A Review Of The Lagos State Data Protection Bill 2021 Vis-À-Vis The NDPR 2019
Globally, most nations are embracing the idea of regulating data processing activities within their respective jurisdictions. This growing trend can be attributed to the worldwide recognition of the value of personal data and the adverse effects of unlawful access to data in the form of data breaches and data misuse. Transcending national regulation of data processing operations are continental or regional regulations, and the European Union took the first step with the issuance of a continental data protection regulation in the form of the General Data Protection Regulation (GDPR), which generally applies to countries in the European Union. Nigeria, through the enabling Act establishing the National Information Technology Development Agency (NITDA Act),1 issued a federal regulation primarily focused on data protection regulation - the Nigeria Data Protection Regulation ("NDPR").2 This instrument has served as the singular national legal framework for data protection in the country to date.
Following this trend, the Lagos State Data Protection Bill ("the Bill" or "the Proposed Act") was recently introduced before the Lagos State House of Assembly.3 Since its passage, it has evoked many debates among relevant stakeholders and industry practitioners on the implication of its co-existence with the NDPR if passed into law. In this paper we will examine the provisions of the Bill vis-à-vis some provisions of the NDPR and attempt to proffer useful recommendations that may help resolve the imminent conflict issues that the proposed law is likely to engender if enacted by the Lagos State government.
- Objectives and Scope of the Proposed Bill
The proposed Bill is for a law that seeks to promote the protection of personal information processed by public and private bodies, establish minimum requirements for the processing and protection of personal information, establish the data protection commission and for connected purposes in Lagos State.4 It is divided into 9 Parts with 65 Sections and 2 Schedules. It applies to the processing of data entered in a record by or for a data controller, by making use of automated or non-automated means provided that when the recorded personal data is processed by non-automated means, it forms or is intended to form part of a filing system.5 In contrast with the NDPR which only makes provision for the processing of data through automated means, this provision recognizes paper-based forms of record-keeping or filing systems as a means of processing personal data in addition to processing through automated means. This broad definition is similar to the provision of Section 2(1)(a) of the draft Data Protection Bill recently introduced by the Federal Government through the Legal and Regulatory Reform Working Group (LWG), which also provides for the processing of personal data through electronic and non-electronic means.6
- Review of The Bill
Application of the Proposed Bill
The Bill applies to data controllers domiciled in Lagos State and to controllers who are not domiciled in Lagos State but process personal data through automated or non-automated means in Lagos State, except where the processing operations carried out in the State were conducted only for the transmission of personal data through the State.7 It also provides that where any other legislation in Lagos State provides conditions for the lawful processing of personal data which are more extensive than the provisions stipulated in the Bill, such extensive provisions will prevail.8 It is relevant to note that the Bill does not contain explicit provisions stating its applicability to Nigerian citizens; rather, it provides that it will be applicable to any person domiciled in Lagos State.9 The resultant effect of this provision is that the Bill may apply to the processing of personal data of foreign nationals domiciled in Lagos State.
- Establishment, Composition, Powers and Functions of the Data Protection Commission
The Bill establishes a Data Protection Commission ("Commission")10 and entrusts the Commission with the duty of maintaining a register of all data processors and data controllers, ensuring compliance with the provisions of the Bill and regulating processing activities in Lagos State, amongst other responsibilities.11 It establishes a governing board which consists of relevant stakeholders who will be appointed by the Governor of Lagos State on the recommendation of the Commissioner.12 In addition, it empowers the Commission to enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation in line with its functions under the Bill.13 It also empowers the Commission to accept gifts and donations, whether subject to any trust or not, as may be required by the Commission in the performance of its responsibilities, investigate contraventions and complaints and take necessary legal steps to resolve complaints, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data, subject to the approval of the Governor.14
This Bill also entrusts the Commission with special powers to obtain information by notice in writing from any person which is necessary for the performance of its functions under the Bill; apply for a preservation order from the Court for the expeditious preservation of data, including traffic data, where it has reasonable grounds to believe that such data is vulnerable to loss or modification; and through authorized officers, enter and search any premises for the purpose of discharging any functions or exercising any powers of the Commission under the Bill.15
- Compliance Audit
The Bill empowers the Commission to carry out periodical audits of the systems of data controllers or data processors to ensure compliance with data protection principles specified in the Bill.16 It empowers the Commission to seek the assistance of such persons or authorities, as may be necessary to assist the Commission in the performance of its functions.17 It stipulates that any person assisting the Commission for the above stated purposes shall, for the purposes of confidentiality and oath under the Bill, be deemed to be an officer of the Commission.18
- Obligations of Data Controllers and Processors
In comparison with the NDPR, the Bill makes explicit provisions for the obligations and responsibilities of data controllers and processors.19 For data controllers, it makes provision for certain requirements that should be complied with during the collection, processing, usage, disclosure, and storage of personal data.20 It imposes a duty on data controllers to destroy any personal data in their custody, not later than seven (7) working days from the date the purpose of keeping the personal data lapses.21 This is a commendable provision introduced in the Bill, as the extant NDPR does not contain any explicit timeframe for the destruction of personal data by a data controller after the purpose of its usage elapses. It merely requires data controllers to delete personal data upon the request of a data subject and where such data is no longer necessary in relation to the purposes for which they were collected or processed, without providing a timeline when such destruction should be made.22
In stipulating the obligations of data processors, the Bill requires the processing of personal data for a data controller to be governed by a contract specifying the required terms of agreement made by the parties or any existing Law.23 It does not specify whether this contract is required to be in written form, as provided under the NDPR.24 It also requires data processors to obtain a written authorization from a data controller before processing any personal data for the data controller.25
- Transfer of Personal Data
Subject to the provisions contained in S.33(2) of the Bill, the Bill prohibits data controllers from transferring personal data outside Lagos State, except with the written authorization of the Commission.26 S.33(2) of the Bill prescribes the circumstances where the data protection principles stipulated in the Bill will not apply. Also, the entire provisions of S.33 of the Bill indicate that the Bill seeks to govern international data transfers from data controllers operating in Lagos State and empowers the Commission to approve data transfer requests.
We note that this could result in some conflict issues with the NDPR as the NDPR also contains provisions requiring all transfers of personal data in Nigeria to be subject to the supervision of the Attorney General of the Federation.27 The provisions in the Bill relating to international data transfers are not as comprehensive as the provisions prescribed in the NDPR and its Implementation Framework. No provision was made for data transfers to subsidiaries or headquarters of data controllers outside Nigeria, as was provided in the Implementation Framework of the NDPR.28 In the same vein, no recognition was given to the Whitelist of countries with adequate data protection laws developed by NITDA. This could impede the prompt approval of data transfer requests from data controllers by the Commission, as the Commission would have to commence a review of the data protection laws of each country where data is to be transferred, to ascertain whether the respective countries satisfy the identified data protection adequacy requirements29 prescribed in the Bill.
- Data Protection Register
The Bill introduces a "Data Protection Register" under Part VI of the Bill30 and mandates all data controllers and processors operating in Lagos State to register with the Commission from the date of commencement of the proposed law.31 It imposes sanctions on any data controller or processor that fails to comply with the registration requirement.32 The Bill prescribes a fine of two (2) million naira or a term of 2 years imprisonment upon conviction of any data controller and processor operating in Lagos State, that stores or processes personal or sensitive data without registration with the Commission.33 The Bill also provides for the payment of prescribed registration fees following an application for registration by a data controller or processor.34
It provides that where a data processor or data controller intends to process data for two or more purposes, such processor or controller is expected to make two or more separate applications peculiar to each purpose of data processing.35 It also provides for the annual renewal of the registration made by data controllers and processors at the expiration of the registration.36 It imposes sanctions on any data controller or processor who, without reasonable excuse or lawful authority, keeps or processes personal data or sensitive personal data, without renewing their registration.37 Any data controller or processor found guilty of this offence will be liable to a fine of One Million Naira (N1,000,000) or an imprisonment term of One (1) year or both.38
- Enforcement Notices and Delegation of Enforcement Powers
In the event that a data controller or processor has contravened, is contravening or is about to contravene the provisions of the Bill, the Bill empowers the Commission to serve an enforcement notice on such data controller or data processor, requiring them to take such steps within such time as may be specified in the Notice.39 Failure to comply with an enforcement notice will attract a penalty either in the form of a fine not exceeding One Million Naira (N1,000,000.00) or imprisonment for a term not exceeding two years, or both.40
It empowers the Commission to delegate any of its powers to conduct investigations or carry out enforcement to any person or Police Officer designated by the Commissioner of Police of Lagos State.41
- Rights of the Data Subjects
The Bill makes provision for some rights available to data subjects which are similar to those contained in the NDPR.42 One of the rights provided in the Bill is the right of access to personal data by a data subject.43 The Bill requires data controllers, upon the written request of a data subject, to provide the data subject with a copy of the requested data in the controller's custody, on payment of the prescribed fee.44
However, we find this provision worrisome because it requires data subjects to pay a prescribed fee even though no cost is incurred by the data controller to furnish the requisite information to the data subject. No provision was made regarding the amount, range or criteria to guide data controllers on how to charge data subjects for accessing their personal data in the custody of the data controller. On the contrary, the NDPR contains better provisions for similar requests from data subjects and it provides guidance to data controllers on how and when to charge data subjects for such requests. It provides that any information provided to the Data Subject, including any communication and actions taken, should be provided free of charge and, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may then charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested.45 Consequently, we recommend that the provisions of the NDPR relating to access requests by data subjects be adopted in the Bill before it is passed into law.
Some other rights of data subjects provided in the Bill include rights of rectification, erasure, deletion of personal data etc.46
The Bill makes provision for specific kinds of data and processing operations which are exempted from complying with some of the data protection principles highlighted in the Bill. Some of these include crime and tax related data,47 data for journalistic, literary and artistic purposes,48 educational and statistical data,49 information available to the public under a law,50 disclosure required by law or in connection with legal proceedings,51 claims of legal professional privilege,52 and processing operations for domestic purposes.53
Conclusion, Recommendations and Comments
The emergence and use of modern technologies are reorientating and raising concerns in the global space on the security of personal data. In this regard, legislations are being developed across various jurisdictions to provide adequate safeguards and measures for the protection of personal data. The proposed Bill symbolizes a positive attempt by Lagos State Government to regulate the processing of personal data within its territory. It evidences the result of the far-reaching awareness that has been created on the relevance of regulating data processing operations.
While this is a commendable step, it is important to note the perceived negatives associated with the passage of the Bill in its current form and the imminent issues that may arise from the co-existence of the Bill with the extant Federal data protection regulation, the NDPR, hence our underlisted recommendations and comments.
Further to the recommendations already provided above, we have highlighted additional recommendations which, if incorporated, may further strengthen the proposed Bill prior to its enactment:
Establishment of the Data Protection Commission
We note that if the Bill is passed into law, there will be two regulatory bodies governing data processing operations in Lagos State i.e., the Lagos State Data Protection Commission and NITDA. This might result in conflict issues with compliance requirements that might negatively impact data controllers or processors carrying out processing activities in Lagos State.
We recommend that either the Lagos State Data Protection Commission is made subject to NITDA's oversight in terms of implementation, or a collaboration is made between the regulatory bodies to resolve conflict issues that may arise.
Penalties for Failure to Register with the Commission
We believe that the penalties imposed for failure of a data controller or processor to register with the Commission are too prohibitive, especially for start-ups found in breach of the proposed law.54 No saving provisions were made in the Bill to give room for compliance after the commencement of the proposed law. The fines imposed could lead to the crippling of many start-ups found in breach of this provision. We therefore recommend a modification of this provision in the Bill to water down the prohibitive sanctions in the Bill and incorporate saving provisions encouraging data controllers and processors to comply within the prescribed grace period.
Compliance Audit and power to request assistance
The Bill empowers the Commission to carry out periodical audits of the systems of data controllers or data processors and empowers the Commission to seek the assistance of such persons or authorities, as may be reasonably necessary to assist the Commission in the performance of its functions.55 It is pertinent to note that it may be impracticable for the Commission to independently carry out this function, given its limited resources and the large number of data controllers carrying on processing operations in Lagos State. Consequently, it may always need assistance to effectively perform this function. Under the NDPR, provision is made for the licensing of DPCOs who will provide training, auditing and compliance services to data controllers and administrators.56 The criteria for licensing DPCOs are accessible to the public, and licensed DPCOs are listed on NITDA's website.57 On the contrary, the Bill contains provisions empowering the Commission to seek the support of such persons to assist it with carrying out its functions, but it did not provide any criteria for the appointment of such persons. We anticipate that this may create room for corruption and favouritism, as many persons that may or may not possess the requisite expertise to assist the Commission in carrying out its compliance audit functions may be appointed. We therefore recommend that the Bill be modified to incorporate similar requirements as contained in the NDPR regarding licensing of DPCOs or the provision for a collaboration of DPCOs licensed under the NDPR with nominated persons appointed to assist the Commission under the Bill.
Furthermore, the Bill does not recognise the Audit Report compliance filings made by eligible data controllers under the NDPR.58 Consequently, data controllers carrying out processing activities in Lagos State which have undertaken the audit process and filed their report with NITDA may also be required to undertake a similar compliance audit with the Commission.
Also, and in contrast with the NDPR, the Bill did not make any provisions for the appointment of Data Protection Officers (DPO)59 to assist with the compliance requirements under the Bill. If the intention of the drafters of the Bill was to avoid duplication of functions with the DPO under the NDPR, hence the omission, then they should have made provisions for the appointment of the DPO in the Bill subject to the appointment of the DPO under the NDPR. However, not making any provisions in the Bill on this score is likely to be problematic.
Comments on some conflict issues of the Bill relative to the NDPR
Despite the broad scope of the NDPR, given that it is a federal regulation, there have been arguments on potential conflict issues with the proposed State Bill if enacted into law. One of the likely implications of the passage of the Bill into law vis-à-vis the NDPR is that both legislations will apply to data processing operations by data processors and controllers in Lagos State. In the areas of conflict, we suspect that the NDPR may likely prevail being a subsidiary regulation arising from a federal enactment.60 We anticipate that arguments may arise on this score, given that both the Federal and State governments are empowered to legislate on privacy matters since it is not a matter specifically itemised in the Exclusive List of the Constitution of the Federal Republic of Nigeria,61 as within the exclusive jurisdiction of the National Assembly. It may also be argued that the doctrine of Covering the Field may apply in this regard since the subject matter of the Bill relates to a matter covered by a subsidiary legislation pursuant to a federal enactment.
A contrary argument that could arise from this, is that the NDPR is merely a regulation in comparison to the proposed State Law and this might give rise to divergent kinds of conflict issues in implementation that may be left for the courts to determine. We hope that the two regulatory bodies administering the different legislations will set aside any differences that may arise between them and work together towards ensuring that the entire purpose of the data protection regulation is achieved. In any event, NITDA is already hampered by the lack of resources and personnel to fully and effectively implement the NDPR. Collaborating with the Commission established under the proposed Lagos State law may provide an avenue to access the resources available to the state towards the implementation and enforcement of both enactments.
1 2007, Act No. 28. Published in the Federal Republic of Nigeria Official Gazette No. 99 Vol. 94 Lagos 5th October 2007.
2 See Preamble to the 2019 Regulation.
3 See Punch Online Newspaper, "Data Protection Bill passes 2nd reading stage at Lagos Assembly" available at: https://punchng.com/data-protection-bill-passes-second-reading-at-lagos-assembly/, accessed on 15th December 2021.
4 Preamble to the Lagos State Data Protection Bill.
5 Section 2(1)(a).
6 Bisola Scott et al, "A Review of the Nigerian Data Protection Bill 2020" available at: http://www.spaajibade.com/resources/a-review-of-the-nigerian-data-protection-bill-2020-the-intellectual-property-department/ accessed on 5th December 2021.
7 Section 2.
8 Section 2(2).
9 Section 2(4).
10 Section 3.
11 Section (b) (c) and (d).
12 Section 6.
13 Section 5(a).
14 Section 5.
15 See sections 12, 16 and 20.
16 Section 18.
17 Section 19(1).
18 Section 19(2).
19 See Part IV and V of the Bill.
20 See Sections 23, 25, 26 and 30.
21 Section 29.
22 Article 3.1 (9)(a) NDPR.
23 Section 36.
24 Article 2.7 NDPR.
25 Section 35.
26 Section 33.
27 Article 2.11 NDPR.
28 Para. 7.3 NDPR Implementation Framework.
29 Section 33(3).
30 Section 37.
31 Section 37(1).
32 Section 37(3).
34 Section 38(3).
35 Section 38(2).
36 Section 43.
37 Section 44(4).
39 Section 15.
40 Section 15(3).
41 Section 13. See also, section 22.
42 See Section 45 of the Bill and Article 3.1 NDPR.
43 Section 45.
44 Section 45.
45 Article 3.1(3) NDPR.
46 Section 47.
47 Section 49.
48 Section 51.
49 Section 52.
50 Section 53.
51 Section 54.
52 Section 55.
53 Section 56.
54 The Bill prescribes a fine of two (2) million naira or a term of 2 years imprisonment upon conviction of any data controller and processor operating in Lagos State, that stores or processes personal or sensitive data without registration with the Commission.
55 Section 18.
56 Article 4.1(4) NDPR.
57 NITDA, "Data Protection Compliance Organisation" available at: https://nitda.gov.ng/?page_id=2123 accessed 21 December 2021.
58 Under the NDPR, Data Controllers which process the Personal Data of more than 2,000 Data Subjects in the past 12 months are expected to file their Audit Report with NITDA before 15 March on an annual basis.
59 Article 4.1(2) NDPR.
60 See the case of Oguguo v. Medical Dental Practitioners Disciplinary Tribunal (2019) LPELR-51530 (CA) where it was held that "the Act and Rules made thereunder to regulate and govern medical and dental practice in Nigeria and to set out code of conduct for the practitioners to take precedence have priority and override local state laws on the same subject being federal legislations enacted by the National Assembly. In the event of any conflict between the provisions of the two, the federal legislation would prevail." See also, Nwandiaro v. SPDC (1990) 5 NWLR (150) 322 & P.H.M.B v. Ejitagha (2000) 11 NWLR (677) 154.
61 Constitution of the Federal Republic of Nigeria 1999 as amended.