Prior to 2019, the data protection and privacy landscape in Nigeria was largely regulated by the National Information Technology Development Agency (NITDA or "the Agency") Act, 2007 (NITDA Act). In 2019, however, the Nigeria Data Protection Regulation, 2019 (NDPR) was issued as a subsidiary legislation to the NITDA Act with the Agency empowered to oversee the implementation of the NDPR. Subsequently, in February 2022, the Nigeria Data Protection Bureau (NDPB or "the Bureau") was established by President Muhammadu Buhari to replace NITDA as the primary regulator of the data protection and privacy space in Nigeria.
Since then, stakeholders in the industry have keenly anticipated a more robust legal framework, preferably an Act, to regulate the emerging data protection and privacy regime in Nigeria. Notably, there have been attempts since 2018 at passing a Data Protection Bill into law but this has not been successful. In October, 2022, however, a draft of the Nigeria Data Protection Bill, 2022 was published by the NDPB with a view to being the legal framework for data privacy in Nigeria. The objective of the Bill, amongst others, is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the 1999 Constitution of Nigeria.
The Bill has so far been approved by the Federal Executive Council for submission to the National Assembly and will be subjected to due legislative process (presentation, reading, public hearing and passage into law) by both Chambers of the National Assembly (Senate and House of Representatives). While we await the legislative process and subsequently, the assent and signing into law by the President, this article seeks to highlight the major provisions in the Bill and discuss its impact on data controllers, data processors and data subjects in Nigeria.
General Overview and Key Changes in the Bill
i. Establishment of the Nigeria Data Protection Commission
The Bill introduces, amongst others, the Nigeria Data Protection Commission ("the Commission") and tasks the Commission with the power to oversee the full implementation of the Bill. The Commission, which is to be independent, shall:
- promote awareness to data controllers and data processors on their obligations under the Bill;
- promote awareness and understanding of personal data protection and risk to personal data as well as rights and obligations stipulated in the Bill;
- collect and publish information on protection of personal data and breaches;
- license, accredit and register bodies to provide data protection compliance services;
- advise the government on policy issues relating to data protection and privacy; and
- submit legislative proposals to the Minister, including amending existing laws and ensuring the deployment of technological and organisational measures to enhance personal data protection, regulating the processing of personal data, amongst others.
Worthy of note is the fact that the Bill has a transitional provision, which means that all powers and duties of the NDPB are to be transferred to the Commission. It is our opinion that the establishment of the Commission is a step in the right direction as a review of the functions of the Commission reveals an intention to expand the regulatory oversight of the existing NDPB.
ii. Application of the Bill to Data Subjects resident in Nigeria
Unlike the NDPR which applies to every natural person residing in Nigeria or Nigerians residing outside Nigeria, the Bill seeks to limit its applicability to data controllers or data processors domiciled, ordinarily resident or ordinarily operating in Nigeria or where the processing of personal data occurs within Nigeria. The Bill will also apply where the data controller or data processor is not domiciled, ordinarily resident or ordinarily operating in Nigeria, but is processing personal data of data subjects in Nigeria. In effect, where a data controller or processor resides or carries on business operations in Nigeria, data is processed within Nigeria or where the data controller or processor is resident abroad but processes the personal data of data subjects resident in Nigeria, the provisions of the Bill will apply. Although "domiciled", "ordinarily resident" and "ordinarily operating" used in the Bill were not defined, it appears that Nigerians living abroad are excluded from the scope of application of the Bill. Without doubt, the focus of the Bill on its applicability appears directed at data controllers and data processors, unlike the NDPR, which has its focus on the data subjects.
iii. Legitimate Interest as a basis for processing Personal Data
Under the NDPR, the legal bases for processing personal data are Consent, Contractual obligation, Legal obligation, Vital Interest and Public interest. The Bill, however, introduces legitimate interest as a basis for processing personal data, in addition to the five other existing legal bases under the NDPR. Legitimate interest will however not be a basis for processing personal data where the fundamental rights and freedom of a data subject overrides such interest, or where the interest is incompatible with the other lawful bases or where the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
The introduction of legitimate interest as a ground for processing data will provide a lawful alternative for data controllers to process personal data.
Although the Bill establishes legitimate interest as a basis for processing data, it does not define the phrase. It is therefore unclear what the scope of legitimate interest will be in order to invoke its applicability.
iv. Registration of Data Controllers and Data Processors of major importance
The Bill creates the requirement for data controllers and data processors of major importance to register with the Commission within six months of the Bill being passed into law. The quantum of data processed by a data controller or data processor to qualify as a data controller or processor of major importance was not stated in the Bill, however, the Bill provides that the Commission may prescribe the number. Consideration will also be had to classes of data controllers or data processors that process personal data of particular value or significance to the economy, society or security of Nigeria.
In registering with the Commission, the data controller and data processor of major importance shall provide a description of the personal information of the Data Protection Officer (DPO), the categories and number of data subjects and the purposes for which the personal data is processed, any country to which the data controller or data processor intends to directly or indirectly transfer the personal data, amongst other information. Regular updates are expected to be provided to the Commission within 60 (sixty) days of significant changes to the information provided. Where, however, the Commission considers a registration to be unnecessary, it shall exempt a class of data controllers and data processors from the registration requirement.
It should be noted that the data controllers and data processors of major importance may be required under the Bill to pay prescribed fees or levies as shall be determined by the Commission.
v. Personal Data Breach
The Bill extensively provides for steps to be taken in the event of a data breach of the personal data stored or processed by a data processor. If such an event arises, the data processor is obligated to notify the data controller or data processor that engaged it without delay of the details of the breach and respond to all information requests from the data controller or data processor. Where a breach occurs which is likely to result in a risk to the rights of individuals, the data controller is obligated under the Bill to notify the Commission within 72 (seventy two) hours of becoming aware. Other measures to be taken are outlined in the Bill and they are aimed at ensuring that details of the breach are adequately reported and documented, and that measures are put in place to curtail the impact of the breach as well as prevent occurrences of same in the future.
"The key innovations in the Bill without doubt create higher obligations for data controllers and data processors and this is due to the high level of accountability that is expected of any organisation entrusted with the personal data of data subjects."
It appears that the Bill creates a reporting obligation to the Commission in respect only to the data controller where a breach is likely to result in a high risk to the rights and freedoms of a data subject. To determine if a breach is high risk, regard will be had to the technical and administrative measures in place to mitigate the breach, any subsequent measures taken to mitigate the risk and the nature, scope and sensitivity of the personal data involved.
vi. Consultation with the Commission prior to processing data that is high risk
By the provisions of the Bill, where processing of personal data is likely to result in high risk to the rights and freedoms of data subjects, prior to processing such data the data controller shall carry out a data protection impact assessment. The data controller is in such a circumstance also obligated under the Bill to consult the Commission prior to processing.
Although this provision appears directed at data controllers, it is important to note that data processors may also be faced with occasions of processing personal data that is high risk and it is unclear if data processors are obligated to consult the Commission in such circumstances.
vii. Sensitive Personal Data
The Bill provides for the rules for processing sensitive personal data, including listing the lawful basis for processing sensitive personal data, unlike the NDPR, which simply provides for the definition of sensitive personal data. The Commission is empowered by the Bill to prescribe rules detailing further categories of personal data that may be described as sensitive personal data, grounds for processing and attendant safeguards.
Provision is also made in the Bill for data controllers to obtain the consent of a parent or guardian where the data subject is a child, or the appropriate individual where the data subject is without legal capacity to consent.
The key innovations in the Bill without doubt create higher obligations for data controllers and data processors and this is due to the high level of accountability that is expected of any organisation entrusted with the personal data of data subjects. Data, it is said, is the new gold. The gold miners or keepers must have and indeed demonstrate the capacity to be accountable with respect to the valuable information they hold.
Conclusion
In many aspects, the Bill is a significant improvement on the NDPR and the existing regulatory framework, as it introduces a commendable regulatory landscape as far as data protection and privacy in Nigeria is concerned. It is recommended that data controllers and data processors who are entrusted with personal data of data subjects seek advise from their Data Protection Compliance Organisations (DPCOs) on the analysis of the Bill as far as their rights and obligations as data controllers and data processors are concerned so as to be prepared for the changing landscape in the likely event that the Bill is passed into law within a short time.
Pending when the Bill may be passed and signed into law, it is important for data controllers to remain aware of their ongoing obligations under the NDPR and the need to conduct their audit and file their audit report with the NDPB through their DPCOs on or before 15 March 2023 in order to avoid attendant penalties of up to 2% of their Gross Annual Revenue.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.