By Oghenechovwe Toka & Etisang Solomon
INTRODUCTION
To ensure that the personal data of data subjects are handled ethically and fairly, several regulations and laws guiding the processing of personal data have been promulgated in Nigeria. The most recent is the long-anticipated Nigeria Data Protection Act 2023. However, regulations and laws alone cannot guarantee the protection of personal data hence the importance of Data Protection Authorities (DPAs).
DPAs are independent public agencies that supervise and oversee the enforcement of data protection laws through the use of their quasi-legislative, investigative, and corrective powers. They address complaints involving outright breaches, and violations of data protection laws and offer advisory on data protection matters. The most important, of its functions, is to enforce the legal safeguards provided under the Act for the processing of personal data and protection of the rights of data subjects.
By virtue of the recent enactment of the Nigeria Data Protection Act, 2023 (the Act), the Nigeria Data Protection Commission (NDPC) was established. The NDPC is the enforcement, supervisory and regulatory authority for data protection and privacy in Nigeria – a function previously performed by Nigeria Data Protection Bureau (NDPB) and the National Information Technology Development Agency (NITDA) before it. The NDPC is set up and empowered as the sole data protection authority to attain the objectives of the NDPA 2023 and is headed by the National Commissioner (Section 65). It also derives its policy direction from the Governing Council.
This article gives brief insights into the areas where the NDPA 2023 empowers NDPC to make further regulations, directives, guidelines, and codes.
THE POWERS OF THE NIGERIA DATA PROTECTION COMMISSION(NDPC)
The Nigeria Data Protection Commission (NDPC) is established by section 4 of the Act as Nigeria’s sole DPA. A summary of its functions as copiously provided in Section 5 of the Act shows clearly that NDPC is instituted to independently see to the implementation of the Act and to check compliance with international best practices relating to the regulation of data protection and privacy (Section 62).
Under the Act, the NDPC is empowered to ensure compliance, fix registration fees, make regulations and give directions, receive and resolve complaint, investigate violations and penalize erring controllers (Section 6)
The NDPC by virtue of section 6(c) of the Act has been empowered with powers to issue regulations, rules, directives and guidance on any matter the Commission considers necessary or expedient to give full effect to the objectives of the Act.
The miscellaneous provisions of the Act further empowers the NDPC to make regulations on its financial management; protection of personal data and data subjects; discharge of its duties and functions; forms and applications; procedures of submission of complaints to the commission; frequency of filing and contents of compliance returns; fees & charges; and any matters the Commission considers necessary or expedient to give full effect to the intent of the Act (Section 61 (1)& (2)a-i).
The regulations made under the Act by the Commission may, create offence and impose penalties, however not more than what is prescribed under the Act (Section 61(3)).
It is worthy of note that section 61(4) of the Act provides that the Commission may, prior to making any regulation under the Act, publish a draft of such regulation on its official website, inviting the public to submit comments on the proposed regulation within a stipulated time.
NDPA PROVISIONS REQUIRING NDPC TO MAKE FURTHER GUIDELINES/ DIRECTIVES
While we await the NDPC’s actions, below are some of the notable provisions of the Act that give express powers and authority to the NDPC to issue regulations, rules, directives, and guidance:
- Self-Regulation: The NDPC is mandated to make staff regulations, relating to the conditions of service and discipline of staff of the commission as seen in Section 17. The commission may also where necessary issue directives on the conduct of the business of the commission, budget & expenditure, governance code and other matters relevant to the operation of the Commission with the aim of fostering accountability, transparency and compliance with international best practices relating to the regulation of data protection and privacy (Section 62).
- Sensitive personal data: The Act equally empowers the NDPC to issue regulations prescribing the types of personal data that may be exempted from the application of the Act (Section 3(3)). Furthermore, in Section 30 (2) of the NDPA 2023, the Commission may make regulations and directives prescribing more categories of personal data that may fall under the class of sensitive personal data (section 65), lawful bases for processing such sensitive personal data as well as applicable safeguards that should apply to such sensitive personal data. In providing directives on applicable safeguards for the processing of sensitive personal data, the Act provides that the NDPC should have regard for the risk of harm that may be caused and confidentiality of the affected class of data subjects as well as the adequacy of protection afforded to personal data generally.
- Exemption; Data processing refers to any activity done with personal data. The NDPC is directed by section 3(4) to issue a guidance notice containing legal safeguards to a data controller or processor, in respect of data processing exempted from the applicability of the Act where in the opinion of the Commission, such processing violates or is likely to violate the principles and lawful basis of data processing.
- Age of Consent; Children lack the legal capacity to give consent for the processing of their data. The Child Rights Act defines a Child as a person under the age of 18 and mandates that when a child is concerned, their best interest is to take precedence. The Act in section 31(5) provides that the NDPC may make regulations in accordance with the objectives of the Act where the circumstances relate to the processing of personal data of a child of 13 years and above in relation to the provision of information and services by electronic means at the specific request of a child of 13 years and above. We hope that in giving expression to the provisions of this NDPA under this section, the Commission will take into strict consideration the best interest of the child with regard to the protection of the personal data and privacy of Children.
- Data portability: Section 38 (1) & (3) of the Act gives the NDPC the authority to make regulations establishing a right to personal data portability. The Commission may prescribe the circumstances and conditions on which the right to data portability can be exercised by the data subject as well as the obligations and categories of data controllers and data processors in relation to cost and timing.
- Data breach: The Act warrants the NDPC in Section 40 (6) to issue and publish regulations on steps to be taken by data controllers to adequately inform data subjects of personal data breaches where such breach is likely to result in a high risk to the rights and freedoms of a data subject.
- Cross-border transfer of personal data: The Act has also permits the NDPC to make regulations in relation to cross-border transmission of personal data and adequacy of protection of such transfers of personal data out of Nigeria. The said regulation may require data controllers and data processors to notify the NDPC of the measures they have put in place in compliance with the basis for cross-border transfers, as well as designate categories of data that are still subject to restrictions from cross-border transfer based on the nature and risk to data subjects. See Section 41(3) & (4), 42 (3).
CONCLUSION
The Nigeria Data Protection Commission as the independent supervisory authority with the responsibility of enforcement and implementation of the Nigeria Data Protection Act, 2023 must work to cover the lapses and deficiencies in the provisions of the Act. We see that the Commission by virtue of the provisions of the Act is no ‘toothless dog’ as the Act makes so many windows for the Commission to guide, enforce, and supervise the protection of personal data in Nigeria.
As we await the exercise of the powers of the NDPA to issue directives, codes, and guidelines to attain its objectives we recommend that this power is exercised judiciously and ethically to cover the gap areas in the provisions of the Act with the aim to safeguard the fundamental rights of data subjects and fostering accountability, transparency and compliance with international best practices relating to the regulation of data protection and privacy.
The Authors:
Etisang is a Senior Associate with Olumide Babalola LP. He is an experienced legal expert on policy making, data privacy and protection, and has a wealth of experience helping startups navigate the intricate landscape of Nigerian and international regulatory and compliance requirements.
Oghenechovwe is an in-house legal counsel with exceptional experience in regulatory compliance, immigration, insurance and offering high-quality legal advice to companies with steller results.