It would appear that the wind of data protection reform that has recently blown across the world has finally found its way to Nigeria with the passing of the Nigerian Data Protection Regulation (the Regulation) by the National Information Technology Development Agency (NITDA) on 25 January 2019. From the preamble of the Regulation, one can easily infer that the inspiration for the Regulation came from the data protection reform that has taken place across the globe, as it states that the Regulation has been drafted ‘in cognizance of emerging data protection regulations within the international community’ [1]. In order to appreciate the impact of the Regulation, it is important to note that the right to data protection is not expressly listed under Chapter IV of the 1999 Constitution of the Federal Republic of Nigeria (as amended) but is at best subsumed under the right to privacy [2]. The Regulation therefore attempts to accord legal recognition (through subsidiary legislation) to an area of law that is presently subject to legislative debate. As a slight departure from the fanfare that followed the coming into force of the Regulation, this article seeks to highlight some relevant provisions of the Regulation and other related issues, particularly Nigeria’s level of data protection compliance in the light of the new Regulation.

SOME KEY PROVISIONS OF THE REGULATION

OBJECTIVES OF THE REGULATION: Section 1.0 of the Regulation provides that the objectives of the Regulation include safeguarding the rights of natural persons to data privacy; fostering the safe conduct of transactions involving the exchange of personal data; preventing the manipulation of personal data; and ensuring the competitiveness of Nigerian businesses in international trade, etc.

SCOPE OF THE REGULATION: The scope of the Regulation is said to include all transactions intended for the processing of personal data of natural persons in Nigeria, and the Regulation also applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent, etc.

PRINCIPLES OF DATA PROTECTION: Section 2.1 of the Regulation acknowledges some principles of personal data processing and makes the processing of personal data subject to these principles. The principles guaranteed under the Regulation are – the principle of lawful processing of personal data; purpose limitation; data accuracy; storage limitation; data security and accountability.

Furthermore, section 2.1 lists consent; performance of a contract; compliance with a legal obligation to which the Controller is subject; protection of the vital interests of the data subject or of another natural person; and the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the controller as the legal bases for processing personal data. Interestingly, the legitimate interest of the controller, one of the recognized legal bases for processing personal data under data protection law, is conspicuously missing from the list of lawful bases of data processing under the Nigerian Regulation [3].

INFORMATION RIGHTS: The provision to data subjects of adequate information on the processing of their personal data, particularly with the aid of privacy policies, is also covered under the Regulation. Such a privacy policy shall mandatorily contain information which shall include, but not be limited to, the description of collectable personal information; the purpose of collection of personal data; the technical methods used to collect and store personal information (cookies, web tokens, etc.); and the access (if any) of third parties to personal data and the purpose of such access.

DATA SECURITY: The Regulation requires anyone involved in the processing of personal data to develop security measures to protect personal data through processes which include the use of encryption technologies, the development of an organizational policy for handling personal data processing, etc.

DATA PROCESSING CONTRACTS: The Regulation provides that the processing of personal data by a third party shall be governed by data processing contracts.

Other features of the Regulation include the introduction of fines which could amount to 1% or 2% of the annual gross revenue of the company; data subject access requests, the right to be forgotten; the right to rectification of personal data processing; the right to data portability etc.

DOES THE NIGERIAN DATA PROTECTION REGULATION MAKE NIGERIA DATA PROTECTION COMPLIANT?

One of the reasons for the fanfare that the Regulation has generated in some quarters is the expectation that the said Regulation could make Nigeria compliant with (at least) minimum data protection standards. This expectation is probably heightened by the fact that the new Nigerian law is also tagged a ‘Regulation’ just like the ‘General Data Protection Regulation’. Unfortunately, this may not necessarily be the case. As mentioned in earlier parts of this article, the right to data protection is a right which is not expressly listed in the traditional body of human rights known or recognized under Nigerian law and NITDA’s efforts in drafting this legal document must be saluted in the light of this fact. However, a question that begs to be answered is whether the Regulation is capable of making Nigeria (at least minimally) data protection compliant.

It would appear that little attention has been given to the fact that the Regulation is subsidiary legislation drafted by NITDA (an agency of the executive arm of government) pursuant to powers granted to it under the NITDA Act. Therefore, should there be a conflict between an Act of Parliament and the Regulation, the Act of Parliament will prevail. A practical example of an Act of Parliament that may conflict with the Regulation (and would be given precedence over it) is the Nigerian Cyber Crimes Act [4], which provides for retention schedules, release of personal data pursuant to court orders, data interception by government through technical means, statutory fines, etc.; being an Act of Parliament, it takes precedence over the Regulation (subsidiary legislation). This has the effect of watering down the potency and applicability of the Regulation and is an argument in favor of the proposition that the Regulation’s impact in practice may be very limited.

One of the critical issues that the Regulation has not addressed overtly is the question of which agency will function as the data protection supervisory authority. From the language of the Regulation, it would appear that NITDA has appointed itself as the data protection supervisor, while in another breath the Regulation gives some supervisory powers to the Attorney General of the Federation in respect of data transfers outside Nigeria. The explanatory memorandum of the NITDA Act (the Act of Parliament which regulates the affairs of NITDA) provides, among other things, that NITDA is established to plan, develop and promote the use of information technology in Nigeria. The writer argues that, in the light of the purpose for which NITDA has been established, it is impossible for the same body to be saddled with functioning as a data protection supervisory authority, and there is a need for an independent body whose sole task will be to function as the data protection supervisory authority for Nigeria.

Another challenge that the Regulation may have to contend with is the authority of NITDA to enforce the Regulation, particularly the enforcement of the fines listed in it. The Regulation being subsidiary legislation, NITDA, in its opening paragraph, traces the legal justification for drafting the Regulation to Section 6 (c) of the NITDA Act (the enabling law for NITDA), which provides among other things that “NITDA shall develop Regulations for electronic governance and monitor the use of electronic data interchange…” It is arguable that at no point has the legislature delegated powers to charge fines to NITDA, thereby making the charging of fines ultra vires and beyond the powers so vested by the legislature. In the age-old Nigerian case of Alausa vs Ekemode [5], the court held that the action of a government official in damaging a vessel which was recovered from the waterway was ultra vires the powers vested in the public official. The court’s decision was based on the fact that, though the public official was authorized to seize vessels from the waterway, breaking the vessels exceeded the powers vested in the said authority. In applying this principle to the charging of fines by NITDA, it is arguable that while NITDA is authorized ‘to develop regulations for electronic governance…’, it is not authorized to charge fines, and it may only take one legal action to render the provisions on fines null and void. It must also be noted that the Regulation can only be applied to companies dealing with IT and the importation of technology, following the powers granted to NITDA under the NITDA Act [6]. NITDA may therefore not have the power to enforce the Regulation against banks (for instance), which are subject to the supervision of the Central Bank of Nigeria.

A potential clog in the wheel of the Regulation and its attempt at data protection compliance in Nigeria is the unanswered question of whether the Regulation will apply to personal data processing carried out by the government and its agencies. It is curious that the Regulation does not make any mention of processing activities carried out by government. The writer’s suspicion is further heightened by the fact that the Nigerian Personal Information Bill [7], presently pending before the Senate, expressly stipulates that the Bill will not apply to the government. If, as can be inferred from the spirit of the law, the Regulation does not apply to the government, then this may unfortunately be as good as not having a compliant data protection regime, and it may be difficult for the Regulation to achieve one of its objectives of making Nigeria a more attractive destination for international trade.

CONCLUSION

From the points made in this article, it is clear that the Regulation falls short of its objective of making Nigeria a fully data protection compliant nation. However, it is a step in the right direction, as the Regulation will go down in Nigerian legal history as the first comprehensive legal instrument on data protection. There is still a lot to be done, and the government in particular must show more willingness to accord respect and recognition to the right to data protection. The position that the Regulation is a step in the right direction is further supported by the fact that its verbiage is more data protection friendly than that of the Nigerian Personal Information and Data Protection Bill. It is hoped that further amendments, regulation and stakeholder participation will be undertaken in the near future to ensure that Nigeria can truly be referred to as a data protection compliant country.

REFERENCES

  1. NITDA Regulation, Part 1, Paragraph 3.
  2. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended).
  3. Article 6 (1) (f) of the GDPR.
  4. Sections 38-39, Cybercrimes (Prohibition, Prevention, etc.) Act, 2015. Available at: https://www.cert.gov.ng/file/docs/CyberCrime__Prohibition_Prevention_etc__Act__2015.pdf (accessed 24/03/2019).
  5. Appeal No. AB/32A/59. Available at: https://nigerialii.org/ng/judgment/high-court/1961/2 (accessed 19/03/2019).
  6. For further reading on the powers of NITDA, see Section 6 of the NITDA Act. Available at: https://www.researchictafrica.net/countries/nigeria/National_Information_Technology_Development_Agency_Act_2007.pdf (accessed 22/03/2019).
  7. The Nigerian Personal Information and Data Protection Bill. Available at: http://www.nimc.gov.ng/docs/reports/personal_info_bill.pdf (accessed 20/03/2019).