Introduction
The idea of data protection was a seemingly distant dream in the years prior to 2019. There was little to no legislation on Privacy and Data Protection in Nigeria until the advent of the Nigeria Data Protection Regulation (NDPR) on January 25th, 2019. Prior to this time, the only Nigerian legislation which addressed the issue of privacy, and by extension data protection, was the Constitution of the Federal Republic of Nigeria, which recognized privacy as a fundamental right, providing specifically that the privacy of citizens, their homes, correspondences, telephone conversations and telegraphic communications is hereby guaranteed and protected.[1] From the wording of the Constitution in this regard, it is safe to say that its scope of application is extremely limited, as it does not address fundamental issues that are typically associated with data protection and which are addressed by subsequent Nigerian laws and regulations guiding the implementation of data protection in Nigeria.
With the advent of the National Information Technology Development Agency (NITDA) Act in 2007, as well as the NDPR and corresponding Data Protection Implementation Framework in 2019, privacy and data protection in Nigeria has become more developed than it has ever been. The NITDA Act established the National Information Technology Development Agency (the Agency) as the foremost regulatory body responsible for the regulation and monitoring of data protection in Nigeria as well as for the safety and security of the Personal Data[2] of Data Subjects[3] in Nigeria. The Agency has been active in the promotion of data protection in Nigeria as well as the safety and security of the rights and freedoms of Data Subjects in Nigeria, as seen in its rapid response to cases of data breaches that have occurred since the inception of the NDPR. An example of this rapid response is the recent breach on the Lagos State Inland Revenue Service (LIRS) website where, in the process of harmonizing historical tax data, the Personal Data of taxpayers in Lagos State was leaked to the public from the LIRS platform. The NITDA quickly swung into action, initiating an investigation process which involved questioning LIRS as Data Controller[4] and its Data Administrator[5] as well as the review of relevant policies, procedures and documentation of the parties involved.[6] Upon the conclusion of its investigation, NITDA imposed a fine on the LIRS while considering the cooperation as well as the prompt remedial actions taken by LIRS during the investigation to mitigate the impact of the breach incident. This goes to show just how seriously the regulatory authority takes issues of data protection, as well as how much the application of the NDPR has developed in just over a year of its enactment.
Although the provisions of the NDPR are similar to those of the European Union General Data Protection Regulation, which was adopted on the 14th of April 2016 and became enforceable from the 25th of May 2018, the NDPR has also come up with innovations which set it apart from its European counterpart. One such innovation is the establishment of a new class of professionals known as Data Protection Compliance Organizations (DPCOs), duly licensed by NITDA to act as intermediaries between organizations (Data Controllers) in Nigeria which process the Personal Data of customers, employees, vendors etc. (Data Subjects) and the regulatory authority. DPCOs are given the duties and responsibility of carrying on training, auditing, consulting and rendering services and products for the purpose of ensuring compliance by Data Controllers with the provisions of the NDPR as well as any foreign data protection law or regulation having effect in Nigeria.[7]
Another innovation by the NDPR is the compliance requirement of filing by Data Controllers. The NDPR specifies that a Data Controller processing the Personal Data of more than 1,000 Data Subjects within six (6) months of the enactment of the NDPR is required to file an Initial Data Protection Audit report with NITDA.[8] Data Controllers who process the Personal Data of 2,000 (Two Thousand) Data Subjects and above are required to file an Annual Data Protection Audit Report on or before the 15th of March of the following year.[9] This innovation in particular has resulted in a massive development in Data Protection in Nigeria, as Data Controllers have tried to ensure compliance with the Regulation, thereby increasing the level of awareness of data protection in the country. In addition to the NDPR, NITDA also issued a Data Protection Implementation Framework which offers a very in-depth explanation of the language and application of the NDPR and also contains a number of drafts of compliance documentation which are required by the NDPR.[10]
To further demonstrate how Nigeria has fared since the inception of the NDPR, there has been a plethora of cases on data protection, which goes to show that, slowly but surely, data protection is indeed gaining traction in the Nigerian environment and that every day Data Subjects are becoming more aware of their rights under the NDPR and other data protection legislation. In Paradigm Initiative for Information Technology v Nigerian Identity Management Commission (NIMC), one of the issues for determination was the right of the Respondent to process personal data without adequate security. This case was the first time the Federal High Court took judicial notice of the NDPR as a legislation on data protection in Nigeria. Subsequently, Nigerians have started enforcing their rights under the NDPR in the courts of law. In Confidence Staveley v Access Bank Plc,[11] the Applicant sued the Respondent for the disclosure and transmission of the Applicant’s personal data to a third party without her consent or any other legal basis as provided by the NDPR, thus constituting a breach of confidentiality as well as a breach of the Applicant’s rights as provided by the NDPR. In another recent case, Bisola Olukayode v Google Inc.,[12] the Applicant sued for a breach of her rights under the NDPR, particularly her right to be forgotten/right to erasure as provided under the NDPR,[13] when the Respondent refused to take down news linked to her name from its platform despite numerous requests by the Applicant. It is expected that there will be more cases on data protection in the coming years and that judicial pronouncements by the Nigerian courts will further aid the development and improvement of data protection in Nigeria.
The NITDA has also been proactive in its status as a regulatory body for data protection in Nigeria by releasing regulations and guidelines for the management of Personal Data in Nigeria. One such guideline is the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, released by NITDA on the 18th of May 2020.[14] The government is the biggest Data Controller in Nigeria, as it processes the Personal Data of all Nigerian citizens at all levels, including the Federal, State and Local levels. It is based on this observation that the NITDA, in a bid to ensure the continuous safety and security of the Personal Data of Nigerian Data Subjects, released the Guidelines to monitor and regulate the processing activities of Public Institutions.[15]
However, despite the seemingly increasing level of development in data protection in Nigeria, when comparing the application of and compliance with the NDPR with that of data protection legislation in other jurisdictions, such as the EU GDPR, Nigeria still has a long way to go and a number of issues to address if it must stand tall among countries that are achieving a high level of implementation of data protection principles. One of the issues of compliance with the NDPR is that of awareness of the Regulation in Nigeria. A survey done by NITDA shows that about 588 organizations were compliant with the NDPR’s requirements, particularly as regards filing their Data Protection Audit Reports. A further analysis showed that about 93% of the compliant organizations were based in Lagos, which is just one state in a country of 36 states. This means there is a long way to go in ensuring that Data Controllers in other states are aware of the provisions of the relevant data protection legislation.
Another challenge the NITDA is facing is the paucity of human and financial resources. One of the key objectives of the NDPR is to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.[16] The European Union currently has a list of whitelisted countries to which adequacy decisions have been issued and to which its Member States may transfer personal data.[17] Based on the above highlighted objective of the NDPR, it is safe to say that it is a goal of NITDA to also be given an adequacy decision by the EU so as to commence exchange of Personal Data between both jurisdictions. In order for this to be achieved, it is pertinent that the government offers support to the NITDA, both financially and otherwise, so as to ensure that the challenge of paucity of funds is adequately managed and eradicated, for Nigeria to consequently achieve the same level of implementation of data protection principles as the European Union and even more.
Despite the challenges faced by NITDA as regards the implementation of Data Protection legislation in Nigeria, there is still hope for the future, as there are ongoing efforts being made by the Agency as well as the government to ensure the improvement of data protection in Nigeria. One such effort is the assent to the Data Protection Bill, which is currently being reviewed. NITDA confirms the increased cooperation by all relevant government organs to ensure that Nigeria passes a world-class data protection law which is fit for the peculiarities of the Nigerian environment. One of the notable implications of the Bill is the establishment of the Data Protection Commission as well as the grant of powers, duties and obligations which will serve to make the Commission one of the strongest, independent and value-adding data protection authorities in Africa.
Conclusion
In conclusion, it is safe to say that given the above highlights, the future of data protection in Nigeria is very bright and will be easily secured with the cooperation of the relevant stakeholders as well as through consistent efforts at enforcement by the NITDA.
Written by Uwemedimo Atakpo Jnr.
[1] Section 37 of the 1999 Constitution as amended.
[2] Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.
[3] Data Subject means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
[4] Data Controller means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed;
[5] Data Administrator means a person or an organization that processes data
[6] https://www.vanguardngr.com/2019/12/were-investigating-lagos-revenue-agency-%e2%80%95-nitda/
[7] Article 1.3 (xiii) of the NDPR
[8] Article 4.1 (5) of the NDPR
[9] Article 4.1 (7) of the NDPR
[10] https://ndpracademy.ng/legislations.php
[11] REF/51575/2020
[12] REF/51571/2020
[13] Article 3.1 (9 & 10) of the NDPR
[14] https://nitda.gov.ng/wp-content/uploads/2020/08/GuidelinesForImplementationOfNDPRInPublicInstitutionsFinal1.pdf
[15] Public Institution refers to a Ministry, Department or Agency of the Federal Government, State Government, Local Government, or any venture funded either completely or partly by government or a company with government shareholding either at the State and Federal levels.
[16] Article 1.1 (d) of the NDPR
[17] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en