In February 2022, following an application by the Minister of Communications and Digital Economy, Professor Isa Ali Pantami, President Muhammadu Buhari confirmed the establishment of the Nigeria Data Protection Bureau ("NDPB" or the "Bureau"). Although it is unclear at this time the full extent and scope of the Bureau's powers and duties, reports indicate that the Bureau is vested with the primary mandate of focusing on data protection and privacy for Nigeria. It will also be responsible for consolidating the gains of the Nigeria Data Protection Regulation, 2019 ("NDPR" or the "Regulation"), and will support the development of legislation for data protection and privacy in Nigeria.1 Dr. Vincent Olatunji, the Director of the e-Government Development and Regulations Department at the National Information Technology Development Agency ("NITDA"), the federal government agency responsible for the administration and implementation of the NDPR, was appointed as National Commissioner/Chief Executive Officer of the Bureau.2
As earlier stated, the scope of the Bureau's regulatory powers and functions within the sphere of data privacy and protection in Nigeria, is still unclear; as an enabling law establishing the Bureau does not exist at this time. It is therefore uncertain what conflicts and/or overlaps (in terms of scope, functions, etc.) will exist with other regulators such as the NITDA. It is, however, noted that the statement issued on behalf of the Minister of Communications and Digital Economy, announcing its establishment, also indicates that the Bureau is established to, amongst others, work with other agencies of the Federation to procure the establishment of a federal legislation for the regulation of data protection and privacy rights in Nigeria. Since there are, apart from the NITDA, several other sectoral regulators which regulate issues of data protection within their sectors, it is expected that the enabling law for the Bureau will work to strike a balance and facilitate collaboration among all these federal agencies.
Whilst the collaborative nature of the key function of the Bureau is an admirable proposal, a critical legal issue to be considered is the constitutionality of a federal law regulating data protection. This is because 'data protection' appears to be a residual matter which falls within the exclusive legislative powers of States, since it is not captured under the Exclusive Legislative List ("ELL") or the Concurrent Legislative List ("CLL") in the Second Schedule to the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (the "Constitution"). However, we note that the right to privacy is entrenched in Part IV of the Constitution. We also note that by virtue of the provisions of Item 68 of the ELL which permit the National Assembly to legislate on any matter incidental or supplementary to any matter mentioned anywhere on the ELL, the Federal Government of Nigeria ("FGN") may, through laws passed by the National Assembly, regulate data protection as being incidental or supplementary to "fingerprints, identification and criminal records", which are items listed on the ELL.
In order to ensure the practical and holistic administration of data protection, thorough discussions must be had, to understand the constitutional basis on which the Bureau seeks to serve a regulatory role. Additionally, it is expected that the Bureau, the NITDA and other relevant agencies will work coherently (with industry stakeholders) to achieve this feat.
Nigeria has recorded increased data penetration over the last decade, with attendant increase in the processing of personal data as a fundamental part of various business activities. As such, a well thought-through and coherent data governance framework is an undeniable imperative for the Nigerian economy at this stage. It is expected that the Bureau will not only work to supplement the efforts of the NITDA but also seek to work with State governments to facilitate the adoption of a truly national data protection legislation; that will provide a uniform data protection governance framework without duplication of bureaucratic administrative obligations for data processors (as well as the appurtenant multiple costs related thereto).
Recognizing the central role of data protection in a digital economy and the existence of sector specific regulatory agencies, such as the Nigerian Communications Commission and the Central Bank of Nigeria, which also regulate data protection within their respective sectors, it will thus be critical for the FGN to ensure seamless synergy between the Bureau and the NITDA and other sector-specific agencies. It is suggested that, the formula adopted with regard to the Nigerian Code of Corporate Governance, 2018 and the Federal Competition and Consumer Protection Act, 2018 should be adopted; where sector-specific regulators commit to enforcing the relevant standards in their sectors but are required to leave certain core technical issues to the technical regulator. As between the NITDA and the Bureau, NITDA's role may be limited to developing standards, guidelines and regulations, as expressly stated in its enabling Act, while the Bureau is empowered to implement and enforce such standards, guidelines and regulations. Where this approach is adopted, each agency is enabled to develop specialization and focus, necessary to ensure a robust and effective data protection framework for the country.
Generally, the protection of privacy rights and data protection has increasingly become important across the globe. Personal data breaches across numerous data heavy corporations and smaller institutions continue to be on the rise. It is thus pertinent that data protection be given unique and sufficient attention from a regulatory perspective. The introduction of the Bureau indicates that the Government is fully aware of this.
Notwithstanding, it is pertinent that the FGN and the relevant state governments ensure:
- sufficient collaboration in achieving a thought-driven approach to the scope, powers, legitimacy and functions of relevant data protection regulatory agencies and bodies in Nigeria;
- consultations and engagements with lawyers, industry players and other stakeholders in ensuring that data protection and privacy-related policies are fit-for-purpose and do not unduly duplicate obligations of participants in the market;
- smooth interplay between the Bureau, NITDA and other relevant agencies, in a bid to ensure efficiency in the administration of data protection in Nigeria.
With regard to the Bureau, issues around the constitutionality of its establishment can be effectively addressed, by empowering the Bureau to work collaboratively across the tiers of government in the country. As a necessary first step, the FGN should procure the enactment of an enabling law setting out, amongst others, the scope, functions, powers and limitations of the Bureau, mindful of the considerations (both practical and legal) highlighted above.
1. Available at: https://punchng.com/buhari-approves-new-bureau-for-nigeria-data-protection/, last accessed on March 6, 2022.
2. At the time of his appointment, he was the Director of the e-Government Development and Regulations Department at the National Information Technology Development Agency, the apex regulator for data protection in Nigeria and the federal agency responsible for the administration and implementation of the NDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.