A REVIEW OF THE NIGERIAN DATA PROTECTION BILL 2020 1

1. INTRODUCTION

Data Privacy and Protection in Nigeria has evolved over the past few years, spurred on by their ascendancy as major concerns in the world today with the rise in data privacy and security breaches. One of the significant developments in this area in Nigeria is the issuance of the Nigerian Data Protection Regulation ("NDPR"),2 which was highly impacted by the European Union's General Data Protection Regulation.3 However, given the limitations of the NDPR in scope, form and power,4 it became necessary to enact a more comprehensive law solely governing data privacy and protection. The draft Data Protection Bill 2020 ("the Proposed Bill" "the Bill" or "the Proposed Act") was recently introduced by the Federal Government through the Legal and Regulatory Reform Working Group (LWG) which was constituted in March 2020, in furtherance of the Federal Government's implementation of the Nigeria Digital Identification for Development (ID4D) Project.5 The LWG concluded the harmonization of all reviews and comments from LWG stakeholders on the Bill and has requested for further comments from interested persons.6 The Bill has been published on the website of some LWG stakeholders including the National Information Technology Development Agency(NITDA)7 and the National Identity Management Commission for public comments8

The Bill can be seen as a response to the need for a more effective and comprehensive legal regime for data privacy and protection in Nigeria and may likely bridge the gaps that currently exist in the extant regulatory regime when passed into law.

Objectives of the Proposed Bill

The Proposed Bill primarily seeks to establish an effective regulatory framework for the protection of personal data, regulate the processing of information concerning data subjects and safeguard their fundamental rights and freedoms guaranteed under the 1999 Nigerian Constitution.9 It aims to promote the code of practice which guarantees privacy and data protection without inordinately undermining the interest of commercial organizations and government agencies in respect of such data.10 In addition, it seeks to minimize the effects of misuse and abuse of personal data, establish an impartial regulatory authority and ensure personal data is processed in a fair and lawful manner in line with the bill and other existing legislation.11

Scope of Application

The proposed Bill applies to the processing and use of personal data of both Nigerian citizens and persons residing in Nigeria, by automated or non-automated means.12 This provision indicates that the Bill also extends to the processing of non-electronic data in addition to electronic data, putting to bed all debate as to whether the NDPR applies to paper-based data and closing that loophole.13

The Bill extends to personal data processed by private and public organisations resident in Nigeria.14 It equally applies to data controllers and processors of personal data where they are both either established in Nigeria, and the personal data of the data subject are processed within Nigeria; or the data subject resides in or outside Nigeria. Other instances in which the Bill would apply are where a data controller is not established in Nigeria but uses equipment or a data processor in Nigeria to process data of subjects resident within or outside Nigeria; or where processing is carried out in respect of data of subjects that reside in or outside Nigeria and such data originates partly or wholly from Nigeria.15 This section exempts the application of the proposed Bill to the processing of personal data carried out by a data subject while performing a purely personal or household activity.

The Bill sets out six categories of persons covered by the proposed Act which include Nigerian citizens, Nigerian residents, organisations incorporated in Nigeria, unincorporated joint ventures or associations (businesses) operating partly or wholly in Nigeria; persons who maintain an office, branch or agency through which business activities are carried out in Nigeria; and foreign entities targeting Nigerian residents.16 The Bill also applies to certain types of personal data including personal and biometric data, sensitive personal data, personal banking and accounting records, data that reveals a data subject's flight reservation or itinerary, academic transcript records, and medical and health records.17 It further provides that data controllers or processors are required to submit data protection audit reports to the Data Protection Commission ("Commission") annually, not later than 30th March. This requirement to submit audit reports is also contained in the NDPR, however, the NDPR requires only data controllers that process personal data of more than 2000 data subjects to submit audit reports annually, not later than the 15th of March. Furthermore, the Commission is required to compile and publish a report containing the list of organisations that have submitted the audit report annually.18

2. REVIEW OF THE BILL

Basic Principles and Legal Basis for Processing Personal Data

The Bill highlights the basic principles which a data controller or processor must comply with when processing personal data. Personal data must be processed for specific, explicit, and legitimate purpose, and in a lawful, fair, and transparent manner. The basic principles highlighted in the Bill are similar to those contained in the NDPR.19

The Bill further stipulates instances where processing of personal data will be regarded as lawful. Personal data will be held to have been lawfully processed if it was processed for the performance of a contract, compliance with a legal obligation, protection of vital interests of a data subject or another person, or a prevailing legitimate interest pursued by the data controller or a third party.20 The justification for processing premised on 'legitimate interest' will not suffice where such interest is overridden by the interests of fundamental rights and freedoms of the data subject.21

Establishment, Composition, Power and Functions of the Data Protection Commission

The Bill establishes the Data Protection Commission and a Governing Body for the Commission.22 The composition of the governing board includes relevant stakeholders in the data privacy community and government agencies that deal with large amounts of data.23 The Commission can implement and monitor compliance with the provisions of the Bill, make administrative arrangements which it believes are appropriate in order to discharge its duties, investigate complaint based on the bill, make regulations, apply to court for warrant, impose fines and penalties and generally perform its duties with the aid of enforcement agencies.24 In addition, the Commission is required to make regulations for the licensing and certification of data protection compliance officers and organizations.25 This Bill recognizes the role of data protection compliance officers and more information on their roles will be contained in the Regulation to be promulgated by the Commission.

Rights of the Data Subjects

The Bill lays out the rights of data subjects, superseded by the provisions of Section 38 of the proposed Act which deals with the rights of persons affected by the processing of any personal data to request from the Commission an assessment as to whether such processing complies with the Act.26

Data subjects are to be notified of data breaches affecting them within 48 hours after notifying the Commission and section 17(4) highlights the content of such notification.27 Sections18-25 of the Bill provide for the rights of a data subject to include right of access, right in respect of automated decision making, right to rectification, erasure, right to seek judicial remedy among others. These rights are like those contained in the NDPR28 except the introduction of the right in respect of automated processing and the right to have data processing suspended.

Processing of Sensitive Data

The Bill prohibits the processing of data relating to children under parental or guardian control in accordance with existing laws, and processing on religious or philosophical beliefs, on ethnic grounds, religion, race, political opinions, health, sexual orientation or behaviour of a data subject, except as otherwise provided in the Bill or other extant laws.29 Pursuant to the interpretation section of the Act, these categories of data fall under sensitive personal data of a data subject. A data processor or controller may process sensitive personal data where processing is necessary as provided under the Bill, the data subject consents or in the case of a child under parental control, prior consent of the parent or guardian is obtained before processing."30

Sensitive data relating to race or ethnic origin should not be processed except where it is necessary for the identification and elimination of discriminatory practices and carried out with appropriate safeguards for the rights and freedoms of the data subject.31 Furthermore, spiritual or religious organizations and institutions founded on religious or philosophical principles are allowed to process personal sensitive data if it relates to their members, employees or other persons belonging to the organisations; consistent with the objects of the institutions; and are necessary to achieve the aims and objectives of such institutions.32

Section 29 of the Bill further provides for compensation33 for the data subject where they suffer harm arising from a contravention by the data controller or for processing contrary to the provisions of the Bill. On the part of the data controller or processor, a proof that they took reasonable care in all cases to comply with the requirement of the Bill suffices as a defense.34

Duties of Data Controllers and Data Processors

The Bill sets out the duties of data controllers and processors.35 It also makes provisions for the vicarious liability of a data controller where processing is carried out by a data processor on behalf of the data controller.36 However, the vicarious liability of the data controller as contained in the Bill is subject to a legally binding contract between the data controller and processor. 37

A data controller is required to engage only a data processor who provides sufficient guarantees to implement appropriate technical and organizational measures, taking into account the data controller's obligations under the Bill and to ensure the protection of the rights and fundamental freedoms of the data subject.38 Data Controllers are required to appoint a Data Protection Officer who will be responsible for ensuring adherence to the bill. This is, however, subject to the regulation made by the Commission.

Data Location and Security

The Bill requires that data controllers and processors should only process personal data on devices within their control whether physically located within or outside Nigeria.39 Data controllers and processors must take optimal technical and managerial measures to protect the personal data against risks of breach, destruction and unauthorized use, modification or disclosure. It further mandates data controllers and processors to undertake regular tests to assess and evaluate the effectiveness of their technical and organizational measures for ensuring security of processing.40

Administration and Enforcement

Section 36 of the Bill introduces the concept of an Enforcement Notice and vests in the Commission the power to issue such notices to data controllers or processors, where they have contravened or there is reasonable belief of likely contravention of the data protection principles under the proposed Act. The notice is issued to restrain a data controller or processor from taking steps towards processing the personal data of the person described in the notice.

Trans-Border Flow of Personal Data

According to the bill, the transborder transfer of personal data may only take place where an adequate level of protection based on the bill is secured in the recipient State or international organisation. The transborder transfer of personal data may also take place where the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; the specific interests of the data subject require it; and prevailing legitimate interests, especially public interests are provided for by law. These provisions are synonymous with those contained in the NDPR except that the requirement for the supervision of the Attorney General required under the existing regulation has been avoided.41 This eliminates the bottlenecks that may arise in fulfilling the conditions of international transfer of data.

Offences and Penalties

The Bill criminalizes the unauthorized collection, disclosure, and retention of personal data, sale of personal data and negligence in the protection of data.42 It imposes a fine of 5 million naira and/or imprisonment for a year for unlawful collection, disclosure, and retention of personal data.43 For the unlawful sale of personal data, it imposes a fine of 1 million naira per record or/and imprisonment for 5years concurrently.44 In the case of unlawful advertisement of personal data, a fine of N500, 000 naira per record and/or imprisonment of 5 years concurrently is imposed.45 It further criminalizes situations where breach is caused by the negligence of the data controller or processors by imposing a fine of 10 million naira for every year of default and/or an imprisonment of not less than 1 year.46 The court may, in addition to imposing sentences, give an order to the convicted person to forfeit its asset, money and equipment used to or intended to be used to commit the offence to the Federal Government.47 The Bill also makes provision for a Court of law to grant orders for the compensation of victims of offences by convicted persons,48 which is not contained in the NDPR.

Records Obtained from Data Subject's Rights of Access

The Bill restrains a person who provides goods, facilities or services to the public from utilizing a request for information as a condition for the supply of goods and services.49 However, this provision will not apply where imposition of such requirement is necessary for the identification of persons or authorized under an enactment, valid commercial transaction or in the public interest.50

Miscellaneous

The Bill empowers the Commission to review, amend or repeal guidelines or regulations51 and confers jurisdiction to hear matters relating to the Bill on the Federal High Court.52 It further empowers the Commission upon an ex-parte application to a Judge in Chambers to enter and search premises or persons or to seize properties where it has reason to believe that an offence is being committed or likely to be committed under the Bill.53

3. CONCLUSION AND RECOMMENDATIONS

The Proposed Act is quite comprehensive as it captures vital issues on data privacy and security which may likely restrain harmful data practices and limit abuse of data by data controllers and processors. It also appears to be in line with global best practices and may position the country as a more formidable presence in the world markets, if passed into law. The right to privacy is a fundamental right recognised in many constitutions around the world and a comprehensive legislation such as the Bill is essential at this time due to emergence of technologies that facilitate the transfer of personal data, increased use of data by individuals and businesses, and for effective democratic governance. We have highlighted some recommendations below which, if incorporated, may further strengthen the proposed Bill prior to its enactment:

Definition/Description of the Roles of Data Protection Officers and Data Protection Compliance Organisations

Although the Bill briefly identifies a data protection officer and data protection compliance organization and implies that more information on these parties will be provided in a Regulation to be made by the Commission, it may be necessary to define and describe the roles of these parties in the proposed Act being the enabling Act. This will provide clarity on the significance of such entities pending the issuance of the Regulation.

Specific Compensation for a Data Subject

According to the Bill, the compensation to which a data subject is entitled for failure of a data controller or processor to comply with the proposed bill is to be determined by the court. The proposed bill does not provide the specific amount to which a data subject would be entitled or guiding parameters for arriving at a suitable monetary figure. It might be expedient to provide the specific amount or range of compensation to guide the court in determining the compensation payable.

Prohibition of Sale of Personal Data

The proposed bill should outrightly prohibit the sale of personal data due to the likelihood of abuse by data controllers, data processors or the purchaser of such data especially in Nigeria. Allowing the sale of personal data may make it impossible or difficult to effectively monitor the purchaser's compliance with the Bill as such data will be widely distributed through such unrestricted sale. The Bill prohibits sale only where a person who knowingly or recklessly obtains, or discloses the personal data to a third party, without the consent of the data controller or after obtaining personal data, retains it without the consent of the data controller.54 The sale of personal data is prohibited in the Ghanaian Data Protection Act.55 According to that Act, a person who sells or offers to sell personal data of another person commits an offence and is liable on summary conviction to a fine or a term of imprisonment or to both.56 A similar explicit provision is to be preferred in the Nigerian Data Protection Bill.

Protection of Personal Data of Legal Entities

The scope of the Bill should be extended to data belonging to legal entities as a breach of an entity's data may influence individuals or natural persons, or result in the privacy breach of personal data, as entities do not exist in isolation but are made up of shareholders, proprietors and employees who are mostly natural persons.57 The absence of an express provision regarding protection of information concerning legal entities in the Bill may be said to undermine the importance of their data in relation to processing in Nigeria.58

Appointment, Removal and Payment of Remuneration and Allowance of Members of the Commission

The Bill imposes the duty of appointment, removal and payment of remuneration and allowance of members of the commission on the President. This may inhibit the independence of the commission in carrying out its duties. The General Data Protection Regulation (GDPR)59 as opposed to the Bill, stipulates that "each Member State shall ensure that its supervisory authority is subject to financial control which does not affect its independence." Thus, a separate endowment could be created to fund the operations of the commission to ensure its autonomy and independence.

Itemization of Security Measures

Unlike the NDPR,60 the Bill does not itemize the various kinds of safeguards a data processor or controller may adopt to ensure optimal protection of personal data. The Bill should itemize these safeguards and further state whether such form of security measures or safeguards exempt such data from being classified as personal data especially where it cannot be used to identify a natural person. There are a number of security measures that can be included in the bill, such as anonymization, pseudonymization, use of encryption technologies, etc.

Definition of Essential Terms

The NDPR defines certain essential terms such as Data, Computer and Foreign Country etc.61 whereas these basic definitions are absent in the Bill. Essential terms such as 'Trans-border' should also be defined or included in the interpretation section of the Bill to prevent ambiguity.

Publicity and Clarity of Privacy Policy

While the Bill provides for data location and security, it does not provide the requirement for publicity and clarity of privacy policy as stated in the NDPR. The NDPR provides that "Notwithstanding anything contrary in this Regulation or any instrument for the time being in force, any medium through which Personal Data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand."62 The Bill should include a similar provision on the requirement of simple and conspicuous privacy policy as it is essential to obtaining independent and informed consent from the data subject.

Third Party Data Processing Contract.

The Bill does not provide for 'Third Party Data Processing Contract,' and it merely provides that "Where a data processor engages a third party to meet its obligations to the data controller, the data processor shall impose the same data protection obligations set in its contract with the data controller and the data processor is liable to the data controller for ensuring the performance of the third party's obligations."63 The NDPR stipulates clearer provisions for the requirement of a third party data processing contract and provides that "..processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to this Regulation."64 A specific provision on the requirement of a third party processing contract should be provided where either a data processor or controller engages a third party to process personal data. This is essential as it would mandate the need for such contracts, which would provide sufficient information to a third party as to its data protection obligations in carrying out the instruction from a data processor or controller.

Generally, the NDPR recognizes the existence and validity of other laws on data privacy and protection and provides that the regulation shall not operate to deny any Nigerian or any natural person the privacy rights such person is guaranteed under these laws.65 However, the Bill is silent on the fate of the NDPR upon its passage into law in spite of some conflicting or divergent provisions in the Bill. Section 67 of the Bill provides that "Nothing in this Act shall nullify or invalidate any provision of an Act of the National Assembly regarding safeguarding privacy of personal data." The NDPR stems from the NITDA Act which vests NITDA with the power to make regulations on safeguarding privacy of personal data, by virtue of section 6 of the NITDA Act. Consequently, it may be argued that the NDPR would still be enforceable despite the enactment of the BiIl, and if there is a conflict between the Bill and the NDPR, the former would naturally take precedence.

Since the NDPR, though a non-sector-specific regulation, is a subsidiary legislation the Bill would have a stronger force of law and overriding powers on the NDPR to the extent of its inconsistency. It is imperative that the Bill addresses this issue to prevent confusion as to the position and status of the NDPR once it is enacted.

The Bill is still a draft and does not appear to have been presented before the legislative houses. Comments from interested persons are still being obtained as part of the process which will lead to the enactment of the Bill.

Footnotes

1. Bisola Scott, Sandra Eke, Francis Ololuo and Oreoluwa Adebayo, Associates SPA Ajibade & Co., Lagos, Nigeria.

2. The NDPR was issued on 25th January 2019.

3. The GDPR came into force across Europe on 25th May 2018.

4. The NDPR, being a subsidiary legislation, is subject to the powers granted it by its enabling Act (NITDA Act) and thus, not able to create new roles, functions or exercise powers outside those powers conferred on it. For instance, it is not empowered to create a new regulatory body like the proposed data protection commission in the Bill, cannot not extend its scope of application to non-automated personal data and covers only processing of data belonging to natural persons residing in Nigeria or outside Nigeria but are Nigerian Citizens, as provided in Article 1.2. It is also inferior to and may be repealed by a primary legislation. See NITDA's Power to Regulate Non-Electronic Data, available at http://www.spaajibade.com/resources/nitdas-power-to-regulate-non-electronic-data-bisola-scott-and-sandra-eke/, accessed on 26th August 2020.

5. NIMC, Submit Comments on the Draft Data Protection Bill 2020, https://www.nimc.gov.ng/submit-comments-on-the-draft-data-protection-bill-2020/, accessed on 23rd August 2020.

6. Ibid.

7. OneTrust Data Guidance, Nigeria: NITDA Published Draft Data Protection Bill 2020 For public Comments, available at https://www.dataguidance.com/news/nigeria-nitda-publishes-draft-data-protection-bill-2020-public-comments, accessed on 23rd August 2020.

8. NIMC, Submit Comments on the Draft Data Protection Bill 2020, https://www.nimc.gov.ng/submit-comments-on-the-draft-data-protection-bill-2020/, accessed on 23rd August 2020.

9. Section 1 of the Data Protection Bill.

10. Section 1(a).

11. Section 1(b)-(d).

12. Section 2(1)(a).

13. Bisola Scott & Sandra Eke, NITDA's Power to Regulate Non-Electronic Data, available at http://www.spaajibade.com/resources/nitdas-power-to-regulate-non-electronic-data-bisola-scott-and-sandra-eke/, accessed on 26th August 2020.

14. Section 2(1)(b).

15. Section 2(1)(c)(i)-(iv).

16. Section 2 (3).

17. Section 2 (4).

18. See Section 2(5).

19. See section 3 of the Bill and Reg. 2.0 of the NDPR.

20. Section 4(2) (a)-(e).

21. Section 4(2)(e).

22. Section 7 and 8 (1).

23. Section 8(1)(a)-(f).

24. Section 10.

25. Section 9(j).

26. Section 17(1) and (2). [list these out here]

27. Section 17(3).

28. Reg. 2.13.

29. Section 26(1).

30. S.26(2).

31. Section 26 (7).

32. Section 27(1)(a).

33. As decided by a Court of law.

34. Section 29 (2).

35. Section 30 and 32.

36. Section 31.

37. Section 31(3).

38. Section 31(2).

39. Section 33.

40. Section 34(3).

41. Section 43(1)-(3) of the Bill & Reg. 2.11 NDPR.

42. Section 44.

43. Ibid.

44. Section 44(3).

45. Section 44(4).

46. Section 45(1).

47. Section 49. Unlike the NDPR, the Bill contains stiffer and more comprehensive penalties for the breach of its provisions. It introduced custodial form of punishments in addition to payment of fines and made specific provisions for the kind of penalties to be imposed on any person in breach and not only data controllers as is contained in the NDPR. See Article 2.10 of the NDPR.

48. Section 50.

49. Section 51(1).

50. Section 51(2).

51. Section 62.

52. Section 63.

53. Section 64(1).

54. Section 44(1) & 3(3).

55. See Data Protection Act 2012 available at https://nita.gov.gh/wp-content/uploads/2017/12/Data-Protection-Act-2012-Act-843.pdf accessed on 20th August 2020.

56. Ibid. Section 89(1).

57. Bisola Scott & Sandra Eke, NITDA's Power to Regulate Non-Electronic Data available at https://www.mondaq.com/nigeria/privacy-protection/961432/ndpr-and-the-protection-of-personal-data-of-legal-entities-in-nigeria, accessed on 26th August 2020.

58. In other jurisdictions like South Africa and Switzerland, the privacy and data protection laws extend protection of personal data to legal entities in addition to natural persons. See Bisola Scott & Sandra Eke, "NDPR and the protection of personal data of legal entities in Nigeria" [insert link or reference if previously cited in this paper] accessed 27 August 2020.

59. (EU) 2016/679.

60. See Article 2.6 of the NDPR.

61. Reg. 1.3.

62. Reg. 2.5 NDPR.

63. Section 32(2) of the Bill.

64. Reg. 2.7 NDPR.

65. Reg. 1.2(c) NDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.