By Ademola Adeyoju
This topic is important—first because if you want to begin a career in privacy/data protection, then it is important to have some knowledge of how things work in other climes, especially in Europe, which has the most advanced and most comprehensive regime anywhere in the world, in the form of the General Data Protection Regulation (or GDPR, for short) and the relevant Directives. Understanding the European regime gives one a firm foundation on which to build one’s capacity and expertise.
On a related note, if you have been playing in these fields for a while, then you can attest to the fact that some of the companies/firms you have advised—or are advising—have thought or asked you about the GDPR and its impact on their compliance framework design, usually because they suspect that they offer or will, sooner or later, offer services to persons covered under the GDPR.
Finally, considering that new-generation businesses are going beyond compliance to embrace ethics, understanding the GDPR is essential even when advising clients who are not ordinarily subject to the GDPR, clients who desire to hold themselves to higher standards such as those imposed by the GDPR.
Also, considering the GDPR’s extraterritorial scope (the GDPR applies to all companies that offer goods or services to EU residents, whether their home operation is in the EU or not), it simply makes sense to use the GDPR as the gold standard when advising clients or helping with data protection compliance.
This article will first consider some of the catalysts for the emergence of data protection laws; it will then compare the regimes in the EU and Nigeria, and finally offer a quick analysis of the principal data protection legislation in those jurisdictions (that is, the NDPR and GDPR).
- Catalysts for the emergence of data protection laws in Europe
We will first take a quick look at some of the catalysts that have spurred the development of data protection laws in Europe and Nigeria, for context and clarity’s sake.
In the UK, computer-based record-keeping and its implications for privacy gradually became a concern in the 1960s, leading to the introduction of several unsuccessful bills, the publication of a 1970 report entitled ‘Privacy and the law’, the subsequent setting up of the Committee on Privacy and the Committee on Data Protection, under the respective chairmanship of Younger and Lindop, and the enactment of the UK Data Protection Act of 1984.
The making of the EU GDPR itself was driven by technological developments which have increased the scale of the collection and sharing of personal data and allowed both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.
2.1 Technology and Data-intensive Systems
Perhaps the biggest catalyst for the emergence of data protection laws was—and still is—technology. From the dawn of the computer age in the 1950s to the proliferation of digital machines in the 1960s, governments and private organisations have developed and expanded the capability to aggregate, process, and transfer data over arbitrary paths.
However, there have been concerns about technology and automated data processing, which led directly to governments’ creation of task forces and subsequent legislative responses. For instance, the German federal state of Hesse passed its Data Protection Act in 1970—also the first national data protection law in the world—to address concerns about state surveillance, profiling, and racial discrimination, all of which had become possible through technology. This was soon followed by the Swedish Data Act of 1973, which was the direct outcome of the public concern generated by the development of an electronic identification system based on personal identification numbers, which began in the 1940s, and by the public census of 1969.
Furthermore, in 1977, the German Federal Government enacted its first Federal Data Protection Act—the result of a 1991 draft bill submitted by a federal government-commissioned research group, which drew heavily on the writings of the US authors Alan Westin and Arthur Miller, both of whom had headed state-sponsored commissions of inquiry in the US and had written extensively on how computers and their data processing capabilities could seriously undermine the right to (informational or data) privacy. For further details, see Recital 6 to the GDPR.
2.2 Public Fear and Anxiety
If ‘technology’ was the fire behind the enactment of many DPP laws, then public fear was the fuel. One set of fears relates to the increasing transparency, disorientation and disempowerment of data subjects vis-à-vis data controllers. Another set of fears concerns loss of control over technology.
Regarding the first set of fears, there has always been mass skepticism about the manner in which, and the purposes for which, governments and businesses process citizens’ personal data. There was a time when it was practically impossible for individuals to understand or control how their data was being processed. In a potentially all-seeing state, freedom was thus inhibited and it became difficult to exercise any real democratic rights. This chilling effect is obviously justified in light of the technical possibilities to re-use, misconstrue, re-purpose, and misapply data that had been collected through lawful means. For instance, it was fear of public surveillance, profiling and racial discrimination, and unjust invasion of privacy that led to the mass opposition to the German government’s proposed statistical census of 1983.
Regarding the second set of fears, people fear that the environment resulting from technology’s incredible development and complexity will elude full human comprehension. They warn of a future in which humans will increasingly come under the sway of runaway technology that cannot be effectively steered. With the rise of artificial intelligence and incredible progress in the development and deployment of fully autonomous systems, this fear still exists today. Even the technology mogul Elon Musk thinks AI is humanity’s “biggest existential threat” which “will destroy humanity as a matter of course”.
2.3 Cross-border Trade and Data Flow
The history of trade revolves around the efficient movement of goods and services. As digital commercial transactions and automated data processing became commonplace, it became obvious that the single most important facilitator of global trade would be the free flow and security of data, especially personal data, which many governments and businesses began to realise was economically valuable. (To put this in context, some figures estimate that the value of European citizens’ personal data will grow to nearly €1 trillion annually by 2020.)
Now, as cross-border trade grew in the 1970s, trans-border transfers of computerised data, including personal data, became more common—in airline and ferry boat reservation systems, co-ordination between tax authorities, money transfers, payroll processing, circulation of periodicals, mail orders, credit cards, insurance transactions, and hotel bookings. The need to enact concrete and compatible data protection laws thus became clear. Without adequate laws, it was apparent that the free flow of information across borders—which was necessary for trade and development—would be greatly affected.
In today’s digital and inter-dependent economy, the stakes have become higher. As information is now power and money, international data transfer has become more important than ever and is still driving conversations on DPP regulations and law reforms, especially in the US and EU, where trans-border information flows represent the fastest growing component of trade.
2.4 The Second World War
The Second World War witnessed barbarous and outrageous violations of fundamental rights on an unprecedented level. Many countries conducted intrusive and unwarranted surveillance on their own citizens, under the guise of national security and welfare. Perhaps the most well-known of these incidents happened in Germany, where the Nazi regime used numerous instruments to monitor the public, control behaviour and use citizens to monitor their neighbours, colleagues and friends.
The atrocities of the Second World War—and Italy and Germany’s devastating experiences with fascism and Nazism respectively—directly inspired post-war legislative efforts such as the Universal Declaration of Human Rights, the first document to recognise the right to privacy at an international level. Then, in 1949, the Council of Europe was formed to unite the whole of Europe and promote political freedoms, democratic values, social development, and human rights. (The Council is now an international organisation with 47 member countries, including all EU Member States.) In 1950, the Council adopted the European Convention on Human Rights, still one of the most crucial agreements on privacy and data protection in Europe. The European Convention on Human Rights is based largely on the Universal Declaration of Human Rights and sought to guarantee the right to respect for one’s private and family life, home and correspondence.
- Catalysts for the emergence of data protection laws in Nigeria
While Europe has had comprehensive data protection legislation for a long time—the main features of which have been the traditional protection of certain basic principles of data processing and the establishment of supervisory authorities—the story is a bit different in Nigeria (and Africa), where things are at a pretty nascent stage.
Data protection in Nigeria (and Africa) has largely been driven by economic circumstances: by the need to ensure the sustenance of business process outsourcing from across the Atlantic, and to send signals of trust to entities willing to do business that involves any form of data processing…which in this age basically translates to all forms of business. But why is this a big deal?
Well, you see, Article 45 of the GDPR—which is quite possibly the most influential instrument of all international codes of data protection policy in the world—restricts the transfer of personal data from Europe to third countries if such countries do not provide an ‘adequate’ level of protection of personal data. In other words, a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
In this era where tech start-ups are springing up everywhere in Nigeria, the desire to regulate the processing of personal data by players in the tech industry has also been a particularly serious motivation.
- Comparison between the data protection regime in the EU and Nigeria
Now, let us compare the data protection regimes in the EU and Nigeria.
In comparing the data protection regimes in the EU and Nigeria, the first thing that should be said is that the data protection regime in Europe is the most advanced anywhere in the world.
From the adoption of the European Convention on Human Rights in 1950 to the issuance of the GDPR in 2016, data protection in Europe has grown to the stage where the EU has been accused of legislating for the whole world. Apart from comprehensive legislation in the shape of the GDPR and other applicable Directives, the data protection regime in Europe is further bolstered by a rich compendium of judicial decisions and jurisprudence. (I will share a document on some of the finest cases on data protection in Europe immediately after the webinar—this may be especially helpful if you are ever involved in litigating a data protection suit and need to cite persuasive authorities.)
In sharp contrast to the EU, Nigeria is still growing in this space and our current regime is nowhere near Europe’s. Although the NDPR is seen as ‘revolutionary’ (which it is, in many ways), the truth is that, unlike in the EU, the general approach to data protection regulation in Nigeria (and Africa) has been afflicted with a certain laziness and lethargy. Like most of our laws, the NDPR is a classic example of a legal transplant: it borrows heavily from the GDPR, with several articles containing very similar or identical phrasing. However, the NDPR is not alone. I recently had the privilege of reviewing the data protection bill of a state in Nigeria, which when passed will become the first state-enacted data protection law in Nigeria. During my review, I discovered, to my utter disappointment, that the Bill is an almost exact replica of, and has been copied almost word for word from, the UK Data Protection Act of 1998, which has now been repealed and replaced by the Data Protection Act of 2018 (for clarity, please note that the Data Protection Act of 2018 is a UK law that complements the EU GDPR).
By way of digression, it is noteworthy that here in Nigeria, not only is our regime only just taking shape, there is also a paucity of judicial decisions on data protection/privacy matters. To make things worse, data controllers don’t take compliance seriously, data subjects don’t know what their rights are, and compliance and enforcement are a joke.
Anyway, current data protection law in the EU comprises, principally, the GDPR—which we are going to consider in more depth below—and Directives/Regulations such as Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data in connection with criminal offences or the execution of criminal penalties, and on the free movement of such data (this Directive protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities for law enforcement purposes); and Regulation 2018/1725, which sets forth the rules applicable to the processing of personal data by European Union institutions, bodies, offices and agencies (this Regulation is aligned with the General Data Protection Regulation and the Data Protection Law Enforcement Directive and entered into application on 11 December 2018).
For a high-level summary of the current data protection legislation in Nigeria, I wrote a short guide a while back on the Data Protection Regime in Nigeria. So, to avoid repetition and save time, I will just note that Nigeria does not currently have a comprehensive data protection regulation. What we have instead—apart from the NDPR, which is really a subsidiary legislation—are general and sector-specific legislation.
I will now attempt to compare some of the key similarities/differences between the NDPR and GDPR under six subheadings.
It is germane to state that this is extremely useful knowledge that will come in handy when advising clients, when drafting such documents as a Privacy Notice, or even when discussing data protection law and policy issues. So let us take them one by one.
4.1 Scope of Application
The GDPR applies to: companies or entities which process personal data as part of the activities of one of their branches established in the EU, regardless of where the data is processed; and companies or entities established outside the EU that offer goods/services (paid or free) to, or monitor the behaviour of, individuals in the EU. So, the GDPR would not apply where a company is based outside the EU and provides services to customers outside the EU. Such a company’s clients can even use its services when they travel to other countries, including within the EU, but the company is still not subject to the GDPR if it doesn’t specifically target its services at individuals in the EU.
On the other hand, the NDPR applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all organizations processing personal data of such individuals. To the extent that it applies to Nigerian citizens outside Nigeria, the NDPR also has extraterritorial application.
4.2 Definition and Key Provisions
Remember how I said that the NDPR seriously copies from the GDPR? Well, both laws contain many similar provisions, but there are still huge differences.
So, for instance, while the NDPR and the GDPR provide similar definitions for ‘processing’, ‘personal data’ and ‘sensitive personal data’, unlike the GDPR, the NDPR neither defines nor has any provisions on anonymous data, pseudonymised data, or data processed by automated means.
Also, while the NDPR and the GDPR share some similarities regarding the scope and responsibilities of data controllers, including the appointment of a DPO and the publication of the DPO’s contact details to data subjects, the NDPR does not provide that the contact details of the DPO must be communicated to the supervisory authority (that is, the NITDA).
Another difference is that while the GDPR specifically provides for a Data Protection Impact Assessment in certain circumstances, including when processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where a data controller uses new technologies to process personal data, the NDPR is silent and has no directly equivalent concept. However, the NDPR does require data controllers to have completed, within six months of the NDPR being issued, a detailed audit of their privacy and data protection practices, assessing the impact of technology on privacy and security.
Furthermore, while the GDPR imposes an obligation on both controllers and processors to maintain a record of the processing activities under their responsibility, and specifies what such records must contain, the NDPR imposes no obligations related to record-keeping.
Yet another difference revolves around the reporting obligation of data controllers when there is a data breach (there is currently none in the NDPR—although I should note that this obligation is now included in the Version 2.1 of the Draft NDPR implementation framework).
Finally, unlike the GDPR, the NDPR does not grant special protection to children’s personal data, nor does it specify whether the consent of a parent or guardian is needed when processing children’s data.
4.3 Data Processing Principles
Under both the NDPR and GDPR, the data processing principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
4.4 Legal Basis for Processing
Under both the NDPR and GDPR, personal data may only be processed if at least one of five legal bases is met: (1) the data subject has given consent; or the processing is necessary (2) for the performance of a contract, (3) to meet a legal obligation, (4) to protect the vital interests of the data subject, or (5) for the performance of a task carried out in the public interest.
However, the GDPR goes one step further by including legitimate interests as a lawful ground for processing data.
4.5 Data Transfer
Both the GDPR and the NDPR provide for restrictions on, and exceptions to, the cross-border transfer of personal data to a third country or international organisation—essentially, both stipulate that such a transfer must be made on legitimate grounds, or to a third country or international organisation with an adequate level of data protection as prescribed by the relevant authority. However, the GDPR goes two steps further, as stated below:
Firstly, it expressly allows cross-border transfers based on international agreements for judicial cooperation (which is very important when states need to investigate or prosecute offences).
Secondly, in the absence of a decision on an adequate level of protection, a transfer is permitted when the data controller or data processor provides appropriate safeguards—these safeguards include Binding Corporate Rules, Standard Contractual Clauses adopted by the EU Commission or by a supervisory authority; an approved code of conduct; or an approved certification mechanism.
4.6 Penalties and Remedies
Let me just say that the penalties under the GDPR seem stiffer. Depending on the violation, the penalty may be up to either 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher.
Finally, both the NDPR and GDPR give a data subject the right to lodge a complaint with the supervisory authority.
The GDPR goes further by providing that a data subject may also mandate a not-for-profit body, association, or organisation that has the protection of data subject rights as its statutory objective to represent him/her. Unlike the GDPR, the NDPR does not explicitly provide individuals with a cause of action to seek compensation from a data controller or a data processor for a violation of its provisions.
This article was facilitated by and written under the auspices of the Nigerian Fintech Lawyers (NFL). All rights are reserved. No part of this article shall be used without the express consent of NFL admin group and the author.