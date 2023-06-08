With the adoption by the Federal Executive Council in 2022, Nigerians were urged to rest assured that their data would be properly protected especially with the Nigeria Data Protection Bureau (NDPB) being given the legal power to prosecute breaches of other person’s data privacy. Since the issuance of the Nigeria Data Protection Regulation in 2019 (NDPR), stakeholders have clamoured for a more robust data protection instrument to adequately provide for the collection and processing of personal data in Nigeria.

Consequently, there have been several unsuccessful attempts to pass a data protection bill into law since 2018 by the Ninth National Assembly. The Nigeria Data Protection Bureau (NDPB) released the Data Protection Bill 2022 on October 6, 2022. The Bill appears to be a beacon of hope for final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 2022.

This Bill seeks to establish an independent and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors within the private and public sectors. It deals with four core issues, includ- ing the processing of personal data; protecting the rights of data subjects includ- ing a framework for such protection; the establishment of a Data Protection Commission; and the contribution to the legal foundations of Nigeria’s digital economy and an improvement of its appeal for participation in the global marketplace.

The Nigeria Data Protection Bureau (NDPB) was established by the Federal Government in February 2022 as the supervisory and regulatory authority for data protection in Nigeria, a function previously undertaken by the National Information Technology Development Agency (NITDA). In 2019, pursuant to its powers under the NITDA Act of 2007, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR). It is the principal regulator for data protection in Nigeria.

An Act was made to provide the legal framework for the protection of personal data and establish the Nigeria Data Protection Commission for the regulation of the processing of personal data and related matters.

Objective

The objective of the Act is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, particularly to provide for the regulation of the processing of personal data; promote data processing practices that protect the security of personal data and privacy of data subjects; ensure that personal data is processed in a fair, lawful, and accountable manner; protect data subjects’ rights, and provide remedies and means of recourse in case of breach of those rights; ensure that data controllers and data processors fulfill their obligations to data subjects; minimize the harmful effect of personal data misuse or abuse on data subjects and other victims; establish an impartial, independent and effective regulatory Commission that will superintend over data protection and privacy issues and supervised data controllers and data processors; and contribute to the legal foundations of the digital economy of Nigeria and its participation in the regional and global economies through the beneficial, trusted use of personal data.

NDPB

The year 2022 witnessed several advancement in the data protection space globally and Nigeria was not left out. The Federal Government of Nigeria created the Nigeria Data Protection Bureau (“the Data Protection Bureau”) in February 2022 as the principal data protection regulatory body to implement the objectives of the Nigeria Data Protection Regulation, 2019 (“the Regulation”). The Data Protection Bureau replaces the National Information Technology Development Agency (NITDA) which was prior to the creation of the Data Protection Bureau responsible for implementing data protection policies in Nigeria.

Enforcement

Since the issuance of the NDPR, NDPB has been saddled with supervisory and enforcement responsibilities in respect of data protection matters in Nigeria. It collaborates with security agencies like the Office of the Inspector General of Police to ensure full compliance and enforcement. Where NDPB has determined that a party is in breach of the NDPR, especially where such breach affects national security, sovereignty, and cohesion, it may seek to prosecute officers of the organization as provided for in sections 17(1) and (3) of the NITDA Act 2007. On May 17, 2022, the Federal Competition and Consumer Protection Commission (FCCPC) and NDPB jointly established the Joint Mutual Enforcement Desk.

The drive behind this collaboration is aimed at addressing cogent issues of data protection, such as data protection breaches which have been a common occurrence amongst online moneylenders, and to ensure that data subjects can derive the protection that is inherent to the digital economic expansion of Nigeria. Both organisations further cement- ed the collaboration by entering into a Memorandum of Understanding on August 28, 2022.

Data Protection Bill

The Bill was first introduced in 2018, passed by the National Assembly on May 16, 2019, and transmitted to the President for assent. The Bill was however not assented to by President Muhammadu Buhari. After this, there have been other unsuccessful attempts to pass a data protection law.

The NDPB, as part of its objectives to ensure that there is a substantive law governing data protection, released the new Data Protection Bill 2022 in October 2022. The National Commissioner/CEO of the Bureau, Dr. Vincent Olatunji, said the Federal Executive Council on January 25, 2023, approved the Nigeria Data Protection Bill, expecting that the Bill would soon be passed by the National Assembly.

“As you are aware, the Federal Executive Council on the 25th of January 2023 approved the Nigeria Data Protection Bill. It was transmitted to the National Assembly as an Executive Bill. Then, the legislature reiterated its preparedness to pass the Bill into law,” he noted. As a new agency saddled with the responsibility of protecting people’s data privacy, Olatunji said the Bureau had been able to reassure champions of civil liberties around the world that Nigeria is prepared for a leading role in advancing data protection and exploring the opportunities of the global digital economy.

Awareness

Olatunji continued: “In the last year, we have taken necessary institutional measures to lay the foundation of our bulwark for a sustainable digital economy. They are the Official Launching of the Core Values, Digital Platform, and Insignia for the seamless and effective implementation of the NDPR. “We have been carrying out strategic awareness campaigns across the country.

We recalibrated the “Adopt–A–School” Awareness Programme which is now called “Catch – them–Young”. We were able to reach over 3000 students and pupils in about 70 schools with the message of data privacy. “You will all agree that in the wake of the Covid-19 pandemic and the adoption of online platforms for education, this class of citizens has become vulnerable to diverse abuses in the digital space.”

He noted that the Bureau had engaged with public institutions including the National Assembly, Office of the Secretary to the Government of the Federation, Federal Ministry of Health, Central Bank of Nigeria, Nigeria Police Force, Independent Corrupt Practices and Related Offences Commission (ICPC), and National Lottery Regulatory Commission. “As a result of these engagements, we now have a 100 per cent increase in the rate of integration of the public sector into the Data Privacy and Protection Framework.”

Whitelist

In its bid to update the Whitelist in accordance with the provisions of the Regulation, the NDPB established the National Data Protection Adequacy Pro- gramme (NaDPAP) Whitelist in the last quarter of 2022. Further to the establishment of the NaDPAP Whitelist, the Bureau released a Compliance Notice mandating data controllers and data administrators to comply with several requirements.

To be included in the NaDPAP Whitelist, organisations were required to have an understanding of the NDPR; develop and implement a privacy policy which is consistent with the provisions of the NDPR; notify their employees, customers, and online visitors of their privacy policy; designate at least one or two members of staff as Data Protection Contacts; and mandate their service providers/vendors to comply with the NDPR to prevent any liability for the organisation.

Speaking on the compliance level, the Head of Legal Enforcement and Regulations, NDPB, Mr. Babatunde Bamigboye, said the Bureau was still monitoring each organisation on its compliance level, add- ing that there would be commendation for compliance based on the rate and that there would also be sanction for noncompliance when it is time for the Bureau to do so.

Penalty

Organisations that are in breach of the NDPR requirements can face penal- ties that vary in amount depending on the number of data subjects affected. If the data breach impacted more than 10,000 data subjects, the organisation can be fined up to two per cent of its annual revenue or N10 million. If the data breach impacted less than 10,000 data subjects, the organisation can be fined up to one per cent of its annual revenue or N2 million.

Personal data

Personal data is any information relating to an identified or identifiable natural person and includes name, address, email address, photo, bank details, social media posts, medical information, and like information. If you or your organisation collects, records, stores, retrieves, uses, or transmits any form of personal data in respect of any person, then the provisions of the NDPR and the Compliance Notice (VOL.1/ NDPB/CN/1/22) applies to you and your organisation.

In accordance with the Compliance Notice, organisations are required to read and understand the provisions of the NDPR 2019 as it relates to data collection and processing by the organisation, develop and implement a privacy policy that is consistent with the NDPR 2019, notify the organisation’s customers and online visitors of the privacy notice/policy, designate at least one or two members of the organisation as the organisation’s Data Protection Contact(s).

These contacts will be eligible for a free induction course in data protection regulatory compliance sponsored by the NDPB and will thereafter serve as the organisation’s Data Protection Officers (DPOs), mandating all the service providers to comply with NDPR 2019.

Last line

While the 9th Assembly failed to pass the bill, the current National Assembly should take due credit and ensure the speedy passage of the bill, and President Bola Tinubu should quickly assent to it for the good of posterity. The passage of a comprehensive data protection law in Nigeria is urgent and should not be delayed any further.