By Olumide Babalola
In the early hours of Wednesday, the 5th day of October 2022, Dr. Lukman Abdulrauf, – one of Nigeria’s most prolific academics on data protection – shared the draft Nigeria Data Protection Bill 2022 (the bill) and the interesting piece of document expectedly sparked varying levels of discussions among stakeholders.
For whatever it is worth, the Federal Government ought to be commended for producing an improved version of the abortive 2020 bill which disappeared after the validation workshop held in September of that year.
Now to this new bill, the following are some of my immediate respectful thoughts:
1. Clarity on fundamental rights
As a preliminary point, the bill is commendable for expressly identifying ‘protection of fundamental rights under the Nigeria constitution’ as one of its objectives. This expands the reach of the legislation beyond privacy to dignity of human persons for as long as both rights relate.
2. Exemption of recreational purpose
In addition to personal and household purposes, the bill introduces ‘recreational purposes’ as one of processing exempted from the application of data protection. While it will be interesting to know the drafters’ raison d’etre for this ‘novel’ or ‘strange’ inclusion, the nuances of ‘recreation’ may engender many complexities for the interpretation of this exemption. For example, is the proposed data protection Act exempted from social parties, amateur sporting activities or club activities?
3. Competent authorities
The bill exempts certain activities carried out by competent authorities but omits to define the parameters of entities covered by the wide umbrella. It seems to me and it is arguable that under the undefined term, the Boys scout can also claim to be competent authorities for the purpose of data processing. So that we don’t create new problems while solving the existing ones, we need to properly define and limit the ambit of certain terms.
4. Minister in charge of communications and digital economy
The bill’s fixation on the minister raises at least, two problems. First, the proposed commission, its council members and the national commissioner are already tied to the Minister’s apron’s strings. They submit proposals to the minister, they communicate intention to resign through him, he recommends their removal, they make regulations on matters that he/she considers necessary etc.
The second problem is the confusion that may ensue where we have separate minsters for communications and digital economy or where we do not even have a minister for either of the portfolio. However we choose to look at them, these provisions have already taken away the independence of the commission and its members.
5. Appointment of Governing Council
Still on independence of the commission. Even though the bill provides that the commission shall be independent in the discharge of its functions, independence is not exercised on paper but in deeds and functionalities. The President of Nigeria is empowered to exclusively appoint and fire the council members of the commission without any role for the national assembly in the appointment and dismissal processes. There is also the ‘little favour’ of remuneration of council members which is also exclusively fixed by the President. All these create a familiar situation of – he who pays the piper dictates the tune – for the commission and its council members. Under such an arrangement, a data protection authority cannot be or seen to be independent. Incidentally, in September 2021, I led a team of stakeholders to produce a report on African data protection authorities (DPAs) and their independence. This provision reminds of the ‘sin that easily besets’ DPAs in their functions as regulators. (see https://paradigmhq.org/report/data-protection-authorities-in-africa-dpas-report/)
6. Licencing of Data Protection Compliance Organisations
It is again commendable that the bill has moved away from the erstwhile rigid licensing regime to accommodate the terms ‘accreditation’ and ‘registration’ of entities to aid the commission in its regulatory work. This improvement is important to avoid double or adverse licensing especially when considering lawyers who have been statutorily licenced to practice law and give advisory on issues of law, data protection inclusive. Again, two provisions are conflicting on this. While section 7(n) envisages accreditation and registration, section 35 only contains licencing. This must be resolved in favour of other forms of regulatory inclusion in the earlier section.
7. Designation of Data Protection Officers (DPOs)
The bill obliges data controller and processors ‘of major importance’ to designate DPOs. In spite of the rather long definition provided in the bill, it remains nebulous and a problem waiting to explode especially since the meaning is not conclusive in the same bill. The terms ‘ordinarily resident ‘ and ‘ordinarily operating’ may add to the confusion in the absence of authoritative definition and examples.
8. Omission of some terminologies
The bill contains concepts like recipient, pseudonymization, third parties, profiling, cross border but omits their definitions. The bill also completely omits concepts like joint controllers, anonymization, etc.
9. Transitional provision and the NDPR
Curiously, the transitional provision preserves the NDPR until it expires or replaced etc. It remains doubtful whether this bill, upon becoming an Act is deemed to have replaced the NDPR. This uncertainty needs to be clarified one way or the other.
On the whole, the introduction of this new bill raises new hopes and excitement in the industry. Notwithstanding its drawbacks, if/when passed into law, the new Act ushers in a new era for the privacy and data protection industry in Nigeria.