Objectives of the Regulation
The drafters of the Regulation in the preamble addressed the issues of authority of the Issuer, the pervasiveness of information technology systems, platforms and practices in modern day business and society, the emerging global realities in respect of data protection and the import of data protection regulation on the stakeholders. Preamble to the NDPR, although novel in regulations drafting in our clime, should not be compared with the flowery 173-paragraph preamble of the GDPR.
The stated objectives of the NDPR are as follows-
a) to safeguard the rights of natural persons to data privacy;
b) to foster safe conduct of transactions involving the exchange of personal data;
c) to prevent manipulation of personal data and
d) to ensure that Nigerian businesses remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practices.
The objectives of the NDPR is apt and comparable to other global equivalents. The fourth objective on competitiveness of Nigerian businesses in international trade is critical in view of the fact that EU GDPR requires non-EU countries to have comparable and acceptable data protection laws. Where non-EU countries do not have such law, they cannot process EU citizens’ data except they show compliance with the EU GDPR standards. This, would limit the competitiveness of Nigerians as the capacity for compliance with GDPR would be low.
Application of the Regulation
Article 1.2 of the NDPR provides that the Regulation applies to all transactions intended for the processing of personal data and to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent. It has been argued in some quarters that the “NDPR covers transactions intended for the processing of personal data and person(s) residing in Nigeria or residing outside Nigeria but of Nigerian descent. But unlike the GDPR, it appears that the DPR does not apply to persons and entities outside Nigeria that collect, store, or process data of persons in Nigeria.” One of the current challenges of the GDPR enforcement is its expansive global scope. The NDPR seeks to restrict its scope to data subjects resident in Nigeria or of Nigerian descent. However, data controllers, processors or administrators resident outside Nigeria seems not to be impacted by the Regulation.
It must be recognized that various factors influence the approaches to the making of data protection laws. Some of these factors are- experience and global economic status. The GDPR is not EU’s first attempt at data protection. Indeed, Article 94(1) of the GDPR repeals Directive 95/46/EC which dealt with Data Protection. The experiences garnered from implementing the Directive, which has been in existence since 1995, contributed to the current Regulation. Also, nations would be increasingly forced to choose between strict data protection regulatory regimes and economic opportunities emanating from relaxed data protection regimes. This reality is what the Regulation sought to accommodate. In extra-territorial breaches, the NDPR relies on a reported breach by a Data Subject to activate remedial actions. Aside from Data Protection law, nations, have had bilateral or multilateral treaties which cover mutual legal assistance protocols. When there is a reported breach, Nigeria can use this medium to institute actions against the Data Controller.
It is also unrealistic and inhibitive of desperately needed foreign investment and opportunities, for Nigeria to aim too high at this point. Moreover, most of the major data processors such as Google, Facebook, WhatsApp etc. all have a Nigerian office, in that regard, the enforcement would apply to them when in breach, even when such occurred outside Nigeria.
Data Subjects Rights
The NDPR provides the most detailed rights to a Data Subject under Nigerian laws. Article 2.13 gives the Data Subject right to-
a) Concise, transparent, intelligible and accessible information on processed data;
b) Information on reason for non-action on Data Subject’s request;
c) Proof of excessive character of request where claimed by Data Controller;
d) The following information prior to Data Collection-
- The identity and contact of the Controller
- The Contact of the Data Protection Officer
- Purpose and legal basis for processing of personal data
- Legitimate interests of controller or associated 3rd party
- Recipients of personal data
- Indication that data would be transferred to a 3rd country (where applicable)
- Period of storage
- Existence of right to withdraw consent at any time
- Right to complain to relevant authority
- Whether provision of personal data is statutory or contractual requirement etc.
A breach of any of these rights entitles the Subject to approach the Administrative Redress Panel (ARP) which is empowered to administratively determine issues arising from the Regulation. This is without prejudice to the right of Subject to seeking remedy in a competent court of law. This provision is another novel input made to the Regulation. Considering the technical nature of data protection, it is practically impossible for regular courts to resolve myriads of complaints brought by Data Subjects in a timely and efficient manner. The window of ARP is an efficient and effective means of Data Protection causes resolution.
Femi Daniel Esq. LL.M; B.L
Technology Lawyer; Author- COMPUTER LAW IN NIGERIA (2015)