The National Information Technology Development Agency (NITDA) recently issued the Nigerian Data Protection Regulation 2019. Of a truth, this is a bold attempt by a government agency to push the bounds of its inherent powers. Generally, most government agencies have been too shy to, on their own, embark on initiatives that would foster social and economic growth in the country, with few exceptions. An important reason for delegated legislation is to ensure that expert agencies of government are empowered to make necessary rules for specialized aspects of the society. Information technology an its derivatives such as electronic data fall under that special genre of legislative items that need constant review, improvement and stakeholder inputs.
The lack of a data protection regulation in Nigeria had hitherto been a major turn-off to foreign investment and opportunities for Nigerians. The EU General Data Protection Regulation which came into effect on 25th May, 2018 made businesses liable if they or their contractors handle European citizens’ data without complying with the GDPR. What this meant was that entities of European origin or having European affiliation could not contract non-compliant Nigerian companies to provide service for them, even in Nigeria. This of course, has led to further job and opportunities loss. For this reason alone, it is pertinent for Nigeria to quickly issue an enforceable data protection regulation. it is for this reason that the effort by NITDA at issuing this regulation should be applauded and supported. This is without prejudice to the powers of the National Assembly to enact a Data Protection Act.
Authority of NITDA to issue the NDPR
NITDA was established pursuant to Strategy 19 of the National Information Technology Policy 2000 which states-
In order to achieve the short to medium term objectives of this policy with maximum effectiveness, Government will establish a National Information Technology Development Agency (NITDA) to implement the IT Policy, regulate, monitor, evaluate and verify progress on an ongoing basis… This strategy was quickly implemented as the Agency was established in 2000 with an over-arching mandate to create a framework for the planning, research, development, standardisation, application, coordination, monitoring, evaluation and regulation of information technology practices, activities and systems in Nigeria.
The NITDA Act was enacted in 2007. Section 6 of the Act establishes the mandate of the Agency. Section 6 a, c are relevant for our current discussion.
The Agency shall-
(a) Create a frame work for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices, activities and systems in Nigeria and all matters related thereto
(c) Develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information.
It can be deduced from this that the Agency has the mandate to regulate electronic governance and electronic data interchange. The Regulation which was made pursuant to this section speaks for itself. Except there is an express overriding enactment of the National Assembly on the same subject, the NDPR remains the national law on data protection. While the debate on the optics of having a subsidiary legislation on a subject as important as Data Protection rages, it must also be noted that there has been no one-size-fit-all approach to data protection regulation. Europe has a continental legislation that binds its member countries, while the US has a federalist structure where each state makes its data protection law. In many African countries, there is a national law on the subject.
Nigeria’s model may be another landmark in the progression towards an acceptable global data protection regime. Most of the preceding models have been bedeviled with the problem of inadequate details in the face of multifaceted issues in data protection regulation. Since modern data emanates majorly from electronic platforms, it is difficult to make laws that would cover all the bases. The ability of government to be able to timeously reform and reissue the regulation may be an advantage. On the other hand, fluidity of the data protection regime may limit public confidence in the law. Nevertheless, the NDPR has come to the rescue of Nigerian businesses at this point where there is no legislative issued law on the subject.
Femi Daniel Esq. LL.M; B.L
Technology Lawyer; Author- COMPUTER LAW IN NIGERIA (2015)