The National Information Technology Development Agency (NITDA), in line with its mandate to develop regulations for electronic governance and to monitor the use of electronic data interchange and other forms of electronic communication transactions, introduced the Nigerian Data Protection Regulation (the Regulation) in January 2019.

The Regulation applies to all transactions by both private and public organizations which involve the processing of personal data and seeks to protect the data rights of all natural persons living in Nigeria and all natural persons of Nigerian descent living outside Nigeria.

The Regulation defines personal data as any information relating to an identified or identifiable natural person (data subject), including a name, address, a photo, an email address, bank details, posts on social networking websites, medical information and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number and SIM.

A Data Controller, according to the Regulation, is any person who determines how personal data is processed, i.e. collected, recorded, stored, adapted or altered, retrieved, consulted, used, disseminated, erased or destroyed, and so on.

Under the Regulation, processing of personal data is lawful in any of the following circumstances: if the data subject consents to it; if it is necessary for the performance of a contract to which the data subject is a party; if it is necessary for compliance with a legal obligation; if it is necessary for the protection of the vital interests of the data subject or another natural person; or if it is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate.

The Regulation prescribes the principles guiding the processing of personal data, specifically stating that anyone who is entrusted with or in possession of personal data owes the data subject a duty of care and is accountable for any acts or omissions in respect of same.

The Regulation imposes a strict obligation on data controllers to obtain consent of the data subjects, and this must be without fraud, coercion or undue influence. The data subject must be informed of this right and of the ease of withdrawing his consent at any time as well. Furthermore, data controllers are prohibited from seeking the consent of the data subject in circumstances that could lead to the direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conduct.

Data controllers have a duty to develop security measures to protect personal data such as protecting their systems from hackers and employing data encryption technology among others. The Regulation mandates all data controllers in Nigeria to make available to the public their privacy policy within three months of the date of issuance of the Regulation and also to conduct a detailed audit of their data protection practices within six months of the issuance of the Regulation. Transfer of data to a foreign country or a Non-Governmental Organization is to be carried out in accordance with the Regulation and under the supervision of the Attorney General of the Federation.

The Regulation stipulates the penalty for breaches by data controllers. The penalty is based on how many data subjects a company processes. For companies with over 10,000 data subjects, the fine is 2% of the Annual Gross Income or ₦10,000,000 (Ten Million Naira), whichever is higher, and for companies with fewer than 10,000 data subjects, the fine is 1% of the Annual Gross Income or ₦2,000,000 (Two Million Naira), whichever is higher.

With respect to resolution of grievances, the Regulation provides that NITDA must set up an Administrative Redress Panel to investigate and provide redress in respect of alleged breaches of personal data. This is without prejudice to the data subject’s right to judicial redress.

Generally, the Nigerian Data Protection Regulation is a welcome step as it strengthens the regulatory framework for the protection of personal data in the country. Provisions for consent and a specific purpose for the processing of personal data are critical as they ensure that the data is not processed without the approval of the subject.

Some areas of the Regulation may, however, require a second look in terms of practicability. For example, there are no specific modalities for the Attorney General's supervision of the transfer of data to foreign jurisdictions or to NGOs. Moreover, data can now be transferred over the internet with a few clicks, making supervision challenging. Additionally, the three-month period for organizations to provide their privacy policies may now have proved unrealistic and will likely require extension. The same fate is likely to befall the six-month audit period. More publicity therefore needs to be given to the Regulation to facilitate compliance by affected persons.