It sounded harmless, even helpful, especially in these tough economic times. But behind that offer lies a much darker reality.

The National Identity Management Commission (NIMC) is deeply concerned about a disturbing trend recently highlighted by the Economic and Financial Crimes Commission (EFCC): a growing number of Nigerians, especially the youth, are being enticed into selling their personal data for as little as ₦1,500 to ₦2,000.

These details are then resold to certain fintech platforms for as much as ₦5,000, fueling an underground economy that puts every NIN holder at risk.

“This is not just a case of minor fraud, it’s a threat to national security and personal safety,” said Dr. Kayode Adegoke, head of Corporate Communications at NIMC. “When you hand over your data to unknown agents, you are essentially handing over control of your identity.”

The Commission wishes to make one thing unequivocally clear: NIMC will not be held liable for any misuse of personal data shared willingly by individuals or through third parties for money or inducement.

The public has been repeatedly warned not to disclose their NIN or related information to anyone not officially authorised.

Moreover, NIMC reminds all service providers that every NIN presented for services must be properly verified using the appropriate channels before access is granted.

To protect yourself and your identity, Nigerians are strongly encouraged to download the NINAuth App, available on both Apple iOS and Google Play Store.

This tool empowers you to manage, secure, and control access to your personal NIN data, anytime, anywhere.

The story of your identity should be written by you, not sold for a quick payout.

A U.S. federal appeals court has ruled that the company can be sued in California over how it allegedly tracks and profits from users’ data—despite not being based there.

Brandon Briskin, a resident of California, claims Shopify secretly planted tracking cookies on his iPhone when he shopped online at I Am Becoming, a local retailer using Shopify’s services. Those cookies allegedly harvested his personal data and helped Shopify build a profile it could sell to other businesses.

Shopify didn’t deny placing the tracking software. Instead, the company argued it shouldn’t be dragged into court in California. It insisted that any legal action should happen in places where it has stronger legal ties—like Delaware, New York, or back home in Canada.

But the 9th U.S. Circuit Court of Appeals in San Francisco wasn’t having it. In a strong 10-1 decision, the court said Shopify aimed its data-gathering practices directly at Californians—and that’s enough to be held accountable in the state.

“Shopify deliberately reached out … by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous,” wrote Circuit Judge Kim McLane Wardlaw, siding with the majority.

That statement alone slices through all the legal fog. Shopify’s actions weren’t vague or incidental. The court said they were intentional and targeted—and that has consequences.

A lower court had previously tossed the case, agreeing with Shopify’s argument. Even a three-judge panel from the same appeals court had said the lawsuit didn’t belong in California. But this full bench decision reversed all of that and signalled that courts are now willing to take a harder stance when companies reach across borders through the internet.

Unsurprisingly, Shopify isn’t thrilled. A company spokesperson said the decision “attacks the basics of how the internet works,” suggesting it could force small online businesses to defend themselves in faraway courtrooms just because someone clicked from a different state.

If courts begin to take this position broadly, internet-based companies won’t be able to hide behind the argument that “we operate everywhere, so you can’t sue us anywhere.”

Matt McCrary, Briskin’s lawyer, welcomed the decision. He said the court made it clear that businesses can’t operate in digital marketplaces without also being subject to the laws of those markets. “The idea that a company is jurisdictionally ‘nowhere’ because it does business ‘everywhere’—that argument doesn’t hold up anymore,” he said.

Backing Briskin in this case was a coalition of 30 states and Washington, D.C. Their concern? If companies like Shopify are allowed to operate without being answerable to local laws, consumer protections become meaningless. 

These states want the power to hold internet giants accountable when their residents are targeted, no matter where the company’s headquarters may be.

But not everyone agreed. Judge Consuelo Callahan, the lone dissenter, warned that the majority had opened the floodgates. She criticised what she called a “traveling cookie rule,” which she argued would allow lawsuits to pop up anywhere a user travels, turning jurisdiction into a guessing game.

On a business level, Shopify has been doing well. It reported a 31% revenue increase in Q4 of 2024, hitting $2.81 billion. Full-year revenue was up 26% to $8.88 billion, and subscription income grew by over 9%.

That growth has come with deeper market penetration too. “In the U.S. alone, Shopify is now over 12% of the eCommerce market share,” said President Harley Finkelstein. “And we continue to grow rapidly in places like Europe and Japan.”

Still, these numbers may not shield Shopify from what comes next. The court ruling could influence dozens of pending and future cases. Tech companies handling consumer data across state lines can be held to account where users live, not just where your offices are.

Without any prior announcement or consent from its users, the social networking platform is now using user-generated content to enhance its AI tools.

Users can, however, opt out of this arrangement by navigating to their account settings. Under the ‘Data Privacy’ section, a feature labelled “Data for Generative AI Improvement” allows individuals to disable the use of their data for AI training. 

While this stops LinkedIn from using your data in the future, it does not reverse the use of information already processed for this purpose.

This issue has led to complaints regarding transparency and user autonomy, particularly as LinkedIn rolled out this update without making a public announcement. 

Users argue that defaulting users into such programmes without their informed consent is a violation of privacy. In response, LinkedIn has added details about its generative AI practices to its privacy policy, which now explicitly states that the platform may use personal data to develop AI-driven services and insights.

The company claims it employs privacy-enhancing technologies to anonymise or redact personal data from its AI training sets. However, some users remain uneasy about the potential misuse of their data, particularly given the broader concerns over privacy in the digital space.

Notably, LinkedIn has confirmed that the use of personal data for AI training does not affect users residing in the European Union (EU), European Economic Area (EEA), or Switzerland due to stricter data protection regulations in those regions.

Users outside these regions who wish to prevent further use of their data must manually opt-out.

Apart from generative AI, LinkedIn also relies on machine learning for content personalisation and moderation.

Opting out of the generative AI training does not exclude users from other data-driven activities unless they also submit a LinkedIn Data Processing Objection Form, which offers more comprehensive data protection.

Under the EU’s primary data privacy law, the General Data Protection Regulation (GDPR), for personal data to be transferred from the EU to another country without additional safeguards, an adequacy decision must be made by the European Commission in relation to the level of protection afforded to the information being transferred by the receiving country.

The power of the European Commission to make an adequacy decision is set out in Article 45 of the GDPR, which provides that “a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

An ‘adequate level of protection’ means that the level of protection afforded to the data is essentially equivalent to the level of protection provided to the data within the EU.

The effect of an adequacy decision is that personal data may be transferred from the EU to another country without any additional safeguards having to be put in place.

According to Baker McKenzie’s Global Data Privacy and Security team, on 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF).

US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation for personal data transfers received from the EU and European Economic Area.

In response to the EU’s Schrems II, the US government and the EC worked collaboratively to develop the DPF as a successor to Privacy Shield, and a means to provide greater certainty for transatlantic personal data transfers.

Among other activities, the US Administration adopted Executive Order 14086 to establish enhanced privacy protections for personal data in the context of government surveillance and a new process for individuals to seek redress on these issues concerning personal data transfers from a “qualifying state” to the United States.

The adequacy decision eliminates the uncertainty around the transfer of data across borders. This is particularly important for multinational companies that operate in both the EU and the US and allows these companies to continue processing personal data in the manner in which they did prior to the adequacy decision. The adequacy decision ultimately benefits companies and individuals on both sides of the Atlantic.

African multinationals that operate across the EU and the US will also be impacted by this decision with respect to their cross-border data flows, for example, between their group entities in these regions. However, the adequacy of the flow of data in the context of Africa is uncertain.

At present, the EU has not made a finding in relation to the adequacy of the data protection legislation of any African country. Over the last few years, there has been a rise in the implementation of data protection laws in African countries.

South Africa, Algeria, Eswatini, Tanzania, Botswana, Kenya and Uganda, for example, are among the jurisdictions in Africa that have implemented privacy laws.

Although personal data may still be transferred from EU countries to African countries, additional safeguards are still required.

The rapidly increasing flow of data between the EU and other regions, including Africa, means that the EC might in the future focus on launching adequacy decisions to assess data protection laws that have recently been adopted in countries across the continent.

Many of Africa’s data privacy and security laws have been modelled, at least to some extent, on the GDPR and its earlier iteration, the EU Data Protection Directive.

Data privacy laws in Africa with some similarities to the GDPR include those in Ghana, Kenya, Mauritius, Nigeria and Uganda.

Data privacy laws in Rwanda also closely follow the GDPR. Data protection laws in South Africa and Morocco, for example, were modelled on the earlier EU Directive, resulting in laws that are similar but with some differences to the GDPR (notably, and in contrast to the GDPR, South African data protection law protects the personal data of juristic persons in addition to natural persons).

This could mean that data flowing from these countries will be more likely to be recognized as having an adequate level of protection.

[Featured Image Credit]