By Solomon Nwabueze
Nigeria is Africa’s most populated country and largest economy, with a population of around 211 million and a GDP of $467 billion. As of 2020, the number of Nigerians using the internet was estimated at 100 million, with a 46.6% penetration of the population. This figure is projected to grow to 131.7 million internet users by 2023, and internet penetration is set to reach 65.2% in 2025. Furthermore, the COVID-19 pandemic has made digital transformation and transition a top priority for Nigerian governments and businesses. A natural consequence of digitization is the increase in day-to-day activities conducted online. As more users continue to go online, their data and digital rights, particularly the rights to data privacy, are increasingly essential and require adequate protection.
At the core of data protection legislation is the ambition to protect individuals’ right to informational privacy. This is achieved through a series of measures designed to curb unauthorized access to or disclosure of personal information and incidents of data breach in a growing and progressively volatile data environment. A strong data protection framework provides a legal basis for individuals to challenge excessive collection and unlawful use of data, negligent data handling, incorrect documentation of sensitive information and growing corporate and state-sponsored surveillance activities. It is essential to provide the much-needed governance framework and to ensure individuals have strong rights over their data.
Unlike Europe and other parts of the western world, where data protection boasts of rich legislative development, Nigeria does not have such a law-making trajectory regarding data protection, as efforts towards enacting primary legislation on data protection have always proven abortive.
Data protection gained prominence in Nigeria with the issuance of the Nigeria Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA) on January 25, 2019. The NDPR, which undeniably got its inspiration from the European Union’s General Data Protection Regulation (GDPR), now forms the main bedrock for data protection in Nigeria. It is noteworthy that, aside from the NDPR, there are a number of laws and subsidiary regulations which make provisions bordering on data protection.
The NDPR was issued by the National Information Technology Development Agency (NITDA) pursuant to its powers under section 6(a and c) of the NITDA Act. The NDPR is currently the most-encompassing regulation on data protection in Nigeria, and it is hailed as a game changer as it applies to all transactions intended for the processing of personal data. In February 2022, the Federal Government of Nigeria established the Nigeria Data Protection Bureau (NDPB), replacing the NITDA as the regulatory body for data protection in Nigeria.
Inadequacies of the NDPR
It should be noted that some of the lapses in the NDPR, such as the absence of provisions relating to the processing of children’s data, impact assessment and data breach notification, have been addressed by the NDPR Implementation Framework.
1) Limited Scope of the NDPR:
The NDPR applies to all transactions regarding the processing of personal data irrespective of the means; it covers all natural persons residing in Nigeria or natural persons outside Nigeria who are citizens of Nigeria. This restricts the protection offered under the regulation to only the rights of natural persons and fails to take into consideration organizations or juristic persons who may fall victim to a data breach. The safeguard of natural persons from data breach is as important as its consideration and extension to legal entities which process data in any form, especially when taking cognizance of the prevalence and seeming omnipotence of digital hackers and cyber terrorists. Jurisdictions like South Africa and Switzerland extend data protection rights to cover both natural and legal persons.
The NDPR in its territorial scope applies to “natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.” While this can be said to be laudable, enforcing penalties against companies with no physical presence in the country may be daunting especially with the absence of an international cooperation mechanism.
2) Absence of Relief to Data Breach Victims:
The regulation is silent on remedies for victims of data privacy breach. The penalties as contained therein would only generate income for the government at the expense of the actual victims of data privacy breach. One would have expected the drafters to take a cue from the GDPR, which has comprehensive provisions on “Remedies, Liabilities and Penalties”. Worthy of note is the provision under the GDPR on the right to compensation receivable by any person who suffered “material or non-material loss” as a result of infringement under the regulation. This is missing in the NDPR, which seeks to confer a right without giving a remedy in the event of infringement, thereby defying the age-long legal principle of Ubi Jus Ibi Remedium – where there is a right which is wronged, there must be a remedy. The only relief currently available to a victim of data breach in Nigeria is an injunction which restrains the data controller or processor from further processing the victim’s personal data in a manner inconsistent with the regulation. Allowing victims of data breaches to receive compensation or damages will further encourage data subjects to pursue their data rights when they are violated.
3) Conflict of Interest for Data Protection Compliance Organizations (DPCOs):
The DPCOs have the role of conducting audit exercises, evaluating the status of data controllers’ compliance, appraising the adequacy of protection offered to data subjects, and identifying current and potential non-compliance. In reality, however, the DPCOs’ duty of monitoring compliance is tainted by the NDPR’s provision that allows them to consult for data controllers, in what appears to be a striking example of conflict of interest, where a compliance organization simultaneously plays the dual role of external auditor and consultant for the data controller/processor.
4) Regulatory Bottlenecks:
In March 2022, the Federal Government of Nigeria through the Ministry of Communications and Digital Economy designated the Nigerian Data Protection Bureau (NDPB) as the regulatory agency for data protection, taking over from NITDA. The NDPB is charged with the responsibility of overseeing the implementation of the NDPR. The scope of the Bureau’s powers is still unclear as there is no enabling law which establishes the Bureau. The absence of an enabling law can create possible hindrances for the effective administration and functioning of the bureau.
One of the hallmarks of an effective data protection regime is the operation of an independent regulatory authority. There is a need for an independent regulatory agency, free from undue executive influence, to step up in line with international best practices. There is little information as to the level of independence of the NDPB. Going by the manner in which the Bureau was established, through an executive fiat without an enabling statute, it is presumable that the Bureau is under the control of the Ministry of Communications and Digital Economy. As an agency that will be responsible for monitoring and ensuring compliance for both the private and public sector, it is important that the agency enjoys some level of independence.
5) The Constitutionality of Regulating Data Protection:
Lateef and Taiwo (2020) raised questions as to the constitutionality of the powers of the federal government, through the NITDA (the federal government agency which issued the NDPR), to enact laws on data protection. It is said that the statutory functions of the NITDA to monitor, govern and regulate information technology systems and practices, the use and exchange of electronic data, and the internet are not matters specifically contained in or contemplated by either the Exclusive legislative list or the Concurrent legislative list under which the National Assembly may enact federal legislation such as the NITDA Act. It has been argued that such matters are residual and thus reserved for the state houses of assembly in Nigeria. Lagos State has become the first state in Nigeria to initiate a data protection law. The Lagos State Data Protection Bill has passed second reading at the Lagos State House of Assembly and is currently at the consultative stage. The implications of its co-existence with the NDPR continue to be an issue for debate amongst industry stakeholders.
6) Inadequate Awareness on Data Privacy Rights:
One of the major issues regarding the enforcement of data protection rights is the low level of awareness. Most Nigerians do not have sufficient knowledge regarding their rights as data subjects under the NDPR and other relevant legislation that touches on data privacy, thereby making the enforcement of such rights in the event of a breach almost impossible. In Nigeria, many sectors are not familiar with the data protection rules stemming from the regulations because of the accessibility and clarity of the laws. For the data and digital rights ecosystem to function efficiently, the actors and participants in the system need to be aware of the rules they are bound by. Thus far, there have not been too many coordinated and concerted efforts to educate stakeholders on data and digital rights. Sensitization of citizens on what constitutes a violation of their data rights and how they can take action against it is necessary for an attitude shift that will inspire widespread grassroots activism and advocacy.
7) Judicial Attitude to Data Privacy Rights:
There is still uncertainty as to the nature ascribed to data protection, whether fundamental right or tort, under the relevant laws. There is controversy regarding the enforcement of data protection rights under Section 37 of the 1999 Constitution. Section 37 provides for “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications…” Opinion is divided on whether data protection rights can be categorized under the right to privacy provided in section 37 of the constitution, and varying judicial decisions have emerged on the question. In the case of Digital Rights Lawyers Initiative vs. L.T Solutions Multimedia Limited, the court held that the right to privacy under section 37 extends to data protection rights and may be enforced as a constitutional right under the FREP Rules. A similar decision was also reached in Digital Rights Lawyers Initiative v. National Identity Management Commission. Two judicial decisions have held to the contrary. In Digital Rights Lawyers Initiative v. Unity Bank and in the case of Laws and Rights Awareness Initiative v. National Identity Management Commission, the court held that a breach of a data subject’s right is not a breach under section 37 of the constitution and such an action cannot be brought under the Fundamental Rights Enforcement Procedure (FREP) Rules. Outside Nigeria, data rights are increasingly being seen as a human rights issue. Article 8 of the EU Charter of Fundamental Rights, for instance, provides for the right to the protection of personal data. Jurisdictions like California, India, Singapore and Japan are also actively pursuing this idea.
Towards a Primary Data Protection Regulation
In August 2020, the national government published a draft Data Protection Bill which seeks to correct some of these issues. The effort at regulatory reform was being driven on behalf of the Presidency by the Legal and Regulatory Reform Working Group of the Digital Identity Ecosystem Project, which consists of representatives of the Ministry of Justice, FMCDE, NIMC, NITDA, NCC, National Population Commission, NIS, Office of the Secretary to the Federal Government and the Independent National Electoral Commission (INEC). The draft Data Protection Bill was presented for public input from stakeholders and the general public in August 2020 with the aim of enacting Nigeria’s first primary data protection legislation. The Bill, among other things, provided for the establishment of the Data Protection Commission as the supervisory authority for data protection in Nigeria. The 2020 bill, however, seems to have been abandoned, as not much has been heard about it. In November 2021, it was reported that the Federal Government was planning to engage a new consultant for the drafting of a new bill.
As the country continuously transitions into a digital economy, the need to ensure compliance through the proper implementation and enforcement of the data protection laws becomes more necessary. A strong data protection framework helps foster consumer trust and increased use of digital tools, which in turn can incentivize investment, competition and innovation in the digital economy. Establishing a solid data protection regime is a foundational step in developing a broader approach to modern digital governance.
A lot of work still needs to be done in relation to raising awareness on data privacy rights and ensuring that the data protection landscape remains up to date with the ever-changing digitalized world. It is important that the legislature and other stakeholders involved in the process take cognizance of the importance of data protection in Nigeria’s thriving digital economy, amend some of the loopholes in the current regime and ensure the speedy passage of primary legislation. Policymakers’ choices in creating and enforcing data protection laws will further chart a trajectory for how the government and its citizens will interact with data and the digital ecosystem.
Solomon Nwabueze writes from Lagos, Nigeria and can be reached at firstname.lastname@example.org