A NEW ERA OF DATA PROTECTION AND PRIVACY: UNVEILING INNOVATIONS & IDENTIFYING GAPS IN THE NIGERIA DATA PROTECTION ACT OF 2023
ABSTRACT
Data has been called the new oil because, like oil, data that is correctly collected, managed, and stored is an asset. Also like oil, data that is mishandled or stored improperly can have disastrous outcomes, such as theft of confidential information and intellectual property. This justifies statutory intervention aimed at ensuring data protection and privacy. In Nigeria, the issuance of the Nigeria Data Protection Regulations (NDPR) by the National Information Technology Development Agency was a significant step in that direction, as it provided a much-needed framework for the protection of the data privacy rights of Nigerians. Despite this milestone, stakeholders repeatedly called for a more comprehensive framework for data protection, which the Nigeria Data Protection Act 2023 now provides. The Act establishes a more robust data protection regime, adopting some of the provisions of the NDPR while also introducing innovations. This article analyses some of the innovations made under the Nigeria Data Protection Act 2023 and identifies gaps that remain.
KEY WORDS: Data, Privacy, Innovation, Data Breach, Cross-border, Sanctions.
INTRODUCTION
The Nigeria Data Protection Bill was presented in October 2022 by the Nigeria Data Protection Bureau, which had been established by the immediate past President, Muhammadu Buhari. It was passed by the Senate and the House of Representatives of the National Assembly in May 2023, and the harmonised Bill was assented to by President Bola Ahmed Tinubu on 12 June 2023.[1]
The resulting comprehensive data protection regime, which builds on certain provisions of the Nigeria Data Protection Regulations 2019 and its Implementation Framework, positions Nigeria among the progressive countries championing data protection globally.[2] This article analyses some of the innovations made under the Nigeria Data Protection Act and identifies areas for improvement.
A. INNOVATIONS IN THE NIGERIA DATA PROTECTION ACT
1. Scope of Application of the Act
According to Section 2, the Act applies to the processing of personal data, by automated means or otherwise, where the data controller or data processor is domiciled in, resident in or operating in Nigeria, where the processing occurs within Nigeria, or where the data being processed is that of a data subject in Nigeria. This is a departure from the scope of the NDPR, which according to Paragraph 1.2 applies to Nigerian citizens residing within or outside the country.
Thus, while the application of the NDPR turns on the citizenship of the data subject, the Act focuses on the data controller or processor and on the circumstances of the particular processing. There is, however, some difficulty in determining whether a data processor or data controller is domiciled in, resident in or operating in Nigeria, as the Act defines none of these terms. It is suggested that the words be given their plain meaning under the literal rule of interpretation.[3] Read literally, the Act would not reach Nigerians living abroad whose data is processed entirely outside Nigeria by a controller or processor with no Nigerian presence, since neither the data subject, the processing nor the controller would then be connected to Nigeria in any of the ways Section 2 describes.[4]
2. Fundamental Rights
The Act clarifies the constitutional footing of data protection and privacy. This is vital because Section 37 of the Constitution, which guarantees citizens' right to the privacy of their homes and correspondence, does not specifically refer to data protection, and the NDPR made no reference to the constitutional provisions on privacy as the basis for its existence. The point was considered by the Court of Appeal in Digital Rights Lawyers Initiative v. National Identity Management Commission,[5] where the court held that the NDPR "must be construed as a legal instrument that protects or safeguards the right to privacy of citizens as it relates to the protection of their personal information or data as guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria 1999." Decisions such as this evidently influenced the Legislature to trace the data protection and privacy rights under the Act expressly to the rights and freedoms guaranteed by the Constitution, including the right to privacy under Section 37.
Notably, Section 1 of the Act expressly states that its objective is to safeguard the fundamental rights and freedoms of data subjects guaranteed under the Constitution.
3. Establishment of the Nigeria Data Protection Commission
The Act establishes the Nigeria Data Protection Commission, which replaces the Nigeria Data Protection Bureau in overseeing the implementation of the Act and data protection and privacy issues generally.[6] Among other things, the Commission has the power to register data controllers and data processors of major importance, to accredit and license suitable persons as Data Protection Compliance Officers, to receive complaints relating to violations of the Act,[7] and to sanction those who violate its provisions.[8]
Worthy of note is Section 64(1), which provides that a reference to the Bureau existing before the commencement of the Act shall be read as a reference to the Commission established under the Act, and that all persons engaged by the Commission shall have the same rights, powers and remedies as existed in the Bureau before commencement. This transitional provision transfers the powers and duties of the Bureau to the Commission.[9]
4. Introduction of Legitimate Interest as a Lawful Basis of Processing
One of the innovations of the Act is the recognition of legitimate interest as a lawful basis of processing. Section 25(1)(b)(v) extends the lawful bases to include processing for the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. The Act does not define "legitimate interest", but the basis may cover processing for purposes not clearly captured by the other available bases, for instance processing for the prevention of fraud or in the context of the employer-employee relationship.[10]
However, legitimate interest will not ground processing where the interest is overridden by the data subject's fundamental rights and freedoms, where it is incompatible with the other lawful bases, or where the data subject would not reasonably expect the personal data to be processed in the manner envisaged.[11]
5. Protection of Children
Unlike the NDPR, which is silent on children, Section 31 of the Act makes detailed provision for their protection. It requires data controllers to obtain the consent of the parent or legal guardian of a child, or of another individual incapable of giving consent, and to take steps to verify the age of the child and the consent given. Section 65 aligns the age of a child with that under the Child Rights Act 2003.[12] "Persons incapable of giving consent" is not defined by the Act, but may include persons of unsound mind or otherwise lacking legal capacity.
6. Consent
By Section 26 of the Act, the burden of establishing that the data subject's consent was obtained before the collection of data rests on the data controller, and silence or inactivity on the part of the data subject will not be taken to imply consent. Placing this burden on the data controller is a welcome provision: it better protects the data subject and lightens the evidential load on a claimant, especially in a civil claim for damages.
In practice, it forces data controllers and processors who use customers' data for a purpose different from, or further to, the one for which it was collected (such as profiling or automated decision-making) to obtain the customers' consent before using the data for that other purpose, and to keep evidence of having done so.
7. Data Protection Impact Assessment
Section 28 of the Act requires data controllers to carry out a data protection impact assessment (DPIA) where the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects by reason of its nature, scope, context and purposes. The assessment is meant to identify the risks and impact of the envisaged processing; where it indicates that the processing is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must consult the Commission.
The provisions are similar to Paragraphs 3.2(viii) and 4.2 of the NDPR Implementation Framework 2019. Under the Act, however, there is the additional requirement that data controllers consult the Commission where the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.[13]
8. Data Protection Officers
Section 32 of the Act mandates a data controller of major importance to designate a Data Protection Officer (DPO) with expert knowledge of data protection law and practices and the ability to carry out the tasks prescribed under the Act and its subsidiary legislation.
DPOs are already provided for in the NDPR, which[14] obliges data controllers to designate appropriate Data Protection Officers to ensure compliance with data protection law. The Act, however, makes the appointment of a DPO mandatory only for data controllers of major importance.
9. Prohibition of Automated Decision-Making
Section 37 of the Act prohibits decisions about a data subject that are based solely on automated processing of personal data, unless a contract, legal authority, or the data subject's consent supports the decision. The section also preserves the data subject's right to obtain human intervention on the part of the data controller. Whereas the NDPR only requires the data processor to inform the data subject of the existence of automated decision-making, including profiling, and its consequences, the Act goes a step further: outside those exceptions no decision may rest solely on automated processing, and the data subject can always demand human intervention, which safeguards the fundamental rights of data subjects.
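The consent and automated decision-making provisions discussed above translate into two engineering requirements: a controller must be able to produce evidence that consent existed for a specific purpose at the time of processing (and that it came from an affirmative act, not silence), and a solely automated decision must be routed to a human unless a contract, legal authority or consent supports it. The following consent ledger is an added example written for this article; it is not code from the Act, the Commission or the cited commentaries, and the record structure, purpose labels, function names and the sample scenario in `demo()` are all assumptions.

```python
"""Consent ledger illustrating s.26 (burden of proof on the controller; silence is not
consent), purpose limitation (a new purpose needs fresh consent) and s.37 (no decision
based solely on automated processing without a contract, legal basis or consent, and a
right to human intervention). Added example; field names and scenario are assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


class ConsentError(Exception):
    """Raised when processing cannot be shown to rest on provable consent."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                 # the exact purpose consented to, e.g. "marketing-email"
    given_at: datetime
    evidence: str                # what proves the affirmative act: form id, click id, ...
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of consent records; withdrawal closes a record, never deletes it,
    so processing that happened before withdrawal remains provable."""

    def __init__(self):
        self._records = []

    def record(self, subject_id, purpose, given_at, evidence, affirmative_act):
        # s.26: silence, inactivity or a pre-ticked box is not consent. Refusing to
        # write such a record means nothing in the ledger is unprovable later.
        if not affirmative_act or not evidence:
            raise ConsentError("no affirmative act or evidence; consent not recorded")
        rec = ConsentRecord(subject_id, purpose, given_at, evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at):
        """Close every live record for (subject, purpose) as of `at`."""
        for i, r in enumerate(self._records):
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                self._records[i] = replace(r, withdrawn_at=at)

    def proof_of_consent(self, subject_id, purpose, at):
        """Return the record proving consent for exactly this purpose at time `at`, else None.
        Purposes are matched literally: consent to marketing does not cover profiling."""
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.given_at <= at and (r.withdrawn_at is None or r.withdrawn_at > at)):
                return r
        return None


def authorize_processing(ledger, subject_id, purpose, at):
    """Gate a processing operation on provable consent; returns the evidence reference
    so the caller can log it alongside the operation (the controller bears the burden)."""
    rec = ledger.proof_of_consent(subject_id, purpose, at)
    if rec is None:
        raise ConsentError(f"no provable consent of {subject_id} for {purpose!r} at {at.isoformat()}")
    return rec.evidence


def decide(ledger, subject_id, purpose, at, other_lawful_basis=False, subject_requests_human=False):
    """s.37 routing: 'automated' only when a contract/legal basis (other_lawful_basis) or
    consent supports a solely automated decision, and the subject has not asked for a human."""
    if subject_requests_human:
        return "human-review"
    if other_lawful_basis or ledger.proof_of_consent(subject_id, purpose, at) is not None:
        return "automated"
    return "human-review"


def demo():
    """Constructed scenario (not from the article): one subject, two purposes."""
    ledger = ConsentLedger()
    t = lambda h: datetime(2024, 3, 1, h, 0, tzinfo=timezone.utc)
    out = {}
    try:                                            # 1. pre-ticked box: refused outright
        ledger.record("sub-1", "marketing-email", t(9), evidence="", affirmative_act=False)
        out["silence_recorded"] = True
    except ConsentError:
        out["silence_recorded"] = False
    ledger.record("sub-1", "marketing-email", t(10), evidence="form-17", affirmative_act=True)
    out["marketing_proof"] = authorize_processing(ledger, "sub-1", "marketing-email", t(11))
    try:                                            # 2. new purpose, old consent: refused
        authorize_processing(ledger, "sub-1", "credit-profiling", t(11))
        out["profiling_allowed"] = True
    except ConsentError:
        out["profiling_allowed"] = False
    out["decision_before_consent"] = decide(ledger, "sub-1", "credit-profiling", t(11))
    ledger.record("sub-1", "credit-profiling", t(12), evidence="click-88", affirmative_act=True)
    out["decision_after_consent"] = decide(ledger, "sub-1", "credit-profiling", t(13))
    out["decision_human_requested"] = decide(ledger, "sub-1", "credit-profiling", t(13),
                                             subject_requests_human=True)
    ledger.withdraw("sub-1", "marketing-email", t(14))  # 3. withdrawal is forward-looking
    out["marketing_before_withdrawal"] = ledger.proof_of_consent("sub-1", "marketing-email", t(13)) is not None
    out["marketing_after_withdrawal"] = ledger.proof_of_consent("sub-1", "marketing-email", t(15)) is not None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that the ledger never stores a record it could not later defend: a consent without an affirmative act or an evidence reference is rejected at write time, and withdrawal closes a record rather than deleting it, so the controller can still prove that processing before the withdrawal was lawful while being unable to prove anything for processing after it.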
10. Data Breach
Another notable addition is the Act's detailed prescription of the steps to be taken in the event of a breach of personal data stored or processed by a data processor or data controller.
According to Section 40 of the Act, in the event of a personal data breach a data processor is obliged to notify the data controller. The data controller must then assess the breach to determine whether it is likely to result in a risk to the rights and freedoms of the affected data subjects. If, in the data controller's assessment, it is, the controller must notify the Commission of the breach within 72 hours of becoming aware of it. Separately, where the breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must immediately communicate the breach to the data subject.[15]
The Act thus imposes separate obligations on the processor and the controller, with the processor answerable to the controller. It also distinguishes "risk" from "high risk", both of which are for the data controller to assess: breaches likely to result in a risk must be reported to the Commission, while only breaches likely to result in a high risk must additionally be reported to the data subject.[16] The data controller and the data processor must also keep a record of personal data breaches, whether or not any notification was required.
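An incident-response team needs the Section 40 workflow above as a decision rule with a clock attached: who must be told, by when, measured from the moment of awareness, and a register of every breach including those that triggered no notification. The following triage helper is an added example written for this article, not code from the Act, the Commission or any cited source; the role and risk labels, the treatment of "immediately" as a deadline equal to the time of awareness, the register layout and the sample incidents in `demo()` are assumptions.

```python
"""Breach-notification triage modelled on Section 40 as summarised above: the processor
notifies the controller; the controller assesses risk, notifies the Commission within 72
hours of becoming aware where a risk is likely, additionally and immediately informs the
data subjects where the risk is high, and records every breach. Added example; labels,
deadlines for 'immediately' and sample incidents are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

COMMISSION_WINDOW = timedelta(hours=72)      # 72 hours from awareness (s.40, as read above)
RISK_LEVELS = ("none", "risk", "high")       # assumed labels for the controller's assessment


@dataclass
class Breach:
    ref: str
    role: str                 # "processor" or "controller": which hat the organisation wears
    aware_at: datetime        # when the organisation became aware; the clock starts here
    risk: str                 # controller's assessment; ignored for a processor
    subjects_affected: int


@dataclass
class Obligation:
    notify: str               # who must be told
    deadline: datetime        # "immediately" is modelled as deadline == aware_at (assumption)
    done_at: Optional[datetime] = None


def obligations_for(b: Breach) -> List[Obligation]:
    """Map one breach to the notifications the Act requires of this organisation."""
    if b.role == "processor":
        # The processor answers only to the controller; it has no direct duty to the
        # Commission or to data subjects under the summary above.
        return [Obligation("data controller", b.aware_at)]
    if b.role != "controller":
        raise ValueError(f"unknown role {b.role!r}")
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    obligations = []
    if b.risk in ("risk", "high"):
        obligations.append(Obligation("Commission", b.aware_at + COMMISSION_WINDOW))
    if b.risk == "high":
        obligations.append(Obligation("data subjects", b.aware_at))
    return obligations


class BreachRegister:
    """Record of every breach (required of both controller and processor), with the
    open obligations so that missed deadlines can be surfaced."""

    def __init__(self):
        self._entries = []

    def log(self, b: Breach) -> List[Obligation]:
        obligations = obligations_for(b)
        self._entries.append((b, obligations))
        return obligations

    def mark_done(self, ref: str, notify: str, at: datetime):
        for b, obligations in self._entries:
            if b.ref == ref:
                for o in obligations:
                    if o.notify == notify and o.done_at is None:
                        o.done_at = at

    def overdue(self, now: datetime):
        """(ref, who) pairs whose deadline has passed without the notification being sent."""
        return [(b.ref, o.notify) for b, obligations in self._entries
                for o in obligations if o.done_at is None and now > o.deadline]

    def __len__(self):
        return len(self._entries)


def demo():
    """Constructed incidents (not from the article) at a common awareness time T."""
    T = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
    reg = BreachRegister()
    out = {}
    out["processor"] = [o.notify for o in reg.log(Breach("B1", "processor", T, "high", 5000))]
    out["no_risk"] = [o.notify for o in reg.log(Breach("B2", "controller", T, "none", 3))]
    risk = reg.log(Breach("B3", "controller", T, "risk", 400))
    out["risk"] = [o.notify for o in risk]
    out["risk_deadline_hours"] = int((risk[0].deadline - T).total_seconds() // 3600)
    out["high"] = [o.notify for o in reg.log(Breach("B4", "controller", T, "high", 120000))]
    reg.mark_done("B4", "Commission", T + timedelta(hours=5))   # sent well inside the window
    out["overdue_at_73h"] = reg.overdue(T + timedelta(hours=73))
    out["register_size"] = len(reg)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details matter in practice: the 72-hour window runs from awareness, not from the breach itself, so the register must capture the awareness timestamp reliably, and a breach assessed as "none" still produces a register entry with no obligations, because the record-keeping duty is independent of the notification duty.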
11. Cross-Border Transfer of Data
Sections 41 to 43 of the Act establish the basis for cross-border transfer of personal data.[17] Section 41 prohibits data controllers from transferring personal data out of Nigeria unless the recipient is subject to a law, binding corporate rules, contractual clauses, or a certification mechanism that affords an adequate level of protection in accordance with the Act, or one of the conditions in Section 43 applies. By Section 42, a level of protection is adequate if it upholds principles substantially similar to the conditions for processing personal data under the Act; adequacy is assessed by reference to, among other things, the existence of effective data protection law, the availability of enforceable data subject rights, the existence of an independent data protection or similar supervisory authority with enforcement powers, and binding international conventions and commitments. Even in the absence of such protection, data may still be transferred where the data subject has given consent that has not been withdrawn, the processing is necessary to perform a contract to which the data subject is party, the transfer is for the benefit of the data subject and it is reasonably predictable that consent would be given or it is impracticable to obtain it, or the transfer is necessary in the public interest or to establish or defend a legal claim, among other grounds.[18]
Notably, the Act grants the Commission the authority to determine the adequacy of a recipient country's protection regime.[19] Annexure C of the Framework for the Implementation of the NDPR also contains a whitelist of jurisdictions deemed to have an adequate level of data protection, and these provisions remain operational by virtue of Section 64(2)(f) of the Act.
12. Registration of Data Controllers and Data Processors
Section 44 of the Act requires data controllers and data processors of major importance to register with the Commission within six months of the commencement of the Act, or of becoming a data controller or data processor of major importance. Section 45 empowers the Commission to prescribe the fees payable by such controllers and processors. The Act defines a data controller or data processor of major importance as one that is domiciled, ordinarily resident, or ordinarily operating in Nigeria and processes or intends to process the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such class of data of significance to the economy or security of Nigeria as the Commission may designate.[20]
This definition is incomplete on its own, as it does not fix the number of data subjects or the classes of data that make a data controller or data processor one of major importance. Until the Commission issues guidance on the applicable thresholds, organisations cannot determine with certainty whether the registration and DPO obligations attach to them.[21]
13. Sanctions for Breach of the Act
Part X of the Act makes extensive provision for enforcement, including sanctions. Section 46 permits a person aggrieved by the acts or omissions of a data controller or data processor in violation of the Act to lodge a complaint with the Commission, which has the discretion to investigate the complaint if it is not frivolous. The Commission may also investigate possible violations of the Act of its own motion.
Section 47 permits the Commission to issue compliance orders (such as a warning or a cease-and-desist order) where it is satisfied that a data controller or data processor has violated or is likely to violate the Act. After an investigation, Section 48 permits the Commission to make enforcement orders against, or impose sanctions on, a data controller or data processor found in violation, independently of any criminal sanction. An enforcement order may require the data controller or data processor to remedy the violation; to pay compensation to a data subject who has suffered injury, loss or harm resulting from the violation; to account for the profits realised from the violation; or to pay a penalty or remedial fee. The penalty or remedial fee may be up to the "higher maximum amount" for a data controller or data processor of major importance, or the "standard maximum amount" for one not of major importance. By Section 48(4), the higher maximum amount is the greater of N10,000,000 and 2% of the annual gross revenue of the preceding financial year, while the standard maximum amount is the greater of N2,000,000 and 2% of the annual gross revenue of the preceding financial year.
Section 49 makes non-compliance with such an order a criminal offence punishable by a fine of up to the higher maximum amount (for a data controller or data processor of major importance) or the standard maximum amount (for one not of major importance), imprisonment for a term not exceeding one year, or both. By Section 52, the court may additionally make a forfeiture order against a convicted data controller or data processor. By Section 53, liability may be joint or vicarious unless the principal officers or the firm prove that the offence was committed without their consent or connivance and that they exercised diligence to prevent its commission.
14. Provision of Civil Remedies
One notable gap under the NDPR was the absence of civil remedies for data subjects who suffer loss or injury because of violations of the Regulations. The Nigeria Data Protection Act fills this lacuna.
Section 51 of the Act allows a data subject who suffers injury or harm from a violation of the Act to recover damages from the responsible data controller or data processor in a civil claim. Because this compensation is payable directly to the affected data subject, those who bear the actual effects of a violation can obtain a monetary award commensurate with the loss suffered, rather than relying only on fines payable to the State.
15. The Status of the NDPR and Other Regulations
Section 64 of the Act, titled "Transitional Savings", preserves the regulations, rules, licences and similar instruments issued by the erstwhile Nigeria Data Protection Bureau and the National Information Technology Development Agency until they are repealed, replaced or altered. These include the Nigeria Data Protection Regulations (NDPR) and the NDPR Implementation Framework.
GAPS IN THE NIGERIAN DATA PROTECTION ACT OF 2023
I. The Use of Ambiguous Phrases
One of the challenges in enforcing the Act is its use of ambiguous and open-ended phrases. Chief among these is "data controller and data processor of major importance". Without a published threshold, a data processor or controller cannot readily ascertain whether it is of major importance, and so cannot comply with the attendant obligations in good time. A numerical threshold, as is used for merger notification under the Notice of Threshold for Merger Notification (which distinguishes large mergers, which must be notified to the Federal Competition and Consumer Protection Commission, from small mergers, which need not be, by reference to annual turnover),[22] would give the certainty needed for compliance.
Other ambiguous phrases requiring clarification include "legitimate interest"[23] and "persons incapable of giving consent".[24]
II. The Independent Status of the Commission
By Section 7 of the Act, the Commission is to be independent in the performance of its functions. This independence has nevertheless been questioned[25] because the composition of the Governing Council shows heavy reliance on the Executive: the appointment and removal of Council members rest on the President's prerogative.[26] Making appointment and removal subject to the President's discretion risks tying members' loyalty to the President, which can hinder the honest and transparent performance of the Commission's duties.
CONCLUSION
The innovations introduced in the Nigeria Data Protection Act 2023 are a significant step towards a comprehensive data protection and privacy regime in Nigeria that safeguards the data privacy rights of individuals. The Act's enhanced consent mechanisms, enlarged scope of application, and provision of civil remedies reflect the government's commitment to addressing the challenges of the evolving digital landscape. The more transparent and streamlined complaint and enforcement mechanism, with the Commission at the forefront, serves as a deterrent against data breaches and violations of data subjects' privacy rights, and signals that data protection carries real consequences for non-compliance. The emphasis on collaboration, transparency and accountability between data controllers and processors should also build trust between individuals and organisations and support a data-driven society.
However, some provisions of the Act require clarification to help stakeholders comply with their obligations and protect their rights. I recommend that the Nigeria Data Protection Commission issue an Implementation Framework to clarify those provisions and lay a foundation for the Act's implementation. The provision subjecting the appointment and removal of members of the Commission's Governing Council to the President's prerogative should also be amended. Finally, the Commission should cooperate with international data protection authorities to learn best practices and collaborate on global data protection challenges.
In conclusion, as the digital landscape evolves rapidly, the Nigeria Data Protection Act 2023 lays a foundation for Nigeria to safeguard the data privacy rights of its citizens, encourage innovation and become a key player in the global digital economy. The Act can also serve as a model for other nations grappling with data protection challenges. Whatever the challenges in its implementation, its long-term benefits to individuals, businesses and government are clear: it gives individuals greater control over their personal data, allowing them to participate in the digital world with confidence, and it requires organisations to adopt responsible data practices, leading to improved data security, reduced reputational risk and increased customer trust. Ultimately, it positions Nigeria among the jurisdictions that value the protection of personal data and the advancement of their citizens' privacy rights.
* Emmanuella Oluwatosin Adeoti is a recent First Class Graduate of the Law Faculty of the University of Benin. She is a writer interested in technology, energy, finance and corporate and commercial practice generally. Gmail: adeotiema@gmail.com.
[1] Lawpavillion, 'The Journey Towards the Nigeria Data Protection Act 2023' (Lawpavillion, 5 July 2023) <The Journey Towards the Nigeria Data Protection Act 2023 - LawPavilion Blog> accessed 17 July 2023.
[2] Seun Timi-Koleolu and Omonefe Irabor-Benson, 'Nigeria: Regulatory Update - Nigeria Data Protection Act, 2023' (Mondaq, 12 July 2023) <Regulatory Update - Nigeria Data Protection Act, 2023 - Data Protection - Nigeria (mondaq.com)> accessed 17 July 2023.
[3] Bronik Motors Ltd and anor. v. Wema Bank Ltd. [1983] NGSC 10, where Nnamani JSC stated that it is one of the first rules of interpretation of statutes that words must be given their ordinary, plain, and natural meaning.
[4] Michael Ango et al, 'Overview of the Nigeria Data Protection Act, 2023' (Mondaq, 4 July 2023) <Overview Of The Nigeria Data Protection Act, 2023 - Privacy Protection - Nigeria (mondaq.com)> accessed 18 July 2023.
[5] Appeal Number CA/IB/291/2020.
[6] Nigeria Data Protection Act (NDPA) 2023, s4
[7] NDPA, s5
[8] NDPA, s43
[9] Patience Aliu and Nkechi Udeze, 'An Overview Of Key Changes In The Nigeria Data Protection Bill 2022' (Mondaq, 22 February 2023) <An Overview Of Key Changes In The Nigeria Data Protection Bill 2022 - Privacy Protection - Nigeria (mondaq.com)> accessed 18 July 2023.
[10] Beverley Agbakoba-Onyejianya and Esther Odunze, 'Unveiling The Nigeria Data Protection Act, 2023: An Expert Appraisal Of Key Provisions' (Olisa Agbakoba Legal, 19 June 2023) <Unveiling The Nigeria Data Protection Act, 2023: An Expert Appraisal Of Key Provisions - Olisa Agbakoba Legal (OAL)> accessed 18 July 2023.
[11] NDPA, s26(2)
[12] Below 18 years of age
[13] Michael Ango et al (n4).
[14] NDPR, paragraph 4.1 (2)
[15] Beverley Agbakoba-Onyejianya and Esther Odunze (n10).
[16] Michael Ango et al (n4).
[17] Unini Chioma, 'The Data Protection (Communication Service) Regulations, 2023: An Attempt by NCC To Usurp the Powers Of the Nigeria Data Protection Commission?' (The Nigeria Lawyer, 17 July 2023) <The Data Protection (Communication Service) Regulations, 2023: An Attempt By NCC To Usurp The Powers Of The Nigeria Data Protection Commission? - TheNigeriaLawyer> accessed 19 July 2023.
[18] NDPA, s43
[19] NDPA, s42(3)
[20] NDPA, s65
[21] Michael Ango et al (n4)
[22] Federal Competition and Consumer Protection Commission Act 2018, s95 and s96
[23] As used in Section 25(1) (b) (v) of the NDPA
[24] NDPA, s31.
[25] Ifeoluwa Ebiseni, Nenjom Asuk and Ademayowa Borokinni, 'An appraisal of the Nigeria Data Protection Bill 2022' (Business Day, 10 November 2022) <https://businessday.ng/news/legal-business/article/an-appraisal-of-the-nigeria-data-protection-bill-2022/> accessed 20 July 2023.
[26] NDPA, s9 and s11