BUILDING AN EFFECTIVE SYSTEM FOR ENFORCEMENT OF DATA PROTECTION RIGHTS IN NIGERIA: THE SETBACKS AND WAY FORWARD
Up until recently, data[i] protection rights have almost never been a subject of national concern. However, with the emergence of the digital economy and the need to regulate and keep pace with international regulatory instruments like the GDPR[ii] on the sanctity of personal data[iii], the nation’s IT hub – NITDA[iv] – in May 2019 enacted an unprecedented data protection regulation – the NDPR[v] – and subsequently, the DP Bill,[vi] 2020.
This paper’s principal remit therefore will be to critically examine the NDPR and the Draft Bill and the enforcement impediments/defects, and to provide practical ways forward.
That said, it would be fatal to begin without defining the two terms that engulf this essay: data controller and data subject. In so doing, this paper confines itself sensu stricto to the definitions enshrined in the NDPR, 2019.
Data controller: “… a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed”[vii]
Data subject: “… any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”[viii]
2.0 THE GIANT STRIDE
Being a primus inter pares regulation strictly targeted at the subject of data confidentiality, the enactment of the NDPR by NITDA received lots of commendations from stakeholders, actors and data enthusiasts. Soon after, commendations gave way to criticisms. Indeed, the limited breadth of the NDPR and arguments levied against the ineffectiveness of a regulation as against an Act of the National Assembly were worthy claims. As a quick response to the need for a more effective legal framework, the Data Protection Bill, 2020 was drafted and is currently undergoing review at the National Assembly.
3.0 NDPR AND THE DRAFT DATA PROTECTION BILL, 2020: OVERVIEW
There is no doubt that the objectives of the two documents revolve around the inviolability of personal data in accordance with best practice. In fact, one should expect no less than the compliance captured in the Bill in a digital economy where breaches pollute, especially, the banking and telecommunications[ix] industries owing to the absence of a regulatory framework.
To this end, the DP Bill has been applauded for its proactive clauses and wider reach, like the inclusion of fixed penalties for non-compliance[x] by data controllers, which the NDPR failed to capture.
Similarly, unlike the NDPR, and following on the heels of the heavy fine imposed by the U.K. ICO[xi] on British Airways for breaching the data of more than 400,000 of its customers,[xii] the Bill places a whopping fine of N10 million on data controllers on failure to build strong firewalls against data manipulations.[xiii]
Meanwhile, the creation of the Data Protection Commission (DPC) with responsibilities to ensure and enforce compliance is stunning, for it relieves NITDA of her role on data protection and enables her to serve as a mother agency.
Most significantly, it lays to rest all debates as to the exclusion of paper-based data violations by covering the lacuna created by the NDPR, which restricted itself to electronic data. According to the Bill, personal data processed by ‘automated and non-automated’[xiv] means are now regulated.
Nonetheless, as is the case in the Nigerian legal system, one bottleneck that readily destroys the beautiful intentions of our laws is the inert enforcement strategy. Suffice it to say that the Bill, though beautiful in theory, is likely to be impeded. A number of such bottlenecks are discussed in the succeeding paragraphs.
4.0 IMPEDIMENTS TO THE ENFORCEMENT OF DATA PROTECTION RIGHTS IN NIGERIA
- LEGAL ARGUMENTS: There have been legal arguments as to the mode of commencing a data breach action. Some proponents claim that the data protection right is subsumed under section 37 of the Constitution, hence an action can be instituted under the FREP rules. Opposing views however reason that the FREP rules by nature deal only with rights contained in Chapter IV of the Constitution. The judicial cases DRLI v. LTSM[xv] and RAI v. NIMC[xvi] respectively have been the grounds upon which these factions rely. These arguments, if not properly resolved by the extant laws, will culminate in a barricade to the enforcement of the Bill.
- EXTRA-TERRITORIAL APPLICATION: “Will the NDPR afford me protection anytime I am outside Nigeria even within the regions where, GDPR is, for example applicable?” This striking question by Olumide Babalola exposes the errors in the NDPR and the DP Bill, which merely extended their scope to persons of Nigerian descent abroad[xvii] but failed to show HOW it would be enforced across borders, especially in climes with data privacy regulations, for there will undoubtedly arise the issue of conflict of laws.
- UNNECESSARY JUDICIAL FORMALITIES: In the event that a data subject enforces his right to judicial remedy pursuant to section 21 of the DP Bill, the unnecessary objections and formalities of court processes, such as the question of locus standi, will play against the enforcement of the DP rules. This the drafters never contemplated, considering the superfluous objections that invade our adjudicating system.
- WHISTLEBLOWING: Prior to the DP Bill, legal writers had deemed helpful the inclusion of whistleblowing[xviii] in the enforcement of the NDPR, which the two documents unfortunately do not capture. The non-inclusion will not only discourage data breach disclosers; data controllers will also leverage this lacuna.
5.0 RECOMMENDATIONS FOR THE ENFORCEMENT OF DATA PROTECTION RIGHTS IN NIGERIA
We cannot gainsay the relevance of this novel regulation in spite of the enormous setbacks that seek to impede its kind motives. In submission therefore, the following paragraphs are my recommendations capable of ensuring that the legal frameworks are not merely a mirage of beautiful clauses in black and white.
- One way to resolve the arguments invading our legal cabins and the incessant preliminary objections in court on the appropriate mode of commencing a privacy breach action is to revise the FREP rules in such a way that they accommodate issues arising from the regulation. Likewise, the extant rules should be made to protect against the striking out of data breach cases for lack of locus standi. By so doing, enforcement against violations by the court will enjoy a smooth run and elevate data rights to those contained in Chapter IV of the Constitution.
- Moreover, the provisions contained in the NDPR should be reassessed in such a way that they do not give rise to further probing. For instance, the uncertainty created by the NDPR with respect to extra-territorial application should be clearly resolved – is it the NDPR or the law of the country where a Nigerian resides abroad that applies?
In my own view however, the circumstances of individual cases and precedents will play vital roles in resolving problems of conflicting laws. Unfortunately, we do not yet have sufficient judicial precedents.
- Finally, to ensure that data violations are not hidden by controllers and processors, the legislature should ensure that the whistleblower’s policy is incorporated into the Bill before it. This, in my opinion, will encourage disclosers to be on the lookout for any such violations, having in mind that they will be rewarded. It is simply the Nigerian phenomenon.
Indeed, data confidentiality has grown into maturity and Nigeria has refused to be left in the dark. This action by NITDA reveals the extent to which the federal government is keen on safeguarding ‘automated and non-automated’ personal information. To achieve this, however, is to ensure that the NDPR and the Bill are refined to measure up to their international counterparts and, much more so, are deliberately and undoubtedly enforced.
ABOUT THE AUTHOR
Tom Utum is a tech and IP enthusiast. His passion for AI and Data science has informed his participation in several trainings. He constantly seeks platforms to learn and build his career. He has authored articles on the Oil and Gas sector, IP and Finance. At his leisure, he plays football or writes poetry. He is currently a 300-level student of Law at the Obafemi Awolowo University, open to internships, volunteering and mentorship.
[i] According to NDPR, Data means “characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”
[ii] General Data Protection Regulation – a trailblazer regulation by the E.U acclaimed for its comprehensiveness, and which has influenced other nations in enacting data regulations.
[iii] According to the NDPR, Personal data means “any information relating to an identified or identifiable natural person (data subjects).”
[iv] National Information Technology Development Agency, established by the NITDA Act, 2007.
[v] National Data Protection Regulation, enacted in 2019 by NITDA.
[vi] Data Protection Bill, 2020 currently reviewed by the National Assembly.
[vii] Article x; 1.3, part 1, NDPR, 2019.
[viii] Article xiv; 1.3; part 1, NDPR, 2019.
[ix] MTN Nigeria Communications Ltd v Barr Godfrey Eneye (2013), SUIT NO: CA/A/689/2013
[x] Section 44 of the Data Protection Bill, 2020
[xi] Information Commissioner’s Office is the UK’s independent body set up to uphold information rights and ensure compliance of the GDPR.
[xiii] Section 45 of the Data Protection Bill, 2020
[xv] Digital Rights Lawyers Initiative vs. LT Solutions & Multimedia Limited; Suit No. HCT/262/2020 (unreported)
[xvi] Incorporated Trustees of Laws & Right Awareness Initiative vs. National Identity Management Commission; Suit No. FHC/AB/CS/79/2020 (Unreported)
[xvii] Article 2.3 of the NDPR, 2019; Section 2(1) of the Data Protection Bill, 2020.