The Draft Data Protection Bill 2022: An Interesting Approach to Cross-Border Data Transfers
This is going to be very different from my typical more structured mode of writing because like my favourite academic paper on this subject, there will be no headings. In addition, because I like to distinguish my legal writing from my personal writing, my language choice will be rather informal, almost “gist-like” (I seek your indulgence ahead of time).
On Monday, October 4, 2022, the Draft Data Protection Bill 2022 was published for comments from the public. This publication came after a validation meeting for the bill was held in Abuja and the Chairman of the Senate Committee on Information Communication Technology (ICT) and Cybercrime, Yakubu Useni, promised an accelerated passage of the bill earlier in the week.
I found the bill early in the morning on Tuesday, October 4 during my morning LinkedIn run and thought “another one!”. It is important to point out that this is probably the 3rd bill in the last 5 years. For some unknown reason, the bills never see the light at the end of the passage (or tunnel). But things may be different this time due to the energy and enthusiasm from the executive and the legislative arms of government concerning data protection. We should remember that just a few months ago, the Nigerian Data Protection Bureau (NDPB) was established and constituted, a website that is up and running was launched, and the data protection activities of the National Information Technology Development Agency (NITDA) were passed on to the NDPB. So yes, this bill is full of promise and maybe, after a long period of going back and forth on data protection bills, we’ll have a winner: the Data Protection Act 2022 or maybe 2023.
I hate to rain on everyone’s parade (who am I kidding? I love it!). However, although the bill is great (kind of), the bill cannot and should not be passed in its current form. This is why I am excited that it has been opened up to comments from the public, so we can get contributions and comments from data protection professionals, legal practitioners and policy analysts alike, and even the average person on the street. I believe that laws and legal provisions should be simulated before they are passed because, no matter how nicely worded or revolutionary a law is, it is important to find out if it works or is capable of working. This is the problem with implementation: a lot of times we blame the government and the unwillingness of the executive to implement them. The problem, however, in a lot of cases is that while the laws may be fantastic in theory, they simply do not work in practice. And this is my opinion on the cross-border transfer provisions of the new bill.
I have read, and you too have probably read, my friend Ridwan Oloyede’s review and Olumide Babalola’s review of the bill (2 very distinct approaches I must say), so I don’t think I need to go over the good and bad highlights of the bill (but you know I will). We can see an improvement on the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework 2020 with the inclusion of the legitimate interest of the data controller as a lawful basis for processing, more robust provisions on the protection of personal data of children, the establishment of a data protection authority (you see I didn’t say “independent” because that is a discussion for another day), an actual express mention of the concept of data protection impact assessment (I have a theory that a lot of people think a DPIA and a data protection/processing audit are basically the same thing, and the good people of NITDA do too! Well, we are all still learning, every day), more robust provisions on the obligations of controllers and processors abbl (wouldn’t you want to know what this means).
So yeah, thumbs up to the drafters on covering some of the gaps in the current framework. That being said, what is actually going on with the new concept of “data controllers and processors of major importance”? I know it was defined in the definition section but yeah, that is a perfect example of how to define without defining. And don’t get me started on all the extra obligations and maximum sanctions imposed on these controllers/processors of major importance (wahala for who dey important oh). Sometimes I feel bad for big tech companies because some of these smaller guys get away with even worse atrocities. After all, people are so focused on Zuckerberg that nobody sees them. My personal opinion is that more attention should be paid to the gravity and impact of the “offence” rather than the size of the offender (but what do I know?).
I also think that the sections on data protection rights can be more robust. It’s easy to see that we adopted the General Data Protection Regulation (GDPR) provisions on data subjects’ rights while stripping them of the details that give better context. The details were put there for a reason, put them back!...please.
On the matter of administration, I see that the idea of the DPCO was retained (kind of) and their powers expanded to issue codes of conduct and exclude or suspend people from these codes of conduct. There will have to be a lot of reconciliation between this provision and the current DPCO structure because several organizations have already been licensed under a differently structured regime.
I also find the penalties section very interesting. Apart from the general antagonism towards the big guy, I thought the introduction of the punishment of forfeiture in accordance with the Proceeds of Crime (Recovery and Management) Act very strange but whatever works for the drafters I guess. I promised not to repeat what my bosses have written about, but I just had to get some things off my chest.
Now to the crux of the issue, international/cross-border transfer. This aspect of data protection has weighed very heavily on my mind in recent times. I have been mentally troubleshooting the practicality of the GDPR international transfer approach, especially in the African context, the ever-so-elusive “African Approach” to data protection and everything international transfer. It is my personal opinion that a good law on cross-border transfer of personal data should not stifle transfer but encourage it, while seeking and ensuring maximum protection, or maybe reasonable protection, for the data in transit. The world is a global village and for the world to properly function personal data must move across borders (we know how much headache cloud storage is giving regulators). Total data localization is dumb; even China can’t pull it off (technically speaking), yeah, even North Korea. Now in the African context, because we are in an era where we are trying to build our economies and open up our borders to international investors and investments, it is more important than ever to pay attention to our approach and policies around cross-border transfer.
A few weeks ago, I was in Ghana for a conference, the Data Protection Law Conference, and it opened my eyes to a lot of things. Chief among my discoveries is the fact that African scholars are beginning to advocate for an “African Approach” to data protection (I still don’t know what that is) and to align with the “risk-based approach” to international transfer, which is a shift from the GDPR adequacy requirement. This risk-based approach broadens the scope of permitted transfers, allowing certain data transfers to proceed even where the text of the laws of the recipient country does not satisfy transfer requirements, so long as certain conditions are met. Attention shifts to the potential risk of the transfer (so we have transfer impact assessments), and the responsibility to ensure security and regulatory compliance when transferring data across borders rests on the participants in the transfer process, not just on national laws or standards of the recipient country.
I understand this perspective very well, especially in the African context. I think the preference for this risk-based approach stems from one thing: a lot of African countries will never meet the requirements for an adequacy decision. Just look at the requirements for an adequacy decision (c’mon, we literally just had a coup in Burkina Faso, we know that the guys in the military are not human rights crusaders, and quite a few African countries don’t have data protection laws). So yeah, some African scholars are beginning to advocate for a risk-focused approach that shifts responsibility for international transfers to the individual controllers/processors rather than the national governments, due to certain African “peculiarities” that always put us at a disadvantage when we take the country-based approach. I think it is important to state that this is not a strictly African thing; it has been advocated for in the EU and the European Data Protection Board issued final recommendations on it in 2021. I think that this approach might be extremely cumbersome to administer because it may require very hands-on regulatory supervision. We know that one of the perks of adequacy is its administrative convenience. I find the risk-based approach very interesting, and I look forward to more academic scholarship on the subject as it continues to be investigated, tested and troubleshot (this word gave me a lot of trouble).
Where am I going with the rant I did in the last two paragraphs? I wanted to give a sort of background so we can see the unique, almost confusing approach to international transfer that was adopted by the drafters of the new bill. (Now I may have to write like a lawyer.)
Under the bill, there are two instances where a controller/processor can transfer data outside Nigeria: (a) adequacy and (b) any of the derogations in section 45 (which are somewhat similar to the NDPR and GDPR). The first thing that struck me as interesting about section 43 (1) (a) was the attempt to tie adequacy to “the recipient being subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism” (these items are identified as safeguards, a different mechanism from adequacy under the GDPR and the NDPR) which is a major shift from the NDPR’s approach which is “adequacy of safeguards in a foreign country”. Section 44 (2) of the bill then lists the conditions that will be taken into consideration for assessing the adequacy of the items in section 43 (1) (a).
It almost appears like the drafters were trying to shift from the adequacy of national safeguards approach to a more risk-based approach, until you read section 44 (4), which provides that “The Commission may from time to time designate any country, region or specified sector within a country, or standard contractual clauses as affording or as not affording an adequate level of protection under subsection (1).” There we have it! The adequacy provision we know and recognize (maybe love?), trying to disguise itself. Again, when you look at the conditions for assessing the adequacy of the items in section 43 (1) (a), another thing strikes you as odd: all the conditions for determining such adequacy are outside the control of the controllers and processors and are all national/government based or determined. So, are we sticking with individuals or countries? What exactly are the drafters trying to say?
I understand that it is difficult to deviate heavily from the GDPR structure given that it is currently the holy grail of data protection, and it would be counterproductive to do so if Nigeria wishes to ever do business with Europe, or specifically the EEA, again; hence the inclusion of section 44 (2) and (4) as some sort of balance to section 43 (1) (a). The bill’s approach, however, creates an implementation difficulty, and when you try to simulate these provisions, you run into even worse issues than those created by the NDPR and the Implementation Framework. The provisions just don’t work. Let us ask ourselves these questions:
(a) Given that the country-based adequacy decision is not mentioned as one of the two (2) instances in which data can be transferred outside Nigeria, what role does the provision in section 44 (4) really play? Of what use is it, and will data controllers/processors be able to rely on it alone for cross-border transfers independent of section 43 (1)?
(b) Given the conditions for determining the adequacy of SCCs, BCRs etc. itemized in section 44 (2), does this framework actually differ from the current framework, and doesn’t it create the same difficulty that the country-based adequacy mechanism creates?
(c) Will the Commission have the capacity, funding, and manpower to implement the approach the bill is trying to introduce?
(d) Where the law is passed, will it be termed “adequate” or in alignment with “international best practices”, or will it be even more difficult to do business with the world, especially given concerns around the onward transfer of personal data to other countries?
What exactly am I suggesting? A rethink before a reworking of the cross-border transfer provisions of the bill. International data transfers are extremely complex (writing this gave me a headache). Unfortunately, they are also extremely important, especially because of the kind of world we live in, a world that lives and thrives and flourishes on personal data and, incidentally, the flow of personal data across borders. So yes, while I am also advocating for more robust data subject rights provisions, a rethink of the approach to controllers/processors of major importance, and provisions around data protection by design and default, my personal agenda is the rethink of Part IX of the bill. The drafters should consider extensive consultations with practitioners, academics, and policy people to draft a fit-for-purpose section for cross-border transfer of personal data that also doesn’t alienate us from the world.
Law Graduate || Former Head of Legal Content Research Team, LLA. || Awaiting NLS
2 years ago: A great and insightful read! I found myself agreeing with most of your points, especially the one about the “big guys”. I believe the sanctions should focus more on the worth and size of the breach instead of that of the organization; as a matter of fact, I think it would have more effect on compliance that way. I also agree with your opinions on the contradicting provisions on international data transfers; that should definitely be looked into.
Law Student
2 years ago: Very engaging and insightful read. Thanks so much!
Victoria Oloni CIPP/E, great read... insightful.
Data Privacy Associate at Vitality Global | Attorney
2 years ago: Carolyn McKechnie (CIPP/E) (CIPM), Dr Pieter van der Walt, MDQM, Kezia Talbot CIPP/E CIPM FIP
Finance and Renewable Energy Projects
2 years ago: Just here to say that I really enjoyed your writing style; it made it very easy and engaging to read! Well done Victoria!