Unravelling NDPA's Enigmatic Scope: Navigating Data Protection in Nigeria
Joel Adeyemi Adefidipe
Future BIGWIG | Writer | BIGWIG Ambassador | Tech, Law and Finance Enthusiast | Startup Advisory | Data Protection Enthusiast
As I dive deeper into the Nigeria Data Protection Act (NDPA), new interpretations, or perhaps "gaps" (for lack of a better word), seem to emerge with every read. Today, let's focus on the NDPA's scope, an area that has been causing some concerns for me. I thought to share to check if my concerns are valid.
The Scope of the NDPA
The NDPA applies to:
I capitalised "OR" because, with the way it is used in that particular portion of the NDPA, it will be interpreted disjunctively. That is to say, the NDPA will apply in each circumstance stated above, and no one circumstance is dependent on the other for it to fall within the application of the NDPA. This is the foundation for my thoughts.
Data Controllers and Processors in Nigeria: Does it include their extraterritorial activities?
The scope of the NDPA, as it stands, is problematic because it is open to a wide interpretation that is not expressly stated. Notwithstanding, that interpretation will fly. The first question is: does the NDPA apply to a data controller or processor in Nigeria who processes the personal data of a foreigner residing abroad?
Remember, the NDPA applies to data controllers and processors in Nigeria. This seems to suggest that it encompasses all their activities. The mere fact that the data controller or processor is domiciled, resident, or operating in Nigeria already brings it within the ambit of the NDPA without more.
The General Data Protection Regulation (GDPR) of the European Union, on which the NDPA was modelled, did a better job by expressly stating that data controllers or processors in the European Union are regulated by the GDPR even if the processing of data does not occur within the European Union. However, for the NDPA, we have to do some legal gymnastics to reach a conclusion on whether the data processing activities of data controllers or processors in Nigeria that occur outside Nigeria are regulated by the NDPA.
"Data subjects in Nigeria": What exactly does this mean?
The second question that arises when reading the NDPA's application clause is: What does "data subjects in Nigeria" mean? This could be interpreted in many ways. Do I have to be a resident or a citizen to be a data subject in Nigeria? What if I am just staying in Nigeria for a 2-day business trip, and an entity collects my personal data at a business event? Does mere physical presence in Nigeria suffice, even if it is transitory?
The Nigeria Data Protection Regulation 2019 (NDPR) was quite clear on this point. It states that the processing of the personal data of data subjects resident in Nigeria will be regulated by the NDPR. Well, the NDPA did not learn from its predecessor. Instead, it employed a rather vague phrase: "data subjects in Nigeria". Even though the NDPR still applies, the NDPA's application takes precedence due to its status as substantive legislation.
Even if the NDPA was couched exactly like the NDPR, it still raises some concerns. Let me use a scenario to illustrate them:
Let's assume that a British citizen, Peter Parker, a seasoned financial adviser, subscribes to an Internet Service Provider (ISP) in the UK. Peter volunteered his personal information to the ISP to have access to their services. A few months later, Peter received an attractive offer from a leading venture capital fund in Nigeria. He accepts the role and moves to Nigeria. At this point, the ISP in the UK shares his personal information with a digital marketing firm in Argentina.
Will the NDPA apply to the sharing of Peter's personal data by the ISP in the UK to the firm in Argentina? I want to believe it will apply because if it does not, then John will be left without the ability to enforce his rights unless he goes to the UK. I hope you see my point.
Conclusion
I have always been of the opinion that the NDPA is a ray of sunshine in the Nigerian data protection jurisprudence, providing a specialised substantive law for the budding data protection regulatory landscape. However, I have reeled out some of the grouse I have with the way it is worded. I still have a few, which I may discuss later, but I believe understanding the scope of a law is very fundamental to compliance. If the scope cannot be easily understood, then more work has to be done. The Nigeria Data Protection Commission needs to be on its toes to educate everyone about the extent of the application of NDPA. This will be very helpful for compliance with the NDPA.
Don't forget, with greater data comes greater responsibility.
From your friendly neighbourhood data protection enthusiast.