INSIGHT TO THE NIGERIA DATA PROTECTION BILL, 2022

Introduction

Nigeria is running a huge digital identity program, which makes it necessary to put in place a specific legal framework to govern the management of the biometric and demographic data being collected from citizens. Data is the raw resource with which information and knowledge are generated. It is the fuel that powers different business activities, particularly in the digital economy, and is a major driver of globalization[1]. As the largest economy and population in Africa, Nigeria is not left out of the effects of the utilization of this asset[2].

Data protection is a constitutional right guaranteed under section 37 of the Nigerian constitution. At present, the Nigerian Data Protection Regulation, 2019 (NDPR) is the main data protection regulation in Nigeria. The regulation was issued by the National Information Technology Development Agency (NITDA). The NDPR provides for the rights of data subjects, the obligations of data controllers and data processors, and the transfer of data to a foreign territory, amongst others[3].

There is an urgent need to have principal legislation in place to ensure the safety, privacy, and confidentiality of citizens’ data. Prior to this point, there have been several attempts to pass a data protection law. The Nigeria Data Protection Bill, 2022 will be presented before the National Assembly as an executive bill. The hope is that the current efforts will see the light of day.

This article provides an insight into the changes introduced by the new Nigeria Data Protection Bill, 2022 (the Bill) that have a direct impact on the Nigerian data protection regulatory framework across key aspects of national life, including digital and biometric identity, surveillance, encryption and anonymity, cybercrime and cybersecurity[4], as well as government registration.

Legal Frameworks

  • The 1999 Nigerian Constitution (As Amended)
  • ECOWAS Supplementary Act on Personal Data Protection
  • The African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention)[5]
  • The Nigeria Data Protection Regulation ("the NDPR") 2019
  • The Nigeria Data Protection Regulation Implementation Framework ("the Framework") 2020[6]
  • Guidelines for the Management of Personal Data by Public Institutions in Nigeria ("the Guideline") 2020[7]
  • The Framework and Guidelines for Public Internet Access (PIA), 2019.
  • Cybercrime (Prohibition, Prevention etc.) Act 2015
  • The Nigeria Data Protection Regulation, 2019
  • NITDA (Amendment) Act 2021
  • Nigeria Data Protection Bill, 2022

Nigeria Data Protection Bill, 2022

This Bill will apply where the controller or processor is a Nigerian resident, where the processing of the data takes place in Nigeria, or where the organization actively targets, markets to, or monitors Nigerian residents. The Bill will not apply to personal or household use devoid of economic benefits. Certain provisions of the Bill will not apply where processing is required for national security, crime investigation and prevention, or public health emergency control, or where it falls under the journalistic exemption.

The Bill and the NDPR Compared

The Bill is a significant improvement over the NDPR.

  • The Bill emphasizes the principles of fairness, transparency, and accountability.
  • Legitimate interest is recognized as a lawful basis. The legal basis for processing sensitive personal data is clearly stated, and the Bill addresses how to provide a privacy notice when the data is not collected directly from the data subject.
  • The Controller’s and the Processor’s mutual responsibilities were expanded.
  • The rules on child protection are more explicit, and there is a new requirement for age verification.
  • The Bill reconciled the age of a child to 18 in order to be consistent with the provisions of the Child Rights Act, resolving the confusion created by the Data Protection Implementation Framework (DPIF), which defined a child as anyone under the age of 13.
  • The DPIF's mandatory requirement for multinational corporations to have data protection officers in Nigeria is no longer in effect. The Bill also provides additional clarification on the exercise of data subject rights.
  • The Bill creates an opening for departing from the DPIF's requirement that refers to the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention).
  • Mandatory registration.
  • Transformation of the NDPB into the new Data Protection Commission.
  • Inclusion of a journalistic exemption that will strengthen freedom of expression.
  • The introduction of prior consultation with the regulator for data protection impact assessment where the risk cannot be mitigated, among other things.
  • The Bill also introduced the concept of a controller and processor of “major importance.” While an attempt was made to define these terms, the classification threshold remains unknown, but the commission promised to define the tiering.
  • Licensing of Data Protection Compliance Organizations.
  • Designation of Data Protection Officers (DPOs).

Mandatory Registration

The Bill requires data controllers and data processors to register with the Commission. The registration fee will also be set by the Commission. The Bill also outlines several obligations for data controllers, such as breach notification and restrictions on the cross-border transfer of personal information, including transfers based on adequate protection. The Bill establishes the Nigeria Data Protection Commission for the regulation of the processing of personal data, and for related matters, and will apply to the processing of personal data, whether by automated means or not, where:

  • The data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Nigeria;
  • The processing of personal data occurs within Nigeria; or
  • The processing of personal data of a resident of Nigeria where the data controller or data processor was actively marketing to, targeting, or monitoring such residents within Nigeria.

Enforcement

The Bill provides for investigations, compliance orders[8], enforcement orders, judicial review, as well as civil remedies. More specifically, it provides for penalties of up to 10 million naira and 2% of the defaulting controller's or processor's annual gross revenue derived from Nigeria in the preceding financial year.

Possible Concerns

i. Failure to pigeonhole or classify "Competent authorities"

This creates a loophole that allows institutions to hide under this wide umbrella for the purpose of data processing.

ii. Minister in Charge of Communications and Digital Economy

The Minister has been allocated enormous powers, which could allow him to exert overbearing influence over the proposed Data Protection Commission. The Commission should be made independent. The ministry, being a new creation of the present administration, may be split into two or scrapped outright by a successive government. This could affect the administration of the Commission.

iii. Appointment of Governing Council

For the Commission’s governing council to function effectively, the appointment of its members should be subject to Senate confirmation. This oversight is needed to ensure competent individuals are appointed to the Council.

iv. Omission of some terminologies

The Bill contains concepts like recipient, pseudonymization, third parties, profiling, and cross-border, but omits their definitions. The Bill also completely omits concepts like joint controllers, anonymization, etc.

v. Special Categories of Personal Data

Special attention is not given to certain types of sensitive personal data which ought to enjoy additional protection under the Bill. These include:

a. Personal data revealing racial or ethnic origin.
b. Political opinions.
c. Religious or philosophical beliefs.
d. Trade union membership.
e. Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
f. Data concerning health.
g. Data concerning a natural person’s sex life or sexual orientation.

vi. Mandatory Registration

Upon signing the Bill into law, a timeline for such registration should be stipulated. Penalties for late registration, or for failure, neglect, or refusal to register, should also apply in different classes of fines. Timelines for registration approval, data subject rights, and complaint resolution, among other things, are missing.

vii. Transitional provision and the NDPR

The transitional provision saves the NDPR until it expires or is replaced, etc. It remains doubtful whether this Bill, upon becoming an Act, is deemed to have replaced the NDPR. The status of the NDPR upon the Bill becoming law should be clearly defined.

viii. Data Retention

Another potential operational difficulty is the storage limitation provision. Anyone who has attempted to create a data retention schedule knows how difficult it can be. The Bill restricts the retention period to where the law allows it or where the data subject consents. This could simplify the complexities of data retention, where contracts, research, a court order, or the defense or establishment of a legal claim could all play a role[9].

ix. Data Subject Rights

The Bill's provisions on exercising rights are far more comprehensive than those in the NDPR. However, it lacks a timeline for responding to rights requests.

x. Sanctions and Enforcement

The Bill risks falling into the same trap as the NDPR, where the number of data subjects affected by a violation was the sole determinant of fines[10]. The Bill classifies violators as either controllers or processors of “major importance.” The risk of violation and other factors, not just the size of the organization, should be considered. Other factors to consider include the nature, gravity, and duration of the infringement; the purpose of the processing; the number of data subjects involved; the level of damage and the damage mitigation measures implemented; intent or negligence; the degree of cooperation with the Commission; and the categories of personal data.

Conclusion

In sum, the introduction of this new Bill raises new excitement in the industry. For whatever it is worth, the Federal Government should be commended for producing an improved version of the abortive 2020 Bill. Notwithstanding its apparent flaws when passed into law, the new Act ushers in a new era for the privacy[11] and data protection industry in Nigeria. The Bill is a necessary intervention, and its passage is an important outcome. However, the desire to pass a law in record time will be defeated if the Bill is enacted with its apparent flaws. Given how difficult it is to amend a law in Nigeria, the people whom the law is meant to serve will be the most affected. With the tiering of controllers and processors of "major importance," the Bill should avoid the trap of focusing on large market players while ignoring small players who are capable of even more sharp practices.


REFERENCES

[1] The Economist, “The World’s Most Valuable Resource is no Longer Oil, but Data”, 6 May 2017, available at https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data, accessed on 10 October 2022.

[2] According to the World Bank, Nigeria's GDP for the year 2020 was 432.30 billion US dollars. See also Adedayo Akinwale and Dike Onwuamaeze, “Nigeria Overtakes South Africa As Africa's Largest Economy”, 5 March, 2020, available at https://allafrica.com/stories/202003050216.html, accessed on 09 October 2022.

[3] Chinerem Ubaka, “Data Protection in Nigeria: How Has the Journey Been?”, available at https://www.dhirubhai.net/pulse/data-protection-nigeria-how-has-journey-been-chinecherem-ubaka/, accessed on 07 September 2022; NITDA, “Nigeria Data Protection Regulation Performance Report 2019-2020”, pg. 9, available at https://www.nitda.gov.ng/wpcontent/uploads/2021/03/NDPR-Lite-Performance-Report-2O19-2O2O.pdf, accessed on 8 September, 2022.

[4] Temitayo Ogunmokun, “Assessing Data Protection in Nigeria: A Look at Biometric Identity, Surveillance, Encryption and Anonymity, and Cybercrimes”, available at https://www.file:///C:/Users/Great%20Ijomah/Downloads/ARTICLE%20Assessing-data-protection-in-NigeriaFinal.pdf, accessed on 08 October 2022.

[5] Dike Ibegbulem, “The Protection of Consumers’ Personal Data in the Era of e-Commerce in Nigeria”, (2019), available at https://www.researchgate.net/publication/334837471_The_Protection_of_Consumers'_Personal_Data_in_the_Era_of_Ecommerce_in_Nigeria, accessed on 21 September 2022.

[6] Oluwafemi Jemilohun and Ifedayo Akomolede, “Regulations or Legislation for Data Protection in Nigeria? A Call for a Clear Legislative Framework”, Global Journal of Politics and Law Research, Vol. 3, No. 4, pp. 1-16, August 2015, available at https://www.eajournals.org/wp-content/uploads/Regulations-or-Legislation-for-Data-Protection-in-Nigeria1.pdf, accessed on 22 September 2022.

[7] Babalola, Olumide, “A Bird’s Eye Rundown on Nigeria’s Data Protection Legal and Institutional Model”, (March 20, 2021), available at SSRN: https://ssrn.com/abstract=3808570, accessed on 10 September 2022.

[8] Diyoke Michael Chika and Edeh Stanley Tochukwu, “An Analysis of Data Protection and Compliance in Nigeria”, International Journal of Research and Innovation in Social Science (IJRISS) |Volume IV, Issue V, May 2020|ISSN 2454-6186, Pg.

[9] Ridwan Oloyede, “The New Data Protection Bill, 2022”, available at https://www.dhirubhai.net/pulse/new-data-protection-bill-nigeria-ridwan-oloyede-/, accessed on 9 October 2022.

[10] See the NITDA Amendment Act 2021, Electronic Communications and Transactions Bill 2009; Electronic Commerce (Provision of Legal Recognition) Bill of 2008; and the Digital Rights and Freedom Bill 2017.

[11] Alex B. Makulilo, “The Quest for Information Privacy in Africa”, Journal of Information Policy, (2018) pg. 317.
