Coursing a New Path: Nigeria's Journey in Data Protection and Prospects for the Future

Until recently, data protection was an underemphasized topic. Although the right to privacy has always been a fundamental right, one protected by most countries and recognized by international statutes on fundamental rights[1], issues of privacy have long been underplayed and remained in the backdrop both in societal conversations and in the dockets of law. That was until the internet.

With the internet and contemporaneous advancements in technology came the "information explosion", which compelled a re-evaluation on the approach to privacy, as data became ubiquitous, fluid, and easily accessible. The new character of data came with an increased risk of compromising personal data through usage of data on internet, through the cloud and and other similar mediums. This coupled with the realized value of data in today’s society (which gives commercial incentive to misuse data) triggered reactions from governments and regulators around the world meant at nipping the brewing problem in the bud - leading data privacy and data protection to become one of the more urgent conversations in society at the time.

One of such responses was by the European Union (EU) in the form of the General Data Protection Regulation (GDPR), adopted in 2016, said to be one of the Union’s greatest achievements in recent years. It replaced the 1995 Data Protection Directive (which was adopted at a time when the internet was in its infancy) and has since been held as a golden standard in data privacy and data protection. Other countries have since followed the lead of the EU either by enacting data protection laws or emphasizing data protection. Brazil’s Lei Geral de Prote?ao de Dados (LGPD)[2] for example was modeled directly after the GDPR and is nearly identical in terms of scope and applicability[3]. Countries like Germany who always boasted relatively sophisticated data protection regimes, have further strengthened their systems, with the Country promulgating the Federal Data Protection Act 2017, which replaced the Federal Data Protection Act 2001 and works alongside the GDPR to outline the general obligations pertaining to data protection[4] and jurisdictions like Argentina with relatively older data protection legislations (the Argentinian Personal Data Protection Act 2000) are working to reinforce their laws.[5]

In the wake of the recent wave of consciousness on data protection compelled by the internet and jump-started by the promulgation of the GDPR, Nigeria also embarked on her own response project, with the Nigeria Data Protection Regulation (NDPR), released by the National Information Technology Development Agency (NITDA) on the 25th of January 2019, setting the course for a new dispensation for data protection in Nigeria. The NDPR regulates the processing of personal data belonging to Nigerian citizens and residents in Nigeria by organizations, solidifying a much-needed data protection framework for Africa’s biggest economy and follows attempts to standardize what has hitherto being a largely insufficient framework on data protection constituted by; (a) Section 37 of the 1999 Constitution of the Federal Republic of Nigeria which guarantees a right to privacy, (b) the NITDA Guidelines on Data Protection of 2013, as well as sparing provision in the (c) Child Rights Act of 2003, (d) the Freedom of Information Act No. 4 of 2011, (e) the Cybercrimes Act, 2011 and (f) the Consumer Code of Practice Regulations, 2007.

The NDPR makes extensive provisions on data protection, touching on critical aspects of data privacy and protection. Some of the more pointy provisions of the regulation include the provision of an obligation to process data lawfully placed on data controllers[6] ,an obligation to publish of privacy policies and notices[7], an obligation on communicating data retention schedules [8], an obligation to store data safely and ensure adequate organisational and technical measures to protect personal data[9], the requirement of data processing agreements for transfer of personal data and most remarkable, the requirement to conduct data protection audit and file annual data protection audit reports with the National Information Technology Development Agency (NITDA).[10]

While the regulation incorporates a fair amount of global best practices, there is no gainsaying that the provision for compulsory data audits is the single most outstanding inclusion in the regulation. The provision for compulsory data audits (for companies within the relevant threshold[11]) is one which is in many ways unique to Nigeria as it is not replicated in most major laws across the globe and it serves a great function, particularly in the Nigeria context – that of hotwiring data protection awareness and stimulating a culture of data protection compliance amongst corporates.

Over the one-year period since the regulation was made, there has been some level of increase both in data privacy mindfulness of corporates and in the activities of corporates geared towards compliance with data protection obligations. Many companies have engaged Licensed Data Protection Compliance Organizations (DPCOs), another innovation of the regulation, to help them in assessing their business processes to identify personal data inflows and outflows, ensure that data protection standards are met and to make recommendations towards remediating shortfalls in their processes, so as to ensure positive compliance rating in the data audit report filing.

With the drive towards compliance, there has been complimentary increase in the knowledge and appreciation of data protection amongst corporates, other data data controllers, and by and large, on the part of individuals. This has been due in some measure to sensitization programmes organized by NITDA, the wakefulness to possibility of sanctions which have caused corporates and the likes to inadvertently engage data protection evangelism through privacy notices and privacy policies, as well as due to the efforts of DPCOs and other stakeholders who have organized data protection events and trainings to enlighten corporates and members of the general public and the activities of interested stakeholders in the data protection space. The activities of bodies, associations and civil societies who have data protection and data privacy within their mandate, have also contributed to improving the consciousness on data protection. Some of these activities have included class action/public interest suits against companies who infringe on privacy rights or fail to comply with data privacy obligations.

In this period, there has also been some number of enforcement actions taken by NITDA towards enforcing data protection and they have been received with enthusiasm by members of the relevant public, indicative of generally positive posture to the new drive to data privacy and protection within the country. The investigation and indictment of TrueCaller[12], as well as the recent investigation of the Lagos Internal Revenue Service (LIRS) for publishing some Lagos State taxpayers by NITDA[13] are notable instances.

In many ways then, the journey towards fitting data privacy and data protection regime in Nigeria has not fared too badly – especially given the fact that the legal framework for data protection in Nigeria was only recently fleshed out. It is worth noting however, that data protection is not without its setbacks in Nigeria. The foremost of these setbacks remains the enduring lack of awareness of data privacy rights by majority of members of the general public and corporates alike (despite the progress already made) as well as the aversion/disregard for the obligation of data protection which many data controllers/corporates continue to entertain. For the most part, the average individuals/data subjects in Nigeria are oblivious of their property rights in data while a good percentage of Data collectors/administrators insist on being numb to their duty to protect and/or respect the privacy data they process.[14] Those corporates who are aware of their duty to protect data are hoping they wouldn’t have to and continue to disregard their obligations, and a lot of them still eye the NDPR with a level of disregard, considering it as some sort of fad that will blow cold soon, or wishing it goes away because of the compliance costs in time and resources.[15] This reluctance towards compliance with the NDPR is further enabled by the lack of emphatic enforcement of the NDPR by NITDA. With the exception of few publicized instances, there hasn’t been many outstanding actions taken by the body to compel compliance. While this might be attributable to lack of manpower, teething problems, or a policy decision to approach compliance tactically, it remains that much more needs to be done to emphasize the importance of data protection (and the NDPR) through punitive enforcement.

Another lingering setback for data protection in Nigeria remains the fact the legal status and outright enforceability of the NDPR still appears to be between and betwixt. The NDPR is not established as an act, but as a subsidiary legislation, and there is the lingering believe that it does not hold much weight in Law. Some quarters believe the NDPR, being a regulation and not a statute enacted by the National Assembly, lacks the requisite force of law and that in any case, the NITDA is not empowered by law within the ambit of the NITDA Act to make such a regulation.[16] While this argument is not without its merits, it has been held by judicial decision that “a subsidiary legislation is made or enacted under and pursuant to the power conferred by a principal legislation or enactment and derives its force and efficacy from the principal legislation”[17]. It therefore follows that the NDPR is just as binding as the principal law which empowers NITDA to make the guidelines.[18] It can also be recalled that the NITDA Act empowers the body to create frame work for regulation of Information Technology practices.[19]

In any case, there remains the sense that the enactment of a data protection act (with much needed statutory flavour and improvements based on the experience of the NDPR) will go a long way in consolidating efforts to create a more compelling landscape for data protection in Africa's premier economy. Already, a Nigeria Data Protection Bill has been published and is currently being reviewed and should be made into law soon. It is hoped that with that single legislation and by capitalizing on the momentum built over the past year, Nigeria may well be on course to realizing a data protection regime of global standards. It remains to be seen how this goes, but for now, it has been an interesting journey, and one that should continue.

[A more intricate analysis of the innovations and shortfalls of the NDPR will be published soon]

[1] See the Universal Declaration on Human Rights, the African Charter on Human and Peoples Right, the International Covenant on Civil and Political Rights etc.

[2] Regulamento (Ue) 2016/679 Do Parlamento Europeu E Do Conselho https://data.europa.eu/eli/reg/2016/679/oj accessed 18 September 2020.

[3] Dan Simmons ‘9 Countries with GDPR-like Data Privacy Laws’ (Comforte Insights, 17 January 2019) < https://insights.comforte.com/9-countries-with-gdpr-like-data-privacy-laws> accessed 17 September 2020.

[4] I-Sight Software, ‘A Practical Guide to Data Privacy Laws by Country’ (i-Sight, 5 November 2018) < https://i-sight.com/resources/a-practical-guide-to-data-privacy-laws-by-country/#India> accessed 17 September 2020.

[5] Ibid

[6] Article 2.2, Nigeria Data Protection Regulation 2019

[7] Article 2.5, Nigeria Data Protection Regulation 2019

[8] Article 3.1 (7)g, Nigeria Data Protection Regulation 2019

[9] Article 2.6, Nigeria Data Protection Regulation 2019

[10] Article 4.1 (5) & (7), Nigeria Data Protection Regulation 2019

[11] i.e Companies who process data of up to 200 data subjects.

[12] Emmanuel Paul, ‘NITDA Investigating Alleged Privacy Breach by Truecaller’, (Techpoint Africa, 25 September 2019) < https://techpoint.africa/2019/09/25/nitda-truecaller-privacy-breach/> accessed 17 September 2020.

[13] Nkechi Onyedika-Ugoeze, ‘NITDA to Investigate Breach of Data Protection Regulation by Lagos State Internal Revenue Service’ (Guardian Nigeria, 28 December 2019) < https://guardian.ng/news/nitda-to-investigate-breach-of-data-protection-regulation-by-lagos-state-internal-revenue-service/> accessed 17 September 2020.

[14] Olumide Babablola, ‘Data Protection and Privacy Challenges in Nigeria’ (Modaq, 09 March 2020) <https://www.mondaq.com/nigeria/data-protection/901494/data-protection-and-privacy-challenges-in-nigeria-legal-issues-> accessed 17 September 2020.

[15] Enyioma Madubuike, ‘What is Really Happening in the Nigerian Data Protection Compliance Space?’ (Techpoint Africa, 21 November 2019) < https://techpoint.africa/2019/11/21/ndpr-what-is-happening/> accessed 17 September 2020.

[16] Francis Ololuo, ‘Data Privacy and Protection Under the Nigerian Law’ (Mondaq, 19 February 2020) < https://www.mondaq.com/nigeria/privacy-protection/895320/data-privacy-and-protection-under-the-nigerian-law#_ftn31> accessed 17 September 2020.

[17] Njoku v. Iheanatu (CA/PH/EPT/454/2007).

[18] Ngozi Aderibigbe, ‘Nigeria Has a Data Protection Regime’ (Mondaq, 20 July 2018) <https://www.mondaq.com/nigeria/data-protection/721166/nigeria-has-a-data-protection-regime> accessed 17 September 2020.

[19] Section 6(a) National Information Technology Development Act 2007.