Introduction

The evolution of the Internet has changed the world in many ways. Physical (traditional) operations and daily interactions have over time been supplemented, overshadowed or totally supplanted by online versions riding on the back of developments in information and communication technology (ICT), and consequent migration into cyberspace. ICT has become, within a very short time, one of the basic building blocks of modern society, forcing and creating a culture of dependence on innovative technology.1 The Fourth Industrial Revolution (4IR) is characterised by a fusion of technologies that has blurred the lines between the physical, digital, and biological spheres.2

The concept of data security becomes even more important, considering that we now live in a 'database society.'3 It is this concern that births the concept of data privacy and protection with a view to finding an adequate and well-established legal framework and infrastructure for the protection of data on the internet.4

Aside from the above, the problem of data privacy and its invasion came up as an accessory to the Internet. Privacy entails the right to decide which details of our personal lives should be outside the public domain.5 Though the right to privacy (as a subset of the right to dignity of the human person) remained a guaranteed right vide section 37 Constitution of the Federal Republic of Nigeria 1999 (as amended),6 concerns remained that section 37 is only generic and cannot apply to data privacy.

Nigeria rose up to the challenge, albeit belatedly, starting with issuance of the National Information Technology Development Agency (NITDA) Draft Guidelines on Data Protection 2013. Later, the Nigeria Data Protection Regulation 2019 (NDPR) and the Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020 (Guidelines) were issued. Currently, there is a Data Protection Bill 2020 (DP Bill) proposed as an executive bill by NITDA to address the germane issue of data governance and protection. The highlights of the NDPR, the Guidelines, the DP Bill, their interventions and challenges are the focus of this paper.

The Concept of Data Protection and Privacy

Data insecurity is born out of the fact that data is often not in the absolute control of the Data Subject (DS) and as such, might be prejudicial if not in safe hands, given the advent of information technologies to create, collate, manage, manipulate, store, and share information regardless of time and space.7

Data is defined by NDPR to mean "characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals is stored in any format or any device."8 Meanwhile, data privacy relates to the collection, storage or usage of Personal Data (PD) while data protection refers to the action and activities dealing with data security against unauthorised access.9

History of Data Protection Regulation in Nigeria

The history of data protection is as old as ICT. Though there has been the provision for the protection of one's privacy under the Universal Declaration of Human Rights 1948 and in Nigeria's Constitution, this has however not fully guaranteed the right to privacy of one's data, especially given technological developments.

Nigeria's first attempt at data protection can be traced to the Nigerian National Policy for Information Technology (IT Policy).10 Apart from the NDPR, some Nigerian legislation and institutions that impact data protection regulation in Nigeria include the Cybercrime (Prohibition, Prevention etc.) Act 2015, Freedom of Information Act 2011, Nigerian Communications Commission Act,11 NITDA Act,12 etc. However, an in-depth analysis of these laws and institutions has shown an insufficient attempt to regulate data privacy and protection in Nigeria.

The NITDA issued the NITDA Draft Guidelines pursuant to section 6(c) NITDA Act in September 2013, which metamorphosed into the extant NDPR. Later, in May 2020, NITDA issued the Guidelines in July 2020, for public institutions to ensure compliance with the NDPR, and the Framework.

Meanwhile, the Protection of Personal Information Bill 201913 and the DP Bill14 were also introduced; they seek to address the challenge of the dearth of adequate regulation of data privacy and protection in Nigeria.

Analysis of the NDPR, the Guidelines and the Framework

The NDPR seeks to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of PD, prevent manipulation of PD and ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by best practices and a just and equitable legal regulatory framework on data protection.

Article 2 NDPR provides for governing principles for data protection which include that: PD must be lawfully collected and processed with the consent of the DS, used in accordance with the purposes for which it was collected, be adequate, relevant,15 and without prejudice to the dignity of human person, be kept for no longer than is necessary,16 and also be kept against all foreseeable hazards. Where the DS' PD is to be transferred outside Nigeria, section 7 of the Framework applies. It mandates the Data Protection Officer (DPO) to provide the privacy policy of the Data Controller (DC), the overview of the encryption method, data security standards and other details that will guarantee the safety of the PD to be supplied to NITDA who shall in return coordinate the transfer request with the office of the Honourable Attorney General of the Federation (HAGF).

A DC who obtains data from the DS cannot plead ignorance of these provisions: a strict liability duty of care is imposed. Therefore, once there is a processing contract with a third party who is a Data Processor (DP), the DC must ensure that the DS's PD in his (DC's) care is handled in such a way that the rights of the DS will not be violated.

Consent of the DS is mandatory for every data collection to be processed by a third party17 or transferred to a foreign country.18 Consent must be obtained without fraud, coercion or undue influence,19 and in circumstances that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts.20

In case of data transfer to a foreign country, the NDPR obligates the HAGF to ensure that the foreign country ensures an adequate level of protection and puts into consideration issues such as the rule of law, the relevant legislation, both general and sectoral including public security, defence etc.21 However, there can be derogation from this provision provided: there is consent by the DS, the transfer is necessary for the performance of the contract between the DS and the DC, for public reasons, the establishment, exercise or defence of legal claims or to protect the vital interest of the DS.22

The Rights of the DSs contained in Article 3.1 NDPR constitute the core of the NDPR and these include: the right to be informed of the appropriate safeguards for data protection in the foreign country, right to request the DC to delete PD, right to obtain from the Controller restriction of processing of data, right to receive the PD of the DS in a structured, commonly used and machine-readable format and right to data portability. Notably, these rights cover all information on identified or identifiable individuals whereas right to privacy under the Constitution does not.

The NDPR further provides for implementation through the imposition of time-bound actions for compliance, including detailed audit of the privacy and data protection practices.23 Article 4.2 NDPR provides for an Administrative Redress Panel to investigate (within a maximum of 28 working days) alleged breach(es) of the NDPR; invite parties as necessary, issue requisite administrative orders and make determination of appropriate redress. NITDA is also mandated to take steps for local and international cooperation in fostering the implementation of the NDPR, providing international mutual assistance for enforcement, engaging relevant stakeholders in discussion and promoting the exchange and documentation of PD protection.

The Guidelines, on the other hand, were issued to help Public Officers24 handle and manage personal information in compliance with the NDPR, since government at all levels is the largest processor of PD. Some of the Guidelines' provisions are similar to those of the NDPR. Unlike the NDPR, the Guidelines provide the circumstances wherein the grant of a consent must be obtained, such as processing of sensitive information: health, ethnic, political affiliation, religious beliefs etc.

The Guidelines seek to designate some information as sensitive, requiring a higher standard consent-seeking approach: direct, unambiguous and distinct communication of request through electronic means or by writing. The Guidelines mandate every public institution (however without any corresponding liability for non-compliance) to have a DPO and retain the services of a Data Protection Compliance Organisation (DPCO) with the aim of guiding the institution to compliance with the data protection regulations and principles, amongst other things.25

Status Check: A Critique of Extant Provisions

The constitutional provisions on the right to privacy do not fully cover data protection; analytically, what is protected is only informational privacy. Privacy is different from data protection: whilst private life does not necessarily include all information on identified or identifiable persons, data protection covers exactly this information. The permissible interference is another distinction. While the condition of processing information fairly and in accordance with other conditions may be met, thus leading to no interference with data protection, the collection, storage or disclosure of such data may still interfere with private life and therefore demand justification.26

A joint reading of Article 1.2(b) and (c) NDPR excludes its application to artificial persons. This exclusion can have a far-reaching impact on natural persons who are at the helm of affairs of these artificial persons. In Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen,27 the European Union Court of Justice held that legal persons can claim protection under EU data protection law, only insofar as the official title of the legal person identifies one or more natural persons. Given that section 18(2) Companies and Allied Matters Act 2020 now allows single member private companies, lack of protection for data of companies may prejudice the interest of the director and the shareholder.

The provision of the NDPR (Article 2.8(a)) that limits the objection of the consent of the DS regarding his data to where the DC "intend to process for the purpose of marketing" is too restrictive. The implication is that the DC, once granted consent for data processing, can always be held to process the data of the DS, provided there is proof that such processing is not for marketing purposes. What if circumstances change that could amount to deemed withdrawal of consent or make continued consent no longer tenable?28

The NDPR, rather than state the rights of the DS and the obligation on the DC separately, subsumed both under the heading "Rights of a Data Subject."29 Unlike the NDPR, the European Union General Data Protection Guideline (EuGDPR) has by Articles 15 - 21 specifically provided the DS the right of access, right to rectification, right to erasure, right to restriction in processing, right to data portability and the right to object.

The NDPR and the Guidelines have failed to (and cannot) provide a remedy in case of non-compliance with their provisions. For instance, though the NDPR gave the DS the right to seek redress in Court, it also provides (vide Article 4.2.(6)) that a breach of the NDPR is a breach of the provisions of the NITDA Act. Meanwhile, sections 17 and 18 NITDA Act only provide for offences, which are criminal in nature and for which punishment ranges from a fine of N200,000 or N500,000; and/or one or three year imprisonment in case of first and/or subsequent offences respectively.

Particularly, Article 2.10 NDPR has provided that "any person subject to this Regulation who is found to be in breach of the data of the privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to ...(a)...fine of 2% of Annual Gross Revenue...(b)...fine of 1% of Annual Gross Revenue..." The question thus arises, does criminalising breach of the NDPR erode the DS' right to civil action against the DC? We respectfully submit otherwise: such a DS can, depending on the facts, sue under tort for defamation,30 trespass to land and nuisance,31 breach of confidentiality obligation32 or for copyright infringement.33

The closed-ended designation of some information as being sensitive by the Guidelines, thereby demanding a higher standard of consent seeking, is counter-productive. Unlike the Guidelines, the NDPR has defined sensitive PD to include "...any other sensitive personal information." Thus, strict compliance with the Guidelines will lead to challenges as some sensitive information is not covered in the list provided by the Guidelines.

Looking Beyond Extant Provisions: The DP Bill

As discussed above, the Guidelines and the NDPR are largely insufficient to address detailed regulation, or guarantee data privacy and protection in Nigeria. However, the DP Bill pending before the National Assembly, portends some hope for regulation of data privacy and protection in Nigeria.

The DP Bill seeks to establish the Data Protection Commission (DPC) charged with responsibility for the protection of PD, rights of DS, regulation of the processing of PD and for related matters. The objectives of the DP Bill include the promotion of a code of practice that ensures the privacy and protection of the DS, minimise harmful effect of PD misuse, and ensure the processing of PD in a transparent, fair and lawful manner with the provision of the Bill and other laws of the nation.

The DP Bill gives an exhaustive and open-ended definition of what constitutes data, including personal and biometric data revealing a DS' identity, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership; personal banking and accounting records etc.34 The principles of processing PD under the DP Bill are synonymous with the NDPR's provisions. The provision on consent and withdrawal of same is an improvement on the NDPR's equivalent, in that the "data subject shall have the right to withdraw his consent at any time."35

The rights of the DS under Part V, DP Bill include access to the data he has provided the DC, and to have it erased or rectified as may be necessary in the circumstances. Also, the DS is entitled to be informed about the processing of his PD36 and where need be, have the processing of his data suspended.37

The fact that these rights are termed 'rights' does not make them fundamental rights that can be enforced using the Fundamental Right Enforcement Procedure Rules 2009 (FREP Rules).38 The proposed constitutional amendment should factor in the inclusion of these rights or rather adopt these rights as contained in the DP Bill as fundamental human rights so that the FREP Rules can apply.

A key aspect of the DP Bill is the provision for the DPC under Part III as a supervisory and regulatory body. The DPC's powers include the power to investigate complaints, impose fines/penalties and apply to court for issuance of warrant for any act or omission under the provision of the DP Bill. However, the power of regulatory bodies like NITDA to impose fines has been reviewed in cases like NOSDRA v. Mobil Producing Nigeria Unlimited39 vis a vis constitutional provisions on fair hearing.

In NOSDRA, the Court held that the power to impose fines and penalties resides in the court or tribunal established by law, since it borders on the determination of the civil rights and obligations of such party. Consequently, where the regulatory body is to impose such fines and penalties, section 36(2) 1999 Constitution provides that the law must grant the other party the opportunity to be heard; furthermore, the determination of such administrative body is not final and conclusive. The absence of these fair hearing (safeguard) provisions in the DP Bill is fundamental and portends some risk of being declared null and void, given decisions like NOSDRA.

Unlike the NDPR and the Guidelines, the DP Bill's Part VI seeks to regulate the management and processing of sensitive data. Sensitive data involves that of a child under parental or guardian's control, religious or philosophical beliefs, ethnic origin, race, political opinions, health, sexual life or behaviour of a DS. In the case of a child, there is also an imposition of vicarious liability on the DC for actions of the DP.40 This should put the DC on its toes to be able to secure the necessary protection of data in its care.

One of the revolutionary provisions of the DP Bill is the right of the DS to be notified of any data breach, within forty-eight (48) hours of such breach.41 There is also provision for compensation or making restitution to the victim42 in addition to the penal sanctions provided under Part XI. However, (as noted above), since this is not a fundamental right action, the speedy enforcement afforded fundamental rights actions will not apply.

Conclusion

The above analysis has revealed the present state of the data protection regime in Nigeria; clearly the progress made is not yet substantial. The lack of a true legislation that creates rights, obligations, penalties and civil liabilities will continue to be a clog in the wheel of progress of data governance in Nigeria. "Data is life" and must be guided through a combined effort of pro-active institutions, up-to-date legislation and clear-cut regulations as necessary.

As already captured in the National Digital Economy Policy and Strategy (NDEPS), developmental regulation is the first pillar in achieving a digitised economy; data protection is a backbone to a digital economy and therefore must be duly ensured and regulated. The government must not rest on its oars, having issued the NDPR and the Guidelines, but proceed to enact subject specific legislation that would have far-reaching effect on data privacy and protection of Nigerians.

No doubt, the DP Bill is a boost to winning the war over the dearth of proper regulation and protection of PD in Nigeria. The National Assembly is enjoined to give it speedy passage, and the Executive to follow suit vide prompt presidential assent and scrupulous implementation of its provisions. Aside from the signing of the DP Bill into law and setting up of the DPC, there must be will power to enforce these rights and sensitise the citizenry on the rights guaranteed by the legislation.

Footnotes

 

1. A. E. Patrick, et al, 'ICTs and Sustainable Development of Higher Education in Nigeria: Rewriting the Ugly Narrative', Journal of Educational and Social Research Vol. 4 No. 1, p. 357.

2. The reality is that technology today has entirely transformed the way we interact with each other and has had a profound impact on the way in which businesses operate: Cynthia Yav, 'Legal Frameworks for Data Protection in South Africa and Nigeria' (http://www.centurionlawfirm.com/legal-frameworks-for-data-protection-in-south-africa-and-nigeria/) (accessed 04.06.2018). See also generally, 'National Digital Economy Policy and Strategy (2020-2030)' (NDEPS): (https://www.ncc.gov.ng/docman-main/industry-statistics/policies-reports/883-national-digital-economy-policy-and-strategy/file) (accessed 09.12.2020).

3. B.O. Jemilohun, 'An Appraisal of the Legal Framework for Data Protection in Cyberspace in Nigeria' (unpublished Ekiti State University Ph.D Thesis, 2015), 131.

4. Linet Kwamboka, 'After the Facebook-Cambridge Analytica Scandal, Can We Talk About Data Privacy in Africa Now?' Quartz Africa, 05.04.2018: (https://qz.com/africa/1245876/facebook-cambridge-analytica-scandal-heralds-better-data-privacy-in-nigeria-kenya-other-african-countries/) (accessed 11.12.2020).

5. A. Gunnarsson and S. Ekberg, 'Invasion of Privacy Spam – One Result of Bad Privacy' (unpublished M.Sc thesis) Blekinge Institute of Technology, (2003), p. 3: (http://www.diva-portal.org/smash/get/diva2:832773/FULLTEXT01.pdf) (accessed 23.12.2020).

6. The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. See also Article 17(1) of the International Convention on Civil Political Rights of 1966 which provides that "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation" and Article 12, Universal Declaration of Human Rights 1948.

7. I.J. Ikenwe, et al, 'Information Security in the Digital Age: The Case of Developing Countries' Chinese Librarianship (an International Electronic Journal), 42 (http://www.iclc.us/cliej/cl42IIE.pdf) (accessed 18.05.2018).

8. Article 1.3 NDPR.

9. Emmanuel Omoju and Patience Ajogbor, 'Managing Data Privacy Issues in Corporate Restructuring: Key Considerations for Investors', BusinessDay, 01.12.2020, p. 13. Some of the possible measures for the protection of data are contained in the NDPR to include protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals etc. See Article 2.6 NDPR.

10. Olumide Babalola, 'Casebook on Data Protection' (2020), p.2.

11. Cap. N9, Laws of the Federation of Nigeria (LFN) 2004.

12. No. 28 of 2007.

13. This Bill, sponsored by Senator Stella Oduah, is still at the First Reading Stage: (https://placbillstrack.org/view.php?getid=6851) (accessed 14.12.2020).

14. The DP Bill is available at (https://www.ncc.gov.ng/documents/911-data-protection-bill-draft-2020/file) (accessed 11.12.2020).

15. A data collection is said to be relevant where the DC does not seek to obtain data other than that which is needed. For instance, in the course of opening a bank account, such bank being the DC is not expected to collect information relating to sex life, health records or religious affiliations of such a DS.

16. Section 8.2 Framework provides that in the absence of any contract, the retention period shall be three (3) years after the last active use of a digital platform; six (6) years after the last transaction in a contractual agreement; or upon presentation of evidence of death by a deceased's relative and immediately upon request by the DS or his/her legal guardian where no statutory provision provides otherwise and the DS is not the subject of an investigation or suit that may require the PD sought to be deleted.

17. In case of such third-party processing, there must be a written contract between the third party and the DC. The DS, despite the grant of his consent, has the right to withdraw his consent at any time where the DC intends to process for the purpose of marketing. See Article 2.8 NDPR.

18. See Article 2.12 and 3.1(8) NDPR. This is however subject to the absence of NITDA or the Honourable Attorney General of the Federation to decide on the existence of a legal system of the foreign country on the area of the rule of law, respect of human right etc. See Article 2.11 (b) NDPR.

19. Article 2.3 NDPR. A consent according to the NDPR means any freely given, specific, informed and unambiguous indication of the DS' wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of PD relating to him or her. Such consent must however be transparent, not implied or bundled consent amongst some general terms and conditions. See Section 5.2 Framework.

20. Article 2.4(a) NDPR. A child according to Section 5.5 Framework is any person below 13 years of age. The DC/DP must make sure that its privacy policy is user friendly to allow understanding before the children or their guardian gives consent. Also, while there are two types of consent viz: explicit or opt-in consent, the Framework mandates the use of explicit consent for sensitive data. An explicit consent gives clear and documentable consent e.g. tick a box, sign a form, send an email or sign a paper. See Section 5.3.2 and 5.4 of the Framework.

21. Article 2.11 NDPR. The Framework's Section 7 embodies some prescriptions for the implementation of this. For example, there is recognition for some whitelisted countries based on existing legal frameworks in their respective jurisdictions as being data protection compliant.

22. Article 2.12 NDPR.

23. Article 4 NDPR. There is however no civil liability where there is non-compliance apart from the criminal action under the NITDA Act.

24. This refers to any person responsible for leadership, management or administration of Public Institution, upon whose directive officers are mandated to act or discharge their duties. Section 9 Guidelines.

25. Section 2.6 and 2.7 Guidelines.

26. J. Kokott and C. Sobotta, 'The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR' International Data Privacy Law, 2013 Vol. 3 No. 4, pp. 222-228: https://academic.oup.com/idpl/article/3/4/222/727206 (accessed 20.12.2020). See also Olaghere v. PP&P (Nig.) Ltd. (2013) All FWLR (Pt. 661), 1593 H.C.

27. [2012] All ER (EC) 127.

28. Article 2.8 (Objections by the Data Subject) provides: "The right of a Data Subject to object to the processing of his data shall always be safeguarded. Accordingly, a Data Subject shall have the option to: a) object to the processing of Personal Data relating to him which the Data Controller intend to process for the purpose of marketing; b) be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge."

29. Part 3 NDPR.

30. The protection is however limited on the ground that what would not amount to defamation may still amount to breach of privacy. For defamation to be established, such statement must reflect on the reputation of such a person. See Nwachukwu v. Nnoremele (1957) 2 ERLR 50.

31. Both torts favour the person in occupation and cannot deal with electronic and optical surveillance, which can be carried on from a great distance. See Peel and Goudkamp, 'Winfield and Jolowicz on Tort' (Sweet & Maxwell, 19th ed., 2014), Para 13-145 (p. 418).

32. See Aero Contractors v. Akingbehin Unreported Suit No: NICN/LA/123/2013, Oyewunmi, J's judgment of 16.06.2015: the Defendant breached the duty of confidentiality by disclosing details to his counsel, who published same in a letter to the company for the purpose of blackmail; and Akinsanya v. Coca-Cola Unreported Suit No: NICN/LA/40/2012, Oyewunmi, J's judgment of 07.04.2016, which held that the disclosure of the Plaintiff to her husband breached the confidentiality agreement. See also the case of Coco v. AN Clark (Engineers) Ltd [1969] RPC 41 @ 47 where it was held that the requirements for breach of confidence include: "(1) the information must have the necessary quality of evidence about it; (2) the information must have been impacted in circumstances importing an obligation of confidence; and (3) there must be an unauthorized use or disclosure of that information to the detriment of the party communicating it." There is no provision in the NDPR about contractual obligations coming to play where there is a breach of confidential agreement.

33. See Williams v. Settle [1960] 1 WLR 1072, where it was held that selling of the photograph taken at the Claimant's wedding was a total disregard for the rights of the Claimant. However, the provision of section 10 Copyright Act Cap. C28, LFN 2004 may not permit this decision to be applicable: unless expressly agreed to the contrary, the authorship will always reside in the photographer.

34. Section 2(4) DP Bill. However, there is a restriction of the definition of PD to that of natural person as contained in section 66 DP Bill. As earlier stated, data relating to artificial persons may have a far-reaching effect on the personality of the DS.

35. Section 5(4) DP Bill; cf. with Article 2.8 NDPR.

36. Section 6(1) DP Bill.

37. Note that under section 23 DP Bill, what will be deemed to be legitimate ground for processing the DS' information notwithstanding the right of the DS, should not be left to the discretion of the DC/DP. Rather, the Court's or DPC's consent should be sought and obtained so as to prevent arbitrariness.

38. See Incorporated Trustees of Laws and Rights Awareness Initiative v. National Identity Management Commission, Unreported Suit No. FHC/AB/CS/79/2020, Watila, J's judgement of 09.12.2020, where it was held that data protection is an ancillary claim to a fundamental rights enforcement action. The learned judge further held that a breach of the NDPR amounts to a breach of the NITDA Act and not of the fundamental human rights provisions of the 1999 Constitution. Therefore, the rights contained under the DP Bill, if passed into law, will most likely suffer similar fate as under the NDPR.

39. (2018) LPELR- 4210 (CA). Cf. with Ediru v. FRSC & Ors [2016] 4 NWLR (Pt. 1502), 209 where the Court of Appeal held that the power of the 1st Respondent to issue fine was not a violation of the fair hearing provision in the Constitution in that the Notice of Offence issued to the Appellant does not amount to a charge or information; and that the election of the Appellant to pay fine in exchange for prosecution does not constitute a violation, but a waiver of the right to fair hearing.

40. Section 31 DP Bill.

41. Section 17(3) DP Bill.

42. Section 50 DP Bill.
