In Europe, the processing of personal data and the free movement of such data is currently governed by the 1995 European Directive (95/46/EC) (the Directive). Effective May 25, 2018, the Directive will be replaced by the General Data Protection Regulation (GDPR), which will be directly applicable throughout the EU without requiring implementation by the EU Member States. The purpose of the change is to increase legal certainty, reduce the administrative burden and cost of compliance for businesses that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace.
Importantly, the GDPR carries extra-territorial effect that will impact on the activities of businesses based outside the EU. The GDPR is set to become the benchmark for data protection, with non-compliance limiting the ability of a company to market or sell products or services online or offline in the EU, partner with an EU organisation, or access funding from an EU-based investor.
This brief summarises the scope, extra-territorial effect, and practical significance of the GDPR for businesses in Nigeria.
1. Territorial Scope of the GDPR
It is important for a business based in Nigeria to understand the extent and scope of the rules and to devise an approach for compliance. Companies are now directly responsible for data protection compliance as long as they are processing EU citizens' personal data, notwithstanding the location of the company. If you are a business based in Nigeria with customers based in the EU, or your services are targeted at EU consumers (regardless of whether payment is taken), or you monitor customers resident in the EU, the GDPR will apply to you.
Personal data is defined broadly under the GDPR. Personal data is any information relating to a natural person that facilitates the direct or indirect identification of that person by reference to an identifier. An identifier includes any of the following: a name, an identification number, a telephone number, a job title, an email address, data that relates to the activities of an individual or their areas of interest, genetic data, biometric data, and technology-based identifiers (location data, MAC addresses, and computer IP addresses). This definition extends to websites and applications that have the ability to track and collect information (for instance via tracking cookies) about the online activities and behaviour of EU residents.
The GDPR applies to 'data controllers' and 'data processors.' A data controller is a person or entity that determines what information is used for and how, while data processors are the persons or entities who may be engaged by a controller to process personal data on its behalf (e.g. as an agent or supplier). Under the GDPR, data processors will be required to comply with a number of specific obligations and will be directly liable to sanctions or compensation claims if they fail to meet these obligations. For instance, a data processor will be required to maintain records of personal data and of the processing activities carried out with respect to such data. In certain instances, a person or entity could be both the data controller and the data processor with respect to a particular data set.
2. Effect of the GDPR on Businesses based in Nigeria
The GDPR will have an impact on businesses based in Nigeria that offer goods or services to individuals in the EU, process data connected to the offering of goods or services to businesses and individuals in the EU, or track/monitor the behaviour of consumers within the EU.
Specifically, the GDPR will affect any business based in Nigeria that carries out any of the following:
(a) owns or processes data that pertains to individuals resident in the EU.
(b) markets, sells or contacts EU residents through websites, emails, sms, and telephone.
(c) tracks the engagement of EU residents through cookies for profiling, service provision, improvement, and other purposes.
In line with the GDPR, businesses need to demonstrate that they have obtained the consent of a customer to receive marketing materials. For instance, the usual opt-out provisions on websites and online marketing documents will need to be replaced by an opt-in clause demonstrating that the customer has given specific consent. Mechanisms for obtaining such consent must be introduced: a written statement, ticking a box, choosing a technical setting for an information society service (ISS)[1], or any other conduct that clearly shows that the individual understands and is freely giving their consent to the use of their data. A pre-ticked box, or continued use of a service by an individual, will not amount to valid consent.
These responsibilities will impact on the activities of business-to-business (B2B) and business-to-consumer (B2C) relationships. Stricter responsibility applies to marketing engagement with individuals, as there are specific rules governing marketing engagement that uses a customer's email address or telephone number.
3. Best Practice under the GDPR
(a) Concerning the disclosure or re-use of personal information, data must be used for purposes connected with the original intended purpose for which it was obtained.
(b) Steps must be taken to ensure that data is kept safe and secure.
(c) Data must only be kept for as long as it is needed and for the purpose for which it was obtained.
(d) Data must be accurate. Where it is not, revisions must be made. Individuals can request that their data be updated.
(e) Data must only be collected and stored for its intended purpose.
(f) Serious data breaches must be reported within 72 hours to the supervisory authority, while data subjects have to be notified as soon as reasonably feasible.
4. Enforcement Action and Sanctions
The GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:
(i) A person may claim compensation for 'material or non-material damage'. The inclusion of 'non-material' damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.
(ii) Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf. This may lead to class actions.
Non-compliance with the GDPR attracts a sanction of up to 4% of the annual worldwide turnover of an organisation. The fines will be imposed by reference to the revenues of undertakings rather than the revenues of the relevant controller or processor.[2] Although it has not been established what constitutes an undertaking, in many cases group companies have been regarded as part of the same undertaking. It is therefore likely that group revenues will be taken into account when calculating fines, even where some of those group companies have nothing to do with the processing of data to which the fine relates, provided they are deemed to be part of the same undertaking. The assessment will turn on the facts of each case.
Fines are split into two broad categories according to the type of breach, with the amount depending on the turnover of the undertaking.
(i) Category A – Fines of up to 20,000,000 Euros or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year. This will apply where transfer restrictions have been breached. Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in the GDPR are met.
(ii) Category B – Fines of up to 10,000,000 Euros or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is higher. This will apply for failing to keep records or to comply with security obligations.
Fines can be imposed in combination with other sanctions.
5. Practical implications
The GDPR increases the liabilities of businesses and will capture many businesses operating outside the EU due to its extra-territorial effect. Businesses not established within the EU that are nevertheless caught by one or both of the 'offering goods or services' and 'monitoring' tests must take into account the effect of the GDPR on their existing processes.
The risk profile for suppliers processing personal data on behalf of their customers has increased, as they now face the threat of revenue-based fines and private claims by individuals for failing to comply with the GDPR. Suppliers need to take responsibility for compliance and assess their own compliance with the GDPR. In many cases this will require the review and overhaul of current contracting arrangements and business cases to ensure better compliance. Businesses should update their data privacy policies in line with the global outlook to promote competitiveness and ensure regulatory compliance.
Suppliers will need to decide, for each type of processing undertaken, whether they are acting solely as a processor or whether their processing crosses the line and renders them a data controller or joint controller, attracting the full burden of the GDPR. This carries particular significance considering the extra-territorial scope of the GDPR.
To minimise risk, businesses should assess the different types of data handled by the business and ensure that data handling processes comply with the provisions of the GDPR. Nigerian businesses should review their data transfer and retention policies and ensure compliance with the standards contained in the GDPR. Also, businesses should treat identifiable personal data as a last resort, to be used only where anonymous[3] or pseudonymous[4] data is not sufficient for a specific purpose. Depending on the use, it is possible to benefit from the flexibility afforded to anonymous and pseudonymous data under the GDPR.
[1] ISS is defined as any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data. This includes services provided by online sellers of goods and services, ISPs, and search engines (E-Commerce Directive (2000/31/EC)).
[2] Parents and subsidiaries within the same corporate group may be regarded as an undertaking: Höfner and Elser v Macrotron GmbH (1991) ECR I-1979.
[3] Anonymisation is the process of removing identifiable information from data sets so that the person to whom the data relates cannot be identified. Such data is outside the GDPR.
[4] Pseudonymisation is the separation of data from direct identifiers so that it is impossible to link the data to an identity without additional information that is held separately. This is a privacy-enhancing technique that is employed to reduce the risks associated with data processing (GDPR, Recital 28).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.