Ifeoluwa Ebiseni, Nenjom Asuk & Ademayowa Borokinni
Since the issuance of the Nigeria Data Protection Regulation in 2019 (NDPR), stakeholders have clamoured for a more robust data protection instrument to adequately provide for the collection and processing of personal data in Nigeria. Consequently, there have been several unsuccessful attempts to pass a Data Protection Bill into law since 2018.
The Nigeria Data Protection Bureau (“NDPB”) released the Data Protection Bill 2022 (“the Bill”) on 6 October 2022. The Bill appears to be a beacon of hope for final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 2022.
This Bill seeks to establish an independent and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors within the private and public sectors. It deals with four core issues, amongst others: the processing of personal data; protecting the rights of data subjects including a framework for such protection; the establishment of a Data Protection Commission; and the contribution to the legal foundations of Nigeria’s digital economy and an improvement of its appeal for participation in the global marketplace.
In this article, we examine the Bill and highlight the attendant issues which need to be addressed before the passage of the Bill.
Applicability of the Bill
Part I of the Bill states that it will only apply where: the data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Nigeria; the processing of personal data occurs within Nigeria; or the processing of personal data of a resident of Nigeria where the data controller or data processor was actively marketing to, targeting or monitoring such residents within Nigeria.
The following issues are immediately noticeable from this part of the Bill:
a) The provision on the applicability of the Bill seems to be a derogation from the NDPR, which based its applicability on the data subject, as opposed to the controller or processor. The Bill also does not define the terms used. The test to determine whether a controller or processor is domiciled, ordinary resident or ordinarily operating in Nigeria is unknown.
b) The Bill does not apply to the processing of personal data done by a data subject solely during a personal, recreational or household activity. While personal or household activity is a reproduction of the exceptions under the DPIF, the meaning and scope of, “recreational activity” as contemplated under the Bill remain “uncertain”.
c) The Bill also exempts the application of rights and obligations contained in Parts VI to X (other than the principles governing the processing of personal data) from applying to a data controller or processor when processing personal data. This includes processing carried out by “competent” authorities in certain instances; and publication in the public interest for journalism, educational, artistic and literary purposes. The Bill does not define competent authorities or explain the scope of exempted publications.
Independence of the Commission
The Bill makes provisions for the establishment of an “independent” commission and the appointment of a governing council. One question that comes to mind is the status of the Commission as an independent body.
A review of the composition of the governing council of the Commission shows a heavy reliance on the executive arm of government as the appointment and removal of the members lie on the President’s prerogative. The Minister of Communications and Digital Economy (“Minister”) also wields so much power over the governing council, as it has to submit legislative proposals to the Minister, including amending existing laws, with a view to strengthening personal data protection in Nigeria. The Commission is also empowered to make regulations on any matter that the Minister considers necessary or expedient to give effect to the objectives of this Act.
These seemingly supervisory and oversight functions over the governing council casts doubt on the actual independence of the Commission.
Legitimate Interest as a legal basis for processing personal data
A significant improvement on the NDPR, which has been included in the Bill is the recognition of legitimate interest as a lawful basis for processing personal data.
Under the present regulatory regime, controllers and processors have been limited to consent and performance of contracts as their recourse for processing personal data. Certain processing activities, for instance, such as employer-employee relationships which should ordinarily be covered by legitimate interest (with safeguards), were left to be covered by consent, which would then leave us with the question of whether consent in this instance is actually freely given, considering the power imbalance.
Thus, the inclusion of legitimate interest, which can cover such situations, is a commendable addition to the body of rules on data protection in Nigeria.
Data Protection Impact Assessment
The Bill makes provision for the need for a Data Protection Impact Assessment (“DPIA”). As an improvement on the former regime, the Bill defined a DPIA and also empowered the Commission to issue guidelines and directives on DPIA, including the categories of processing subject to the requirement for a DPIA. This is an improvement on the provisions of the NDPR which did not expatiate on the subject.
Sensitive Personal Data
The Bill states rules on the processing of sensitive personal data, which is an improvement on the NDPR which had little or no provision other than the definition of the term. It also gives a long list of the lawful basis for processing sensitive personal data. It further states that the Commission may prescribe in rules, further categories of personal data that may be classified as sensitive personal data, further grounds on which such personal data may be processed, and safeguards that may apply. It also stated considerations to be looked into, in prescribing these rules.
The Bill states that, when a data subject is a child or another individual lacking the legal capacity to consent, a data controller shall obtain the consent of a parent or other appropriate legal guardian of the child or other individual, as applicable, to rely on consent under section 26(1)26(a) or 32(1)32(a) of the Bill.
Data Protection Compliance Organisations
The Bill also makes provisions for the power of the Commission to licence a body to carry out data protection compliance services.
Whilst it is unclear if this role will be carried out by the data protection compliance organisations (DPCOs) under the extant regulations, the intent of the Bill is to vest in the “body”, the power to impose sanctions on data controllers and processors.
It may thus be problematic to effect this under the current regime for DPCOs in Nigeria.
Rights of a Data Subject
While the Bill provides a more comprehensive approach to the rights of the data subjects (compared to the NDPR), the rights outlined in the bill are still not encompassing when compared to the European Union (EU) General Data Protection Regulation (GDPR).
The GDPR thoroughly explains the rights of data subjects, how the rights can be exercised, the process of exercising the rights, limitations to the exercise of the rights etc. However, these are not clearly expressed in the Bill.
In addition, the Bill does not provide a timeline for responding to rights requests. For example, while the GDPR provides that the controller shall provide information on steps taken to address the request within one month or a further two months, the Bill provides no such timeline. Although the Bill provides that the request shall be attended to without unreasonable delay, what amounts to unreasonable delay was not specified.
It is thus recommended that the rights in the Bill be expressly explained, and a time frame affixed.
The provision of data security in the Bill is an abridged replication of the provisions of the GDPR. Although the Bill makes provisions for pseudonymization and de-identification of personal data, there is no comprehensive regulatory framework on pseudonymization and de-identification in Nigeria. This may pose problems in the future.
It is however worthy of note that the Bill provides a detailed data breach management procedure. The data controller may extend the known seventy-two-hour reporting period to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Commission the grounds for such extension, including supporting evidence. The data controller and data processor are also mandated to keep a record of all personal data breaches.
Cross-Border Transfer of Personal Data
The provisions of the Bill on cross-border transfer are complicated. The draftsman, in the opening section, seemed to have intended to shift from the requirement for an adequacy decision. It perhaps would have achieved the effect of shifting the focus from the protection afforded in each jurisdiction (adequacy decision) to the security and protection measures of the controllers and processors (i.e. a risk-assessment-focused approach) or offering both as alternates.
The Bill provides that personal data shall not be transferred from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the Bill, and upon the application of one of the laid down conditions in the Bill. It however complicates this provision by adding a long list of measures for assessing the “adequacy of protection” afforded. For instance, it requires: the existence of any legally binding instrument between the Commission and a relevant Public Commission in the recipient country addressing the elements of adequate protection referred to in subsection; the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement powers; international commitments and conventions binding on the relevant country; and its membership of any multilateral or regional organisations.
This brings us back to the GDPR model. Under the GDPR, the transfer of personal data outside the EU and the European Economic Area (EEA) is based on three exceptions- adequacy, appropriate safeguards and derogation. It would appear that the draftsman intended to adopt this in the Bill. However, the Bill has certain shortcomings in comparison to its counterpart. An example is a reference to binding corporate rules and standard contractual clauses, with no guide or pre-approval in relation to the clauses. This is no improvement from the presently confusing provisions of the DPIF. What the draftsman has essentially done is muddle up the concepts of adequacy decision and appropriate safeguards. Perhaps, the intention is for the Commission to exercise its powers in making up for the lapses by issuing regulations and guidelines that will provide further clarity on these matters.
While some of the provisions are substantially the same as those provided for under the NDPR, the Bill also makes novel additions to the legal framework of data protection in Nigeria, such as the establishment of an “independent” body called the Nigeria Data Protection Commission (“Commission”), a new classification of data controllers and processors called “data controllers and data processors of major importance” and compulsory registration with the Commission and the recognition of legitimate purpose as a legal basis for processing data, among others. Clarifications and changes, as highlighted in this article and by other stakeholders need to be made to ensure that the Bill, when passed, does not pose more problems than it seeks to solve.