On 25 January 2019, the Nigeria Data Protection Regulation (NDPR) was issued by the National Information Technology Development Agency (“NITDA”), the ICT regulator for the nation. Among the objectives behind this regulation were the protection of the privacy rights and freedoms of Nigerian citizens, on the one hand, and the promotion of local and foreign investments in the digital economy by safeguarding the information systems infrastructure against breaches and implementing internationally compatible rules, on the other hand.
The ICT regulator as data protection authority
Nigeria is one of the few countries in Africa (the Ivory Coast being another example) that had decided to establish a privacy regulatory framework without creating a dedicated data protection authority. NITDA, statutorily instituted in 2007 has a mandate to oversee compliance with privacy laws. From a practical point of view, this stance has some advantages. There are examples of certain data protection statutes that cannot be enforced years after enactment because their implementation required for the establishment of a data protection regulator. And due to different reasons, including budget, the regulatory body was yet to be created. Another advantage is the possibility to have, within the same body, the expertise in both information security and privacy. Those two areas, which are central to data protection, are often separated. This can create coordination issues unless the authorities have set up means of systematically working closely and jointly.
The scope of the regulation is an extra-territorial one which applies to data controllers located outside Nigeria but processes the personal data of individuals resident in Nigeria. Hence, the regulation applies, for example, to most non-Nigerian social media companies with Nigerian-based users.
Key features of the Nigeria Data Protection Regulation
The definition of “personal data” in NDPR is similar to that of other African countries and the General Data Protection Regulation (GDPR). The term refers to “any information relating to an identified or identifiable natural person”. The definition further provides examples of personally identifiable information and includes MAC addresses, IP addresses, IMEI numbers, IMSI numbers and SIM numbers. NITDA considers that the personal data of deceased data subjects falls within the scope of the Regulation and can be enforced by their estate.
Similarly, the concept of “processing” is broadly construed and it includes inter alia data collection, recording or consultation. This means, for example, that any operation tending to anonymise personal data, through encryption, anonymisation, pseudonymisation, hashing, scrambling prior to using the data for behavioural analyses or statistics, constitutes a processing activity and falls within the scope of the regulation. The same applies to any remote access or remote visualisation by, for instance, an IT support service provider, even if the data is not hosted on its systems.
With regards to the general principles governing data processing, the regulation provides that data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the data subject. The data must be (i) adequate, accurate and without prejudice to the dignity of human person, (ii) stored only for the period within which it is reasonably needed and (iii) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
The legal bases on which personal data can be processed are (i) consent, (ii) the necessity for the performance of a contract, (iii) the compliance with a legal obligation, (iv) the protection of a vital interest and (v) public interest. Consent must be given by a statement or a clear affirmative action. This means that consent on an opt-out basis is prohibited.
Data subject rights are similar to the rights found in the GDPR or in the Kenyan and Beninese laws. They include the right to be informed in a clear, transparent and comprehensive manner, the right to rectification, the right to object to processing, the right to be forgotten, the right to restrict processing and the right to data portability.
Emphasis on accountability
Whereas the majority of the ECOWAS countries impose a notification to the data protection authority, or sometimes for its authorisation, prior to processing data (a requirement which is challenging to comply with for SMEs, and which would require a significant headcount increase at the regulator’s instance if it was widely complied with). Nigeria has opted for a less bureaucratic approach and has instead imposed self-audits by data controllers who process the personal data of 1,000 data subjects or more. For anything beyond 2,000 data subjects, data controllers must, on an annual basis by 15 March, provide a summary of their audit to NITDA. In addition, the regulation imposes the appointment of data protection officers. Guidance, to be issued by NITDA, will provide further detail on the thresholds beyond which it will be mandatory for an organisation to have an internal or external data protection officer.
Furthermore, compliance and self-audits are encouraged by the creation of Data Protection Compliance Organisations (“DPCOs”). These are organisations, such as consulting firms, audit firms, law firms etc, that apply to NITDA for a licence to provide training, auditing, and consulting services throughout the country. DPCOs are expected to verify self-audits prior to submission to NITDA. This is a means of decentralising compliance activities for more efficiency.
For defaulters, the sanction for breach of the regulation is the greater of 10,000,000 naira or 2% of the annual gross revenue of the preceding year, where the data controller deals with more than 10,000 data subjects.
Nigeria continues to refine her privacy legal framework. NITDA is due to imminently publish an implementation framework for the regulation. It is also planning to issue guidance on specific subjects, such as; the requirements for a data protection officer, consent, data subject access request, self-auditing or international transfers of data.
In addition, a bill is under preparation with the view to enacting a data protection statute. The lessons from the implementation of the regulation is expected to form the fulcrum of a pragmatic national law.
Aissatou Sylla, Attorney at Law, Senior Associate, Hogan Lovells LLP, Kashifu Abdullahi, Director General, National IT Development Agency & Olufemi Daniel, Lead Regulations Monitoring and Compliance, National IT Development Agency