The Emergence and Evolution of the Nigerian Data Protection Regulation

Introduction

It was not too long ago when the internet was invented and since its proliferation, the internet has made data exchange flexible and broken-down silos. However, with the level of sophistication and innovation that comes with the internet today, there are associated risks with digital privacy, cybersecurity, and ethical use of data. The dot com boom brought about an exponential increase in the amount of data created and stored across the internet. As a result, the security of personal data shared online has become a real national concern, with state actors, organizations, and hackers constantly attempting to exploit information of data subjects that should be handled ethically for commercial or malicious purposes.

?

Nigerian Data Protection Regulation (NDPR)

The origins of the NDPR can be traced to the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The GDPR is the strictest privacy law in the world and was passed by the EU parliament promising harsh penalties running into tens of millions of Euros for non-compliant and defaulting organizations. This marked a turning point for data protection globally after governments, trading blocs, and privacy advocacy groups took notice. New data privacy laws have been passed in several countries across the globe in the last four years because of GDPR. A country may choose to implement a version of the GDPR for two reasons, in addition to ensuring the privacy of its residents' data:

?

Extraterritoriality: The GDPR is applicable to the processing of personal data relating to European residents anywhere in the world where their data is processed (technically, all inhabitants of the EU as well as residents of those European nations that have accepted the GDPR). To transact with Europeans, you must comply with the GDPR.

?

Data export: This ensures that only nations with equivalent data protection laws may receive information on European individuals (technically, the European Commission (EC) helps to determine if these nations have an adequate equivalence). Therefore, most countries and organizations are forced to adopt the GDPR in one way or another.

?

Furthermore, according to article 5.1-2 of the EU GDPR, there are 7 data protection and accountability principles:

1.?????Lawfulness – This is where processing of data must be lawful, fair, and transparent to the data subject

2.?????Purpose limitation – This is where you must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

3.?????Data minimization – This is where you should collect and process data only the necessary data for the purposes specified

4.?????Accuracy – This is where you must keep all personal data accurate and up to date.

5.?????Storage limitation – This is where you may only store personally identifying data for as long as necessary for the specified purpose.

6.?????Integrity and confidentiality – Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption)

7.?????Accountability – The data controller is responsible for being able to demonstrate GDPR compliance with all these principles

?

As with the GRPD, the National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (NDPR) in 2019 as it relates with the use and protection of Nigerians' data. The NDPR is a subsidiary of the NITDA Act of 2007, and it applies to all Nigerian Citizens, whether they live within or outside the country; furthermore, it applies to personal data processing transactions (transactions that entail collecting, organizing, making accessible, etc., an individual's personal data) of a natural person from Nigeria. For context some of the terms of references used in the NDPR are as follows.

?

Personal data: This is defined as any information pertaining to an identified natural person. Personal data might include information on an organization's workers, customers and subscribers, vendors, and service providers, and so on. Personal data typically include the following information such as:

·???????Gender, ethnicity, health records, and sexual orientation.

·???????Name, phone numbers, and contact information.

·???????Location information, financial information, and transaction history.

?

Data Subject: A data subject is a person who may be recognized either directly or indirectly.

Data Controller: The term "data controller" refers to the person(s) or statutory entity that determines the purposes for and the way in which personal data is to be or is handled.

Processing: Is any action conducted on personal data, such as collection, recording, organization, structuring, storage, adaptation, or alteration, making available, restriction, or deletion, is considered processing.

Personal data breach: This is a security breach that results in the unauthorized destruction, loss, disclosure, or access to personal data that has been sent, stored, or processed.

?

To expand this, the rights of the data subject are defined as well as the responsibilities of the data controller and data processor in the NDPR as follows:

A.???Your Rights as a Data Subject

The NDPR gives data subjects the power to exercise the following rights and privileges.

·???????The right of access to their data

·???????The right to rectify or update their data

·???????The right to object to processing their personal data

·???????The right to restrict processing of their personal data

·???????The right to data portability

·???????The right to be forgotten

?

B.????The responsibilities of a Data Controller

Companies and organizations should determine the purpose and manner for processing data, their responsibility is to ensure methods by which data is collected is strictly in line with the principles of Data Protection.

?

C.???The role of a Data Processor

The data processor is required to ensure that data processing is in accordance with the governing principles of processing data on behalf of the controller. While this was a commendable step by NITDA, there are differing views and opinions on the NDPR's efficacy and enforceability, given that it is not an Act of the National Assembly thus the NDPR is limited in form and scope to adequately protect Nigerians' data. This has fueled calls for a unified data protection act, like what other countries such as Canada, Brazil, and Japan.

?

The scope and objectives of the NDPR are listed and expanded in detail in the regulation however they include the following features:

• The Legitimate Use of Personal Data
• The Duty of Care Owed to Data Subjects
• The Requirement of Lawful Data Processing
• The Requirement of Obtaining Express Consent
• The Requirement of Privacy Policy
• The Requirement of Providing Data Security
• Penalty for Default
• The Requirement of Transferring Data to a Foreign Country
• The Rights of a Data Subject

?

The benefits of the NDPR

There are at least four benefits attributed to the emergence of the NDPR. Section 1 of the NDPR contains the following objectives.

·???????To protect a natural person's rights to data privacy - The NDPR is a legislation put in place to safeguard the security and safety of Nigerians' personal data by establishing acceptable criteria for data processing.

·???????To promote the safe conduct of transactions involving the exchange of personal data - The NDPR prohibits any possible breach of personal data and data manipulation to the prejudice of the data subject.

·???????To prevent manipulation of personal data - The NDPR grants Nigerians the right to withdraw or not withhold permission when providing personal data for processing; and

·???????To ensure that Nigerian businesses remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection, which regulatory framework is in line with global best practices - The NDPR provides Nigerian firms a competitive advantage in international commerce over other nations that lack a Data Protection Regulation, or any other type of Act designed to protect a company's or an individual's information. As a result, the NDPR is in line with worldwide best practices, which is great for the country's image.

?

Challenges with the NDPR

The following are challenges that should be addressed by Government to ensure that the NDPR becomes a national success story in Nigeria. While there is no doubt that data processing legislation was long overdue, and the NDPR was a commendable effort by the government, enforcing data protection compliance has been riddled with difficulties.

·???????There is very poor Data Protection Sensitization

·???????There is a vacuum in the absence of an Independent Regulatory Authority or Ombudsman

·???????The absence of a strong legal framework leaves more to be desired and the NDPR should become an Act of parliament and not just a subsidiary of the NITDA Act of 2007

·???????The absence of harsh punishments to act as a deterrent in Nigeria in comparison with penalties in the EU

?

The evolution of the NDPR

Previously, the National Information Technology Development Agency (NITDA) was entirely in charge of data privacy regulation and compliance in Nigeria. However, In February 2022, President Muhammadu Buhari approved the establishment of the Nigeria Data Protection Bureau (NDPB). The NDPB will become a counterpart of the European Data Protection Board (EDPB) and take over the governance and regulation of the NDPR and oversee consolidating the gains of the NDPR and aid the process of creating a primary law for data protection and privacy in Nigeria.

?

This evolutionary process may address the existing challenges of the NDPR as well as address the many ambiguities in the couching of the of the Data Protection Regulation as it relates to natural persons and the responsibilities of organizations amongst many other issues. Organizations that comply with the NDPR in Nigeria must appoint a Data Protection Compliance Organization to carry out yearly Audits and file with the bureau by 30 June of every year. These organizations are also required to appoint a Data Protection Office whose role as an independent is to oversee data protection responsibilities and ensure compliance with the NDPR.

?

The Nigeria Data Protection Bill 2020

As the NDPR continues to evolve, the Federal Government of Nigeria is working to pass a new bill to bring the NDPR to become an act of Parliament. According to Scott and Eke (2020) “the draft Data Protection Bill 2020 ("the Proposed Bill" "the Bill" or "the Proposed Act") was recently introduced by the Federal Government through the Legal and Regulatory Reform Working Group (LWG) which was constituted in March 2020”.

?

The main goals of the proposed bill are to create an effective legal framework for the protection of personal data and control how individuals' information is processed etc. It aspires to advance the gains of the NDPR that protects privacy and personal information without seriously compromising the interest of for-profit businesses and governmental entities in such information. Additionally, it aims to ensure that personal data is processed fairly and legally in accordance with the bill and other applicable laws, reduce the effects of exploitation and abuse of personal data, and establish an impartial regulatory authority backed by the constitution.

Furthermore, when approved into law, the Bill, which can be considered as a reaction to the need for a completer and more effective legal framework for data privacy and protection in Nigeria, may likely close the gaps now present in the current regulatory framework.

?

Conclusion

Nigeria ranks highly amongst the list of countries that have data privacy laws like the GDPR. This goes to show that on the global scene the country aspires to have a solid grip on ensuring the privacy and rights of data subjects under the law and the government has begun to take steps to properly structure the regulation of Data Privacy by framing the Nigeria Data Privacy Act 2020 and this was necessitated by the Federal Government working closely with the World Bank Identification for Development (ID4D) program which lists data protection and privacy laws as well as cybercrime and cybersecurity as part of the legal framework for ID systems which must be established on trust and accountability among government agencies, people, international organizations, and the corporate sector, both inside and beyond borders. ?

?

The establishment of the Nigerian Data Protection Bureau as the national ombudsman and watchdog for the governance and regulation of Data Protection in Nigeria is also a welcome development because the NDPR as a subsidiary of the NITDA act limits the scope and governance of the data protection regulation under NITDA. There is still much work to be done but so far, the country is going in the right direction from all indications and data privacy is now taking a front seat as a national issue.

References

Adenekan, A. (2020). .:: the Nigerian Data Protection Regulation 2019: Its Key Features and Benefits | Insights | Michaelmas Chambers. [online] www.michaelmaschambers.com. Available at: https://www.michaelmaschambers.com/insight-page.php?i=19&a=the-nigerian-data-protection-regulation-2019-its-key-features-and-benefits [Accessed 19 Aug. 2022].

Baig, A. (2022). 10 Data Privacy Laws Every Business Should Know. [online] Techopedia.com. Available at: https://www.techopedia.com/10-data-privacy-laws-every-business-should-know/2/34759.

European Union (2016). EUR-Lex - 02016R0679-20160504 - EN - EUR-Lex. [online] Europa.eu. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434.

Federal Government of Nigeria (n.d.). DATA PROTECTION BILL, 2020 a Bill for an Act to Establish the Data Protection Commission Charged with the Responsibility for the Protection of Personal data, Rights of Data subjects, Regulation of the Processing of Personal Data and for Related matters. [ ] Commencement. [online] Available at: https://www.ncc.gov.ng/documents/911-data-protection-bill-draft-2020/file.

GDPR (2016). General Data Protection Regulation (GDPR). [online] General Data Protection Regulation (GDPR). Available at: https://gdpr-info.eu/.

Ibanga, I. (2022). For a Sustainable Data Protection and Privacy agenda, by Inyene Ibanga. [online] Premium Times Nigeria. Available at: https://www.premiumtimesng.com/opinion/516752-for-a-sustainable-data-protection-and-privacy-agenda-by-inyene-ibanga.html [Accessed 19 Aug. 2022].

Nigerian Data Privacy Bereau (n.d.). Home Page - NDPB. [online] ndpb.gov.ng. Available at: https://ndpb.gov.ng/ [Accessed 19 Aug. 2022].

NITDA (2019). NIGERIA DATA PROTECTION REGULATION 2019. [online] Available at: https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf.

OECD (2013). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data - OECD. [online] www.oecd.org. Available at: https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

Ololuo, F. (2020). Data Privacy and Protection under the Nigerian Law - Privacy - Nigeria. [online] www.mondaq.com. Available at: https://www.mondaq.com/nigeria/privacy-protection/895320/data-privacy-and-protection-under-the-nigerian-law.

Oneyibo, O. (2022). Nigeria Has a New Data Protection Enforcing body; Here’s Why You Should Care. [online] Techpoint Africa. Available at: https://techpoint.africa/2022/03/10/nigeria-data-protection-bureau [Accessed 19 Aug. 2022].

PWC (2020). The NDPR and the Data Protection Bill 2020. [online] PWC. Available at: https://www.pwc.com/ng/en/assets/pdf/the-ndpr-data-protection-bill-2020.pdf [Accessed 19 Aug. 2022].

Scott, B. and Eke, S. (2020). A Review of the Nigerian Data Protection Bill 2020 - Privacy Protection - Nigeria. [online] www.mondaq.com. Available at: https://www.mondaq.com/nigeria/privacy-protection/983116/a-review-of-the-nigerian-data-protection-bill-2020 [Accessed 19 Aug. 2022].

United Nations Conference on Trade and Development (2021). Data Protection and Privacy Legislation Worldwide | UNCTAD. [online] unctad.org. Available at: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.

Wolford, B. (2018). What Is GDPR, the EU’s New Data Protection law? [online] GDPR.eu. Available at: https://gdpr.eu/what-is-gdpr/.

Woodward, M. (2021). 16 Countries with GDPR-like Data Privacy Laws. [online] securityscorecard.com. Available at: https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws.

World Bank (2019). Data Protection and Privacy Laws | Identification for Development. [online] id4d.worldbank.org. Available at: https://id4d.worldbank.org/guide/data-protection-and-privacy-laws.

?