New Technologies in International Law / Tymofeyeva, Crhák et al.

of similar stringent data protection regulations to avoid data exploitation, which includes the illegal use of individuals’ private data, illegal identification and tracking of individuals due to data breaches. Other risks that developing countries that seek to apply AI tools to address access to healthcare issues must be aware of include risks relating to re-identification and de-anonymization of sensitive medical and personal data. To address these issues successfully, developing countries will need to proactively adopt stringent regulations like the GDPR for example, which introduced strict consent requirements for data collection, giving individuals the right to control their data while strictly regulating parties that collect, control, and process data, with significant fines for failure to comply with the Regulation. Emulating these laws and adopting them to address our local peculiarities will make actors, data controllers, and stakeholders applying AI tools in healthcare settings in these developing nations accountable and responsible. 478 Developing countries seeking to ensure adequate data protection may also take a page from Nigeria, which recently adopted the Nigeria Data Protection Act (NDPA), 2023, to replace the Nigerian Data Protection Regulations (NDPR) 2019 and the NDPR Implementation Framework 2019, issued under the National Information Technology Development Agency (NITDA) Act. The NDPA establishes the legal framework for regulating personal data in the country and seeks to ensure that personal data protection is a guaranteed fundamental human right, with the aims of safeguarding the fundamental rights and freedoms of data subjects protected under the Nigerian Constitution, regulating the processing of personal data, promoting data processing best practices that ensure the security of personal data and the privacy of data subjects’s rights by regulating data collectors and processors, as well as strengthening the legal foundations of the Nigerian digital economy and guaranteeing the Nation’s participation in regional and global economies through beneficial and trusted use of personal data. 479 The NDPA also establishes the Nigeria Data Protection Commission (NDPC), which implements and enforces the rules and regulations set out in the Act and regulates the processing of personal information and other related matters. 480 The Act also establishes a Governing Council of the Commission, which is responsible for formulating and providing overall policy directions for the affairs of the NDPC. 481 The NDPC is responsible for investigating data privacy complaints and can autonomously initiate inquiries when there is suspicion of privacy violations. This mandate upholds transparency and fosters accountability among businesses processing personal data. 482 The NDPA stipulates penalties for contravention of the Act and or its subsidiary regulations, subject to variation based on the significance of the roles played by the data controllers or data processors involved in the breach, wherein entities engaged in the processing of larger volumes of personal data are held to an elevated data protection standards and increased accountability measures. This approach ensures that entities 478 Wakunuma K, Jiya T, Aliyu S, ‘Socio-Ethical Implications of Using AI in Accelerating SDG3 in Least Developed Countries’ (2020) 4 Journal of Responsible Technology 100006. 479 Data Protection Act , Nigeria (2023), Section 1.

480 Ibid., Section 4. 481 Ibid., Section 8. 482 Ibid., Section 46.

114