ARTIFICIAL INTELLIGENCE AND LAW: CHAT GPT AND ITS IMPACT ON DATA PRIVACY AND PROTECTION

By Bulus Eunice Dyep

Philomath University, Abuja.

ABSTRACT  

Artificial Intelligence (AI) is reshaping industries across the globe, and the legal field is no exception. Through technologies like ChatGPT, AI now assists with document analysis, legal research, and client communication, but it also raises new privacy and data protection concerns that demand urgent attention. This article explores the growing role of AI in the legal profession, the regulatory framework surrounding it in Nigeria, and the challenges posed by ChatGPT to existing data privacy laws. It further examines the Nigeria Data Protection Act (NDPA) 2023 and related instruments, Recommendations made for policymakers and stakeholders to ensure compliance in the use of AI systems. 

 

 

INTRODUCTION 

Artificial Intelligence (AI) is a rapidly advancing field of computer science that focuses on creating intelligent machines capable of performing tasks that typically require human intelligence. AI systems are designed to analyse data, learn from patterns, make decisions, and solve complex problems. AI encompasses several subfields, such as machine learning, natural language processing, computer vision, and robotics. Machine learning, in particular, plays a significant role in AI development.  

It involves training algorithms to learn from data and improve their performance over time without explicit programming. AI has already made significant contributions in areas like speech recognition, image and object recognition, recommendation systems, and virtual assistants. In addition to its applications in various industries, AI is also being explored in scientific research, healthcare diagnostics, autonomous vehicles, and even space exploration. However, the rapid advancement of AI also raises important ethical and societal concerns. Questions about privacy, security, job displacement, bias in decision-making, and the overall impact on society need to be carefully addressed.  

 

HISTORY OF ARTIFICIAL INTELLIGENCE

AI has a rich history that dates back to the 1940s when the term "artificial intelligence" was first coined. The field has since evolved and expanded, with significant milestones achieved in different decades. In the 1960s, the development of the General Problem Solver (GPS) marked a breakthrough in symbolic reasoning and problem-solving. The 1970s witnessed advancements in robotics, neuroscience, and computer vision. Expert systems gained prominence in the 1980s, enabling AI to draw inferences based on knowledge bases and rules. The 1990s saw practical applications of AI in speech recognition, natural language processing, and machine learning. In the 2000s, AI became more sophisticated and began transforming various industries, including the legal profession. Today, AI is utilized to automate tasks, enhance efficiency, and support legal professionals in legal research, contract review, and document analysis.

 

ARTIFICIAL INTELLIGENCE TECHNOLOGY AND ITS VERSATILITY 

AI has a wide range of applications across various industries, including the legal profession. Some key aspects of AI versatility include: 

1. Automating routine tasks: AI can handle mundane tasks, freeing up time for professionals to focus on more strategic and creative aspects of their work. 

2. Enhancing decision-making: AI can analyse large datasets and provide insights, recommendations, and predictions, improving the quality of decision-making in various fields. 

3. Language translation: AI-powered translation tools can provide instant translations, making communication easier across language barriers. 

4. Education: AI can be used to create personalized learning plans, adapt to students' learning styles, and provide intelligent tutoring systems to improve educational outcomes. 

5. Environmental monitoring: AI can be used to monitor environmental conditions, such as air quality or climate change, providing valuable insights for scientists and policymakers. 

6. Art and entertainment: AI can be used to create art and music, and even write books, showcasing its versatility in creative fields. 

As AI technology continues to evolve, it is expected to play an increasingly significant role in the legal profession, with the potential to revolutionize the practice of law and improve the quality of legal services.

 

ARTIFICIAL INTELLIGENCE AND LAW

AI in the legal profession is indeed being used to automate routine tasks, improve efficiency, and assist in various aspects of legal work. AI-powered legal research platforms are enabling lawyers to conduct research more efficiently, enhancing the quality of their work. These platforms can scan vast libraries of documents and cases, collect critical information, and help lawyers build their arguments. AI can also automate routine tasks such as searching for specific cases, and contracts, creating invoices, or conducting due diligence. 

 

The use of AI in law also raises ethical, legal, and social implications. It is crucial to consider the potential impact on the legal industry and address concerns related to fairness, accountability, transparency, and privacy. Institutions like Harvard Law School's Initiative on 

Artificial Intelligence and the Law (IAIL) are actively involved in addressing these challenges and opportunities.

AI in law often involves interdisciplinary approaches, collaborating with disciplines such as artificial intelligence, logic, machine learning, cognitive psychology, linguistics, and philosophy. This collaboration helps in developing AI systems that can effectively analyse legal data, understand complex legal concepts, and provide valuable insights to legal professionals. 

Research and initiatives in the field of AI and law are focused on leveraging AI technologies to automate searches of case law and statutes, saving time and increasing accuracy. AI can also scan electronic information to obtain non-privileged information relevant to a case or claim, allowing lawyers to scan documents using search terms or specific parameters. 

As AI continues to evolve, law firms and professionals must adapt and leverage these technologies to remain competitive and provide high-quality legal services. However, it is essential to strike a balance between the benefits of AI and the ethical considerations associated with its use in the legal profession. 

 

EXAMPLES OF ARTIFICIAL INTELLIGENCE TECHNOLOGY IN LAW

AI technology is revolutionizing the legal profession by offering various benefits and transforming the way lawyers work. One area where AI is making a significant impact is in legal research. AI-powered platforms such as Legal Robot, OneLaw.ai, Harvey AI, and CARA by Case text are helping streamline the research process, improve efficiency, and assist legal professionals in finding relevant information quickly. 

Legal Robot utilizes AI to analyse and summarize legal documents, making it easier for users to understand and draft legal documents. OneLaw.ai uses natural language processing to provide quick access to case law, statutes, and regulations, along with intelligent search capabilities. Harvey AI combines natural language processing and machine learning to assist firms with tasks like contract analysis, due diligence, litigation, and regulatory compliance, while also generating data-based insights and predictions. CARA by Case text is an AI tool that analyses citations and suggests relevant cases, helping lawyers find on-point authorities in seconds. These AI-powered platforms not only save time but also enhance productivity and improve decision-making in the legal profession. 

 

Overall, AI technology is transforming the legal landscape by increasing productivity, improving decision-making, and enhancing client services. As AI continues to evolve, it is expected to play an even more significant role in the legal profession, offering new opportunities and advancements for legal professionals in Nigeria and beyond.

 

LAWS ON ARTIFICIAL INTELLIGENCE 

In Nigeria, there is currently no specific legislation dedicated solely to the regulation of artificial intelligence (AI). However, AI companies need to be aware of general and sectorspecific laws that may apply, such as data protection laws and intellectual property laws. The Nigerian government recognizes the potential of AI and is actively investing in research and development to drive innovation, productivity, and future job opportunities. Initiatives like the National Centre for Artificial Intelligence and Robotics (NCAIR), the Nigeria Artificial Intelligence Research Scheme (NAIRS), and the 3 million Technical Talent (3MTT) Program demonstrate the government's commitment to advancing AI technology. 

To provide guidance and address potential risks associated with AI, the development of a National AI Policy Framework is underway. This framework aims to provide directions for Nigeria to leverage AI effectively while mitigating complexities and ensuring responsible use. Although the Nigerian legal jurisprudence does not currently have an AI policy framework, the government is working towards creating an enabling policy environment for AI.

Internationally, other countries have been actively working on AI regulation, recognizing the potential threats to privacy and safety that AI systems can pose. The laws and regulations on AI technology vary across countries, with some having comprehensive legislation while others focus on specific use cases or voluntary guidelines and standards. In Nigeria, the Federal House of Representatives has initiated work on a bill to establish a codified legal framework for the adoption and use of AI systems, which will provide a more structured approach to AI regulation in the country.

 

UNITED NATIONS (UN) AI ADVISORY BODY 

The United Nations has proposed a new UN AI advisory body to better include views of developing countries and to establish international technical standards, such as those developed via ISO and IEEE. These regulations and initiatives highlight the growing importance of AI governance and the need for effective, flexible, and future-proof AI regulations to address the complexities and potential risks associated with AI technology 

 

GUIDING PRINCIPLES OF THE UN AI ADVISORY BODY 

“Guiding Principle 1. AI should be governed inclusively, by and for the benefit of all… Guiding Principle 2. AI must be governed in the public interest…Guiding Principle 3. AI governance should be built in step with data governance and the promotion of data commons… Guiding Principle 4. AI governance must be universal, networked, and rooted in adaptive multistakeholder collaboration… Guiding Principle 5. AI governance should be anchored in the UN Charter, International Human Rights Law, and other agreed international commitments such as the Sustainable Development Goals…” 

 

EU AI ACT 

The Act focuses on ensuring that AI systems used in the EU are safe, transparent, traceable, non-discriminatory, and environmentally friendly. 

PROPOSED AMENDMENT OF THE EU REGULATION OF ARTIFICIAL INTELLIGENCE 

“(2b) 

The fundamental right to the protection of personal data is safeguarded in particular by Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2016/680. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions for any personal and non-personal data stored in and accessed from terminal equipment. Those legal acts provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation does not seek to affect the application of existing Union law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. This Regulation does not affect the fundamental rights to private life and the protection of personal data as provided for by Union law on data protection and privacy and enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’).” 

 

THE PROPOSED REGULATORY FRAMEWORK OBJECTIVES 

“Ensure that AI systems placed on the Union market and used are safe and respect existing law on fundamental rights and Union values; ensure legal certainty to facilitate investment and innovation in AI; enhance governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems; facilitate the development of a single market for lawful, safe and trustworthy AI applications and prevent market fragmentation.” 

 

PROPOSED AU – AI CONTINENTAL STRATEGY  

The African Union High-Level Panel on Emerging Technologies (APET) and the African Union Development Agency (AUDA-NEPAD) recently convened African Artificial Intelligence experts at a Writing Workshop in Kigali, Rwanda.  

Following this workshop, the draft strategy shall be submitted to AU Member States for review and validation to sustain ownership, after which a continentally adopted version shall be launched at the January 2024 AU Summit by Africa’s Heads of State and Government. 

“The goal is to create a comprehensive strategy to develop and strengthen competition laws, legal liability frameworks, and intellectual property laws, the democratization of AI, ethical considerations, and supporting AI ecosystems should be prioritized. AU Member States should have clear implementation frameworks, monitoring, and evaluation mechanisms to ensure implementation success. Funding and investment programs and mechanisms across various industries can quantify the return on investment for AI projects and ensure the expected impacts are realized.” 

 

ARTIFICIAL INTELLIGENCE TECHNOLOGY IN THE NIGERIAN LEGAL SYSTEM  

AI technology is rapidly gaining traction in Nigeria, particularly in the legal industry. The history of artificial intelligence (AI) can be traced back to the early 1900s, with significant advancements occurring in the 1950s and subsequent decades. Over time, AI has experienced periods of rapid growth and interest, leading to its widespread application in various fields. 

In Nigeria, AI has the potential to greatly enhance legal research and decision-making processes. AI-powered legal research platforms offer efficient and effective ways to conduct research, analyse data, and build stronger legal cases. These platforms enable legal professionals to scan entire databases in a matter of moments, saving valuable time and effort. By utilizing data analytics, AI can identify patterns, trends, anomalies, and gaps in legal information, ultimately improving the quality and accuracy of research outputs.

Furthermore, AI can provide legal professionals in Nigeria with data-driven insights and recommendations, enabling them to make more informed decisions. By leveraging AI for legal research, professionals can streamline their research tasks, enhance their legal reasoning and creativity, and ultimately bolster their firm's reputation and success. 

By integrating AI into their workflows, legal professionals in Nigeria can experience increased productivity, improved efficiency, and enhanced client services. AI technology has 

 

the potential to revolutionize the legal landscape in Nigeria, empowering legal professionals to deliver better outcomes for their clients and drive positive change within the industry.

 

DATA PRIVACY AND PROTECTION LAWS IN NIGERIA

 

PRIVACY AND ITS OBJECTIVES 

The main principles and objectives of privacy include proactive prevention, respect for user privacy, transparency, and data protection by design and default. Privacy by Design, a framework for integrating privacy into business operations, is built on seven core principles, such as proactive, not reactive; preventative, not remedial, and respect for user privacy. 

In the context of artificial intelligence (AI), privacy principles and objectives are crucial to ensure the responsible use of AI technologies while protecting individuals' data and privacy rights. Some key principles and objectives include Transparency which involves disclosing the uses of algorithmic decision-making and the inner workings of AI systems to ensure users understand how their data is being used and protected, fairness and nondiscrimination which ensure that AI systems do not perpetuate or amplify unfair or discriminatory outcomes in crucial areas such as hiring, lending, criminal justice, and others and robustness and security: Ensuring the resilience of AI systems to various forms of attacks, including those related to privacy 

 

PRIVACY AND PROTECTION LAWS IN NIGERIA 

Nigeria has established a robust and comprehensive data protection framework to safeguard the privacy and security of personal data. This framework consists of key legislations such as the Nigeria Data Protection Act, 2023 (NDPA), the Nigeria Data Protection Regulation, 2019 (NDPR), and the Nigeria Data Protection Regulation, 2019: Implementation Framework (Implementation Framework).  

The NDPA serves as the primary legislation governing data protection in Nigeria. It outlines the rights and obligations of data subjects and data controllers, establishes principles for lawful data processing, and provides mechanisms for enforcement and penalties for noncompliance. Complementing the NDPA, the NDPR, and other regulations or circulars provides additional guidance and specifications on various aspects of data protection. These regulations further clarify the requirements for data protection practices, data breach notification, cross-border data transfers, and the role of the Data Protection Commission in overseeing compliance. Together, these legislations and regulations form a comprehensive 

framework that aims to ensure the responsible and secure handling of personal data in Nigeria. By establishing clear guidelines and enforcement mechanisms, the framework seeks to protect individuals' privacy rights and foster trust in the digital ecosystem. 

Data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union, impose certain obligations on organizations that collect and process personal data. These obligations include obtaining informed consent from individuals, ensuring data security, providing transparency about data processing activities, and allowing individuals to exercise their rights over their data. 

 

IMPACT OF CHAT GPT ON DATA PROTECTION

Chat GPT is a powerful AI tool that can process and generate text based on user input. However, it raises concerns about data protection and privacy due to its potential to collect and process large amounts of data, including personal and sensitive information. Chatbots can expose various sensitive information, including Personally identifiable information, financial data, medical records, Trade secrets, confidential business information, User discussions and interactions, 

Since its inception, there are have concerns over its capabilities. Some claim that the AI tool cuts across personal privacy and thus its powers or abilities need to be closely monitored.  The general concerns related to Chat GPT range from Data breaches; Chat GPT logs every conversation, including any personal data users share, and uses it as training data which some claim violates personal privacy. Therefore, if an unauthorized party gains access to conversation logs or user information, it could lead to data breaches and compromise user privacy. Lack of transparency about data use; Chat GPT has faced criticism for not providing sufficient information about the personal and legal basis for the collection and storage of personal data. There are no age controls; Chat GPT does not have age controls in place to prevent minors from using the platform. This leads to the collection of personal data from individual’s underage. Data security; Chat GPT is vulnerable to cybersecurity risks that could result in the compromise of data.  For example, a bug-related data leak has been reported. 

The use of ChatGPT in businesses raises concerns about compliance with data protection laws, such as the General Data Protection Regulation (GDPR). ChatGPT's potential impact on data protection laws includes the risk of losing control of information, potential fines for non-compliance, and security risks associated with its use 

The impact of ChatGPT on data protection laws is a significant concern, as its use in businesses must comply with regulations to ensure the protection of user data and privacy. AI chatbots can inadvertently expose users' sensitive information, such as their name, address, phone number, and other pieces of personally identifiable information. Cybercriminals can exploit chatbots to gather sensitive information from users by impersonating a chatbot or manipulating it into revealing the information10

RISKS AND BENEFITS FOR DATA PRIVACY AND PROTECTION  

BENEFITS OF CHAT GPT CONCERNING DATA PRIVACY AND 

PROTECTION 

ChatGPT enhances user experiences by providing more efficient and accurate responses to user queries. This improvement in response quality contributes to an overall enhanced user experience. Additionally, ChatGPT simplifies data collection and analysis for businesses. By assisting in data collection and analysis, ChatGPT enables businesses to gather valuable insights that can be utilized to enhance customer service and product development. 

 

RISKS OF CHAT GPT CONCERNING DATA PRIVACY AND PROTECTION 

The usage of ChatGPT entails several risks that need to be considered. One such risk is unauthorized data access, which occurs when ChatGPT processes and stores personal and sensitive data that could be exposed if the system is compromised. Another risk is insufficient consent mechanisms, as ChatGPT may not have adequate measures in place to obtain proper consent, potentially raising privacy concerns. In terms of data security, there may be a risk of inadequate protection against unauthorized access, theft, or disclosure of sensitive data within the ChatGPT program. Additionally, the ownership of data generated by ChatGPTmay be unclear, leading to potential intellectual property disputes. Data leakage is another risk, where employees may unintentionally or intentionally share sensitive company information, resulting in data breaches. Lastly, the misuse of information derived from ChatGPT conversations can lead to various problems, including breaches of confidentiality and violations of intellectual property rights. These risks highlight the importance of implementing robust security measures and clear data ownership policies when using ChatGPT.11

 

LEGAL PENALTIES  

Failure to comply with data protection laws when utilizing chatbots can result in significant repercussions. The potential risks encompass data breaches, unauthorized access, privacy infringements, substantial fines, and harm to reputation. In Nigeria, non-compliance with data privacy and protection laws can lead to various legal penalties and consequences. 

 

 

These may include fines and penalties imposed by government agencies, civil lawsuits resulting in monetary damages, reputational harm, criminal liability in cases of intentional or reckless violations, loss of control over data, and heightened security risks. Organizations must prioritize compliance with data protection laws to mitigate these risks and safeguard privacy Organizations must prioritize the security of user data as enshrined under the following provisions. 

S 37 OF THE 1999 OF THE CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA 

“The privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected.” 

 

 

ARTICLE 17 OF THE INTERNATIONAL COVENANT ON CIVIL AND POLITICAL 

RIGHTS (ICCPR) 

“No one shall be subjected to arbitrary or unlawful interference with his (or her) privacy, family, home or correspondence, nor unlawful attacks on his (or her) honour and reputation. 

Everyone has the right to the protection of the law against such interference or attacks.” 

 

UNIVERSAL DECLARATION OF HUMAN RIGHTS  

ARTICLE 12 

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” 

 

SECTION 24 AND 25 OF THE NIGERIA DATA PROTECTION ACT, 2023

“24. 

(1) A data controller or data processor shall ensure that personal data is — 

(a) processed in a fair, lawful, and transparent manner; 

(b) collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes; 

 

(c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed; 

(d) retained for no longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed; 

(e) accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and 

(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, access, loss, destruction, damage, or any form of data breach. …  

25. (1) Without prejudice to the principles set out in this Act, data processing shall be lawful, where — 

(a) the data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed; or 

(b) the processing is necessary — 

(I) for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract, 

(ii) for compliance with a legal obligation to which the data controller or data processor is subject, 

(iii) to protect the vital interest of the data subject or another person, 

(iv) for the performance of a task carried out in the public interest or the exercise of official authority vested in the data controller or data processor, or 

(v) for the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. 

(2) Interests in personal data processing shall not be legitimate for the purposes of subsection (1)(b)(v), where — 

(a) they override the fundamental rights, freedoms, and interests of the data subject; 

(b) they are incompatible with other lawful basis of processing under subsection (1)(b) (I)(iv); or 

(c) the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged”  

 

 

PART 2.9. THE NIGERIA DATA PROTECTION REGULATION, 2019 

ADVANCEMENT OF RIGHT TO PRIVACY 

“Notwithstanding anything to the contrary in this Regulation, the privacy right of a Data Subject shall be interpreted to advance and never to restrict the safeguards Data Subject is entitled to under any data protection instrument made in furtherance of fundamental rights and the Nigerian laws.” 

 

PART 2.10. THE NIGERIA DATA PROTECTION REGULATION, 2019 

PENALTY FOR DEFAULT 

Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following: 

a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 

10 million Naira, whichever is greater; 

b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater. 

PART 2.2. THE NIGERIA DATA PROTECTION REGULATION, 2019 

GOVERNING PRINCIPLES OF DATA PROCESSING  

“(1) In addition to the procedures laid down in this Regulation or any other instrument for the time being in force, Personal Data shall be: 

a) collected and processed by specific, legitimate, and lawful purpose consented to by the Data Subject; provided that: I. further processing may be done only for archiving, scientific research, historical research, or statistical purposes for the public interest; ii. any person or entity carrying out or purporting to carry out data processing under the provision of this paragraph shall not transfer any Personal Data to any person;  

b) adequate, accurate, and without prejudice to the dignity of the human person; c) stored only for the period within which it is reasonably needed, and d) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.” 

 

SECTION 1, 3, 4 & 10 GENERAL DATA PROTECTION REGULATION  

“1) The protection of natural persons in the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union 

(the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union 

(TFEU) provide that everyone has the right to the protection of personal data concerning him or her.  

(3) Directive 95/46/EC of the European Parliament and the Council (4) seeks to harmonize the protection of fundamental rights and freedoms of natural persons concerning processing activities and to ensure the free flow of personal data between Member States. 

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not absolute; it must be considered about its function in society and be balanced against other fundamental rights, by the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognized in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience, and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity. 

(10) To ensure a consistent and high level of protection of natural persons and to remove the obstacles to the flow of personal data within the Union, the level of protection of the rights and freedoms of natural persons regarding the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons about the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sectorspecific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.” 

CYBERCRIME (PROHIBITION AND PREVENTION) ACT 2015 

The Cybercrime Act 2015 is the extant law that regulates and promotes cybersecurity and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property, and privacy rights, and the retention of records and protection of personal data.

 

CASE LAWS 

In September 2023, Open AI and Microsoft found themselves embroiled in their second class-action lawsuit, currently being heard in a San Francisco federal court. The 

 

lawsuit has been initiated by two anonymous software engineers who are users of Open Ai’s ChatGPT, and it accuses both companies of violating privacy laws during the development of their AI systems. The crux of the claim is that Open AI and Microsoft trained their AI technology by illicitly utilizing personal data that had been stolen from hundreds of millions of internet users. 

What makes this lawsuit particularly noteworthy is its striking resemblance to a previous case filed by the Clarkson Law Firm in June. Significant portions of the complaint in this new lawsuit are nearly identical to the earlier one. The plaintiffs, who are being represented by Morgan & Morgan, assert that Open AI improperly utilized their data from social media platforms to train their AI systems. This has raised concerns among the plaintiffs that their professional skills may become obsolete as a result. As part of their legal action, they are seeking unspecified financial damages and are demanding that both companies implement protective measures to prevent any further improper use of private data. 

In the case of Incorporated Trustees of Paradigm Initiative for Information 

Technology (PIIT) & Sarah Solomon-Esher (Applicants) v National Identity Management Commission (NIMC) & Anor, the Federal High Court (FHC) has upheld the data privacy rights of Nigerian citizens. The court has directed the National Identity Management Commission (NIMC) to enhance its data privacy and security systems to prevent any violation of citizens' right to privacy. This ruling emphasizes the importance of safeguarding personal data and ensuring that appropriate measures are in place to protect the privacy of individuals. 

In 2014, National Identity Management Commission (NIMC) vs. Mastercard  

The NIMC sued Mastercard for alleged unauthorized access to the National Identity Database and the breach of citizens' data. The case emphasized the need for strict data protection measures and the responsibility of companies handling sensitive information. 

In 2021, Facebook vs. Nigerian Communications Commission (NCC)  

Facebook filed a lawsuit against the NCC over allegations of data privacy breaches and unlawful access to user data. The case highlighted the responsibility of software companies to protect user information and the legal implications of data breaches. 

PRECAUTIONS FOR USERS OF CHAT GPT 

To address these concerns, businesses should not enter any personal data into Chat GPT and always ensure they have a legal basis for processing people's information. Users should be cautious when sharing information, especially in public or shared conversations, and exercise their data subject rights under GDPR, such as the right to access, rectify, or erase their data. Organizations must ensure that their data protection strategies align with regulations, allowing users to access, rectify, or delete their data.  

To minimize the risk of sensitive information being exposed, it is crucial to implement robust data protection strategies, such as encryption, access restrictions, secure data storage, and regular security audits. Regular security audits and assessments are critical to identify vulnerabilities and ensure compliance with data protection regulations.  Companies must obtain explicit consent from consumers before using their data in chatbot interactions and clearly explain how and why the data will be used. 

 

EFFECTIVENESS OF DATA PRIVACY AND PROTECTION LAWS ON ISSUES OF CHAT GPT 

The Nigeria Data Protection Act 2023 (NDPA) is the primary legislation governing data protection in Nigeria. It was enacted on June 12, 2023, to safeguard the personal data of Nigerian citizens following internationally recognized data protection principles. However, there are concerns regarding the adequacy and effectiveness of current privacy and data protection laws in addressing the specific issues raised by ChatGPT in Nigeria. These concerns include data ownership, intellectual property infringement, liability for errors, privacy, and data protection. 

Supplementing the NDPA are other regulations and circulars that further enhance data protection in Nigeria. Despite these concerns, Nigeria has taken steps to improve its data protection laws and regulations. The NDPA was enacted to establish a comprehensive framework for data protection in Nigeria, with many provisions aligning with the General Data Protection Regulation (GDPR). Additionally, Nigeria's Constitution and sector-specific laws also address privacy and data protection matters. 

The NDPA represents a significant milestone in Nigeria's data protection legislation. It applies to data controllers, data processors, and third parties involved in the processing of personal data, aiming to ensure robust protection for Nigerian citizens' data in line with international standards. The Act introduces structural changes, elevating the data protection authority from a "Bureau" to a Commission and updating the governing mechanisms. 

 

In comparison to data protection laws in other countries, Nigeria's NDPA shares similarities with the GDPR. It guarantees strong protection for individuals' data and applies to the use, processing, or sharing of personal data, regardless of whether it is obtained online or offline. Furthermore, the NDPA provides a comprehensive set of rules governing data protection, many of which align with the GDPR.

 

 

 

 

RECOMMENDATION TO ADDRESS CHALLENGES THE ISSUES OF CHAT GPT AND DATA PRIVACY AND PROTECTION 

The emergence of artificial intelligence (AI) brings forth both challenges and opportunities for data protection. To address these issues, policymakers, regulators, and other stakeholders can take several important steps. Firstly, they should implement robust safeguards against ineffective and unsafe AI systems. This includes addressing algorithmic discrimination, requiring independent audits, and conducting human rights-based impact assessments. Additionally, there should be increased transparency regarding the design, testing, use, and effects of AI products. 

To ensure user trust in AI systems, it is crucial to protect and handle personal and sensitive data appropriately. Policies should support the use of AI for cybersecurity purposes, integrate AI systems into threat modelling and security risk management, promote the adoption of global security standards, invest in security innovation to counter adversarial AI and develop guidance that upholds privacy and ethical data use. Governments should consider long-term public investment and encourage private investment in research and development, including interdisciplinary efforts. Furthermore, they should facilitate the protected free flow of data across borders. 

Software engineers are advised to prioritize privacy and data protection in the design and development of AI systems. They should only collect necessary data, ensure its security, and retain it for the required duration. Building AI using accurate, fair, and representative datasets is essential to avoid algorithmic bias. Users should be informed when their data is being used and made aware of how AI impacts decisions concerning them. Strong encryption methods should be employed to protect sensitive data during transit and storage when utilizing AI in business processes. Lastly, stakeholders should transparently demonstrate compliance with relevant laws and standards to instil confidence in AI cybersecurity practices.

 

CONCLUSION 

AI in the field of law leverages machine learning algorithms, natural language processing, and data analytics to streamline legal processes. By analysing extensive legal data, AI can assist legal professionals in conducting thorough research, identifying pertinent case precedents, and extracting crucial information from legal documents. This not only saves time but also enhances accuracy and improves overall efficiency.  

However, the ChatGPT feature, which enables the collection of personal data without explicit consent, has raised significant concerns and prompted the implementation of regulations to address the potential misuse of such AI tools. As the world continues to advance and globalization expands, it becomes imperative to prioritize the protection of individual's privacy and dignity, preventing any violation caused by ChatGPT or similar technologies. 

While Nigeria has made progress in enhancing its data protection laws and regulations, it is crucial to continually strengthen the legal framework to effectively address the challenges posed by emerging technologies like ChatGPT. This involves ensuring the effective enforcement of the Nigeria Data Protection Act (NDPA) and other relevant laws, as well as promoting compliance among businesses and organizations to uphold the regulations.