Introduction
The evolution of the Internet has changed the world in many ways. Physical (traditional) operations and daily interactions have over time been supplemented, overshadowed or totally supplanted by online versions riding on the back of developments in information and communication technology (ICT), and the consequent migration into cyberspace. ICT has become, within a very short time, one of the basic building blocks of modern society, forcing and creating a culture of dependence on innovative technology.[1] The Fourth Industrial Revolution (4IR) is characterised by a fusion of technologies that has blurred the lines between the physical, digital, and biological spheres.[2]
The concept of data security becomes even more important, considering that we now live in a ‘database society.’[3] It is this concern that births the concept of data privacy and protection, with a view to finding an adequate and well-established legal framework and infrastructure for the protection of data on the internet.[4]
Aside from the above, the problem of data privacy and its invasion came up as an accessory to the Internet. Privacy entails the right to decide which details of our personal lives should be outside the public domain.[5] Though the right to privacy (as a subset of the right to dignity of the human person) remains a guaranteed right vide section 37 Constitution of the Federal Republic of Nigeria 1999 (as amended),[6] concerns remain that section 37 is only generic and cannot apply to data privacy.
Nigeria rose up to the challenge, albeit belatedly, starting with issuance of the National Information Technology Development Agency (NITDA) Draft Guidelines on Data Protection 2013. Later, the Nigeria Data Protection Regulation 2019 (NDPR) and the Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020 (Guidelines) were issued. Currently, there is a Data Protection Bill 2020 (DP Bill) proposed as an executive bill by NITDA to address the germane issue of data governance and protection. The highlights of the NDPR, the Guidelines, the DP Bill, their interventions and challenges are the focus of this paper.
The Concept of Data Protection and Privacy
Data insecurity is borne out of the fact that data is often not in the absolute control of the Data Subject (DS) and, as such, might be prejudicial if not in safe hands, given the advent of information technologies that create, collate, manage, manipulate, store, and share information regardless of time and space.[7]
Data is defined by NDPR to mean “characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals is stored in any format or any device.”[8] Meanwhile, data privacy relates to the collection, storage or usage of Personal Data (PD) while data protection refers to the action and activities dealing with data security against unauthorised access.[9]
History of Data Protection Regulation in Nigeria
The history of data protection is as old as ICT. Though there has been the provision for the protection of one’s privacy under the Universal Declaration of Human Rights 1948 and in Nigeria’s Constitution, this has however not fully guaranteed the right to privacy of one’s data, especially given technological developments.
Nigeria’s first attempt at data protection can be traced to the Nigerian National Policy for Information Technology (IT Policy).[10] Apart from the NDPR, some Nigerian legislation and institutions that impact data protection regulation in Nigeria include the Cybercrime (Prohibition, Prevention etc.) Act 2015, the Freedom of Information Act 2011, the Nigerian Communications Commission Act,[11] the NITDA Act,[12] etc. However, an in-depth analysis of these laws and institutions has shown an insufficient attempt to regulate data privacy and protection in Nigeria.
The NITDA issued the NITDA Draft Guidelines pursuant to section 6(c) NITDA Act in September 2013, which metamorphosed into the extant NDPR. Later, in May 2020, NITDA issued the Guidelines in July 2020, for public institutions to ensure compliance with the NDPR, and the Framework.
Meanwhile, the Protection of Personal Information Bill 2019[13] and the DP Bill[14] were also introduced; they seek to address the challenge of the dearth of adequate regulation of data privacy and protection in Nigeria.
Analysis of the NDPR, the Guidelines and the Framework
The NDPR seeks to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of PD, prevent manipulation of PD and ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is in tune with best practices.
Article 2 NDPR provides the governing principles for data protection, which include that PD must be lawfully collected and processed with the consent of the DS, used in accordance with the purposes for which it was collected, be adequate, relevant[15] and without prejudice to the dignity of the human person, be kept for no longer than is necessary,[16] and also be secured against all foreseeable hazards. Where the DS’ PD is to be transferred outside Nigeria, section 7 of the Framework applies. It mandates the Data Protection Officer (DPO) to supply to NITDA the privacy policy of the Data Controller (DC), an overview of the encryption method, the data security standards and other details that will guarantee the safety of the PD; NITDA shall in turn coordinate the transfer request with the office of the Honourable Attorney General of the Federation (HAGF).
A DC who obtains data from the DS cannot plead ignorance of these provisions: a strict-liability duty of care is imposed. Therefore, once there is a processing contract with a third party who is a Data Processor (DP), the DC must ensure that the DS’s PD in his (the DC’s) care is handled in such a way that the rights of the DS are not violated.
Consent of the DS is mandatory for every data collection to be processed by a third party[17] or transferred to a foreign country.[18] Consent must be obtained without fraud, coercion or undue influence,[19] and not in circumstances that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts.[20]
In the case of data transfer to a foreign country, the NDPR obligates the HAGF to verify that the foreign country ensures an adequate level of protection, taking into consideration issues such as the rule of law and the relevant legislation, both general and sectoral, including public security, defence etc.[21] However, there can be derogation from this provision provided: there is consent by the DS; the transfer is necessary for the performance of the contract between the DS and the DC; the transfer is for public reasons, or for the establishment, exercise or defence of legal claims; or the transfer is necessary to protect the vital interest of the DS.[22]
The Rights of the DSs contained in Article 3.1 NDPR constitute the core of the NDPR and these include: the right to be informed of the appropriate safeguards for data protection in the foreign country, right to request the DC to delete PD, right to obtain from the Controller restriction of processing of data, right to receive the PD of the DS in a structured, commonly used and machine-readable format and right to data portability. Notably, these rights cover all information on identified or identifiable individuals whereas right to privacy under the Constitution does not.
The NDPR further provides for implementation through the imposition of time-bound actions for compliance, including detailed audit of the privacy and data protection practices.[23] Article 4.2 NDPR provides for an Administrative Redress Panel to investigate (within a maximum of 28 working days) alleged breach(es) of the NDPR; invite parties as necessary, issue requisite administrative orders and make determination of appropriate redress. NITDA is also mandated to take steps for local and international cooperation in fostering the implementation of the NDPR, providing international mutual assistance for enforcement, engaging relevant stakeholders in discussion and promoting the exchange and documentation of PD protection.
The Guidelines, on the other hand, were issued to help Public Officers[24] handle and manage personal information in compliance with the NDPR, since government at all levels is the largest processor of PD. Some of the Guidelines’ provisions are similar to those of the NDPR. Unlike the NDPR, the Guidelines set out the circumstances in which a grant of consent must be obtained, such as the processing of sensitive information (health, ethnic origin, political affiliation, religious beliefs etc.).
The Guidelines seek to designate some information as sensitive, requiring a higher standard of consent-seeking: direct, unambiguous and distinct communication of the request through electronic means or in writing. The Guidelines mandate every public institution (however, without any corresponding liability for non-compliance) to have a DPO and to retain the services of a Data Protection Compliance Organisation (DPCO), with the aim of guiding the institution’s implementation of, and compliance with, data protection regulations and principles, amongst other things.[25]
Status Check: A Critique of Extant Provisions
The constitutional provisions on the right to privacy do not fully cover data protection; analytically, what is protected is only informational privacy. Privacy is different from data protection: whilst private life does not necessarily include all information on identified or identifiable persons, data protection covers exactly this information. The permissible interference is another distinction. While the condition of processing information fairly and in accordance with other conditions may be met, thus leading to no interference with data protection, the collection, storage or disclosure of such data may still interfere with private life and therefore demand justification.[26]
A joint reading of Article 1.2(b) and (c) NDPR excludes its application to artificial persons. This exclusion can have a far-reaching impact on natural persons who are at the helm of affairs of these artificial persons. In Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen,[27] the European Union Court of Justice held that legal persons can claim protection under EU data protection law, only insofar as the official title of the legal person identifies one or more natural persons. Given that section 18(2) Companies and Allied Matters Act 2020 now allows single member private companies, lack of protection for data of companies may prejudice the interest of the director and the shareholder.
The provision of the NDPR (Article 2.8(a)) that limits the DS’s right to object to the processing of his data to cases where the DC “intend to process for the purpose of marketing” is too restrictive. The implication is that the DC, once granted consent for data processing, can continue to process the data of the DS, provided there is proof that such processing is not for marketing purposes. What if circumstances change in a way that could amount to deemed withdrawal of consent or make continued consent no longer tenable?[28]
The NDPR, rather than state the rights of the DS and the obligation on the DC separately, subsumed both under the heading “Rights of a Data Subject.”[29] Unlike the NDPR, the European Union General Data Protection Guideline (EuGDPR) has by Articles 15 - 21 specifically provided the DS the right of access, right to rectification, right to erasure, right to restriction in processing, right to data portability and the right to object.
The NDPR and the Guidelines have failed (and are unable) to provide a remedy in case of non-compliance with their provisions. For instance, though the NDPR gives the DS the right to seek redress in Court, it also provides (vide Article 4.2(6)) that a breach of the NDPR is a breach of the provisions of the NITDA Act. Meanwhile, sections 17 and 18 NITDA Act only provide for offences, which are criminal in nature and punishable by a fine of N200,000 or N500,000 and/or one or three years’ imprisonment for first or subsequent offences respectively.
Particularly, Article 2.10 NDPR provides that “any person subject to this Regulation who is found to be in breach of the data of the privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to …(a)…fine of 2% of Annual Gross Revenue…(b)…fine of 1% of Annual Gross Revenue…” The question thus arises: does criminalising breach of the NDPR erode the DS’ right to civil action against the DC? We respectfully submit otherwise: such a DS can, depending on the facts, sue in tort for defamation,[30] trespass to land and nuisance,[31] breach of a confidentiality obligation[32] or for copyright infringement.[33]
The close-ended designation of some information as sensitive by the Guidelines, thereby demanding a higher standard of consent-seeking, is counter-productive. Unlike the Guidelines, the NDPR defines sensitive PD to include “…any other sensitive personal information.” Thus, strict compliance with the Guidelines will lead to challenges, as some sensitive information is not covered by the list provided in the Guidelines.
Looking Beyond Extant Provisions: The DP Bill
As discussed above, the Guidelines and the NDPR are largely insufficient to provide detailed regulation of, or guarantee, data privacy and protection in Nigeria. However, the DP Bill pending before the National Assembly portends some hope for the regulation of data privacy and protection in Nigeria.
The DP Bill seeks to establish the Data Protection Commission (DPC), charged with responsibility for the protection of PD, the rights of the DS, the regulation of the processing of PD and related matters. The objectives of the DP Bill include the promotion of a code of practice that ensures the privacy and protection of the DS, minimising the harmful effects of PD misuse, and ensuring the processing of PD in a transparent, fair and lawful manner in accordance with the provisions of the Bill and other laws of the nation.
The DP Bill gives an extensive and open-ended definition of what constitutes data, including personal and biometric data revealing a DS’ identity, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership; personal banking and accounting records etc.[34] The principles of processing PD under the DP Bill mirror the NDPR’s provisions. The provision on consent and the withdrawal of same is an improvement on the NDPR’s equivalent, in that the “data subject shall have the right to withdraw his consent at any time.”[35]
The rights of the DS under Part V, DP Bill include access to the data he has provided to the DC, and to have it erased or rectified as may be necessary in the circumstances. Also, the DS is entitled to be informed about the processing of his PD[36] and, where need be, to have the processing of his data suspended.[37]
The fact that these rights are termed ‘rights’ does not make them fundamental rights that can be enforced using the Fundamental Right Enforcement Procedure Rules 2009 (FREP Rules).[38] The proposed constitutional amendment should factor in the inclusion of these rights or rather adopt these rights as contained in the DP Bill as fundamental human rights so that the FREP Rules can apply.
A key aspect of the DP Bill is the provision for the DPC under Part III as a supervisory and regulatory body. The DPC’s powers include the power to investigate complaints, impose fines/penalties and apply to court for the issuance of a warrant for any act or omission under the provisions of the DP Bill. However, the power of regulatory bodies like NITDA to impose fines has been reviewed in cases like NOSDRA v. Mobil Producing Nigeria Unlimited[39] vis-à-vis the constitutional provisions on fair hearing.
In NOSDRA, the Court held that the power to impose fines and penalties resides in the court or tribunal established by law, since it borders on the determination of the civil rights and obligations of the party concerned. Consequently, where a regulatory body is to impose such fines and penalties, section 36(2) 1999 Constitution provides that the law must grant the other party the opportunity to be heard; furthermore, the determination of such an administrative body is not final and conclusive. The absence of these fair hearing (safeguard) provisions in the DP Bill is a fundamental defect and portends some risk of the provisions being declared null and void, given decisions like NOSDRA.
Unlike the NDPR and the Guidelines, the DP Bill’s Part VI seeks to regulate the management and processing of sensitive data. Sensitive data includes data relating to a child under parental or guardian’s control, and the religious or philosophical beliefs, ethnic origin, race, political opinions, health, sexual life or behaviour of a DS. In the case of a child, there is also an imposition of vicarious liability on the DC for the actions of the DP.[40] This should keep the DC on its toes to secure the necessary protection of the data in its care.
One of the revolutionary provisions of the DP Bill is the right of the DS to be notified of any data breach within forty-eight (48) hours of such breach.[41] There is also provision for compensation or restitution to the victim,[42] in addition to the penal sanctions provided under Part XI. However (as noted above), since this is not a fundamental rights action, the speedy enforcement afforded to fundamental rights actions will not apply.
Conclusion
The above analysis has revealed the present state of the data protection regime in Nigeria; clearly the progress made is not yet substantial. The lack of a true legislation that creates rights, obligations, penalties and civil liabilities will continue to be a clog in the wheel of progress of data governance in Nigeria. “Data is life” and must be guided through a combined effort of pro-active institutions, up-to-date legislation and clear-cut regulations as necessary.
As already stated in the National Digital Economy Policy and Strategy (NDEPS), developmental regulation is the first pillar in achieving a digitised economy; data protection is a backbone of a digital economy and therefore must be duly ensured and regulated. The government must not rest on its oars, having issued the NDPR and the Guidelines, but should proceed to enact subject-specific legislation that would have a far-reaching effect on the data privacy and protection of Nigerians.
No doubt, the DP Bill is a boost to winning the war over the dearth of proper regulation and protection of PD in Nigeria. The National Assembly is enjoined to give it speedy passage, and the Executive to follow suit with prompt presidential assent and scrupulous implementation of its provisions. Aside from the signing of the DP Bill into law and the setting up of the DPC, there must be the willpower to enforce these rights and to sensitise the citizenry on the rights guaranteed by the legislation.
