On 25 January 2019, the Nigeria Data Protection Regulation was issued by the National Information Technology Development Agency (NITDA), the country’s ICT regulator. Among the objectives behind this regulation were the protection of the privacy rights and freedoms of Nigerian citizens, on the one hand, and the promotion of local and foreign investments in the digital economy by safeguarding the information systems infrastructure against breaches and implementing internationally compatible rules, on the other hand.
THE ICT REGULATOR AS DATA PROTECTION AUTHORITY
Nigeria is one of the few countries in Africa (the Ivory Coast being another example) which have decided to establish a privacy regulatory framework without creating a dedicated data protection authority. NITDA, statutorily instituted in 2007, has a mandate to oversee compliance with privacy laws. From a practical point of view, this stance has some advantages: there are examples of data protection statutes which, several years after being enacted, still cannot be enforced because they provided for the establishment of a data protection regulator and, for various reasons, including budget, that regulator was never created.
Another advantage is the possibility of having, within the same body, expertise in both information security and privacy. These two areas, which are both central to data protection, are often handled by separate authorities, which can create coordination issues unless those authorities have set up means of systematically working closely and jointly.
The regulation has an extra-territorial scope and applies to data controllers located outside Nigeria who process the personal data of individuals who reside in Nigeria. The regulation therefore applies, for example, to most non-Nigerian social media companies with Nigerian-based users.
SOME KEY FEATURES OF THE DATA PROTECTION REGULATION
The definition of “personal data” is similar to that of other African countries and the European Union’s General Data Protection Regulation (GDPR) in that the term refers to “any information relating to an identified or identifiable natural person”. The definition further provides examples of personally identifiable information and includes MAC addresses, IP addresses, IMEI numbers, IMSI numbers and SIM numbers. NITDA considers that the personal data of deceased data subjects falls in the scope of the regulation and can be enforced by their estate.
The concept of “processing” is broadly construed and includes, inter alia, data collection, recording and consultation. This means, for example, that any operation intended to de-identify personal data (encrypting, anonymising, pseudonymising, hashing or scrambling it before it is used for behavioural analysis or statistics) is itself a processing activity and falls within the scope of the regulation. The same applies to any remote access or remote viewing of personal data by, for instance, an IT support service provider, even if the data is not hosted on its systems.
With regard to the general principles governing data processing, the regulation provides that data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the data subject, and that the data must be: adequate, accurate and without prejudice to the dignity of the human person; stored only for the period within which it is reasonably needed; and secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain, fire or exposure to other natural elements.
The legal bases on which personal data can be processed are: consent, the necessity for the performance of a contract, the compliance with a legal obligation, the protection of a vital interest and public interest. Consent must be given by a statement or a clear affirmative action. This means that consent on an opt-out basis is prohibited.
Data subject rights are similar to the rights found in the GDPR or in the Kenyan and Beninese laws. They include the right to be informed in a clear, transparent and comprehensive manner, the right to rectification, the right to object to processing, the right to be forgotten, the right to restrict processing and the right to data portability.
EMPHASIS ON ACCOUNTABILITY
Whereas the majority of the Economic Community of West African States (ECOWAS) countries require a notification to the data protection authority, or sometimes its authorisation, prior to processing data (a requirement which is challenging for small and medium-sized enterprises to comply with, and which would require a significant headcount increase at the regulator if it were widely complied with), Nigeria has opted for a less bureaucratic approach and has instead imposed self-audits on data controllers who process the personal data of 1,000 data subjects or more.
Beyond 2,000 data subjects, data controllers must provide a summary of their audit to NITDA annually, by 15 March. The regulation also requires the appointment of data protection officers. Guidance to be issued by NITDA will provide further detail on the thresholds beyond which it will be mandatory for an organisation to have an internal or external data protection officer.
Compliance and self-audits are encouraged by the creation of Data Protection Compliance Organisations (DPCOs): organisations such as consulting firms, audit firms and law firms which apply to NITDA for a licence to provide training, auditing and consulting services throughout the country. DPCOs are expected to verify self-audits prior to their submission to NITDA. This is a means of decentralising compliance activities for greater efficiency.
The sanction for breach of the regulation, where the data controller deals with more than 10,000 data subjects, is the greater of NGN 10 million and 2% of the annual gross revenue of the preceding year.
Nigeria continues to refine its privacy legal framework. NITDA is due to publish an implementation framework for the regulation imminently. It is also planning to issue guidance on specific subjects such as the requirements for a data protection officer, consent, data subject access requests, self-auditing and international transfers of data. In addition, a bill is under preparation with a view to enacting a data protection statute. The lessons learned from implementing the regulation are expected to form the fulcrum of a pragmatic national law.