The Nigeria Information Technology Development Agency (NITDA), the government agency responsible for the regulation of the use and exchange of information recently issued the Nigeria Data Protection Regulation, 2019 (The Regulation). The Regulation contains the Nigerian government’s definitive policy statement on Data Protection and was preceded by the Draft Data Protection Guidelines (The Guidelines) released in 2017. The Regulation provides for the operational modalities for the protection of data in Nigeria. Given the recent experiences and rising implications associated with the use of data internationally, this report analyses the provisions of the Regulation, its sufficiency in relation to international data protection standards and implications on individuals, firms and governments in Nigeria.
2018 marked a very important year for the data protection regime worldwide. On the 25th of May 2018, the European Union General Data Protection Regulation (GDPR) took effect, and this led several corporations in the European Union (EU) to upgrade and improve their data protection regimes to align with the provisions of the GDPR. The scope of the GDPR extends to all member states of the EU; however, it is also of global application because it governs all companies seeking to market products to EU residents irrespective of the company’s location. Therefore, the GDPR has led to a worldwide upgrade of data protection laws, and Nigeria is not exempt from this development.
Despite the lack, until recently, of a single and comprehensive data protection regime in Nigeria, the recognition of data protection in Nigeria was hinted at in several generic and sector-specific pieces of legislation. For example, Section 37 of the 1999 Constitution of the Federal Republic of Nigeria introduced a basic level of protection for privacy and data protection. It provides thus: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” Similarly, in 2007, the Nigerian Communications Commission (NCC) issued the General Consumer Code of Practice Regulations for Telecommunications Services, which, amongst other things, imposes a duty on telecommunication licensees to take reasonable steps to securely store customer information and prevent its improper or accidental disclosure. Additionally, Section 8 of the Child’s Rights Act, 2003 recognises the right to privacy and protection from any publication of a child’s identity.
The NITDA Draft Data Protection Guideline 2017
As earlier mentioned, in performing its duties under Section 6 of the NITDA Act, the NITDA released its draft Data Protection Guideline in 2017 (hereinafter “the 2017 Guidelines”).
The Guidelines merely set out the minimum requirements for the operation and management of personal data of Nigerian Citizens, as well as provide working definitions used in information processing. Listed below are some of the definitions given in the Guidelines:
- Personal data is defined as “any information relating to an identified or identifiable natural person, whether it relates to his or her private, professional or public life. It includes any information which can be used to distinguish or trace an individual's identity, such as names, addresses, photographs, email address, bank details, social networking details, medical information or computer IP address.”
- Similarly, the Guidelines define a data subject as an identifiable person or one who can be identified directly or indirectly by reference to an identification factor. The effect of this definition is that the Guidelines contemplate only natural persons as data subjects, i.e. legal persons such as companies are excluded from this definition.
- Lastly, the Guidelines define a data controller thus: “refers to the person or entity who, whether alone or with another, determines the purposes and means of processing ‘personal data’, i.e. any organization which collects personal data”.
As stated above, the Guidelines established a minimum data protection requirement for the storage, processing, management, transfer and control of information and personal data. For example, Section 2.1 of the Guidelines provides that the data collected could not be processed without the consent of the data subject.
Nonetheless, the provisions of the Guidelines were of limited scope because they only applied to federal, state and local government agencies/institutions, as well as private sector organisations, that own, control, store or process the personal data of Nigerian residents within and outside Nigeria. Therefore, outside the shores of Nigeria, they would only have applied to organisations (and not persons) that processed the personal data of Nigerian citizens/residents.
The Guidelines marked the first attempt at a single body of provisions governing the protection, storage and transfer of personal data in Nigeria; however, the fact that they remained a draft meant that the Guidelines were inoperative.
The Nigeria Data Protection Regulation 2019
The enabling statute, the NITDA Act, was introduced in 2007. Section 6(c) of the Act authorises NITDA to create guidelines and regulations governing the use and exchange of electronic data on all matters pertaining to government, commerce, public and private parties in Nigeria. Acting on that power, NITDA issued the Draft Guidelines on Data Protection in 2017 and the Data Protection Regulation in 2019.
The Data Protection Regulation (the 2019 Regulation) became effective on 25th January 2019 and mandates that all public and private organizations in Nigeria that control data of natural persons make their respective data protection policies available to the general public within three months after the date of issuance of the Regulation.
The Regulation takes into consideration the current technological advancements leading to the migration of businesses and other information online, therefore recognising the need to protect such information from potential breaches. The main objectives of the Regulation include the following:
- To safeguard the rights of natural persons to data privacy;
- To promote a safe environment for the exchange of personal data;
- To prevent the manipulation of personal data and ensure that Nigerian businesses remain competitive by providing a regulatory framework for data protection which is compliant with global best practices.
Although the definitions of the basic concepts in data protection, such as data, data controller and data subject, remain the same, the scope of the Regulation now extends to all organisations processing the personal data of natural persons in Nigeria and/or of Nigerian descent residing in foreign countries.
This broader scope further enhances the protection of the data subject and increases the chance of achievement of the objectives listed above. The Regulation also sets out certain principles for data processing as listed below:
- Data must be collected and processed for lawful purposes with the consent of the Data subject: Therefore, it is the responsibility of all data controllers to ensure that the purpose for which any data is collected is specific, legitimate and lawful in accordance with the procedures of the regulation. Additionally, the purpose for which any data is collected must be made known to the data subject and the requisite consent obtained before processing of the data.
- Data collected shall be adequate, accurate and without prejudice to the dignity of the human person: This means that only data necessary for a specific lawful purpose can be obtained and processed, and such data must always be accurate. Therefore, data controllers must provide data subjects the opportunity to update their personal data when necessary.
- Data shall be stored only for a certain period: The Regulation provides that personal data shall be stored for a reasonable period; however, the question as to what constitutes a reasonable period remains open to interpretation.
- The duty of care and accountability in respect of all personal data: The Regulation further provides that any person in possession of the personal data of a data subject owes a duty of care to the data subject, and such a person shall be held accountable for acts or omissions that fail to secure personal data against foreseeable hazards and breaches, in accordance with the provisions of the Regulation.
The provisions of the Regulation are very similar to those of its predecessor, the Guidelines, particularly in relation to the guiding principles. Notwithstanding, the Regulation contains further inclusions which address some of the inadequacies of the Guidelines. First, unlike the Guidelines, the 2019 Regulation has been codified into law and has been enforceable in Nigeria since the 25th of January 2019.
The previous Guidelines made no provision for sanctions and penalties to be meted out for non-compliance; under the Regulation, however, Section 2.10 stipulates the penalties for the breach of the data privacy rights of any data subject. It states that any data controller dealing with more than 10,000 data subjects is liable to a fine of 2% of the annual gross revenue of the preceding year or the payment of N10 million, whichever is greater, while a data controller with fewer than 10,000 data subjects is liable to a fine of 1% of the annual gross revenue of the preceding year or the payment of N2 million, whichever is greater.
Furthermore, by virtue of Section 3.2, the Regulation creates an Administrative Redress Panel for the investigation and determination of all allegations of breach against the provisions of the Regulation, thereby providing an alternative redress mechanism to the traditional courts.
Finally, one of the major setbacks of the Guidelines was the absence of a subsidiary body for enforcing compliance. In addressing this, the Regulation empowers NITDA to register and license Data Protection Compliance Organisations (DPCOs), which have the responsibility of monitoring, training and consulting with data controllers to foster compliance with the provisions of the Regulation.
The GDPR and the 2019 Regulation
As earlier stated, the GDPR is the apex regulation on data protection in the world and other jurisdictions have drawn from its robust legislation, Nigeria being no exception. In 2018 the GDPR introduced and implemented laudable changes which Nigeria has rightly emulated.
The GDPR widened its regulatory landscape of data privacy to include all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, the territorial applicability of the Directive was ambiguous and referred to data processing ‘in the context of an establishment’. This change has broadened the coverage of data subjects worldwide, and its inclusion in the 2019 Regulation shall uphold the rights of all data subjects in Nigeria.
However, despite the 2019 Regulation’s attempt to mirror the GDPR, there remain a few areas in which the 2019 Regulation can be further bolstered. An example of this is the timeline within which complaints by the data subject are to be resolved by the data controller. In the GDPR, a timeline of seventy-two (72) hours is given to any data controller to remedy any violation of the regulation or any complaint filed by a data subject. This highlights the need for swift resolution of issues regarding data, the absence of which could put the rights and freedoms of individuals at risk. The 2019 Regulation stipulates a timeline for remedy of one (1) month, which does not reflect the need to protect the sensitive data and privacy of individuals.
Implementation of the Regulation
In line with the principles of data processing, Chapter 3 of the Regulation also provides implementation mechanisms to aid compliance with the provisions of the Regulation. Flowing from that, all public and private organisations in Nigeria engaged in the collection, processing and control of data are expected to update and publish their respective data protection policies in compliance with the provisions of the Regulation within 3 months after the date of issuance. This entails that all companies operating in Nigeria are expected to have complied with the publication of data protection policies on or before 25th April 2019. Additionally, all data controllers are expected to have, at all times, a Data Protection Officer responsible for ensuring compliance with the provisions of the Regulation. However, the role of the Data Protection Officer may be outsourced to a “verifiably competent” firm or person.
Although the Regulation is still not as robust as the EU’s GDPR and the data protection laws of a few other countries, there is commendable progress pertaining to the creation of a regulatory framework for the protection of data and information in Nigeria. Be that as it may, the Regulation could be strengthened in several ways. One such way would be the enhancement of the rights of data subjects by including provisions such as the right of data subjects to access information on whether their data is being processed and to subsequently order deletion or data sharing as the data subject may please. The Regulation also inhibits the rights of the data subject by setting the deadline for remedy of complaints by the data controller at one month. The GDPR stipulates a deadline of 72 hours for remedy of all complaints, and the Regulation may be further strengthened if such an approach is adopted, given the sensitive nature of the information in question.
In all, the Regulation makes significant and largely commendable improvements on the Guidelines. However, there remains room for improvement, as certain areas remain somewhat deficient and uncertain.