Overview of Data Protection in Nigeria

INTRODUCTION

With the European Union’s General Data Protection Regulation (GDPR) coming into force in 2018, the prioritization of data protection by States has increased significantly. Protection of personal data has assumed an international human rights status. Paragraph 12 of the Universal Declaration of Human Rights (1948) and the International Convention on Civil and Political Rights (1966) provide that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” In Nigeria, the path to developing a data protection law has been protracted, with multiple yet unsuccessful attempts to adopt a law. The National Data Protection Regulation adopted by the National Information Technology Development Agency (NITDA) in 2019 as a subsidiary regulation has proved inadequate and has only further emphasized the need for a comprehensive personal data protection framework.

This overview centers on the data protection regime in Nigeria, and the role of Nigerian lawyers in the Data Protection Sector.

DATA PROTECTION LAW – LEGAL FRAMEWORKS

Simply put, data protection is the process of securing digital information while keeping data usable for business purposes without trading away customer or end-user privacy. The intent of data protection laws is to place human beings at the center of technological advancement. Today, everyone has personal details online which, if mishandled, can be exploited unscrupulously to harm users for financial gain. It has therefore become imperative to regulate how vast amounts of personally identifiable data are managed.

Although Nigeria does not have a specific statute regulating data privacy and protection, the National Information Technology Development Agency (NITDA) commendably came up with the Nigeria Data Protection Regulations (NDPR) in 2019, which specifically address data privacy and protection in Nigeria.

Nigeria Data Protection Regulations (NDPR)

On 25 January 2019, the NITDA issued the NDPR pursuant to its powers under Sections 6 (a) and (c) and 32 of the NITDA Act, 2007. The Regulations have introduced a new data protection framework with pioneer compliance requirements for organizations that deal with the data of individuals. The objectives of the Regulations include safeguarding the rights of natural persons to data privacy, preventing manipulation of personal data, and fostering the safe conduct of transactions involving exchange of personal data and the integrity of commerce and industry in the data and digital economy. Based on the NDPR, data processing includes the collection, recording, storage, retrieval, use, disclosure, transmission, erasure, and destruction of personal data. The NDPR also specifically confers certain rights on persons that provide their personal data, that is, Data Subjects. These include the right to information about their personal data, the right to access their personal data, the right of rectification of their information, the right to withdraw consent, the right to object, and the right to data portability. The NDPR requires Data Controllers to develop adequate security systems to protect data within their custody. In line with this requirement, Data Controllers are required to maintain and publish a data protection policy that is in conformity with the NDPR and to continually train and build the capacity of staff members on data protection and privacy procedures. The NDPR also mandates Data Controllers to appoint Data Protection Officers for the purpose of ensuring compliance with the Regulations; they are to obtain lawful consent of Data Subjects before processing their personal data. Data Controllers are required to display a simple and conspicuous privacy policy on any medium through which they collect or process personal data.
Such a privacy policy is to contain a description of the kind of personal data to be collected and the purpose for the collection of the data, amongst other information (a sample has been attached to the NDPR 2019). In the event that a Data Controller engages the services of a third party to process personal data of Data Subjects, the NDPR requires that such engagement be governed by a written contract between the third party and the Data Controller.

The Regulations reserve the requirement for submitting data audit reports to certain categories of Data Controllers. Accordingly, only Data Controllers that process personal data of more than 1000 Data Subjects within a period of six months are mandated to file a soft copy of the summary of their audit to the NITDA. Similarly, Data Controllers that process personal data of more than 2000 Data Subjects within a period of 12 months are mandated to file a summary of their audit to NITDA, not later than 15 March in the following year. NITDA also requires that a verification statement by a licensed Data Protection Compliance Organization (DPCO) accompany all filings made. A DPCO is any entity licensed by NITDA to train, audit and render consulting services and other services and products for the purpose of compliance with the Data Protection Laws applicable in Nigeria. Based on the NDPR, a data controller is required to only transfer data to a foreign country or international organization subject to the supervision of NITDA and the Attorney General of the Federation (AGF). NITDA would co-ordinate relations with the AGF with respect to international transfer of personal data. However, data controllers are obligated to notify NITDA of any such transfers.

NITDA is the agency responsible for administering the NDPR. The NDPR empowers NITDA to register and license DPCOs to monitor, audit, conduct training and render data protection compliance consulting services on its behalf. However, the DPCOs will be subject to Regulations and Directives of NITDA issued from time to time.

However, paragraph 2.1 of the Regulation provides for statutory and legal exceptions to the application of data privacy and protection under the NDPR. Therefore, the NDPR does not apply to: i. the use of personal data in furtherance of national security, public health, safety and order by agencies of the Federal, State or Local government or those they expressly appoint to carry out such duties on their behalf; ii. the investigation of criminal and tax offences; iii. the collection and processing of anonymized data; and iv. personal or household activities with no connection to a professional or commercial activity. In furtherance of the NDPR, 2019, the Guideline for the Implementation of the Nigeria Data Protection Regulation (NDPR), 2019, within Public Institutions in Nigeria was issued in 2020.

Aside from the NDPR, there are other laws which touch on data privacy and protection in Nigeria, which are briefly highlighted below:

  1. Constitution of the Federal Republic of Nigeria: Section 37 of Nigeria’s 1999 Constitution forms the foundation of data privacy rights and protection in Nigeria. It guarantees and protects the right of Nigerians to privacy and deems privacy in this respect a fundamental right which is enforceable in a court of law when breached. Prior to the NDPR, most cases of data privacy breaches were enforced under this section.
  2. The NCC Consumer Code of Practice Regulation 2007: Part VI of the Nigerian Communications Commission (NCC) regulation generally deals with the protection of consumers’ data in the telecoms sector. Reg. 35 requires all licensees to take reasonable steps to protect the information of their customers against improper or accidental disclosures. It prescribes that licensees shall not transfer this information to a third party except as permitted by the consumer or commission or by other applicable laws or regulation.
  3. The NCC Registration of Telephone Subscribers Regulation 2011: Regulations 9 and 10 of the NCC Registration of Telephone Subscribers Regulation 2011 deal with the data privacy and protection of subscribers. They provide for confidentiality of personal information of subscribers stored in the central database or a licensee’s database. They also provide that this information shall not be released to a third party nor transferred outside Nigeria without the prior written consent of the subscriber and commission, respectively.
  4. The Freedom of Information Act 2011: Section 14 of the Freedom of Information Act protects personal data. It restricts the disclosure of information which contains personal information by public institutions except where the involved data subject consents to its disclosure or where the information is publicly available. The Act also provides that a public institution may deny the application for disclosure of information that is deemed privileged by law (e.g. attorney-client privilege, doctor-client privilege).
  5. The Cybercrimes (Prohibition, Prevention, etc.) Act 2015: The Cybercrimes (Prohibition, Prevention, etc.) Act, Nigeria’s foremost law on cybercrimes, criminalizes data privacy breaches. Generally, this Act prohibits, prevents and punishes cybercrimes in Nigeria.
  6. The National Identity Management Commission (NIMC) Act 2007: Section 26 of this Act requires the approval of the Commission before a corporate body or anybody can have access to data stored in their database. The Act also empowers the NIMC to collect, collate and process data of Nigerian citizens and residents.
  7. The National Health Act (NHA) 2014: The NHA, which regulates health users and healthcare personnel, restricts the disclosure of the personal information of users of health services in their records. It also ensures that healthcare providers take the necessary steps to safeguard such data.

Other acts are The Federal Competition and Consumer Protection Act 2019 and The Consumer Protection Framework 2016.

TAKING THE PRIVACY SPACE – THE ROLE OF LAWYERS

It is worthy of note that the issues surrounding legal protection have indeed created an opportunity to further specialize. There are opportunities in different specific sectors of the economy that intersect with privacy and in which professionals will be able to provide tailored services, such as healthcare, start-ups, financial institutions, insurance, big data companies, tech companies that engage in cloud computing, cyber insurance and cyber security, amongst others.

Such areas of specialization include:

  1. Privacy Policy advisor and analyst/Compliance officer – Good policies remain the driver of a regulatory framework. Lawyers can be involved in policy drafting for companies and contribute policy recommendations when a draft regulation is issued for public consultation. Lawyers can effectively function as data protection officers, chief privacy officers or any other designation, assisting clients with compliance and transparency, and overseeing a company’s data protection strategy and its implementation to ensure compliance with extant data protection regulation.
  2. Privacy Attorney/Consulting – Data protection laws provide a right to lodge a complaint, which allows data subjects to initiate a lawsuit before a supervisory authority or the courts in instances of infringement of their rights. Sanctions are imposed on organizations, which are also challenged before national courts. There is an opportunity for collaboration between privacy lawyers and litigation lawyers to navigate the slippery slope. Outside the remit of litigation, transaction lawyers can provide advisory services on privacy and data protection and on the appropriate implementation of and compliance with privacy laws as a risk-based strategy.
  3. Legislative Tracking – Lawyers can provide the latest legal opinions and update organizations on the latest decisions and laws that can impact their business. This entails providing real-time updates and guidance to existing and new client companies on developments in privacy laws globally and how they could impact their businesses, in order to guide them to wider compliance.

 Recommendations for Growth

Lawyers can read articles, books and laws governing data protection; sign up for courses; attend conferences and events centered on data protection laws in order to gain knowledge and possible clientele; and write articles on data protection to impress upon the public the firm’s expertise on data protection and its contribution to policies and conversations.


Contact:

Mercy Agbo

Associate – Intellectual Property, Communications and Technology Sector.

mercy.agbo@paulusoro.com