Highlight of the NDPR Implementation Framework
Tech Hive Advisory


The Nigerian Information Technology Development Agency (NITDA) recently released the Implementation Framework for the Nigeria Data Protection Regulation (NDPR). The Framework is an addendum that complements the NDPR. The first draft was issued in July 2019 and it has since gone through several revisions.

You can read the framework here: https://tinyurl.com/y2wg6lxb

I have highlighted some of the key provisions of the Framework below:

1. Consent is required as the lawful basis for direct marketing and the installation of cookies;

2. Obligation to conduct a Data Protection Impact Assessment (DPIA) for certain categories of processing;

3. Requirement to obtain the consent of a guardian before processing a child's personal data, with a child defined as any person below the age of 13;

4. Requirement to implement Data Protection by Design;

5. Clarity on the kinds of organisations that should appoint a Data Protection Officer (DPO);

6. Obligation on multinationals to appoint a country-resident data protection officer;

7. Clarity on exceptions to the law, which were absent in the NDPR. The exceptions now include national security, public health, public safety, investigation of crime, processing of anonymised data and household exceptions;

8. Guidance on the determination of retention periods;

9. Publication of a whitelist of countries considered to have adequate data protection laws;

10. Mandatory obligation to report a data breach to NITDA where the risk is high, and to notify the data subject where the breach will result in high risk to the rights and freedoms of the data subject;

11. Clarification of the administrative powers of NITDA, which allow the regulator to impose sanctions other than fines and criminal prosecution;

12. Introduction of a code of conduct for Data Protection Compliance Organisations (DPCO); and

13. Guidance on the content of processing agreements with third parties.

Comments

The Framework is a good move, which is expected to set the tone for implementation. The NDPR had a blanket provision mandating all organisations to appoint a DPO. Under the Framework, only government agencies, organisations processing data of over ten thousand data subjects, organisations processing sensitive personal data regularly, and organisations processing personal data considered critical national information are mandated to appoint a DPO. The clarity is much needed.

The exceptions introduced bring certainty to the scope of application of the law. Personally, I am excited to see the household exception included. Other commendable aspects of the Framework include the introduction of the DPIA, the specification of the content of processing agreements, the specification of the lawful basis for direct marketing and the use of cookies, guidance on the age of a child, and the requirement to report and notify when there is a data breach.

However, I do not agree with the list of countries. It appears NITDA did not follow its own rules in Art. 2.11 of the NDPR. For example, both Namibia and Rwanda, which have ratified the Malabo Convention, do not have a data protection law and are yet to set up their supervisory authorities. There are also countries on the list without "independent supervisory authorities" in the sense conceived under Article 2.11 (d) of the NDPR. I recommend that the list be revisited to avoid a situation where the threshold for safeguards is lowered, which may not confer sufficient protection on data subjects.

The express provision of consent as the only condition for processing sensitive personal data is restrictive. There are situations where consent will not be appropriate, and where vital interest, public interest, the defence of a legal claim, or the fact that the data was made public by the data subject would be the more fitting basis. My recommendation is that the provision should be revisited in the future.

The requirement of transparency on cookies and consent for installing cookies is laudable, but the provision fails to cater for scenarios where cookies are essential. In addition, the Framework requires consent for cookies on the one hand, but then goes on to state that "consent for cookies does not necessarily need the ticking of a box or similar methods; the continued surfing of a website upon a clear notice indicates consent." I recommend that this be revisited: non-essential cookies should require consent, and users should have the option to accept or reject them.

The requirement for multinationals to use Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC) to transfer data outside Nigeria is not clear. First, neither BCR nor SCC is mentioned in the NDPR. Second, it is not clear whether NITDA intends BCR and SCC to be used only in countries whose laws specifically provide for them. I recommend that the regulator be clearer on its intent. Until then, international transfers of data should be subject to the NDPR adequacy requirement and its derogations.

Finally, pending the enactment of the proposed Data Protection Bill, the regulator should do more in the area of enforcement, especially on the use of cookies, which is currently a mess in the country. They now have administrative powers to do more. It would be nice to also see the regulator issue more guidance to clarify subjects like the use of CCTV, the use of emerging technologies, etc.
Ademola Adeyoju, FIP

Manager Corporate Services Expert || CGI

4y

Excellent observations, Ridwan Oloyede! Shoving aside the ambitious, but curious, provisions on BCRs and SCCs, I think that taking express consent away from cookies use traduces the constitutional right to privacy, diminishes the impact of data protection, and shows quite painfully that we are "quite not there yet". Cookies, essential or not, sessional or persistent, first- or third-party, are incredibly powerful technologies. It is not surprising, therefore, that the more advanced EU e-Privacy Directive subjects the use of cookies to strict consent metrics, except in two very limited circumstances (as buttressed in the CJEU's decision in Planet49 and Opinion 04/2012 of the Working Party).

Reply
Temitayo Ogunmokun

Privacy Expert (Global HR) at Philips || LLM, FIP, CIPM, CIPP/E, ISO 27001, 27701 LA & LI, AI Governance

4y

Excellent summation, Roy. Thank you for doing this. Looks like the framework had the GDPR in mind in usual fashion, and not the NDPR?? The attempt at regulating cross-border transfers with SCCs and BCRs is quite superficial. For the former, who's drafting and/or approving these clauses? In what modes do they exist? For the latter, what are the prerequisites for these internal rules? Since they will presumably be prepared by the head office of the group situated in a different jurisdiction, how is compliance with our domestic law enforced, knowing that the only requirement is a mere submission of a copy of the BCR? And last but most definitely not least, why is the NITDA preparing a 54-page framework for a skeletal regulatory legislation that is set to become obsolete soon?

Thanks for sharing. We will be reviewing all versions, Ridwan Oloyede.

Reply
Gbenga Odugbemi

Legal Counsel, Privacy & AI Governance

4y

I don't understand why NITDA has continued to push out implementation plans when the NDPR's days are clearly numbered. Talk about the "Author of Confusion"!
