In Brief:

On January 25, 2019, Nigeria's National Information and Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation 2019 (the Regulation). The Regulation took effect on same date. In the fashion of the European Union's Global Data Protection Regulation 2018 (GDPR), the Regulation seeks among other things, to safeguard the rights of natural persons to the privacy of their personal data by, among other measures, regulating transactions involving the collection, use and exchange of personal data. In this brief, we take a cursory look at the Regulation and some of its imperatives for businesses that deal in the personal data of those that the Regulation seeks to protect.

Scope and Application of the Regulation

The Regulation regulates the activities of Data Controllers and Data Administrators in their use of the personal data of all natural persons who are Nigerian citizens (Nigerian Citizens) or who live in Nigeria (Nigerian Residents); both, Data Subjects – please note that this definition is arguable. A Data Controller is a natural or legal person who collects, controls, processes or is otherwise in possession of personal data, while a Data Administrator is a natural or legal person who processes personal data, usually on the instruction of the Data Controller. The Data Controller or Data Administrator may be one and same natural or legal person. Both public and private entities may qualify as a Data Controller or Data Administrator to the extent that they deal in personal data.

Personal Data

Personal data, also referred to as, personal identifiable information (PII) is any information on any identifiable natural person, including: employees, suppliers, counter-parties, agents and the general public. Identification or identifiability relates to any information that can be used on its own or with others to identify, contact or locate a natural person, whether singly or within a context. Such information will naturally include the following details of a natural person: name, address, age or date of birth, identification number, location, photograph, email address, bank details, posts on websites, medical record, media access control (MAC) address, internet protocol (IP) address, international mobile equipment identity (IMEI) number, international mobile subscriber identity (IMSI) number, subscriber identification module (SIM), et.al. Accordingly, identifiability is a key consideration in whether any data will qualify as personal data for the purpose of the Regulation.

Statutory Standards of Care

The Regulation imposes strict standards of care on Data Controllers and Data Administrators. Personal data must be collected and processed transparently, and only in accordance with the specific, legitimate and lawful purpose for which it was obtained. Processing of personal data may be done only for archiving, scientific research, historical research or statistical purposes of public interest. The Data Controller is ultimately responsible for the infractions of the Data Administrator or any third party engaged by it in relation to the personal data of Data Subjects. The Data Controller must take reasonable steps to ensure that any engaged third party does not have a record of violating the personal data protection principles in the Regulation, particularly those that are express on the use of personal data and on the rights of Data Subjects. The Regulation has no provision limiting the time within which personal data is to be retained. It sets a 'reasonability of need' test as it provides that personal data should be stored only for the period within which it is reasonably needed.

Rights of Data Subjects:

The rights of Data Subjects include the following:

  1. Data Subjects have the right to know their rights. The rights of the Data Subject are required to be made known to him before his personal data is processed. In this regard, the Data Controller must ensure that the means through which personal data is being collected has a conspicuous and understandable privacy policy.
  2. Data Subjects must expressly consent to the processing of their personal data. In this regard, the Data Controller must expressly request for the consent of the Data Subject before subjecting the data to any processing. It is the Data Controller's responsibility to ensure that the Data Subject has legal capacity to give consent. Specifically, the Data Controller must be able to show that the Data Subject has validly given his consent.
  3. Data Subjects have the unrestricted right to request the deletion and or, on a limited basis, prevent the processing of their personal data. Accordingly, before obtaining the consent of the Data Subject, the Data Controller must expressly let the Data Subject know of the Data Subject's, ability to withdraw his consent at any time.
  4. Data Subjects have the right to freely transfer their personal data received from a Data Controller to any other Data Controller.
  5. Data Subjects have the right to access their personal data. In this regard, Data Controllers must, within a month, provide prompt and free response, in a structured, commonly-used and machine-readable format, to a request by a Data Subject for his personal data. The Data Controller cannot charge for this service, save in the case of unfounded and excessive requests by the Data Subject.

Transfer of Personal Data to a Foreign Country or International Organisation:

Data Controllers are required to comply with the decisions and supervision of NITDA and the Attorney-General of the Federation (AGF) whenever they intend to transfer personal data to a foreign country or international organization. In the absence of any such decision, the Data Controller must ensure the existence of any of the conditions laid by the Regulation to validate any foreign transfer of personal data.

Enforcing Data Subjects' Rights

Data Subjects can enforce any of their rights in a court of law. This is without prejudice to the mandate of NITDA's Administrative Redress Panel (ARP). The ARP is empowered to, among others, investigate any allegation of breach of the Regulation and determine appropriate redress within 28 (twenty-eight) working days.

Penalties

Breach of the data privacy rights of any Data Subject is liable to a fine of:

  1. in the case of a Data Controller dealing with more than 10,000 (ten thousand) Data Subjects, the greater of 2% (two percent) of the preceding year's annual gross revenue or ₦10million; or
  2. in the case of a Data Controller dealing with less than 10,000 (ten thousand) Data Subjects, the greater of 1% (one percent) of the preceding year's annual gross revenue or ₦2million.

Immediate Compliance Requirements for Data Controllers:

  1. Make your data protection policies available to the general public not later than April 25, 2019. The policies must conform with the Regulation.
  2. Undertake a detailed audit of your privacy and data protection policies before July 25, 2019. You may require the services of a NITDA-licensed Data Protection Compliance Organisation (DPCO) for this purpose.
  3. Where you process the personal data of more than 1,000 Data Subjects before July 25, 2019, then you must submit the audit report in (2) to NITDA.
  4. If you annually process the personal data of more than 2,000 Data Subjects, then you must submit an annual data protection audit report to NITDA no later than March 15.
  5. Designate a data protection officer, whether within or outside your organization, for the purpose of ensuring adherence to the Regulation and your relevant data privacy processes and procedures.

Conclusion

The Regulation is currently the most comprehensive legislation (subsidiary) that protects personal data rights in Nigeria. Although not as comprehensive as the GDPR, it is, in our opinion, a good way to start for Nigeria. It reflects the reality of the 21st century data economy, in which data, mostly given free although often expensive to collect and process, is the raw material or critical asset of many businesses. Other than the commercial value of the data in itself, some of such businesses proceed to use the information generated from the data to generate even greater financial or other powers for themselves and their consorts. Recognising the rights of the personally identifiable Data Subject is fair balance between the commercial ambitions and success that society needs for its advancement and the individual's fundamental right to privacy. Recognition is however insufficient, good implementation is. That NITDA is able to implement the Regulation and its future revisions in a manner where the ensuing balance aids the progress of Nigeria's growing data economy, while upholding the individual's fundamental right to privacy, is perhaps its real mandate.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.