News
Data Privacy And Protection Regulations In Nigeria
Challenges Confronting Implementation Of Data Privacy And Protection Regulations In Nigeria
1. Introduction
Being the agency of the Federal Government of Nigeria charged with the responsibility of developing and regulating information technology in Nigeria, the National Information Technology Development Agency (NITDA) is empowered by its enabling Act to create a framework for the planning, research, development, standardisation, application, coordination, monitoring, evaluation and regulation of information technology practices in Nigeria developing standards, guidelines and regulations for that purpose.
Consequently, the introduction of the Nigerian Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA) on 25th January 2019 signalled the gradual institutionalisation of a culture of data privacy and protection in Nigeria. A deeper awareness and appreciation of relevant issues around data privacy and protection has begun to take root. Before the NDPR came into force, Nigeria’s regime of data privacy and protection existed in multiple legislations that sought to protect subject-specific data and information from unlawful use. These ultimately proved inadequate in addressing the concerns of owners, users and regulators of data, thus giving birth to the NDPR.
The NDPR is currently Nigeria’s singular most comprehensive body of rules that govern data privacy and protection, albeit a subsidiary legislation birthed through powers granted under the NITDA Act. In execution of its mandate, NITDA had issued a deadline for mandatory data compliance audit for July 2019, which it subsequently revised to October 2019. Owing to widespread non-compliance with the provisions of NDPR, NITDA was then constrained to initiate the issuance of non-compliance notices to about 100 defaulting companies in December 2019. In addition, NITDA has also embarked upon several investigations into the affairs of the Immigrations Services, financial services institutions and telecommunications companies in its quest to bring sanity into this space.
That being said, NDPR has not been spared the typical challenges that bedevil every new piece of regulation. This article attempts to engage some of these challenges with a view to attracting robust conversations around them and identifying remedial measures that need to be adopted in addressing them.
Challenges Confronting Data Privacy and Protection in Nigeria
Every fledgling piece of legislation comes with teething issues which may range from the need to introduce amendments, adequacy of its provisions to deal with prevailing issues in the industry to which it relates to the ease of its applicability to the environment it covers. We now consider a few of those challenges that require to be addressed if appreciable progress is to be made in this sector.
2.1 Lacuna in the NDPR
Despite NITDA's admirable step of issuing the NDPR in January 2019, concerns have developed about the somewhat restrictive nature of its provisions. For instance, the definition of data under the NDPR 2019 is limited to electronic data thereby excluding matters concerning or relating to paper-based data violations without remedies or protection.
2.2 Status of data privacy and security laws
The world is a data-driven global economy. Nigeria, like any other nation, needs to protect the personal data of her citizens wherever they are, regardless of the means of data processing or the location of the data controller or processor. Before the NDPR was released by the NITDA in January 2019, Nigeria ran with the Guidelines on Data Protection 2013 ('NITDA Guidelines'). However, right from the commencement of the NITDA Guidelines until when repealed, there were lingering doubts over its status and what appeared to be an absence of enablement to enforce its provisions.
Instructively, NDPR represents the most significant sector-specific law regulating data in Nigeria and is clearly more comprehensive than the NITDA Guidelines. In spite of this seeming improvement in regulatory guidance for data privacy and protection, the same affliction that mired the Guidelines has again reared its head with the NDPR i.e. its efficacy is being called to question. Arguments that having been issued by NITDA pursuant to her powers to issue regulations clothe NDPR with the force of law, have not quite cut it with stakeholders. Thankfully, the NITDA has initiated the process of elevating NDPR to the status of an Act of the National Assembly, and in this regard, has published the draft Data Protection Bill 2020 ('the Draft Bill') for public comments. In particular, the Draft Bill aims primarily to promote a code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organisations and government security agencies to collect such data. It is also designed to minimise the harmful effect of personal data misuse or abuse of data subjects and other victims, as well as ensure that personal data is processed in a transparent, fair, and lawful manner, under the data protection principles stipulated in the Draft Bill or any other legislation. Hopefully, this Draft Bill, when made an Act, will be able to address some of the inadequacies of the NDPR 2019.
2.3 Poor Implementation, Application and Enforcement of Extant Regulations.
Beyond the apparent inadequacies that have characterised attempts to institutionalise a data privacy regulatory framework in the country, there are still apprehensions over the ability of government to conform to the provisions of data protection regulations. This is because of the unenviable reputation of the country’s ministries, departments and agencies (“MDAs”) for according scant regard to the laws which enactment they may even have championed. There is thus the concern that the mere elevation of the NDPR to the status of an Act may not be sufficient to effect an attitudinal change.
In spite of the fact that NDPR was designed to take effect from 25th April 2019, with Data Collectors distributing their protection policies, at the minimum, as compulsorily required by under NDPR , there has been little or no compliance with this mandatory requirement, despite the obvious dire implications for flouting its provisions. This author is not aware of any recorded instance of punitive action being taken against defaulters. Also, NITDA has looked on, somewhat helplessly, as the stipulation that every Data Controller should designate a Data Protection Officer to undertake specified functions is flagrantly being violated by corporate organisations and MDAs alike.
2.4 The shortage of judicial decisions on data privacy violations
Judicial precedents constitute the building blocks on which every jurisprudential system is hinged. The Nigerian judiciary is no exception. There is a dearth of questions/issues emanating from the current body of rules regulating the industry before the courts. This state of affairs has and continues to make it extremely difficult for a body of decided cases that could provide guidance for this area to be developed and followed. There are several issues yawning for authoritative resolution and, unless interpreted by the courts, may limit development and growth in this space. For example, the question of the full purport of who a data subject is a daunting enquiry that needs urgent elucidation.
Although, the NDPR 2019 defines data subject to mean an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, the question remains as to whether that definition could be extended to cover companies of any description. The issue of whether only a human entity can have his/her data breached is a very important legal question to broach.
2.5 Issue of Consent to Data Collection
Another important issue is the requirement to secure the consent of a Data Subject before personal data may be sourced and utilised for any purpose. Consent implies that valid consent must be obtained before the collection of data, especially through clear stipulation of the purpose of data collection and indication of the need for additional consent where personal data might be shared with third parties. Furthermore, a Data Controller is required to take and keep a record of the consent of individuals, and there must be provision for withdrawal of consent by such Data Subject at any time (European Data Protection Board, 2016). Regrettably, in Nigeria, both government agencies and private firms have consistently failed to comply with these aspects of the NDPR by their actions, thus causing untold embarrassment and hardship to affected persons. In Nigeria, it is not uncommon to experience data about one being generated and captured by companies and agencies without knowledge of its owner or first seeking and securing consent.
2.6 Lack of Data protection Practitioners in Nigeria
Yet another pertinent challenge facing the industry in Nigeria has to do with the role that a credible professional body could play in ensuring strict adherence to a regulatory framework by all practitioners and stakeholders within both the private and public sectors of the economy. This body may also be charged with the responsibility of monitoring developments in regulatory governance and technology to keep abreast with international standards and best practices. This author expects that professionals such as Data Protection Officers, Data Controllers and similar players would help populate this body and grow it from strength to strength.
3. Conclusion
It is not unusual for assimilation and acculturation of a new idea to be slow on the uptake by stakeholders. This author expects that over time, internalisation of the broad principles that guide data privacy and protection would occur and, gradually, institutions set up to act as watchdogs for the industry would help engender and bed in a culture of respect for and preservation of data privacy and security.
Article provided by: Uche Val Obi (Alliance Law Firm, Nigeria)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010