In celebration of the 2023 International Data Protection Day, it is pertinent to reflect on the developments which occurred in the Nigerian data protection landscape in 2022, while also considering data privacy trends to look forward to in 2023.
The year 2022 witnessed a number of advancements in the data protection space globally and Nigeria was not left out. Highlighted below are a few of the changes which occurred in Nigeria in 2022:
- Creation of the Nigeria Data Protection Bureau: The Federal Government of Nigeria created the Nigeria Data Protection Bureau ("the Data Protection Bureau" ) in February 2022 as the principal data protection regulatory body to implement the objectives of the Nigeria Data Protection Regulation, 2019 ("the Regulation") . The Data Protection Bureau replaces the National Information Technology Development Agency (NITDA) which was prior to the creation of the Data Protection Bureau responsible for implementing data protection polices in Nigeria.
- Establishment of the Joint Mutual Enforcement Desk: On 17 May 2022, the Federal Competition and Consumer Protection Commission (FCCPC) and the Data Protection Bureau jointly established the Joint Mutual Enforcement Desk. The drive behind this collaboration is aimed at addressing cogent issues of data protection, such as data protection breaches which has been a common occurrence amongst online moneylenders, and to ensure that data subjects can derive the protection that are inherent to the digital economic expansion of Nigeria. Both organizations further cemented this collaboration by entering into a Memorandum of Understanding on the 28 of August 2022.
- Re-introduction of the Data Protection Bill ("the
Bill"): The Bill was first introduced in 2018, passed
by the National Assembly on 16 May 2019 and transmitted to the
President for assent. The Bill was however not assented to by
President Muhammadu Buhari. Subsequent to this, there have been
other unsuccessful attempts to pass a data protection law.
The Data Protection Bureau, as part of its objectives to ensure that there is a substantive law governing data protection, released the new Data Protection Bill 2022 in October 2022. The Data Protection Bureau recently disclosed that the Federal Executive Council has approved the Bill for further ratification and endorsement by the National Assembly. It is anticipated that the same will finally be passed into law in 2023.
- The National Data Protection Adequacy Programme
(NaDPAP) Whitelist: The Data Protection Bureau, in its bid
to update the Whitelist1 in accordance with the
provisions of the Regulation, established the NaDPAP Whitelist in
the last quarter of 2022. Further to the establishment of the
NaDPAP Whitelist, the Data Protection Bureau released a Compliance
Notice2 mandating data controllers and data
administrators to comply with a number of requirements. In order to
be included in the NaDPAP Whitelist, organizations are required to:
- have an understanding of the NDPR;
- designate at least one or two members of staff as Data Protection Contacts; and
- mandate their service providers/vendors to comply with the NDPR to prevent any liability for the organization.
The Data Protection Bureau gave organizations till 25 November 2022, to comply with these requirements for inclusion on the Whitelist. However, the deadline for compliance was since extended to 20 January 2023. The expectation is that the Whitelist which will be published on the Data Protection Bureau website, in major newspapers and shared with local and international establishments in the first quarter of 2023.
- Introduction of the Draft Operational Guidelines for Open Banking in Nigeria, 2022: Open banking is a system that grants third-party providers open access to consumer banking, transactions, and other financial data from banks and non-bank financial institutions using application programming interface (API). The Draft Operational Guidelines for Open Banking in Nigeria, 2022 ("the Draft Guidelines"), which comes a year after the issuance of the Regulatory Framework for Open Banking in Nigeria by the Central Bank of Nigeria, establishes the principles for data sharing across banking and payment systems.
- Data Protection Compliance Directive: The Federal Government in a bid to ensure that the collection and processing of personal data is in accordance with the provisions of the Regulation and other applicable guidelines, issued a service-wide circular3, through the Secretary to the Government of the Federation on 07 November 2022, directing all Ministries, Departments and Agencies of government to comply with the provisions of the Regulation, among other measures.
The year wrapped up on a very positive note. Bearing in mind the developments in the Nigerian data protection space in 2022, it is safe to predict the trends to look forward to in 2023. These will include:
- Prioritization of Data Security and Storage: A focus on cybersecurity as organizations continue to build digital capacity, data privacy and protection especially in the event of an actual attack or error, will become paramount especially as more and more organizations migrate to the cloud. In addition, as regulatory bodies place stricter data requirements on data controllers and data administrators, data security/cybersecurity will surely be priority for this group. It is expected that considering the increased migration to the cloud, proper storage and security of data, will be a trend to watch out for in 2023.
- Enactment of Data Protection Laws: The rise in data protection regulations in diverse sectors of the economy is a global data protection trend to watch out for and Nigeria is not left out of this. More importantly, in line with the objective of the Data Protection Bureau, to ensure the passage of the Data Protection Bill, 2022 into law, 2023 may be the year where the Regulation is finally replaced with a substantive law. Additionally, Lagos State is considering passing its own data protection legislation. A Data Protection Bill has been issued by the State House of Assembly and its provisions have been deliberated upon.4
- Increased Investment in Data Protection Compliance: The rise in data protection regulations may trigger expectations of a rise in data protection compliance obligations. Thus, we expect to see an increased commitment of data controllers and data administrators towards investing in data protection compliance.
Ultimately, Nigeria has experienced an improved performance in the data protection clime in 2022, clearly demonstrating an intention to remain and maintain its relevance locally and internationally.
1 The Whitelist is a list of countries/organisations deemed to have adequate data protection laws and for which an Adequacy Decision has been made. There are currently, 42 countries, as well as all countries in the European Union, European Economic Area, and all countries in the African Union that are also signatories to the Malabo Convention 2014, on the Whitelist.
2 Newsletter Vol. 1/NDPB/CN/1/22.
3 Ref No. SGF/OP/l/S.3/Xll/186.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.