Data protection is the process of safeguarding important information from corruption, compromise or loss. The importance of data protection increases as the amount of data created and stored continues to grow. Consequently, a large part of any data protection strategy is hinged on ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key components of data protection; however, where there are no laws to enforce in the event of breach, the value of those rights is lost. In order to uphold the sanctity of these rights, sovereign nations of the world put in place regulations and other mechanisms to guarantee them. Nigeria is not left out in this global community of data privacy and protection regulation. This paper seeks to evaluate the laws which regulate and protect data in Nigeria and how they could impact her data privacy and data protection regime.
Keywords: Data Protection, Data Privacy, Safeguards, Corruption, Compromise.
This paper seeks to interrogate the significant provisions of the National Information and Technology Development Agency Regulation (NITDA Regulation) that impact data protection and data privacy in Nigeria. The challenge of securing data privacy/protection is a worldwide phenomenon. The NITDA Regulation is Nigeria’s most comprehensive attempt yet to tackle this phenomenon and to bring it within tolerable limits.
The world’s most valuable asset is no longer oil, but data1. Data has been described as individual units of information, which may be measured; collected and reported; stored and analysed. In computing, data is information that has been translated into a form that is efficient for movement or processing2. Data is considered to be the ‘oil’ of the digital era3. The world’s most valuable companies include tech giants such as Google, Apple, Facebook and Amazon (GAFA) and Baidu, Alibaba and Tencent (BAT) whose subscribers are routinely required to provide their data to facilitate access. The internet and smartphones have contributed significantly to making data more valuable, available and abundant. Almost every human activity generates a digital trace. For example, our heart beat, our pulse, a running event, navigating through traffic are all activities which produce data when connected to the internet. The more cars, watches and phones that are connected to the internet the more data that can be generated. Artificial Intelligence through algorithms has become so smart today that they can now review contracts, conduct legal research and mediation, predict exposure to disease and determine when a machine needs servicing. The data industry has demonstrated such exponential growth that certain multinationals now position themselves as data purveyors and merchants.
Typically, internet subscribers and social media users are required to provide personal data and sensitive information to facilitate access and use of these platforms. Almost all transactions conducted online require the release of some form of personal data. Although, social media users are often advised of data privacy terms, they do not necessarily preclude the use or sharing of such personal data in specified circumstances. This introduces the risk of having personal sensitive information being potentially shared with or sold to high level security agents or blue-chip companies to enable surveillance and data gathering.
According to a survey by McAfee, more than 40% of people worldwide are of the view that they lack control over their personal data, and one–third of parents do not know how to explain online security risks to their children4. In 2008, there was widespread information regarding how top brands such as Facebook, Panera Bread and Sacramento Bee experienced data breaches that exposed several millions of personal records to abuse by criminals5. There appears to be a lucrative market for data, and hackers tend to sell data they steal to professional scammers.
These worrying statistics and developments have generated widespread concerns around how to improve security frameworks over the personal data we provide, in the knowledge that data protection laws never fully offer complete protection against malicious attacks and users are best advised to understand the basics of data privacy and how to protect themselves. Google, Uber and Facebook have experienced breaches of the private data of users over the years and, on each occasion, these supposedly trusted companies failed to report/disclose the breaches (when they occurred) to enable customers take steps to protect themselves. The failure by these companies to disclose data privacy violations when they should have, underscores the importance of users taking personal data security as their personal responsibility.
The General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the 2018 reform of the GDPR are regulations under EU law concerning data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also deals with the export of personal data outside of the EU and EEA. In Nigeria, while there are several legislations containing ancillary provisions which seek to protect data privacy, the most comprehensive statutory instrument for this purpose is a subsidiary legislation made pursuant to the National Information Technology Development Agency Act, 2007 (‘NITDA Act’). The NITDA Act empowers the National Information Technology Agency (NITDA) to inter alia develop guidelines/regulations for electronic governance and monitor the use of electronic data interchange in both the private and public sectors of the economy6. Deriving from this provision, NITDA then developed and issued the 2013 Guidelines for Data protection and thereafter, the Nigeria Data Protection Regulation 2019 (‘NITDA Regulation’), which is the extant body of rules regulating the subject in Nigeria. A significant feature that distinguishes the NITDA Regulation from other legislation in Nigeria is the element of it being a data protection-specific body of rules as opposed to it being an ancillary provision in a legislation which is not primarily concerned with data privacy protection.
2. RELEVANT LEGISLATION IMPACTING DATA PROTECTION AND DATA PRIVACY UNDER NIGERIAN LAW
Based on the functions of the Governing Board, National Information Technology Development Agency7, NITDA would appear to be the apex regulator for data privacy and protection in Nigeria. However, this is without prejudice to the powers exercisable by the regulators listed in the specific legislations which have data privacy and protection provisions, regarding their enforcement of those provisions in the manner set out in the legislations creating them. The provisions contained in the NITDA Regulation do not also affect the existing rights of natural persons or Nigerians under any other extant law, regulation, policy or contract8.
2.1 NITDA Regulation
In Nigeria, while there are several legislations containing ancillary provisions which seek to protect data privacy, the most comprehensive statutory instrument for this purpose is a subsidiary legislation made pursuant to the NITDA Act. The NITDA Act empowers the National Information and Technology Agency (NITDA) to issue guidelines to cater for electronic governance and monitoring the use of electronic data exchange. Deriving from this provision, NITDA then developed and issued the Nigeria Data Protection Regulation 2019. A significant feature which distinguishes the NITDA Regulation is that it is a data privacy and protection-specific body of rules as opposed to it being an ancillary provision in a legislation whose primary objective is not data protection.
2.2 The 1999 Constitution of the Federal Republic of Nigeria
As is applicable to most jurisdictions, Nigeria’s data privacy and data protection regime emanates from the fundamental legislation of the land i.e. the Constitution of the Federal Republic of Nigeria 1999, as amended (“the Constitution”), which, by virtue of section 37 thereof protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication. Data privacy and protection are thus extensions of a citizen’s constitutional rights to privacy.
2.3 The Child Rights Act
Nigeria adopted the Child Rights Act (CRA) in 2003 to domesticate the United Nations Convention on the Rights of the Child, which is a human rights treaty designed to guarantee the civil, economic, political, social, health and cultural rights of children. The CRA is a legislation to provide for and protect the rights of a Nigerian Child, who is defined as a person under the age of 18 years. Section 3 of Part II CRA incorporates by reference the provisions of Chapter IV of the Constitution, which deal with the fundamental rights of citizens. Also, section 8 of the CRA which covers a child’s rights to private and family life states that a child is entitled to his privacy, family life, home, correspondence, telephone conversations and telegraphic communication.
2.4 Freedom of Information Act 2011(FOIA)
The purpose of the FOIA is to make public records and information held by Government agencies more freely accessible by the public. However, it specifically makes an exception with respect to personal records and information and matters concerning personal privacy. In this regard, section 14 of the FOIA limits Government agencies from disclosing the personal information of citizens unless the individual’s consent is obtained, or the information is publicly available.
2.5 Cybercrimes (Prohibition, Prevention etc) Act 2015 (CPPA)
The fundamental purpose of the CPPA is to establish a framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria. It imposes an obligation on mobile networks, computer and communications service providers to store and retain subscriber information for a period of two years. Significantly, it requires such service providers to accord premium to an individual’s right to privacy as enshrined in the Constitution and to take steps towards safeguarding the confidentiality of data processed.
2.6 Central Bank of Nigeria Consumer Protection Framework 2016 (CPF)
The Central Bank of Nigeria (CBN), in furtherance of its mandate to promote stable financial system, established the CPF to, among other objectives, engender public confidence in the financial system. The CPF itself is a subsidiary legislation made pursuant to the Central Bank of Nigeria Act 2007 (CBN Act) as amended and the Banks and Other Financial Institutions Act, 2007 (BOFIA). The provisions of section 3.1(e) of the CPF are to the effect that consumer information must be protected from unauthorised access and disclosure. In order to enable disclosure, financial services institutions are required to obtain written consent of customers before their data may be shared with third parties or for promotional purposes.
2.7 The Nigeria Communications Commission (Registration of Telephone Subscribers) Regulations 2011 (NCC Regulations)
Pursuant to section 70 of the Nigerian Communications Act 2003 (NCA 2003), the NCC is empowered to make and publish regulations concerning multiple subjects including but not limited to permits, written authorisations, licenses, offences and penalties relating to communication offences. Drawing from this authority, the NCC issued the NCC Regulations which apply to telecommunications companies. Regulation 9 of the NCC Regulations specify that, in furtherance of the rights guaranteed by section 37 of the Constitution and subject to any guidelines issued by the NCC or a licensee, any subscriber whose personal information is stored in the Central Database is entitled to request updates9; to have the data kept confidential10; not to have subscriber information duplicated except as prescribed by the NCC Regulations or an Act of the National Assembly11; and to preserve the integrity of the subscriber’s information12. Also, licensees are required to utilise subscriber’s information in accordance with the law13; likewise, licensees and other named parties are required not to retain biometrics of any subscriber after transmission to the Central Database14. Regulation 10 of the NCC Regulations is to the effect that any release of the personal information of a subscriber must be subject to the consent of the subscriber or in accordance with the provisions of the Constitution of the Federal republic of Nigeria or any other Act of the National Assembly or the NCC Regulations as may be amended from time to time.
2.8 The Credit Reporting Act 2017 (CRpA)
The CRpA was enacted for the purpose of improving access to credit information and standardising risk management in credit transactions. It provides the framework for credit reporting, licensing and credit bureaux. Section 9 of the CRpA is to the effect that Data Subjects i.e. persons whose data are maintained by credit bureaux, shall be entitled to the privacy, confidentiality and protection of their credit information subject to certain exceptions listed under section 9(2) to 9(6) of the CRpA.
3. A REVIEW OF THE NIGERIA DATA PROTECTION REGULATION 2019
The objectives of the NITDA Regulation are to safeguard the rights of natural persons to data privacy, foster the safe handling of transactions which involve the exchange of personal data, prevent acts of manipulation relating to personal data, and ensure that Nigerian businesses remain competitive in the international market place through adoption of legal and regulatory frameworks which secure personal data and meet standards of international best practices.
3.1 Scope of Application
The data protection provisions embodied in the NITDA Regulation extend to all transactions regarding processing of personal data irrespective of the means, all natural persons residing in Nigeria or natural persons outside Nigeria who are citizens of Nigeria, in so far as the operation of the NITDA Regulations does not impair the privacy rights of natural persons or Nigerians under other extant laws, regulations, policies or contracts.
3.2 Governing Principles of Data Processing
Personal data should be collected and processed observing specific, lawful and legitimate purpose as consented to by a Data Subject i.e. owner of the data being collected and processed:
- Personal data shall be adequate, accurate and respect dignity of the human person;Storage of Personal data should be on a need-to-retain basis;
- Personal data should be secured against foreseeable hazards;
- The custodian of personal data owes a duty of care to the Data Subject;
- The custodian of personal data is accountable for his acts or omissions;
- Lawful Processing of Personal Data.
The conditions under which Personal Data would be deemed to have been lawfully processed have been highlighted below15:
- Where consent of the Data Subject has been procured;
- Where processing is necessary for the performance of contract to which the Data Subject is a party;
- Where it is required for compliance with a legal obligation which the Data Controller i.e. the person or body of persons who determine the purposes for which and manner in which Personal Data is being or to be processed, is required to discharge;
- Where it is required to protect the vital interests of the Data Subject;
- Where it is required for carrying out a task in the public interest or in the exercise of an official public mandate imposed on the Data Controller.
3.3 Procuring Consent from a Data Subject
The NITDA Regulation prescribe the circumstances under which consent may be extracted from a Data Subject as follows16:
The specific purpose of collection of Personal Data must be made known to the Data Subject before his consent may be secured and deemed lawful;
- What represents consent for the Data Subject;
- Description of personal information that is collectible;
- Purpose of Personal Data being collected;
- Technical methods deployed to source and store personal information, cookies, web tokens etc.;
- Whether third parties have access, and if so, nature of;
- Principles governing data processing;
- Limited period for exercising remedy;
- No limitation clause would avail any Data Controller who is in default of the NITDA Regulation.
3.5 Data Security and Third-Party Data Processing Contract
The NITDA Regulation imposes an obligation on persons involved in data processing or control of data to develop security measures to protect data including safeguards against hackers, setting up firewalls, employing data encryption technologies and similar approaches18.
NITDA Regulation provides that data processing by third parties should be governed by written contracts between such third parties and the Data Controller19.
3.6 Penalty for Default
Breach of the privacy rights of any Data Subject under the NITDA Regulation shall, apart from other criminal liability, attract, with respect to Data Controllers dealing with more than 10,000 Data Subjects, payment of a fine of 2% of annual gross revenue of the preceding year or payment of N10 million, whichever is greater; and with respect to Data Controllers dealing with less than 10,000 Data Subjects, a fine of 1% of the annual gross revenue of the preceding year or payment of ₦2 million, whichever is greater20.
3.7 Transfer of Personal Data to a Foreign Country and Exceptions
NITDA Regulation circumscribe the manner in which the transfer of Personal Data to a foreign country is to be effected. While observing the provisions of the Regulation and conducting such transfers under the supervision of the Honourable Attorney General of the Federation (HAGF), the following considerations shall be taken into account:
- The foreign country provides an adequate level of protection;
- Legal system and enforceability of human rights in the foreign country;
- Effectiveness of supervising authority for data privacy in the foreign country;
- International commitments of the foreign country with respect to protection of Personal Data.
In the absence of a decision by the HAGF as to the adequacy of the above considerations, such transfers shall only take place where consent of the Data Subject has been secured; transfer is necessary for the performance of a contract or is required for the performance of a public interest purpose; or in establishment, exercise or defence of legal claims or in defence of the vital interests of the Data Subject.
3.8 Rights of a Data Subject
The NITDA Regulation provide elaborately for the rights of the Data Subject and these rights include the minimum requirements for processing personal data, right of the Data Subject to be informed of appropriate safeguards for data protection, rights of the Data Subject to request deletion of personal data in appropriate cases and reiteration of the protection of fundamental rights as afforded by the constitution of the Federal Republic of Nigeria.
3.9 Implementation Mechanism
The NITDA Regulation has established rules which govern the manner in which the provisions of the Regulation should be implemented. The major planks on which implementation rests are discussed below21.
All public and private organisations in Nigeria that control the data of natural persons must publish to the general public their respective Data Protection Policies within three months of issuance of the NITDA Regulation.
Furthermore, a Data Protection Officer shall be designated by every Data Controller to ensure adherence with the provisions of the NITDA Regulation and such Data Controllers are required to ensure continuous capacity building for Data Protection Officers;
NITDA shall register and license Data Protection Compliance Organisations (DCPOs), which shall have responsibility for monitoring, auditing, training Data Controllers on its behalf.
All organisations are required to, within six months of the issuance of the NITDA Regulation, conduct an audit of its privacy and data protection practices having regard to the provisions of the Regulation. Also, where a Data Controller processes the Personal Data of more than 1000 Data Subjects over a six-month period, a soft copy of the summary of the audit mentioned above should be submitted to NITDA.
Finally, on an annual basis, Data Controllers who manage the Personal Data of over 2000 Data Subjects over a twelve-month period, shall no later than 15 March of the following year, submit a summary of the Data Protection audit in the manner specified by the Regulation to NITDA.
4. EFFECTS OF THE PROVISIONS OF THE NITDA REGULATION AND ITS STATUS IN THE NIGERIAN DATA RIVACY AND DATA PROTECTION REGIME
The establishment of NITDA Regulation is one deserving of commendation by all. It is, indeed, the most elaborate attempt by Nigeria to codify the private right to data and its protection. What this portends is that it provides confidence to all stakeholders, local and foreign, who seek to invest and do business in Nigeria that it has data laws comparable to any in the world. It represents an important step towards keeping abreast with the digital revolution and a stamp of approval for the value of safeguarding digital rights within Nigeria. Nigeria’s technological advancement is perennially on an upward trajectory and the net effect of embracing a comprehensive data privacy and protection regime will manifest in a number of positive ways, some of which we have attempted to highlight in the paragraphs that follow.
4.1 Upholding and Guaranteeing the Right to Privacy
The adoption of a data privacy and protection legislation is an acknowledgement of the right of persons to preserve those rights as guaranteed under the Nigerian constitution. This promotes information exchange and development of our digital economy space.
4.2 Reinforcement of Nigeria’s Cyber Security Regulations
With the establishment of NITDA Regulation, Nigeria has assumed a definitive stand on the war against cybercrimes, which has become a domestic and cross-border menace. It has placed Nigeria as a respectable member of the comity of serious-minded nations who are committed to stamping our cybercrimes or, at least, mitigating the debilitating consequences they wreak on several economises across the world. It is important to mention that security upgrades in networks, servers and infrastructures have been a primary source of cyber protection along with other policy and security changes until recently. The passing of the NITDA Regulation has directly impacted data privacy and security standards while also indirectly encouraging businesses to develop and improve their cyber security measures, limiting the risks of any potential data breach.
4.3 Uniformity of Data Protection
Prior to the establishment of the NITDA Regulation, it was safe to assert that Nigeria had no uniform or comprehensive body of rules regulating data privacy and protection save for those earlier highlighted in this paper. The NITDA Regulation has thus, brought about a sense of sanity and standardisation in this space which satisfy international expectations.
4.4 Premium Budgeting for compliance with NITDA Regulations
With consequential enforcement action, this legislation provides a credible basis for cracking down on offenders for non-compliance with its provisions. We expect that companies will increasingly channel resources towards bringing their operations in alignment with the provisions of the NITDA Regulation including appointment of Data Protection Officers.
4.5 Reforms in Marketing
Marketers have, typically, relied heavily on the personalised data gathered from our internet practices and tendencies to reach target markets and shape their campaigns. They will have to get explicit permission to use personal data and be clear about how they gather that information, going forward. The changes and increased barriers brought about by data privacy laws may turn some in-house marketing teams and agencies back to traditional marketing methods. Also, many sites charge their users nothing to use their site but will pay to keep everything running by selling data about their users to advertisers. Some speculate that there may be an increase in sites charging for memberships and subscriptions to maintain their sites without the free data.
Without question, the NITDA Regulation constitutes a transformational attempt to radicalise the data privacy and protection regime in Nigeria. As shown in this paper, several countries of the world have adopted the principles set out in the internationally recognised standards of the GDPR in formulating their domestic laws in this area. Nigeria has similarly followed suit and come up with the NITDA Regulation which encapsulates wholesale changes to what hitherto existed.
We expect a paradigm shift in the way corporations and individuals carry on business and interact with respect to the data in their possession. While we have highlighted scenarios that could landscape this space in a post-NITDA Regulation era, we challenge the government to ensure that its provisions are effectively enforced. A robust enforcement framework primed to give teeth to its provisions will, in our view, enable realisation of its promise.
1The Economist, ‘The World’s Most Valuable Resource is no Longer Oil, but Data’ Economist (6 May 2017) <https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data> accessed 25 October 2019
2Jack Vaughan, ‘Guide to telling stories with Data: How to share analytics insights’ (Techtarget, July 2019) <https://searchdatamanagement.techtarget.com/definition/data> accessed 25 October 2019
3The Economist (n 1)
4 The Manifest; ‘Data Privacy Concerns: An Overview for 2019’ <https://medium.com/@the_manifest/data-privacy-concerns-an-overview-for-2019-2ccea79aa6f8> accessed 5 August 2020
6NITDA Act, s 6(c)
7NITDA Act, s 6(a) – (n)
8NITDA Regulations, Paragraph 1.2(c)
9NCC Registration of Telephone Subscribers, reg 9(1)
10ibid reg 9(2)
11bid reg 9 (3)
12ibid reg 9(4)
13ibid reg 9(5)
14ibid reg 9(6)
15NITDA Regulation, para 2.2(a-e)
16ibid paras 2.3 (1) & (2)
17ibid para 2.5(a) – (i)
18ibid para 2.6
19ibid para 2.7
20ibid para 2.10
21ibid para 3.0(3.1)-(3.8)
Article provided by: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)