On 4th February 2022, President Muhammadu Buhari approved the establishment of a new government agency, the Nigeria Data Protection Bureau (NDPB). According to the official press release announcing its establishment, the NDPB would be responsible for consolidating the gains of the NDPR and supporting the process for the development of a primary legislation for data protection and privacy. The NDPB is expected to enforce compliance with the provisions of the Nigeria Data Protection Regulations 2019 (NDPR). Prior to this time, the National Information Technology Development Agency (NITDA) had been solely responsible for data privacy regulation and compliance in Nigeria. While it is beyond doubt that the regulation of data processing was long overdue and the NDPR was a fairly decent effort by government, the enforcement of data protection compliance has been fraught with several challenges. This article seeks to highlight some of the challenges affecting data privacy compliance in Nigeria, and proffer practical and useful recommendations to address these challenges.
CHALLENGES OF DATA PRIVACY COMPLIANCE IN NIGERIA
Inadequate Sensitization on Data Protection
Despite the issuance of the NDPR in 2019, there is still a lack of awareness of its existence, much less its provisions. Many data subjects, educated and uneducated alike, are ignorant of their rights with respect to the protection and integrity of their personal data. Equally, data controllers who process personal data do so with insufficient or non-existent understanding of the provisions of the NDPR and their respective obligations. It is also common to find data controllers misconstruing their obligations under the NDPR, such as erroneously assuming that they are only subject to the provisions of the NDPR when they process the personal data of up to 2000 data subjects.
Lack of an Independent and Regulatory Authority
There have always been concerns with respect to the degree of independence of NITDA from government control. This is because NITDA is domiciled within, and under the general supervision of, the Federal Ministry of Communications and Digital Economy (Ministry). Presently, there is limited information on the extent of NDPB's subordination to the Ministry or even NITDA. However, there is a high likelihood that NDPB will still be under the residual control and supervision of the Ministry, particularly since the NDPB was not established pursuant to any statute and was only created by executive fiat. Without a doubt, the various levels of government in Nigeria outstrip the private sector when it comes to the volume of personal data collected and processed. In fact, the digital economy policy of the federal government is primarily anchored on data collection and processing. Consequently, the need for an independent data protection agency that can hold government accountable for its use and processing of personal data cannot be overemphasized.
In addition to having an independent regulatory agency, it is also vital to ensure that the agency has sufficient manpower and technical resources to discharge its duties efficiently. For instance, NITDA was severely incapacitated in terms of manpower and technical resources to effectively administer and enforce the provisions of the NDPR throughout the country.
Lack of a robust legal framework
There is no gainsaying that the NDPR is a commendable initiative by the government aimed at plugging the absence of a legal regime on data protection in Nigeria prior to its passage in 2019. However, the NDPR itself was conceived as an interim measure which should prepare the ground for the enactment of a substantive and comprehensive legislation on data protection in Nigeria. This partly explains the several deficiencies and loopholes in the NDPR which have significantly constrained data protection compliance in Nigeria. Some of these lapses in the NDPR include the lack of an extra-territorial scope in the regulations, which could have regulated issues relating to cloud storage of personal data collected from Nigeria on servers located in other countries; the absence of any obligation to appoint a legal representative in Nigeria for data controllers who process personal data obtained from the country; and the absence of any requirement for data controllers to keep a record of processing activities, among others. This partly explains the scanty body of legal jurisprudence on data protection in Nigeria.
Absence of stiff penalties to serve as deterrence
It is a notorious fact that most individuals do not practice voluntary compliance unless there is a real threat of sanction. In fact, some potential defaulters tend to weigh the prescribed penalty/cost for breach against the benefit they may derive therefrom in making a decision on whether to comply or not. As such, for any enactment to achieve high compliance, there must be a stiff penalty regime. Furthermore, the damaging consequences of a data privacy breach for a data subject justify the imposition of severe penalties for breach. However, the NDPR regime on penalties is inadequate. The maximum penalty for a data breach as prescribed under the NDPR is 1% of the annual gross revenue of the preceding year or payment of the sum of N2,000,000 (whichever is greater) where the data controller processes less than 10,000 data subjects, or 2% of the annual gross revenue of the preceding year or a payment of the sum of N10,000,000 (whichever is greater). In contrast, the GDPR provides for a maximum penalty of €20,000,000 or 4% of annual global turnover, whichever is greater.
Extensive Sensitization Campaigns on Data Privacy
The NDPB should undertake widespread sensitization campaigns on the provisions of the NDPR and the imperatives of respecting data privacy. The sensitization campaigns should be targeted at both data subjects to educate them on their rights, and data processors to enlighten them on their respective obligations and penalties for non-compliance under the NDPR. NDPB should also partner with the conventional media as well as utilize social media in ensuring maximum reach and increased visibility.
Increased Funding and Governmental Support for an Independent Regulatory Agency
It is expedient that the Federal Government adequately fund the NDPB in order to improve its capacity and efficiency. The staff strength of the NDPB should also be significantly expanded since their area of responsibility covers the entire country. Necessary tools and technology including periodic training on the global trends and developments in data privacy practice should be made available to the NDPB staff by the government. Crucially, the government should grant NDPB the autonomy to conduct its affairs with minimal governmental/ministerial control and influence. This will enhance the efficiency and productivity of the NDPB in the discharge of its assigned regulatory duties.
Enactment of a Substantive and Comprehensive Legislation on Data Privacy
It is long overdue for the country to have a substantive legislation on data privacy to replace the NDPR. Many African countries, including neighboring countries like Ghana, have since passed specific legislation on data privacy. The enactment of substantive legislation rather than a subsidiary regulation also tends to positively portray a country as taking data privacy seriously. In fact, the data privacy profile of a country is now a critical consideration for investment decisions by foreign investors. In this respect, the data privacy regulatory regimes of many jurisdictions, including the GDPR, now prohibit their private and corporate citizens from transferring/sharing data collected from within their shores with countries with no or ineffective data privacy laws. However, it is heartwarming that the NDPB has as one of its core mandates supporting the process for the development of a primary legislation for data protection and privacy.
Prescription of Stiffer Penalties and Determined Enforcement
The NDPB should also endeavor to scale up the penalties prescribed in the Data Protection Bill where necessary to further disincentivize breach and promote deterrence. In the meantime, the NDPB can improve on enforcement by applying the penalties prescribed on defaulters without discrimination. The NDPB should also consider pursuing legal actions including canvassing novel arguments on areas where there are apparent lacunas in the NDPR with a view to having the courts make pronouncements on such issues and thereby enriching the jurisprudence on data privacy. Doing so will instill deterrence in potential defaulters and enhance the profile and regulatory efficacy of the NDPB.
The establishment of the NDPB is a laudable initiative by the government which signals the government's acknowledgement of some of the challenges of the previous regime under NITDA. With the benefit of hindsight as it relates to NITDA's challenges in the enforcement of the NDPR as outlined in this article, the NDPB can aim to do better and avoid some of the setbacks encountered by NITDA. However, given the lack of clarity on the specific remit of NDPB as well as the lack of a statutory backing to its creation, there is speculation that the NDPB is itself a stopgap intervention. This should nevertheless not deter the NDPB from striving to be efficient and impactful, as the gains and successes recorded by it can be of immense value to any successor agency and will certainly help deepen the practice of data privacy in Nigeria.