Digital information, unlike any other resource, has been extracted, refined, valued, bought and sold in many different ways. The number of smartphone users in Nigeria, Africa’s biggest economy and most populous country, is forecast to grow to more than 140 million by 2025. Current estimates from different sources put the number of smartphone users in Nigeria at between roughly 25 and 40 million, a testament to the reach of the digitalized world in a country of over 200 million people. Protecting data and regulating its use have therefore become more pertinent.
Data privacy and protection are an extension of the right to privacy, which is enshrined in the 1999 Constitution of the Federal Republic of Nigeria (“the Constitution”) as a fundamental human right. The Constitution guarantees and protects the privacy of citizens. However, despite several regulations and frameworks guiding data protection, several breaches have been recorded. The Nigerian Information Technology Development Agency (“NITDA”), recognising this and the need for a data protection regulation in Nigeria, especially in the light of developments in the international community, issued the Nigeria Data Protection Regulation (NDPR) on January 25, 2019.
However, after the NDPR was established, stakeholders clamoured for a more robust data protection instrument that would adequately provide for the collection and processing of personal data in Nigeria. In October 2022, the Data Protection Bill 2022 was released by the Nigeria Data Protection Bureau (NDPB) as an improvement on the Nigeria Data Protection Regulation 2019 (NDPR).
This bill seeks to establish an independent and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors within the private and public sectors. It deals with four core issues, amongst others: the processing of personal data; protecting the rights of data subjects including a framework for such protection; the establishment of a Data Protection Commission; and the contribution to the legal foundations of Nigeria’s digital economy and an improvement of its appeal for participation in the global marketplace.
Key Provisions of the Data Protection Bill 2022
i. Establishment of the Nigeria Data Protection Commission
The Bill introduces, amongst others, the Nigeria Data Protection Commission (“the Commission”) and tasks the Commission with the power to oversee the full implementation of the Bill. The Commission, which is to be independent, shall:
- promote awareness to data controllers and data processors on their obligations under the Bill;
- promote awareness and understanding of personal data protection and risk to personal data as well as rights and obligations stipulated in the Bill;
- collect and publish information on protection of personal data and breaches;
- license, accredit and register bodies to provide data protection compliance services;
- advise the government on policy issues relating to data protection and privacy; and
- submit legislative proposals to the Minister, including proposals to amend existing laws, to ensure the deployment of technological and organisational measures that enhance personal data protection, and to regulate the processing of personal data, amongst others.
Worthy of note is the Bill’s transitional provision, under which all powers and duties of the NDPB are to be transferred to the Commission. It is our opinion that the establishment of the Commission is a step in the right direction, as a review of the Commission’s functions reveals an intention to expand the regulatory oversight of the existing NDPB.
ii. Application of the Bill to Data Subjects resident in Nigeria
Unlike the NDPR which applies to every natural person residing in Nigeria or Nigerians residing outside Nigeria, the Bill seeks to limit its applicability to data controllers or data processors domiciled, ordinarily resident or ordinarily operating in Nigeria or where the processing of personal data occurs within Nigeria. The Bill will also apply where the data controller or data processor is not domiciled, ordinarily resident or ordinarily operating in Nigeria, but is processing personal data of data subjects in Nigeria.
In effect, the provisions of the Bill will apply where a data controller or processor resides or carries on business in Nigeria, where data is processed within Nigeria, or where the data controller or processor is resident abroad but processes the personal data of data subjects resident in Nigeria. Although “domiciled”, “ordinarily resident” and “ordinarily operating” are not defined in the Bill, it appears that Nigerians living abroad are excluded from its scope. The Bill’s applicability is clearly directed at data controllers and data processors, unlike the NDPR, which focuses on data subjects.
iii. Legitimate Interest as a basis for processing Personal Data
Under the NDPR, the legal bases for processing personal data are consent, contractual obligation, legal obligation, vital interest and public interest. The Bill introduces legitimate interest as a sixth basis, in addition to the five existing bases under the NDPR. Legitimate interest will not, however, be a valid basis for processing where the fundamental rights and freedoms of a data subject override that interest, where the interest is incompatible with the other lawful bases, or where the data subject would not reasonably expect the personal data to be processed in the manner envisaged.
The introduction of legitimate interest as a ground for processing will give data controllers a further lawful alternative for processing personal data. Although the Bill establishes legitimate interest as a basis for processing, it does not define the phrase. It is therefore unclear how broadly legitimate interest will be construed and when it can be invoked.
iv. Registration of Data Controllers and Data Processors of major importance
The Bill requires data controllers and data processors of major importance to register with the Commission within six months of the Bill being passed into law. The quantum of data that must be processed to qualify as a data controller or processor of major importance is not stated in the Bill; instead, the Bill provides that the Commission may prescribe it. Consideration will also be given to classes of data controllers or data processors that process personal data of particular value or significance to the economy, society or security of Nigeria.
In registering with the Commission, a data controller or data processor of major importance must provide, amongst other information, the personal details of its Data Protection Officer (DPO), the categories and number of data subjects, the purposes for which the personal data is processed, and any country to which it intends to directly or indirectly transfer the personal data. Updates are expected to be provided to the Commission within 60 (sixty) days of any significant change to the information provided.
Where, however, the Commission considers a registration to be unnecessary, it shall exempt a class of data controllers and data processors from the registration requirement.
It should be noted that the data controllers and data processors of major importance may be required under the Bill to pay prescribed fees or levies as shall be determined by the Commission.
v. Personal Data Breach
The Bill provides extensively for the steps to be taken in the event of a breach of personal data stored or processed by a data processor. If such an event arises, the data processor is obligated to notify, without delay, the data controller or data processor that engaged it of the details of the breach and to respond to all information requests from that data controller or data processor. Where a breach is likely to result in a risk to the rights of individuals, the data controller is obligated under the Bill to notify the Commission within 72 (seventy-two) hours of becoming aware of it. Other measures outlined in the Bill are aimed at ensuring that the details of the breach are adequately reported and documented, that measures are put in place to curtail its impact, and that a recurrence is prevented.
It appears that the Bill creates a reporting obligation to the Commission only for the data controller, and only where a breach is likely to result in a high risk to the rights and freedoms of a data subject. In determining whether a breach is high risk, regard will be had to the technical and administrative measures in place to mitigate the breach, any subsequent measures taken to mitigate the risk, and the nature, scope and sensitivity of the personal data involved.
vi. Consultation with the Commission prior to processing data that is high risk
By the provisions of the Bill, where processing of personal data is likely to result in high risk to the rights and freedoms of data subjects, prior to processing such data the data controller shall carry out a data protection impact assessment. The data controller is in such a circumstance also obligated under the Bill to consult the Commission prior to processing.
Although this provision appears directed at data controllers, data processors may also find themselves processing personal data that is high risk, and it is unclear whether data processors are obligated to consult the Commission in such circumstances.
vii. Sensitive Personal Data
Unlike the NDPR, which merely defines sensitive personal data, the Bill sets out rules for processing sensitive personal data, including the lawful bases for such processing. The Commission is empowered by the Bill to prescribe rules detailing further categories of personal data that may be described as sensitive, the grounds for processing them and the attendant safeguards.
Provision is also made in the Bill for data controllers to obtain the consent of a parent or guardian where the data subject is a child, or the appropriate individual where the data subject is without legal capacity to consent.
The key innovations in the Bill without doubt create higher obligations for data controllers and data processors, reflecting the high level of accountability expected of any organisation entrusted with the personal data of data subjects. Data, it is said, is the new gold. The gold miners and keepers must have, and indeed demonstrate, the capacity to be accountable for the valuable information they hold.
The Bill provides for the establishment of an “independent” commission and the appointment of a governing council. One question that comes to mind is the status of the Commission as an independent body. A review of the composition of the governing council shows a heavy reliance on the executive arm of government, as the appointment and removal of members lie within the President’s prerogative.
The Minister of Communications and Digital Economy (“the Minister”) also wields considerable power over the governing council, which must submit legislative proposals to the Minister, including proposals to amend existing laws, with a view to strengthening personal data protection in Nigeria. The Commission is also empowered to make regulations on any matter that the Minister considers necessary or expedient to give effect to the objectives of the Act. These seemingly supervisory and oversight functions over the governing council cast doubt on the actual independence of the Commission.
The NDPB may also face difficulty in enforcing the law against erring public and private organisations, according to Ibrahim Oredola, Co-founder of Sanwo Technologies Limited and a data security expert. In his view, the effectiveness of the NDPB in enforcing the law against erring companies will depend largely on two things: political will and enforcement resources.
“However, the effectiveness of the NDPB in enforcing those laws against erring companies will depend largely on two things, political will and enforcement resources. What kind of resources will be given to the NDPB to carry out its mandate? Or will the commission be another toothless bulldog? And all these are determined by the political will of Government. Is the Nigerian government willing to prioritize data protection and privacy issues? As long as these two are present, there’s nothing stopping them,” he said.
Oredola noted that many individuals and organizations in Nigeria may not be aware of their obligations under the NDPB or understand the importance of protecting personal data, and that this can make it challenging to enforce the Data Protection Bill 2022 effectively.
According to him, the NDPB may face resource constraints in terms of funding, staffing and infrastructure, which could limit its ability to carry out its mandate effectively. He also noted that many organizations may lack the technical capacity and expertise to implement the security measures and data protection protocols required by the Data Protection Bill. “For instance, how many companies and organisations collecting citizens’ data have the tech infrastructure to protect them against unauthorised breaches? This will be a great issue,” he said.
He called for a massive publicity and awareness drive so that both public and private organisations start drawing up their own data protection policies in line with the provisions of the Bill, and for investment by the NDPB in developing a robust enforcement regime to ensure that the Bill is taken seriously.
“While the NDPR provides for significant fines and penalties for non-compliance, the enforcement mechanisms may not be robust enough to deter violations effectively. The NDPC will need to invest in developing a robust enforcement regime to ensure that the NDPR is taken seriously. And this enforcement system must be accessible to the citizens.
“For instance, Safe Boda, the mobility company, left Nigeria recently going with hundreds of thousands of Nigerians’ personal data. I am one of their users, and I had to email them to delete all my personal data from their system but up till now, no response. Who do I report them to? How do I get redress? How do I verify that the data has indeed been deleted? These are issues for enforcement considerations,” he said.