With the recent cybersecurity breaches involving major companies such as Google, which was slammed with a fine of £44 million, and British Airways, which is currently facing a record fine of £183 million in the United Kingdom (UK), the Nigerian Information Technology Development Agency (NITDA) is pushing hard to ensure the protection of data privacy in Nigeria.
The Nigerian Data Protection Regulations (NDPR), released in January 2019, introduced major compliance obligations on Nigerian companies across all sectors, including audit checks, publication of data protection policies and filing of audit reports, as well as severe penalties for breach.
Recently, the NITDA commenced investigations into some identified data controllers for alleged breach of the NDPR. The NITDA initially set a 25 July deadline for companies to file their initial data protection audit report. However, after consultations with industry stakeholders, the Agency announced a three-month extension (which will elapse on 25 October 2019) for Data Controllers to conduct the relevant data protection audits and file their initial audit reports.
In the light of these recent events, personal data protection and privacy have become a burning issue for a number of stakeholders. This article therefore examines the NDPR provisions and other data protection and privacy developments on the international scene.
The Nigerian Data Protection Regulations 2019
i. Background
On 25 January 2019, the NITDA issued the NDPR pursuant to its powers under the NITDA Act. The Regulations introduce a new data protection framework with novel compliance requirements for organizations that deal with the data of individuals. The objectives of the Regulations include, inter alia, safeguarding the rights of natural persons to data privacy, preventing manipulation of personal data and fostering the safe conduct of transactions involving the exchange of personal data. The Regulations also seek to enhance the competitiveness of Nigerian companies in international trade through safeguards that are in line with global best practices.
ii. Scope of the Regulations
The NDPR applies to all transactions intended for the processing of personal data of natural persons residing in Nigeria or Nigerian citizens residing in foreign jurisdictions. Based on the NDPR, data processing includes the collection, recording, storage, retrieval, use, disclosure, transmission, erasure and destruction of personal data.
The NDPR also specifically confers certain rights on persons that provide their personal data, i.e., Data Subjects. These include the right to information about their personal data, the right to access their personal data, the right to rectification of their information, the right to withdraw consent, the right to object, the right to data portability and the right to be forgotten.
iii. Compliance Requirements
The NDPR requires Data Controllers to develop adequate security systems to protect data within their custody. In line with this requirement, Data Controllers are required to maintain and publish a data protection policy that conforms with the NDPR, and to continually train and build the capacity of staff members on data protection and privacy procedures. The NDPR also mandates Data Controllers to appoint Data Protection Officers for the purpose of ensuring compliance with the Regulations.
Data Controllers are to obtain the lawful consent of Data Subjects before processing their personal data. Thus, Data Controllers are required to display a simple and conspicuous privacy policy on any medium through which they collect or process personal data. Such a privacy policy is to contain a description of the kind of personal data to be collected and the purpose for which the data is collected, amongst other information.
In the event that a Data Controller engages the services of a third party to process personal data of Data Subjects, the NDPR requires that such engagement must be governed by a written contract between the third party and the Data Controller.
The NDPR mandates all Data Controllers to conduct an audit of their organization's data privacy policies within six months from the issuance of the NDPR, i.e., by 25 July 2019. However, the NITDA has announced a three-month extension (which will elapse on 25 October 2019) for the filing of the initial audit report. The Regulations reserve the requirement to submit data audit reports for certain categories of Data Controllers. Accordingly, only Data Controllers that process the personal data of more than 1,000 Data Subjects within a period of six months are mandated to file a soft copy of the summary of their audit with the NITDA. Similarly, Data Controllers that process the personal data of more than 2,000 Data Subjects within a period of 12 months are mandated to file a summary of their audit with NITDA not later than 15 March of the following year.
NITDA also requires that a verification statement by a licensed Data Protection Compliance Organization (DPCO) accompany all filings made. A DPCO is any entity licensed by NITDA to train, audit and render consulting and other services and products for the purpose of compliance with the data protection laws applicable in Nigeria.
iv. Transfer of Data to Foreign Countries and International Organizations
Based on the NDPR, a Data Controller may only transfer data to a foreign country or international organization subject to the supervision of NITDA and the Attorney General of the Federation (AGF).
NITDA will coordinate relations with the AGF with respect to international transfers of personal data, and Data Controllers are obligated to notify NITDA of any such transfers.
v. Administration
NITDA is the agency responsible for administering the NDPR. The NDPR empowers NITDA to register and license DPCOs to monitor, audit, conduct training and render data protection compliance consulting services on its behalf. However, the DPCOs will be subject to Regulations and Directives of NITDA issued from time to time.
vi. Consequences for Failure to Comply with the Regulation
The NDPR creates two categories of Data Controllers for the purpose of administering penalties upon breach of the Regulations, as follows:
Data Controllers that process the data of more than 10,000 Data Subjects will be liable to pay 2% of their Annual Gross Revenue or ₦10 million, whichever is greater;
Data Controllers that process the data of fewer than 10,000 Data Subjects will be liable to pay 1% of their Annual Gross Revenue or ₦2 million, whichever is greater.
Recent Events in the Domestic & International Data Protection & Privacy Space
The release of the NDPR has increased the awareness of many stakeholders of the need to protect the personal data of Nigerians. Recently, an incident reportedly involving the Nigerian Immigration Service (NIS) and a Nigerian citizen resulted in a public debate on the responsibility of the NIS to protect the personal data of individuals. In that incident, the Nigerian High Commission in London was reported to have posted the bio-data page of a Nigerian citizen on its social media page. This gave rise to discussions about a possible breach of the citizen's privacy rights under the NDPR.
According to reports, NITDA is currently investigating the NIS as well as other identified data controllers for alleged breach of the privacy rights of citizens. In addition, the Agency issued a Draft NDPR Implementation Framework and conducted sensitization sessions where stakeholders were invited to discuss concerns about the draft framework. This clearly demonstrates NITDA's readiness to enforce the provisions of the NDPR.
Similarly, there has been strict enforcement of the General Data Protection Regulation (GDPR) in various jurisdictions in the EU since 2018. In July 2018, the Portuguese Data Protection Authority (CNPD) imposed a fine of €400,000 on a hospital in Portugal for non-compliance with the provisions of the GDPR. The CNPD had reportedly discovered that the staff of the hospital had unrestricted access to patients' information, regardless of their specialty. Thus, the CNPD decided that the hospital had not put in place adequate measures to ensure the protection of patients' data.
Similarly, the French Data Protection Authority (CNIL) reportedly slammed Google with a fine of £44 million for allegedly breaching the GDPR's rules on transparency by failing to give Data Subjects adequate information on the use of their personal data. The CNIL also alleged that Google failed to make the process for declining or withdrawing consent easy for Data Subjects.
In the light of the foregoing, a number of organisations within Nigeria and the EU have begun to adopt more watertight processes to ensure the safeguarding of personal data of individuals and overall compliance with the Data Protection & Privacy Rules.
Conclusion
The issuance of the NDPR shows NITDA's seriousness about protecting the privacy of individuals by protecting their personal data. Some organizations in Nigeria have already begun complying with the provisions of the NDPR by putting in place data security measures and fulfilling other compliance requirements. However, a number of organizations are yet to comply with the provisions of the NDPR.
In view of the extended filing deadline in October 2019, it is imperative for all Data Controllers to engage the services of DPCOs authorized by the NITDA to review their data privacy policies and practices and to help them navigate the compliance requirements provided under the NDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.