By Babatunde S. Oyewole
INTRODUCTION
Globally, human activities are taking transcendental shifts from manual to digital processes at which they are conducted. These changes afford data administrators the opportunity of harnessing large data about its users and consumers. With the geometric rise of the data economy, multi-jurisdictional corporations, institutions and establishments garner enormous value in collecting, sharing and using these data[1]. The Nigerian economy is not left out, as digital technologies have opened doors to new paradigms in all sectors of the Nigerian environment[2]. This trend has necessitated the enactment of data protection legislation by governments across the world. In light of the foregoing, the clamor by various stakeholders for the development of a viable data protection regime in Nigeria in line with global standards, was responded with the issuance of the Nigerian Data Protection Regulation, 2019 (the Regulation). The regulation, which is currently the most comprehensive generally applicable single document on Data Protection in Nigeria, prescribes the minimum data protection requirements for the collection, storage, processing and technical control of personal data by private, public and government entities.
This disquisition is however concerned with just Nigeria, as it seeks to examine the legislative attempts at Data Protection in Nigeria, the Gaps and opportunities that await.
THE REALITY OF DATA PROTECTION IN NIGERIA; HIGHLIGHTING THE GAPS
Practically, in line with global trends, Nigeria is lagging behind in the development of a regulatory framework for data protection in the country. This is worrisome as she is rated below her peers within the African region[3], despite being the largest and most susceptible on the continent. This void, albeit inadequate, is being mitigated by the succinct provisions of S 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) (the Constitution), which provides;
“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
Beyond this constitutional provision, there is neither a perceived machinery for enforcement nor is there an exact Privacy Law[4] to strengthen same. Thus, this provision can rightly be described as a mere band-aid and not a safety net. Consequently, the express mention of the word “Citizens”[5] limits its applicability to citizens of Nigeria alone. The billion-dollar question, what happens in the case of personal data of non-citizens that are being processed in Nigeria?
Moving forward, certain sectors have issued specific guidelines and regulations governing data protection. Such as, the Nigerian Communications Commission (NCC) Consumer Code of Practice Regulations 2007. The NCC Regulations take proactive steps to protect customers’ information against “improper or accidental disclosure” and that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”. Unlike the Constitution, the NCC Regulations is not restricted to Nigerian citizens, but also applies to non-citizens. Progressively, section 9 and 10 of the NCC Registration of Telephone Subscribers Regulations 2011 (RTSR) make similar provisions to the above stated. The Regulation prohibits the release of personal information to any security agent, licensee or any other person, except where permitted by law.
Notably, Section 14 of the Freedom of Information Act No. 4 of 2011 (FOI Act) recognizes the need for data protection in Nigeria. Under this section, a public institution is obliged to deny an application for information that contains personal information, unless the individual involved consents to the disclosure or where such information is already publicly available. Section 16 of the FOI Act further provides that, a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law. Thus, the Court of Appeal in Habib Nigeria Bank Limited v. Fathudeen Syed M. Koya[6], which involved an alleged disclosure by a bank of a customer’s transactional information, held that it is basic knowledge that a bank owes its customer a duty of care and secrecy.
Progressively, the Child Rights Act No. 26 of 2003, limits access to information relating to children (persons under the age of 18) in certain circumstances. Section 8 of the Child Rights Act guarantees every child’s entitlement to privacy, family life, telephone conversation and telegraphic communications. While section 205(2) prohibits the publication of any information that will lead to the identification of a child offender and that such records be kept strictly confidential and closed to third parties, except in certain exclusive circumstances.
The Nigerian Data Protection Regulation 2019 (the Regulation) was issued on the 25th of January 2019, by the National Information Technology Development Agency (NITDA / the Agency)[7]. As provided in the preamble of the Regulation, the Agency is mandated to develop Regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions.The regulation was issued pursuant to Sections 6, 17 and 18 of the NITDA Act and any breach of same is deemed to be a breach of the principal Act. It applies to all transactions intended for the collection and processing of personal data in respect of natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent. Constructively, data controllers (including the federal, state, local government agencies and private sector organizations) are obliged to develop and implement adequate security measures for data protection and prescribes the penalty for default[8]. The Regulation affords data subjects certain rights, some of which are the right to information, data rectification, object to data processing, data portability, withdraw consent at any time and also data erasure (the right to be forgotten). Sentiments aside, a conscious perusal of the Regulation clearly shows that it is grossly insufficient to meet the ever-dynamic demands of a proper data protection legislation. Unlike its Ghanaian and South-Africa counterparts, the Regulation goes no step further in creating a continuing obligation for data controllers to ensure proper execution and to regularly upgrade measures adopted for data protection. Wistfully, it contains no provision for privacy impact assessment, it does not impose a specific obligation to report data breach and also fails to sufficiently address the discourse on data retention. Worse still, it makes the fundamental omission of establishing a specific institutional enforcement mechanism.
Worthy of mention are, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, the 2019 Central Bank of Nigeria Consumer Protection Framework, Regulatory Framework for Bank Verification Number Operations and Watch- List for the Nigerian Banking Industry 2017, Nigerian Communications Commission (Registration of Telephone Subscribers) Regulation 2011, sections 25 and 29 of the National Health Act, 2014 and also section 9 of the Credit Reporting Act, 2017.
THE NIGERIAN DATA PROTECTION REGIME; MAXIMIZING OPPORTUNITIES
Despite the drawbacks of the legislations above, opportunity affords itself to strengthen Data Protection in Nigeria, with reference to the 2019 Draft Regulation and the proposed Bill awaiting assent by the President. In July 2019, the NITDA published its Draft Nigeria Data Protection Regulation 2019 – Implementation Framework and sought the contributions of stakeholders. The framework brings clarification to the provisions of the NDPR and contains commendable templates. More so, the Nigerian Data Protection Bill, which originated in the House of Representatives in 2015, is still yet to be passed. The NITDA says the proposed Data Protection Bill, would consolidate on the NDPR and ensure a strong data privacy regime in the country[9]. Despite these assertions, the provisions of the Bill reveal it is still not in consonance with international best practices for Data Protection. It does not provide for the mandatory consent of a data subject to processing, regulation of processing by third parties and fundamental considerations in permitting multi-jurisdictional transfer of data and the yardstick for determining adequate level of protection in foreign territories to which data is transferred.
The economic opportunities of a viable Data Protection Regime cannot be overstated, as it advances the ease of doing business without the fear of disruption or losing money. The digital economy is fast becoming the economy itself thus, propelling Data as a valuable economic resource.
CONCLUSION
Without any iota of doubt, the Data protection regime in Nigeria has not been crystallized. At best, they can be described as foundational frameworks for what is expected to come. It is Important that the Nigerian Government pays considerable attention to formulating an effective jurisprudential avenue for Data Protection, by acquainting itself with contemporary international practices for the development and protection of the Nigerian digital space.
Babatunde is currently a 500Level Law Student at Ekiti State University. He can be reached at : Oyewole.s.babatunde@gmail.com
Footnotes:
[1] Barbara Call, Big Data: Big Opportunities (CIO, JULY 27,2020) <https://www.cio.com/article/3100665/big-data-big-opportunities.html> Accessed Sept. 18,2020
[2] In 2018, the Nigerian Investment Promotion Commission estimated that the Digital economy in Nigeria should generate $88 billion and create about 3 million jobs, by the end of 2021
[3] African countries with a comprehensive approach to data privacy include Ghana, Kenya,Cape Verde and South Africa.
[4] Protecting the Privacy of Data in Nigeria’ (cybersecfill, jun. 21, 2019)<https://www.cybersecfill.com/data-privacy-in-nigeria/>Accessed Sept. 18,2020
[5] Section 37 of the Constitution of the Federal Republic of Nigeria.
[6] [1990 – 1993] 5 NBLR p. 368 at 387
[7] The Agency is established by the NITDA, Act 2007
[8] See Section 2.10
[9] NAN ‘Data Protection Bill ll strengthen Nigeria Data Protection Regulation- NITDA The Guardian (Abuja, 17 Sept. 2020) < https://guardian.ng/news/data-protection-bill-ll-strengthen-nigeria-data-protection-regulation-nitda/> Accessed Sept. 18 2020.