notified about the electricity companies’ processing activities and display the requisite compliance.
Last, electricity companies must also be completely transparent in their operations by providing to their customers specific data about their policies and practices relating to the collection, use, processing, retention, destruction, and reporting of the personal data they control or process.
Essentially, the principle of accountability notes that the data controller has the primary duty to ensure compliance with the relevant data protection laws and is responsible for the personal information within its control. Should any problems arise with regard to the personal data of the data subjects considered, the data controller will be held liable or accountable.
An electricity company, as a DCMI, bears a legal duty to data subjects with regard to protecting their data within its control. They are also held accountable for any actions or inactions regarding the processing of such data. This means that an electricity company is legally obligated to handle the data subjects’ personal information in its possession and control, adequately and appropriately. This fosters an environment of openness and trust.
Furthermore, electric power companies, when processing the personal data of more than 1000 data subjects, must, as a matter of obligation, submit an annual data protection audit return to the Nigerian Data Protection Commission by the 15th of March of the subsequent year. Within the electricity sector, a data protection audit consists of a comprehensive assessment of the records, processes, and procedures surrounding personal data processing employed by organizations acting as data controllers or processors. This examination, via the audit, ideally strives to ascertain data controllers’ and processors’ adherence to the stipulations outlined in all pertinent regulations, standard industry practices, and the organization’s established data protection policies during its processing activities.
iii) stored correctly and securely.
Considering the above, any policy, tool, or recommendation that would be effective in mitigating the risks associated with consumer data use in electricity systems must be grounded in robust data protection legal frameworks. The Nigerian data protection legal regime is structured such that it caters to the rising proportions of processing of personal data in the electricity industry. Electric power companies, which are defined by law as data processors and controllers, are mandated to implement measures that cater to the protection of their data subjects. This is to guarantee the security, availability, integrity, and confidentiality of personal data in the possession of electricity companies—for the purpose of protecting against incidents relating to data breaches. Some measures electricity companies should consider for the effective practice of data privacy and protection are:
The pertinence of privacy and data protection in Nigeria’s electricity/power industry cannot be overemphasized. The utilization and advancement of technology in the electricity sector—in conjunction with the digitalization of the industry—has occasioned the inadvertent control, processing, and transfer of (personal) data. Nigeria’s data protection regulatory framework addresses all issues that may stem from an electricity company’s data processing activities and expounds on the importance of safeguarding the data privacy rights and personal data of its data subjects. Electric power companies are to integrate data protection principles, as outlined in the relevant data protection regulations, into their daily data processing activities. Such data protection processing activities must be lawful, fair and transparent; necessary and proportional; accurate, etc. Furthermore, electricity companies must ensure that they adhere to the relevant data protection laws to avoid sanctions from the relevant regulatory bodies, preserve their business reputation, mitigate the risk of personal data breaches, and protect their stakeholders’ information. The said laws play the role of a guide by offering succinct information on the principles and practice of data protection, which electricity companies can easily make reference to. This can be achieved by complying with all applicable data protection regulations, managing third-party risks, conducting annual data compliance audits, and developing and adopting security measures to protect personal data. It is also noteworthy to mention that the NDPA 2023 General Application and Implementation Directive (GAID) 2024 is a highly anticipated regulation that electricity companies should watch out for.
By Lynda Ugo Ezike
B.A Economics (Memorial University of Newfoundland)
LL.B (Hons) (University of Southampton)
LL.M in Oil and Gas Law (Distinction) (University of Aberdeen)
B.L (Hons) (Nigerian Law School)Call Bridget Edokwe Esq on 08060798767 or send your email to barristerngblog@gmail.com
Source: @BarristerNG
CASE TITLE: NCS BOARD v. LAWAL (2024) LPELR-62774(CA)JUDGMENT DATE: 18TH JULY, 2024PRACTICE AREA: CIVIL PROCEDURELEAD…
CASE TITLE: KASUWAV v. NIGERIAN NAVY (2024) LPELR-62921(CA)JUDGMENT DATE: 19TH AUGUST, 2024PRACTICE AREA: CRIMINAL LAW…
CASE TITLE: EDIDIONG EYEN DEEP SEA FISHING CO-OPERTIVE INVESMENT AND CREDIT SOCIETY LTD v. MOBIL…
INTRODUCTION The new Supreme Court Rules 2024 (the “2024 Rules”) effectively repealed and replaced the…
CASE TITLE: OKORIE & ANOR v. INEC & ORS (2024) LPELR-62967(CA) JUDGMENT DATE: 9TH OCTOBER,…
In the Supreme Court of Nigeria Holden at Abuja On Friday, the 16th day of…