With the European Union’s General Data Protection Regulation (GDPR) coming into force in 2018, the prioritization of data protection by States has increased significantly. Protection of personal data has assumed an international human rights status. Paragraph 12 of the Universal Declaration of Human Rights (1948) and the International Convention on Civil and Political Rights (1966) provide that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” In Nigeria, the path to developing a data protection law has been protracted, with multiple yet unsuccessful attempts to adopt a law. The National Data Protection Regulation adopted by the National Information Technology Development Agency (NITDA) in 2019 as a subsidiary regulation has proved inadequate and only further emphasized the need for a comprehensive personal data protection framework.
This overview centers on the data protection regime in Nigeria, and the role of Nigerian lawyers in the Data Protection Sector.
DATA PROTECTION LAW – LEGAL FRAMEWORKS
Simply put, Data Protection is the process of securing digital information while keeping data usable for business purposes without trading away customer or end-user privacy. The intent of data protection laws is to place human beings at the center of technological advancement. Today, everyone has personal details online which, if mishandled, can be exploited unscrupulously to harm users for financial gain. It has therefore become imperative to regulate how vast amounts of personally identifiable data are managed.
Although Nigeria does not have a specific statute regulating Data Privacy and protection, the National Information Technology Development Agency (NITDA) commendably came up with the Nigeria Data Protection Regulations (NDPR) in 2019 which specifically addresses Data Privacy and Protection in Nigeria.
Nigeria Data Protection Regulations (NDPR)
The Regulation reserves the requirement for submitting data audit reports to certain categories of Data Controllers. Accordingly, only Data Controllers that process personal data of more than 1000 Data Subjects within a period of six months are mandated to file a soft copy of the summary of their audit to the NITDA. Similarly, Data Controllers that process personal data of more than 2000 Data Subjects within a period of 12 months are mandated to file a summary of their audit to NITDA, not later than 15 March in the following year. NITDA also requires that a verification statement by a licensed Data Protection Compliance Organization (DPCO) should accompany all filings made. A DPCO is any entity licensed by NITDA to train, audit and render consulting services and other services and products for the purpose of compliance with the Data Protection Laws applicable in Nigeria.
Based on the NDPR, a data controller is required to only transfer data to a foreign country or international organization subject to the supervision of NITDA and the Attorney General of the Federation (AGF). NITDA would co-ordinate relations with the AGF with respect to international transfer of personal data. However, data controllers are obligated to notify NITDA of any such transfers.
NITDA is the agency responsible for administering the NDPR. The NDPR empowers NITDA to register and license DPCOs to monitor, audit, conduct training and render data protection compliance consulting services on its behalf. However, the DPCOs will be subject to Regulations and Directives of NITDA issued from time to time.
However, paragraph 2.1 of the Regulation provides for statutory and legal exceptions to the application of data privacy and protection under the NDPR. The NDPR therefore does not apply to the use of personal data in furtherance of national security, public health, safety and order by agencies of the Federal, State or Local government or those they expressly appoint to carry out such duties on their behalf; the investigation of criminal and tax offences; the collection and processing of anonymized data; and personal or household activities with no connection to a professional or commercial activity. In furtherance of the NDPR, 2019, the Guideline for the Implementation of the Nigeria Data Protection Regulation (NDPR), 2019, within Public Institutions in Nigeria was issued in 2020.
Aside from the NDPR, there are other laws which touch on Data Privacy and Protection in Nigeria, which are briefly highlighted below:
- Constitution of the Federal Republic of Nigeria: Section 37 of Nigeria’s 1999 constitution forms the foundation of data privacy rights and protection in Nigeria. It guarantees and protects the right of Nigerians to privacy and deems Privacy in this respect a fundamental right which is enforceable in a court of law when breached. Prior to the NDPR, most cases of data privacy breaches were enforced under this section.
- The NCC Consumer Code of Practice Regulation 2007: Part VI of the Nigerian Communications Commission (NCC) regulation generally deals with the protection of consumers’ data in the telecoms sector. Reg. 35 requires all licensees to take reasonable steps to protect the information of their customers against improper or accidental disclosures. It prescribes that licensees shall not transfer this information to a third party except as permitted by the consumer or commission or by other applicable laws or regulation.
- The NCC Registration of Telephone Subscribers Regulation 2011: Regulations 9 and 10 of the NCC Registration of Telephone Subscribers Regulation 2011 deal with the data privacy and protection of subscribers. They provide for confidentiality of personal information of subscribers stored in the central database or a licensee’s database. They also provide that this information shall not be released to a third party nor transferred outside Nigeria without the prior written consent of the subscriber and commission, respectively.
- The Freedom of Information Act 2011: Section 14 of the Freedom of Information Act protects personal data. It restricts the disclosure of information which contains personal information by public institutions except where the involved data subject consents to its disclosure or where the information is publicly available. The Act also provides that a public institution may deny the application for disclosure of information that is deemed privileged by law (e.g. Attorney-client privilege, doctor-client privilege).
- The Cybercrimes (Prohibition, Prevention, etc.) Act 2015: The Cybercrimes (Prohibition, Prevention, etc.) Act, Nigeria’s foremost law on cybercrimes, criminalizes data privacy breaches. Generally, this Act prohibits, prevents and punishes cybercrimes in Nigeria.
- The National Identity Management Commission (NIMC) Act 2007: Section 26 of this Act requires the approval of the Commission before a corporate body or anybody can have access to data stored in their database. The Act also empowers the NIMC to collect, collate and process data of Nigerian citizens and residents.
- The National Health Act (NHA) 2014: The NHA, which regulates health users and healthcare personnel, restricts the disclosure of the personal information of users of health services in their records. It also ensures that healthcare providers take the necessary steps to safeguard such data.
Other acts are The Federal Competition and Consumer Protection Act 2019 and The Consumer Protection Framework 2016.
TAKING THE PRIVACY SPACE – THE ROLE OF LAWYERS
It is worthy of note that the issues surrounding legal protection have indeed created an opportunity to further specialize. There are opportunities in specific sectors of the economy that intersect with privacy and in which professionals will be able to provide tailored services, such as healthcare, start-ups, financial institutions, insurance, big data companies, tech companies that engage in cloud computing, cyber insurance and cyber security, amongst others.
Such areas of specialization include:
- Privacy Attorney/Consulting – Data Protection laws provide a right to lodge a complaint, which allows data subjects to initiate a lawsuit before a supervisory authority or Courts in instances of infringement of their rights. Sanctions are imposed on organizations, and these sanctions are also challenged before National Courts. There is an opportunity for collaboration between privacy lawyers and litigation lawyers to navigate the slippery slope. Outside the remit of litigation, transaction lawyers can provide advisory services on privacy and data protection and on the appropriate implementation of, and compliance with, privacy laws as a risk-based strategy.
- Legislative Tracking – Lawyers can provide the latest legal opinions and update organizations on the latest decisions and laws that can impact their business. This entails providing real-time updates and guidance to existing and new client companies on developments in privacy laws globally and how they could impact their businesses, in order to guide them to wider compliance.
Recommendations for Growth
Lawyers can read articles, books and laws governing data protection; sign up for courses; attend conferences and events centered on data protection laws in order to gain knowledge and possible clientele; and write articles on data protection to create a strong public impression of the firm’s expertise in data protection and its contribution to policies and conversations.
Associate – Intellectual Property, Communications and Technology Sector.