All over the world, technological advancements and breakthroughs have increased exponentially, which has increased the use of personal data and associated risk of data breaches. Thus, data protection and privacy continues to gain global attention due to the compliance obligations and responsibilities that come with data processing activities.
As a result, we have witnessed increased efforts by various governments to ensure compliance with data protection laws across different jurisdictions and significant strides being recorded by corporations to formulate and implement robust data protection compliance framework for the processing of personal data within their possession.
Protecting the privacy of personal data is the responsibility of every business. Therefore, all data controllers are expected to take appropriate actions towards creating a culture of privacy within their environment. As we celebrate the 2023 International Data Privacy Day, this Newsletter provides highlights of recent data protection and privacy update in Nigeria and across few select jurisdictions.
Part A - Highlights of Key Data Privacy Updates in Nigeria
1. Overview of the ECOWAS Law Suit Seeking to Compel the Federal Government of Nigeria to Enact a National Legislation on Data Protection
On the 19 July 2021, a registered Non- Governmental Organisation (NGO), Incorporated Trustees of Digital Rights Lawyers Initiative (the "DRLI"), instituted a public interest lawsuit at the ECOWAS Court in Suit No: ECW/CCJ/APP/37/21 and sought an order of Court compelling the Federal Government of Nigeria to enact into law a comprehensive data protection legislation in order to protect and enforce the data privacy rights of Nigerians.
The DRLI in its arguments referenced the Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS ("Supplementary Act") which Nigeria signed along with another West African Countries on 16 February 2010. The Supplementary Act, which is believed to be the first regional instrument promoting the protection of the data privacy rights of citizens of ECOWAS Member State, requires each Member States to establish a legal framework for the protection of data privacy rights within the ECOWAS.
DRLI alleged that the Nigerian government had failed to fulfil its obligation as a Member State to enact a comprehensive national legislation domesticating the provisions of the ECOWAS Supplementary Act.
However, the Nigerian Government, in its counter-argument, denied the allegations of the DRLI and enumerated the extant laws in force for the protection of data privacy in Nigeria. It was also contended on behalf of the Federal Government of Nigeria that the ratification of the Supplementary Act will require legislative approval in line with the constitutional procedure stipulated under Section 12 of the 1999 Constitution of the Federal Republic of Nigeria.
The three-man panel of the ECOWAS Court have reserved Judgment in the suit till 15 March 2023. Whilst it is not in doubt that considerable efforts have made towards the enactment of the Nigeria Data Protection Bill 2022 which is currently undergoing deliberations at the National Assembly, the public interest lawsuit instituted at the ECOWAS Court by the DRLI clearly demonstrates increased level of awareness regarding the importance of data privacy rights within Nigeria and West Africa at large and the resolve of NGOs to challenge the status quo regarding perceived unwillingness of the government of the day to enact data protection laws by way of legal redress both at national and regional courts of law.
2. Introduction of the Data Protection Bill 2022
On 6 October 2022, the Nigeria Data Protection Bureau officially released the new draft of the Nigeria Data Protection Bill 2022 (''the Bill"). The Bill provides the legal framework for the processing and protection of personal data in Nigeria.
In terms of the scope of its applicability, the Bill will only apply where:
- the processing of personal data is carried out by a data controller or data processor domiciled, ordinarily resident or ordinarily operating in Nigeria;
- the processing of personal data occurs within Nigeria; or
- the processing of the personal data of the data subject occurs in Nigeria without the data controller or the data processor being domiciled, ordinarily resident or ordinarily operating in Nigeria.
The Bill does not however apply to the processing of personal data for personal or household purposes as well as in cases of criminal investigation and prosecution, national public health emergency, national security, public interest or the establishment or defense of legal claims.
The Bill provides for the establishment of the Nigeria Data Protection Commission ("the Commission") to be headed by the National Commissioner, with the Governing Council assuming a supervisory role over the Commission. The Commission is expected to be independent in the discharge of its responsibilities. The Bill also covers key areas such as data protection principles, lawful bases for the processing of personal data, requirements for the processing of sensitive personal data and conducting of a data protection impact assessment, rights of data subjects, appointment of Data Protection Officers ("DPOs") and licensing of data protection compliance organisations ("DPCOs"), rules relating to cross-border transfer of personal data, amongst others.
The Bill confers enormous enforcement powers to the Commission including the powers to arrest, search and seize during the course of investigation.
Due to the national importance of the Bill, it is expected that the National Assembly will expedite the constitutional process for the review of the Bill to enable the Bill receive Presidential assent in due course.
3. Recent Operational Activities Introduced within the Data Protection Space in Nigeria
- Establishment of the Nigeria Data Protection Bureau
The Nigerian data protection space witnessed significant regulatory reforms in 2022 with the establishment of a new data protection regulator in Nigeria.
In its official press release made in February 2022, the Federal Government, through the office of the Presidency, approved the establishment of the Nigeria Data Protection Bureau (''the Bureau" or NDPB) following the formal application made by the Minister of Communications and Digital Economy, Professor Isa Pantami. The NDPB was, however, launched in April 2022. According to the official press release, the Bureau will be responsible for consolidating on the gains of the Nigeria Data Protection Regulation 2019 (NDPR) and supporting the process for the development of a primary legislation for data protection and privacy.
Prior to the establishment of the NDPB, The National Information Technology Development Agency (NITDA) was saddled with the responsibility of ensuring data protection and privacy compliance in Nigeria. However, it is noteworthy that the legitimacy of NDPB as the new national data protection regulator in Nigeria has been greeted with criticism as some stakeholders hold the view that the establishment of the NDPB, without any form of statutory backing by way of an enabling law, renders the establishment of the NDPB ineffective ab initio.
Notwithstanding the doubts expressed as to its legitimacy, the NDPB has since assumed the regulatory role of ensuring the compliance with the provisions NDPR and will receive the data protection audit reports from data controllers and processors in Nigeria due on or before the 15 March 2023.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
