Being the agency of the Federal Government of Nigeria charged with the responsibility of developing and regulating information technology in Nigeria, the National Information Technology Development Agency (NITDA) is empowered by its enabling Act to create a framework for the planning, research, development, standardisation, application, coordination, monitoring, evaluation and regulation of information technology practices in Nigeria developing standards, guidelines and regulations for that purpose.
Consequently, the introduction of the Nigerian Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA) on 25th January 2019 signalled the gradual institutionalisation of a culture of data privacy and protection in Nigeria. A deeper awareness and appreciation of relevant issues around data privacy and protection has begun to take root. Before the NDPR came into force, Nigeria’s regime of data privacy and protection existed in multiple legislations that sought to protect subject-specific data and information from unlawful use. These ultimately proved inadequate in addressing the concerns of owners, users and regulators of data, thus giving birth to the NDPR.
The NDPR is currently Nigeria’s singular most comprehensive body of rules that govern data privacy and protection, albeit a subsidiary legislation birthed through powers granted under the NITDA Act. In execution of its mandate, NITDA had issued a deadline for mandatory data compliance audit for July 2019, which it subsequently revised to October 2019. Owing to widespread non-compliance with the provisions of NDPR, NITDA was then constrained to initiate the issuance of non-compliance notices to about 100 defaulting companies in December 2019. In addition, NITDA has also embarked upon several investigations into the affairs of the Immigrations Services, financial services institutions and telecommunications companies in its quest to bring sanity into this space.
That being said, NDPR has not been spared the typical challenges that bedevil every new piece of regulation. This article attempts to engage some of these challenges with a view to attracting robust conversations around them and identifying remedial measures that need to be adopted in addressing them.
Challenges Confronting Data Privacy and Protection in Nigeria
Every fledgling piece of legislation comes with teething issues which may range from the need to introduce amendments, adequacy of its provisions to deal with prevailing issues in the industry to which it relates to the ease of its applicability to the environment it covers. We now consider a few of those challenges that require to be addressed if appreciable progress is to be made in this sector.
2.1 Lacuna in the NDPR
Despite NITDA's admirable step of issuing the NDPR in January 2019, concerns have developed about the somewhat restrictive nature of its provisions. For instance, the definition of data under the NDPR 2019 is limited to electronic data thereby excluding matters concerning or relating to paper-based data violations without remedies or protection.
2.2 Status of data privacy and security laws
The world is a data-driven global economy. Nigeria, like any other nation, needs to protect the personal data of her citizens wherever they are, regardless of the means of data processing or the location of the data controller or processor. Before the NDPR was released by the NITDA in January 2019, Nigeria ran with the Guidelines on Data Protection 2013 ('NITDA Guidelines'). However, right from the commencement of the NITDA Guidelines until when repealed, there were lingering doubts over its status and what appeared to be an absence of enablement to enforce its provisions.
Instructively, NDPR represents the most significant sector-specific law regulating data in Nigeria and is clearly more comprehensive than the NITDA Guidelines. In spite of this seeming improvement in regulatory guidance for data privacy and protection, the same affliction that mired the Guidelines has again reared its head with the NDPR i.e. its efficacy is being called to question. Arguments that having been issued by NITDA pursuant to her powers to issue regulations clothe NDPR with the force of law, have not quite cut it with stakeholders. Thankfully, the NITDA has initiated the process of elevating NDPR to the status of an Act of the National Assembly, and in this regard, has published the draft Data Protection Bill 2020 ('the Draft Bill') for public comments. In particular, the Draft Bill aims primarily to promote a code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organisations and government security agencies to collect such data. It is also designed to minimise the harmful effect of personal data misuse or abuse of data subjects and other victims, as well as ensure that personal data is processed in a transparent, fair, and lawful manner, under the data protection principles stipulated in the Draft Bill or any other legislation. Hopefully, this Draft Bill, when made an Act, will be able to address some of the inadequacies of the NDPR 2019.
2.3 Poor Implementation, Application and Enforcement of Extant Regulations.
Beyond the apparent inadequacies that have characterised attempts to institutionalise a data privacy regulatory framework in the country, there are still apprehensions over the ability of government to conform to the provisions of data protection regulations. This is because of the unenviable reputation of the country’s ministries, departments and agencies (“MDAs”) for according scant regard to the laws which enactment they may even have championed. There is thus the concern that the mere elevation of the NDPR to the status of an Act may not be sufficient to effect an attitudinal change.
In spite of the fact that NDPR was designed to take effect from 25th April 2019, with Data Collectors distributing their protection policies, at the minimum, as compulsorily required by under NDPR , there has been little or no compliance with this mandatory requirement, despite the obvious dire implications for flouting its provisions. This author is not aware of any recorded instance of punitive action being taken against defaulters. Also, NITDA has looked on, somewhat helplessly, as the stipulation that every Data Controller should designate a Data Protection Officer to undertake specified functions is flagrantly being violated by corporate organisations and MDAs alike.
2.4 The shortage of judicial decisions on data privacy violations
Judicial precedents constitute the building blocks on which every jurisprudential system is hinged. The Nigerian judiciary is no exception. There is a dearth of questions/issues emanating from the current body of rules regulating the industry before the courts. This state of affairs has and continues to make it extremely difficult for a body of decided cases that could provide guidance for this area to be developed and followed. There are several issues yawning for authoritative resolution and, unless interpreted by the courts, may limit development and growth in this space. For example, the question of the full purport of who a data subject is a daunting enquiry that needs urgent elucidation.
Although, the NDPR 2019 defines data subject to mean an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, the question remains as to whether that definition could be extended to cover companies of any description. The issue of whether only a human entity can have his/her data breached is a very important legal question to broach.
2.5 Issue of Consent to Data Collection
Another important issue is the requirement to secure the consent of a Data Subject before personal data may be sourced and utilised for any purpose. Consent implies that valid consent must be obtained before the collection of data, especially through clear stipulation of the purpose of data collection and indication of the need for additional consent where personal data might be shared with third parties. Furthermore, a Data Controller is required to take and keep a record of the consent of individuals, and there must be provision for withdrawal of consent by such Data Subject at any time (European Data Protection Board, 2016). Regrettably, in Nigeria, both government agencies and private firms have consistently failed to comply with these aspects of the NDPR by their actions, thus causing untold embarrassment and hardship to affected persons. In Nigeria, it is not uncommon to experience data about one being generated and captured by companies and agencies without knowledge of its owner or first seeking and securing consent.
2.6 Lack of Data protection Practitioners in Nigeria
Yet another pertinent challenge facing the industry in Nigeria has to do with the role that a credible professional body could play in ensuring strict adherence to a regulatory framework by all practitioners and stakeholders within both the private and public sectors of the economy. This body may also be charged with the responsibility of monitoring developments in regulatory governance and technology to keep abreast with international standards and best practices. This author expects that professionals such as Data Protection Officers, Data Controllers and similar players would help populate this body and grow it from strength to strength.
It is not unusual for assimilation and acculturation of a new idea to be slow on the uptake by stakeholders. This author expects that over time, internalisation of the broad principles that guide data privacy and protection would occur and, gradually, institutions set up to act as watchdogs for the industry would help engender and bed in a culture of respect for and preservation of data privacy and security.
Article provided by: Uche Val Obi (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)