By Ifeoma Peters
On Monday, 12th June, 2023, the Nigeria Data Protection Bill was signed into law by the President of the Federal Republic of Nigeria, His Excellency, Bola Ahmed Tinubu. The Nigeria Data Protection Act, 2023 (the Act), is the very first principal legislation on data protection in Nigeria. The signing of the Act was a positive response to the various campaigns by stakeholders in the Data Protection ecosystem for a unified primary legislation on data protection. It was believed that a unified primary legislation would help to position Nigeria as one of the progressive countries championing the Data Protection movement globally. It would be recalled, that despite several stakeholders’ engagements and lobbying, the President Mohammadu Buhari’s administration failed to pass the bill into law. Therefore, the passage of the Act by President Bola Ahmed Tinubu few weeks after his inauguration was seen by practitioners as a glimmer of hope and a sign of more positive developments in data protection and privacy in Nigeria.
One of the significant features of the Act was the creation of the Nigeria Data Protection Commission (the NDPC) tasked with the responsibility of ensuring compliance with the provisions of the Act.
Prior to the passage of the Act and the establishment of the NDPC, the Nigeria Data Protection Regulation (the NDPR), a subsidiary legislation of the National Information Technology Development Act (NITDA), was the only law on data protection in Nigeria. NITDA was directly in charge of enforcing data protection compliance in Nigeria. Two years ago, the Nigeria Data Protection Bureau (the NDPB) was set up to take over the data protection regulatory compliance task from NITDA and remained the regulator until the passage of the bill when it transitioned into the NDPC.
Few days ago, a regulation styled as the “Data Protection (Communications Services) Regulations, 2023 (the draft Regulations),” found its way into the public domain. It is assumed that the draft Regulations is a proposed subsidiary legislation being introduced by the Nigeria Communications Commission (NCC) for data protection in Nigeria’s telecommunication sector. Although there has not been any official communication regarding the draft Regulations, a cursory look at same shows that it is a replication of the content of the major provisions in the NDPA. Although the essence of the draft Regulations is still unknown, a wild guess would suggest that NCC plans to initiate a regulation that would enable it take charge of regulating data protection and privacy within the telecommunication sector.
While the introduction of the draft Regulations may appear a laudable idea, data protection practitioners who have been involved in the campaigns leading to the birth of the NDPA and NDPC would not have difficulties in identifying the negative impact the draft Regulations will have on the advancement of data protection in Nigeria. Compliance would become a burden and enforcement would occasion avoidable hardship on industry practitioners, particularly the telecommunication (telecom) industry who are the target of the draft Regulations. Some may in fact see the move by NCC as a clear attempt, to undermine, stifle and render redundant the recently created NDPC, particularly in the telecom industry. What is more? The draft Regulations is silent on the provisions of the NDPA and failed to recognize the existence of the NDPC.
In order to drive home the point being made on the danger of the draft Regulations, let us examine some of the similarities and conflicts between the draft Regulations and the NDPA.
The Similarities and Conflicts between the Draft Regulations and NDPA
Reporting Breach of Personal Data
Section 40 of the NDPA and Regulation 9 of the NCC draft Regulations outline steps that data controllers/processors should take in the event of a data breach. However, the differences in the specific reporting requirements and timelines mentioned in the two laws are potential recipe for contradiction and confusion.
Under the NDPA, in the event of a breach, the initial step is for data processor to notify the data controller. If the breach is likely to result in a risk to the rights and freedoms of individuals, the data processor must also notify the NDPC within seventy-two hours. Additionally, if the breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must immediately communicate the breach to the affected data subject.
In contrast, the draft Regulations mandates licensee (data controller/ processor), to immediately notify the data subject of any leak of their personal information. Furthermore, it requires the data controller to rectify the breach within seventy-two hours of becoming aware of it. The provision also stipulates that the licensee must report the breach to the NCC.
The differences between the two laws regarding reporting obligations and timelines indeed create a contradiction in the steps that data controllers/processors should take in the event of a breach. The NDPA emphasizes the notification to the NDPC, while the draft Regulations focuses on immediate notification to the data subject and reporting to the NCC.
Sanctions for Violations
Both Section 48 of the NDPA and Section 40 of the draft Regulations address the enforcement measures and sanctions that can be imposed on data controllers/processors for violating the provisions of their respective laws. Both laws provide for the imposition of fines as a form of sanction. Section 48 of the NDPA mentions penalties or remedial fees, while Section 40 of the draft Regulations specifically outlines an administrative fine of N10,000,000.00. Both laws emphasize the importance of remedying the violation. Section 48 of the NDPA includes a provision requiring data controllers or data processors to remedy the violation, while Section 40 of the draft Regulations mentions that the infraction should be remedied or discontinued.
The duplication of provisions between the draft Regulations and the NDPA would create challenges and potential hardships for data controllers/processors. When two sets of regulations overlap and impose similar but potentially conflicting requirements and sanctions, it can lead to confusion, increased compliance burdens, and potential contradictions.
In the scenario where both the draft Regulations and the NDPA have overlapping provisions and sanctions, it is crucial for clarity and harmonization to be established. Data controllers may face difficulties in determining which set of regulations to follow and how to comply with both simultaneously. Ideally, efforts should be made to avoid duplicating provisions and ensure consistency and coherence in data protection legal framework. Instead of introducing sector-specific regulations that replicate the provisions of the NDPA, the NCC ought to collaborate with the NDPC and work towards a unified approach that recognizes the authority and expertise of the NDPC in data protection matters.
Consent of a child
Section 31(5) of the NDPA states that the NDPC shall create regulations in line with the objectives of the Act when processing personal data of a child aged 13 and above. This specifically applies to the provision of information and services through electronic means at the child’s explicit request. On the other hand, Regulation 11(5) of the draft Regulations allows for reliance on the consent given by a child aged 13 or older. This consent is applicable for the provision of information and services through electronic means when individually requested by the recipient.
These two provisions indeed present a contradiction. Data controllers/processors faced with these conflicting laws may find themselves unsure about the appropriate course of action.
Cross border transfer of personal data
Sections 41, 42, and 43 of the NDPA establish the basis for transferring personal data to another country, particularly focusing on the adequacy of protection and steps to be taken when adequate protection is lacking. Notably, the Act grants the authority to determine the adequacy of the recipient country’s protection regime. However, Regulation 34 of the draft NCC Regulation seems to introduce a potential conflict of power. It empowers the NCC to determine the adequacy of the recipient country’s protection regime. According to Section 34(2) of the Regulation, licensees are required to obtain approval from the NCC, which will consider whether the location provides a sufficient level of data protection before issuing such approval.
This raises questions regarding the compliance obligations for data controllers and processors who obtain consent from the NCC. Does obtaining consent from the NCC eliminate the need to comply with the requirements listed in Section 41 of the NDPA? Additionally, a data controller (licensee) will become confused whether he can proceed with data transfers solely based on obtaining consent from the NCC without adhering to the requirements outlined in Section 42 of the Act.
The NDPA in Section 38 provides for the data subject’s right to data potability. There is no mandate to a data controller and processor to refuse the data subject the right to data portability, it only provides for the conditions upon which data subject may exercise such right. It also provides the obligations it would impose on a data controller or data processor, in relation to costs and timing. However, Regulation 31 of the draft Regulations, empowers the licensee to refuse data portability in certain cases. This section again directs data subject to refer written complain to the NCC.
As final thoughts on the challenges the coexistence of the draft Regulations and NDPA portends for data protection in Nigeria, below are few of the immediate concerns:
The existence of overlapping and conflicting regulations will create a burdensome compliance process for data controllers and processors. They would need to navigate and adhere to multiple sets of requirements, leading to additional costs and administrative complexities. This duplication of compliance obligations hampers efficiency and would be particularly challenging for organizations operating within the telecommunication sector.
The presence of conflicting provisions between the NDPA and the draft Regulations introduces ambiguity and confusion regarding the interpretation and application of data protection principles. Different standards and requirements set forth in the two laws can make it difficult for data controllers and processors to understand their legal obligations clearly, potentially resulting in inadvertent non-compliance.
Inconsistent Enforcement Mechanism
When two separate regulatory bodies, the NDPC and the NCC, become responsible for enforcing compliance with data protection laws, inconsistencies in enforcement are likely to arise. Different interpretations and enforcement approaches by these entities may lead to unequal treatment and arbitrary outcomes, eroding public trust in the regulatory framework.
Costs and Delay
Duplicity in laws often leads to prolonged legal disputes and litigation as conflicting provisions require clarification and resolution by courts or other legal bodies. This results in delays in legal proceedings, increased legal costs, and a diversion of resources that could have been utilized more effectively.
Addressing these challenges requires coordinated efforts and a streamlined approach to data protection regulation in Nigeria.
It is important to note that allowing the NCC to proceed with establishing a sector-specific regulation that disregards the NDPA entirely would set a precedent for other sectors to create their own separate data protection regulations. This would lead to fragmentation and setbacks within the Nigerian data protection landscape. Looking at the European context, the General Data Protection Regulation (GDPR) is a uniform legislation recognized across all European countries. Similar harmonization of data protection laws is crucial for the development of a robust data protection ecosystem in Nigeria.
In conclusion, it is essential to recognize that the NDPA, as an act of the National Assembly, takes precedence over any proposed subsidiary legislation such as the draft Regulations. The NCC should focus on collaborating with the NDPC to ensure that the telecom industry is adequately addressed and regulated under the NDPA. If the NCC intends to introduce industry-specific regulations, those regulations must emanate from the NDPC as Regulations made pursuant to the NDPA. This position will also apply to any other sector that believes that its operations have some unique features which needs to be specifically addressed. A situation where every sector decides to introduce a regulation seeking to data protection within its sector is not appropriate and it is antithetical to the spirit of the NDPA and the creation of the NDPC.
Ifeoma is the Managing Partner at DNL Partners
DNL Partners is a licensed Data Protection Compliance Organization (DPCO).
Ifeoma may be reached by email through email@example.com.