My Brief Opinions on the Draft NDPA General Application and Implementation Directive (GAID) 2024 Released by the NDPC

By Olumide Babalola

In the last week of May 2024, the Nigeria Data Protection Commission (NDPC) commendably released a draft document titled ‘NDPA General Application and Implementation Directive (GAID) 2024’ to predominantly provide guidance to the provision of the Nigeria Data Protection Act (NDPA). Showing their candid expectation of stakeholders’ comments on the progressive document, the NDPC has released the draft document in anticipation of its scheduled validation workshops across three regions.

After perusing the draft GAID, here are my opinionated views on the highly anticipated document:

Objectives and application

Like the NDPA, the draft also fails to (sufficiently) define the parameters of a controller ‘domiciled’ in Nigeria. One would expect the document to be more practical in its approach by defining ‘domicility’ in terms of incorporation in Nigeria, establishment of liaison offices, subsidiaries etc. Surprisingly, article 2(1) references sub-articles 3 and 4 of the same document as guidance on the domicility of controllers, but those provisions only refer to categories of data subjects.

Reference to an undomesticated Treaty

This may be a good point to comment on the rather ‘over-legalistic’ language of the GAID – a document that proposes to provide guidance to ‘citizens, organisations etc.’
In the same vein, article 1(4)(d) references the International Covenant on Civil and Political Rights, 1976 – a treaty that is not currently enforceable by the Nigerian courts due to its non-domestication, by virtue of section 12 of the 1999 Constitution. Since the NDPA seeks to protect fundamental rights generally, one would have expected a worthy mention of the African Charter on Human and Peoples’ Rights – a domesticated international treaty. Despite the conspicuous omission of privacy in that treaty, its guarantee of dignity has been argued by scholars and jurists as providing backdoor protection for privacy.

Exemptions

Interestingly, article 5(1) says controllers who rely on exemptions must abide by the other provisions not exempted. With respect to the drafters, they lost sight of the position that the NDPA exempts processing activities, not controllers. Hence, if a processing activity is exempted from the application of the entire NDPA, how can reliance be placed on that same Act? For example, section 3(1) NDPA provides that: “This Act shall NOT apply to the processing of personal data carried out by one or more persons solely for personal or household purposes” (emphasis mine). If the provision is clear to the extent that the entire Act does not apply to processing for household purpose(s), one wonders where the Commission derives the power to subject such processing to other provisions of the Act. The article even lists other minimum provisions that must be complied with. Alas! Designation of a DPO is one of them. Does this mean individuals processing personal data for household purposes must designate DPOs? That is certainly not the intention of the legislature.

Processing for household activities

GAID represents an opportunity to provide guidance on the parameters of household processing and examples of activities contemplated but article 6 is bereft of this. In addition to listing activities that may portend risks, this section should provide clarity on activities that will not constitute household processing.

General compliance measure

Article 7 is quite repetitive and incongruous. Items (d) and (h) are substantially the same. Item (j) references ‘organisational privacy policies’, yet ‘the privacy policy shall be in compliance with the NDPA’. This needs some clarification. While ‘the policies’ ordinarily refers to the totality of all privacy documents to be kept by a controller, ‘the privacy policy’ may refer to the notice published on a website. This confusion is further compounded by item (k), which requires ‘organisational privacy policies’ to be published on the platforms. Does this mean controllers are meant to publish all their privacy documents on their platforms? I hope not!

Reliance on Consent

The Special Rule of Law Indexes (SRLI) devised by the Commission are meant to evaluate where reliance on consent will defeat the rule of law. Article 17(5) is therefore faulty for anticipating that other lawful bases will still be supported by the same SRLI. Here, one expects the GAID to give examples of relationships or circumstances where consent should not be relied on, or only sparingly. For instance, consent given in an employment relationship, or where consent is made conditional to a contract for a processing activity that is not necessary for the performance of the contract.

Consent to transborder transfer of data

Article 18(1)(e) requires consent for ‘transfer’ to a country not on the whitelist. Since the NDPA is silent on what constitutes a transfer of data, here is a perfect opportunity for the Commission to provide guidance on the meaning and examples of the concept. In the context of cross-border data flow, it is desirable to have examples of processing activities that qualify as transfer of data so controllers know when their obligations are triggered. For example, cloud computing, cross-border commerce, hotel and air travel reservations, interrelations between multinational companies etc.
Since the Commission proposes to align with international best practices, it may take a cue from the European Data Protection Board (EDPB) by providing factors that must be fulfilled before a processing activity is considered a cross-border transfer of data. In a guideline issued by the EDPB, for there to be a cross-border transfer, there must first be a controller – the exporter of data – so where the data subject is the one exporting, there is no cross-border transfer; secondly, the data must be transmitted by the controller for the purpose of processing by another controller or processor (the importer); and third, the importer must be in a third country outside the EU. In Nigeria, we do not necessarily need to transplant this, but it is desirable to have some guidance on the point.

Alternative dispute resolution

Amusingly, by article 22(1), the Commission, through its own Guidelines, seeks to arrogate to itself the power to review a decision made through an ADR mechanism. The implication of this ‘ambitious’ provision is not only multidimensional; it is impotent, ultra vires and in conflict with the statutory provisions of the Arbitration and Mediation Act 2023 (AMA). First, the provision seeks to overwhelm the Commission with an additional adjudicatory duty not contemplated by the NDPA, unless this kind of appellate jurisdiction is read into its provisions. Secondly, even though the draft document does not define ‘ADR mechanism’, in legal parlance it refers to mediation, conciliation and arbitration – mechanisms regulated by the AMA, a statute which supersedes the provisions of the GAID. Third, the jurisdiction to sit as an appellate adjudicatory body is expressly conferred by statute; no such express provision exists in the NDPA, hence this proposal for the Commission to sit on arbitral appeals is speculative, ultra vires and problematic.

Reliance on public interest

Public interest is a lawful basis that can be easily abused, especially by private data controllers. In article 26, guidance should be provided on whether private entities can rely on this basis, especially in the light of the clause ‘official authority vested in the data controller’ as found in section 25(1)(iv) of the NDPA. Secondly, the draft GAID ought to simplify issues, not further complicate them, as happens in article 26(1)(c) on ‘destitution or deprivation for the benefit of the data subject.’ If this is not clarified, it can be conflated with a condition for reliance on the lawful basis of vital interest.

Reliance on legitimate interest

Since the GAID is meant to provide guidance, relatable examples ought to be provided to further enlighten its users. It will be quite helpful to give instances where controllers can expectedly rely on legitimate interest, for example, direct marketing, fraud detection or prevention, use of employees or clients’ data, intra-group transfer, IT security etc.

Data Privacy Impact Assessment

Article 29(1)(e) curiously references the existence of safeguards under section 45 of the 1999 Constitution, but there are clearly no safeguards in that provision. Rather, section 45 derogates from privacy, hence article 29(1)(e) is misleading.

Privacy by design and default

Article 32(2)(b) references ‘privacy by design and default’ but offers no further guidance on this concept. Since the NDPA does not mention privacy by design or default, the GAID is expected to provide comprehensive information on the nature, essence and process.

Technical and organisational measures

Article 33 requires the controller to implement technical and organisational measures, but as with some other concepts, this is also undefined, unexplained and without relatable examples.

Data Processing Agreement

Article 35(2) requires DPAs to contain clauses on ‘insurance’ without more. It is desirable to provide clarity on what kind of contract is anticipated in DPAs. Sub-article (4) references ‘self-employed worker’, but it should actually read ‘self-employed person’, while it is unclear whether the drafters intend the requirement of training to replace audit even where the individual qualifies as a controller of major importance.

Benchmarking with interoperable data privacy measures

Again, it is worth emphasising that the GAID is meant to simplify compliance with the NDPA, but its wording and some of its terminology are likely to defeat the objective of clarification. One wonders why the GAID repeatedly references the Fundamental Rights Enforcement Procedure (FREP) Rules – civil procedure rules drafted solely for suits filed in the High Courts for the enforcement of fundamental rights. One wonders what the FREP Rules have to do with ‘applicable technical and organisational measures’ as referenced in article 36(2).

Complaint to the Commission

Article 40 should be utilised to emphasise that the exercise of the right to lodge a complaint is not a condition precedent to the right to file a suit for the enforcement of privacy. This is particularly necessary when the conflicting decisions of the Federal High Court and the High Court of Lagos State on the issue are considered. See DRLI v Unity Bank Suit No. FHC/AB/CS/85/2020 delivered 9th December 2020 and Okafor v Okafor Suit No. LD/12264MFHR/21 delivered 5th May 2022. Also, not only does the GAID not define the term ‘Pre-Action Conference’ (PAC), the use of such terminology in article 40(10) is misleading. In legal parlance, a complaint to an executive body like the Commission does not ordinarily constitute an ‘action’; secondly, the word “Pre” before “Action Conference” presupposes that there would be an actual action, but article 40(13) does not speak to any ‘action’; rather, a decision would be given after the final PAC.

Jurisdiction of court

This is a no-go area for subsidiary legislation. The NDPA confers jurisdiction on a ‘court of competent jurisdiction’ – a nebulous definition that cannot be corrected by a Guideline from the Commission, only by a pronouncement from a court. Secondly, it is even erroneous to omit the National Industrial Court from the list when the provision of section 254(c) of the Third Alteration Act is considered.

Definitions

Domicility ought to be defined in the context of incorporation, a liaison office, corporate agency or subsidiary in Nigeria. For clarity, other concepts or terminologies that ought to be defined are: personal or household purpose; minor; privacy by default or design; technical and organisational measures etc.

Other observations

Practical examples: Since the GAID is meant to be a practical guide for understanding the wording of the NDPA, it would be most helpful with practical and relatable examples for laymen’s comprehension, and with less legalese.

Conflict with NDPR: Since the NDPR is still an extant regulation, the GAID needs to repeal the regulation or speak to its superiority in the event of a conflict between its provisions and those of the NDPR. For example, under the NDPR, only controllers processing the data of more than 1000 and 2000 data subjects within 6- and 12-month periods respectively are meant to file audits, but this provision is at variance with the GAID.

Age of consent: Section 31 of the NDPA gives a confusing stance on the age of consent. The GAID ought to clarify the reference to the definition of child under the Child’s Rights Act and the 13 years in section 31(5) NDPA.

Transfer Impact assessment: This should be one of the recommended compliance obligations under cross-border transfer.

Sensitive personal data: Section 30(2) of the NDPA allows the Commission to give directives on further categories of sensitive data and safeguards. Surprisingly, this responsibility for safeguards was pushed to the controller under article 44(2)(c) of the GAID without further guidance. The GAID is meant to simplify this fundamental species of data processing.

Conclusion

Regardless of its shortcomings, the GAID is a commendable step by the NDPC and the drafters must be appreciated for a job well done. However, since it is still in draft form, it must bear the true semblance of a guide on the provisions of the NDPA.
