Nigeria: Steering Through Tax Compliance And Data Privacy: The Responsibility Of Nigerian Tax Authorities

Overview of Taxation and Authority in Nigeria

Taxation in Nigeria operates under a detailed legal framework, including various Statutes, Acts, and Decrees, which outline the structure of the tax system and identify the responsible bodies. The Federal Inland Revenue Service (FIRS) oversees federal taxes, state taxes are managed by state boards of internal revenue, and local taxes fall under local government revenue committees.¹

The Power and Responsibility of Tax Authorities

Tax authorities in Nigeria have broad powers to collect information from taxpayers to assess income or profits.² These powers include:

1. Requiring individuals to complete and submit specific forms.
2. Meeting with tax officers to discuss financial matters.
3. Demanding the provision of relevant books, documents, or accounts.³
4. Requesting information about specific individuals from entities such as banks.⁴
5. Scrutinizing income or profits.
6. Mandating organizations to furnish requested information.
7. Requiring banks and other financial institutions to provide details about new customers to the tax authority on a monthly basis.

Such extensive powers, however, raise concerns about the potential misuse of taxpayer information, highlighting the need for a balance between monitoring tax compliance and protecting taxpayer data.⁵

Taxpayer Information and Data Protection

The legal landscape governing taxpayers' information in Nigeria, includes the Constitution of the Federal Republic of Nigeria,⁶ Nigerian Data Protection Act (NDPA)⁷ the Finance Act and Nigerian Data Protection Regulation (NDPR)⁸ amongst others guarantee the right to privacy for taxpayers.

In an effort to ensure both effective monitoring of taxpayers and the protection of their privacy, Nigeria has put in place robust standards through the NDPA and the NDPR. These standards emphasize the importance of obtaining consent, implementing strong security measures, providing clear information, and maintaining transparent privacy policies. Here's a detailed look at each aspect:

1. Consent: The cornerstone of personal data handling under the NDPA is the requirement of consent. The NDPA permits the processing of personal data primarily when the individual has given consent or for specific purposes like fulfilling contractual obligations, legal obligations, protecting lives, or serving public interests.⁹ The NDPR elaborates on the fair management of personal data by public entities, including tax authorities. According to the "Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020,"¹⁰ tax authorities are authorized to process data for tax regulation purposes without additional consent but must obtain explicit consent for any other use or before sharing personal data with third parties.¹¹
2. Technical and Organizational Measures: The NDPA requires both data controllers and processors, including tax authorities, to establish appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data.¹² These include measures such as data pseudonymization, encryption, and protocols to ensure the security, and availability of data processing systems. Additionally, protocols for data restoration in case of incidents, periodic risk assessments, and regular testing and updating of measures against evolving risks are required.¹³ The 2020 Guideline further mandates public institutions, including tax authorities, to store personal data in secure digital repositories and restrict data sharing to encrypted methods, thereby limiting access to data to authorized personnel only, unless in cases mandated by law, such as criminal investigations or court orders.¹⁴
3. Provision of Information: Tax authorities are required to clearly inform individuals about the collection of their data. These include providing details such as their identity, location, contact details of their data collector, and the purpose of data collection, specifically for tax purposes. They must also disclose who else may access the individual's information, the individual's rights regarding the data, the retention period of their data and the procedure for lodging complaints in case of data breaches. Such information is typically provided in a privacy policy, to ensure individuals understand how their data is being managed.¹⁵
4. Privacy Policy: Following the 2020 Guideline, tax authorities must implement a comprehensive privacy policy in line with the NDPA. This policy should outline consent requirements, types of personal information collected, purposes of data collection (especially for taxation), technical methods for data collection and storage, and principles of NDPR. It should also outline the rights of data subjects, verifiable consent mechanisms and remedies for violations. This policy must be effectively communicated to the public through various means, including websites, digital media, and physical locations where the tax authorities operate.¹⁶

RIGHTS OF TAXPAYERS

Taxpayers are granted specific rights under data protection laws, including:

1. Right to obtain Information: Taxpayers have the right to know if their personal data is being stored or processed, including details about the data's purposes, recipients and storage period etc. related to their data.¹⁷
2. Right to Access: Taxpayers can request a copy of their personal data in a commonly used electronic format, unless this incurs unreasonable costs borne by the data subject.¹⁸
3. Right to request restrictions on data processing.¹⁹
4. Right to withdraw consent for data processing at any time.²⁰
5. Right to object to the processing of their personal data.²¹

Navigating Cross-Border Data Transfers

For cross-border transfers of personal data, it is crucial that the receiving country or entity provides a level of data protection that is at par with or exceeds the protections offered by Nigerian law. This principle ensures that personal data of Nigerian citizens remains protected against unauthorized access and misuse, irrespective of where the data is processed or stored. Data controllers and processors must document the justification for international data transfers, assess the adequacy of data protection measures in the receiving jurisdiction, and ensure compliance with the NDPA and NDPR. ²²

Handling Personal Data Breaches

When a data breach occurs, it is not only a security issue but also a significant risk to the privacy and rights of individuals. The data controller must notify the Nigeria Data Protection Commission (NDPC) of any breach within 72 hours of detecting a breach likely to endanger individuals' rights and freedoms. This notification should describe the nature of the breach and the categories of affected individuals and personal data records, if possible.²³ Remedial actions would be taken to address the breach.

Consequences of Breach

The legal framework around data protection in Nigeria establishes clear consequences for breaches, highlighting the seriousness with which data privacy is regarded. When the NDPA or its subsidiary laws are violated, the NDPC can issue compliance or cease and desist orders to uphold data subjects' rights.²⁴ Failure to comply with these orders constitutes a criminal offence, punishable by a fine,²⁵ imprisonment for up to one year, or both.²⁶ Additionally, data subjects have the option to seek damages through civil proceedings against the responsible party. The Finance Act also imposes a fine of up to N1,000,000.00, imprisonment for a maximum of three years, or both for disclosing taxpayer information to unauthorized parties or misusing it, unless explicitly allowed by law.²⁷

There has been limited precedent where tax authorities were held accountable for violating taxpayers' rights in Nigeria. However, recent case of Incorporated Trustees of Digital Rights Lawyers Initiative v. Lagos State Inland Revenue Service (LIRS),²⁸ the Claimants instituted an action against the LIRS for allegedly violating the NDPR by publishing personal and tax information of Nigerians on the LIRS website. While this case is pending resolution, it serves as a critical reminder of the need for compliance with data protection regulations.

The European case of Bernh Larsen Holding AS and Others v. Norway,²⁹ provides valuable insights into the international landscape of data protection. In this case, tax authorities acquired extensive data access by copying all documents from a company's server, capturing data irrelevant to tax evaluations.

This overreach included private communications of employees and confidential business information, engaging rights and interests safeguarded by Article 8 of the European Convention on Human Rights (ECHR).³⁰ It was accepted that confidential commercial information is to be protected under Article 8 of the ECHR.³¹

In a parallel scenario, Nova v. Portugal³², presented a dispute where tax authorities contested Ms. de Brito Ferrinho Bexiga Villa-Nova's tax payments on her professional earnings. She refused to provide her personal bank account details on the grounds of professional and banking secrecy. However, the Court of Appeal mandated the disclosure to unearth the factual scenario in the interest of legal proceedings. Despite this decision, the European Court of Human Rights (ECtHR) sided with her, recognizing the breach of her right to professional secrecy, a component of her private life, under Articles 6, 8, and 13 of the ECHR.

Despite these legal cases unfolding outside Nigerian borders, they reinforce the principles of the NDPA regarding the processing of personal information strictly based on consent or fulfilling legal obligations.³³

Need for Improvement

There is no denying that substantial strides have been taken to strike a balance between enforcing effective tax policies and safeguarding taxpayers' data. However, there is still room for improvement. This includes the adoption of more efficient strategies to enforce data protection laws, a shortened timeframe to address complaints, and comprehensive training for tax authorities. These measures, coupled with the implementation of enhanced technological features, would guarantee the comprehensive protection of taxpayers' data.

Footnotes

1 PML, Nigerian Tax System: Structure And Administration (2024) https://pml.com.ng/nigerian-tax-system-structure-and-administration/#:~:text=Tax%20administration%20involves%20the%20registration,efficiency%20and%20effectiveness%20of%20taxation. Accessed on the 7th of January, 2024.

2 Section 47; 48 and 49 of the Personal Income Tax Act, 2011; Section 60 and 61 of the Companies Income Tax Act, 2007

3 Section 47 of the Personal Income Tax Act, 2011

4 Section 47; 48 and 49 of the Personal Income Tax Act, 2011; Section 60 and 61 of the Companies Income Tax Act, 2007

5 FIRS (2017) "Filing Tax Returns" https://www.firs.gov.ng/wp-content/uploads/2020/11/FILING-TAX-RETURNS.pdf accessed on January 23, 2024.

6 Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended)

7 Nigerian Data Protection Act, 2023

8 Nigeria Data Protection Regulation, 2019

9 Section 26 of the Nigeria Data Protection Act, 2023

10 Regulation 13.1 of the Nigeria Data Protection Regulation, 2019; Paragraph 1.4 of the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020; Paragraph 2.1 of the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020

11 Paragraph 4.0 (e) ibid

12 Section 39(1) of the Nigerian Data Protection Act, 2023

13 Section 39(2) ibid

14 Paragraph 4.0 ibid

15 Section 27 of the Nigeria Data Protection Act, 2023

16 Paragraph 3.1 of the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020.

17 Section 26 of the Nigerian Data Protection Act, 2023; Section 34(1)(a) of the Nigerian Data Protection Act, 2023.

18 Section 34 (1)(b)(c) ibid

19 Section 34(1)(d) of the Nigerian Data Protection Act, 2023

20 Section 35 ibid

21 Section 36 ibid

22 Section 41 and 42 of the Nigeria Data Protection Act, 2023

23 Section 40 ibid

24 Section 47 of the Data Protection Act, 2023

25 Section 49 ibid

26 Ibid

27 Section 54 of the Finance Act, 2020 (Substitution for Section 39)

28 FHC/AB/CS/53/2020 https://www.dataguidance.com/notes/nigeria-data-protection-overview accessed on February 20, 2024.

29 Application no. 24117/08 https://dergipark.org.tr/en/download/article-file/2256435 accessed on February 21, 2024.

30 Article 8 of the European Convention on Human Rights (ECHR)

31 European Convention on Human Rights.

32 ECtHR, Brito Ferrinho Bexiga Villa-Nova v. Portugal, Appl. no. 69436/10, Judgment of 1 Dec. 2015 https://repository.law.umich.edu/cgi/viewcontent.cgi?article=1236&context=book_chapters accessed February 21, 2024

33 Section 26 of the Nigeria Data Protection Act, 2023

For more information or to discuss your tax requirements including trainings, please contact: Bashir Ramoni, FCTI at bashir.ramoni@scp-law.com or Rosecarmel Odeh at rosecarmel.odeh@scp-law.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.