Since the issuance of the Nigeria Data Protection Regulation in 2019 (NDPR), stakeholders have clamoured for a more robust data protection instrument to adequately provide for the collection and processing of personal data in Nigeria. Consequently, there have been several unsuccessful attempts to pass a Data Protection Bill into law since 2018.
The Nigeria Data Protection Bureau ("NDPB") released the Data Protection Bill 2022 ("the Bill") on 6 October 2022. The Bill appears to be a beacon of hope for a final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 20221.
This Bill seeks to establish an independent and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors2 within the private and public sectors. It deals with four core issues, amongst others:
- the processing of personal data;
- protecting the rights of data subjects3 including a framework for such protection;
- the establishment a Data Protection Commission; and
- the contribution to the legal foundations of Nigeria's digital economy and an improvement of its appeal for participation in the global marketplace.
In this article, we examine the Bill and highlight the attendant issues which need be addressed before the passage of the Bill.
Applicability of the Bill
Part I of the Bill states that it will only apply where:
- the data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Nigeria;
- the processing of personal data occurs within Nigeria; or
- the processing of personal data of a resident of Nigeria where the data controller or data processor was actively marketing to, targeting or monitoring such residents within Nigeria.
The following issues are immediately noticeable from this part of the Bill and they include:
- The provision on the applicability of the Bill seems to be a derogation from the NDPR, which based its applicability on the data subject, as opposed to the controller or processor. The Bill also does not define the terms used. The test to determine whether a controller or processor is domiciled, ordinary resident or ordinarily operating in Nigeria is unknown.
- The Bill does not apply to the processing of personal data done by a data subject solely during a personal, recreational or household activity.4 While personal or household activity is a reproduction of the exceptions under the DPIF5, the meaning and scope of, "recreational activity" as contemplated under the Bill remain "uncertain".
- The Bill also exempts the application of rights and obligations contained in Parts VI to X (other than the principles governing processing of personal data) from applying to a data controller or processor when processing of personal data. This includes processing carried out by "competent" authorities in certain instances;6 and publication in the public interest for journalism, educational, artistic and literary purposes. The Bill does not define competent authorities or explain the scope of exempted publications.
Independence of the Commission
The Bill makes provisions for the establishment of an "independent" commission and the appointment of a governing council. One question that comes to mind is the status of the Commission as an independent body.
A review of the composition of the governing council of the Commission shows heavy reliance on the executive arm of government as the appointment and removal of the members lie on the President's prerogative7. The Minister of Communications and Digital Economy ("Minister") also wields so much power over the governing council, as it has to submit legislative proposals to the Minister, including amending existing laws, with a view to strengthening personal data protection in Nigeria. The Commission is also empowered to make regulations on any matter that the Minister considers necessary or expedient to give effect to the objectives of this Act.
These seemingly supervisory and oversight functions over the governing council casts doubt on the actual independence of the Commission.
Legitimate Interest as a legal basis for processing personal data
A significant improvement on the NDPR, which has been included in the Bill is the recognition of legitimate interest8 as a lawful basis for processing personal data.
Under the present regulatory regime, Controllers and processors have been limited to consent and performance of contract as their recourse for processing personal data9. Certain processing activities, for instance, such as employer-employee relationship which should ordinarily be covered by legitimate interest (with safeguards), were left to be covered by consent, which would then leave us with the question on whether consent in this instance is actually freely given, considering the power imbalance.
Thus the inclusion of legitimate interest, which can cover such situations, is a commendable addition to the body of rules on data protection in Nigeria.
Data Protection Impact Assessment
The Bill makes provision for the need for a data protection impact assessment ("DPIA"). As an improvement on the former regime, the Bill defined a DPIA and also empowered the Commission to issue guidelines and directives on DPIA, including the categories of processing subject to the requirement for a DPIA. This is an improvement on the provisions of the NDPR which did not expatiate on the subject.
Sensitive Personal Data
The Bill states rules on the processing of sensitive personal data, which is an improvement on the NDPR which had little or no provision other the definition of the term.10 It also gives a long list of lawful bases for processing sensitive personal data. It further states that the Commission may prescribe in rules, further categories of personal data that may be classified as sensitive personal data, further grounds on which such personal data may be processed, and safeguards that may apply. It also stated considerations to be looked into, in prescribing these rules.
The Bill states that, when a data subject is a child or another individual lacking the legal capacity to consent, a data controller shall obtain consent of a parent or other appropriate legal guardian of the child or other individual, as applicable, to rely on consent under section 26(1)26(a) or 32(1)32(a) of the Bill.
Data Protection Compliance Organisations
The Bill also makes provisions for the power of the Commission to licence a body to carry out data protection compliance services.11
Whilst it is unclear if this role will be carried out by the data protection compliance organisations (DPCOs) under the extant regulations,12 it the intent of the Bill is to vest in the "body", the power to impose sanctions on data controllers and processors.
It may thus be problematic to effect this under the current regime for DPCOs in Nigeria.
Rights of a Data Subject
While the Bill provides a more comprehensive approach to the rights of the data subjects (compared to the NDPR), the rights outlined in the bill are still not encompassing when compared to the European Union (EU) General Data Protection Regulation (GDPR).
The GDPR thoroughly explains the rights of data subjects, how the rights can be exercised, process of exercising the rights, limitations to the exercise of the rights etc. However, these are not clearly expressed in the Bill.
In addition, the Bill does not provide for a timeline for responding to rights request. For example, while the GDPR provides that the controller shall provide information on steps taken to address the request within one month or a further two months, the Bill provides no such timeline. Although the Bill provides that the request shall be attended to without unreasonable delay, what amounts to unreasonable delay was not specified.
It is thus recommended that the rights in the Bill be expressly explained, and a time frame affixed.
The provision of data security in the Bill is an abridged replication of the provisions in the GDPR. Although the Bill makes provisions for pseudonymization and de-identification of personal data, there is no comprehensive regulatory framework on pseudonymization and de-identification in Nigeria. This may pose problems in the future.
It is however worth of note that the Bill provides a detailed data breach management procedure. The data controller may extend the known seventy-two-hour reporting period to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Commission the grounds for such extension, including supporting evidence. The data controller and data processor are also mandated to keep a record of all personal data breaches.
Cross-Border Transfer of Personal Data
The provisions of the Bill on cross border transfer are complicated. The draftsman, in the opening section, seemed to have intended to shift from the requirement for adequacy decision.13 It perhaps would have achieved the effect of shifting the focus from the protection afforded in each jurisdiction (adequacy decision) to the security and protection measures of the controllers and processors (i.e. a risk-assessment-focused approach), or offering both as alternates.
The Bill provides that personal data shall not be transferred from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the Bill, and upon the application of one of the laid down conditions in the Bill. It however complicates this provision by adding a long list of measures for assessing the "adequacy of protection" afforded,14 including the existence of any legally binding instrument between the Commission and a relevant public Commission in the recipient country addressing elements of adequate protection referred to in subsection and the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement powers, international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.
This brings us back to the GDPR model. Under the GDPR, transfer of personal data outside the EU and the European Economic Area (EEA) is based on three exceptions- adequacy, appropriate safeguards and derogation. 15 It would appear that the draftsman intended to adopt this in the Bill. However, the Bill has certain shortcomings in comparison to its counterpart. An example is the reference to binding corporate rules and standard contractual clauses, with no guide or pre-approval in relation to the clauses.16 This is no improvement from the presently confusing provisions of the DPIF. What the draftsman has essentially done is to muddle up the concepts of adequacy decision and appropriate safeguards. Perhaps, the intention is for the Commission to exercise its powers in making up for the lapses by issuing regulations and guidelines that will provide further clarity on these matters.
While some of the provisions are substantially the same as those provided for under the NDPR, the Bill also makes novel additions to the legal framework of data protection in Nigeria, such as the establishment of an "independent" body called the Nigeria Data Protection Commission ("Commission"), a new classification of data controllers and processors called "data controllers and data Processors of major importance" and compulsory registration with the Commission and the recognition of legitimate purpose as a legal basis for processing data, among others. Clarifications and changes, as highlighted in this article and by other stakeholders need be made to ensure that the Bill, when passed, does not pose more problems than it seeks to solve.
2. Data Controller" means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed; "Data Controller/ Administrator" means a person or an organization that processes data
3. "Data Subject" means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
4. Section 3(a)
5. Paragraph 2.1(iv)
6. This includes prevention, detection, investigation of crime; prevention or control of public health emergency.
7. Section 9(2) and 12(1). Removal is based on the recommendation of the Minister and subject to disqualification under the Bill.
8. Legitimate Interest is one of the bases that organisations rely on to legally process personal data. Legitimate interests include commercial, individual, or societal interests. Data processing must be necessary in order to be considered legitimate. It may be the interest of the organisation/ third party to whom the data is disclosed.
9. The other three, namely, processing in the vital interest of the data subject, in compliance with a lawful obligation and performance of a task carried out in public interest, can only be resorted to in peculiar (usually non-commercial) circumstances.
10. The DPIF mentioned it only a few times- such as, as an instance where a DPIA, consent/ higher level of consent are required.
11. Section 35
12. The current role of DPCOs is primarily involves audits, advisory, remediation.
13. Section 43
14. Please see our summary for the list.
15. Chapter V of GDPR: Article 44–50 Transfer of Personal Data to Third Countries or International Organizations
16. At best, the Bill provides that the Commission may approve binding corporate rules, codes of conduct or certification mechanisms proposed to it by a data controller, where the Commission determines that the aforesaid meets the adequacy requirements of subsection. Section 44(5).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.