When the European Union commenced enforcement of its General Data Protection Regulation (GDPR) sometime in May 2018, the rest of the world welcomed it, not only as a breath of fresh air but also as a sign of the Council of Europe’s willpower to give its residents’ and citizens’ data-privacy protection the reinvigorated consideration they have yearned for over the years.
In a copycat-esque but commendably responsive move, the National Information Technology Agency (NITDA) took the initiative on the 25th day of January 2019 to issue something similar in objectives to the GDPR and named it the “Nigeria Data Protection Regulation” (NDPR), to become Nigeria’s first codified Data Protection legislation. According to NITDA’s Director General, Isa Ali Ibrahim: “… the rate of wanton abuse of privacy of Nigerian citizens’ data, needed an urgent national response. I therefore constituted young professionals in the Agency, I challenged them to proffer solution to this problem. The team worked hard and eventually came up with a unique regulation that has become a cynosure of discerning minds”. See Reflection of Nigeria’s Data Protection Regulation 2019, accessible at https://leadership.ng/2019/04/25/reflection-on-nigerias-data-protection-regulation-2019/amp/
Since its issuance, a couple of learned authors and practitioners have, expectedly, written reviews and opinions on the NDPR, but this writer is yet to come across any of those admittedly timely academic interventions that critically analyzed the shortcomings of the regulation, which is undoubtedly Nigeria’s most eminent extant piece of legislation, albeit subsidiary, on data-privacy protection.
Objectives: Paragraph 1.0 (a) of the NDPR restricts the safeguard/protection offered under the regulation to the rights of natural persons only. This is inadequate because institutions/organizations can also fall victim to data-privacy breaches, especially where their businesses are woven around data processing and storage; if the express provision of the NDPR is slavishly adhered to, artificial persons cannot take cover under it as currently worded.
In the words of Daryl Nerl (a staff writer at smallbusinesstrend.com), while giving 10 tips to protect your business and customers on Data Privacy Day: “Having information about clients and customers is important but ensuring that private information remains secure might just be as vital to the health of small businesses”. In essence, the safeguarding of natural persons from data-privacy breaches is as important as its extension to legal entities which deal with data in any form, especially given the prevalence and seeming omnipotence of digital hackers and cyber terrorists.
Still on the objectives, the unjustifiable fixation on “personal data” betrays the regulation’s wide title, which simply contemplates “Data” simpliciter. When this is considered in the light of the definition of “Data” under the regulation, one would further ponder whether (no pun intended) the NDPR’s broad title agrees with its constricting objectives as far as the word “Data” is concerned.
Since the regulation’s main focus is to protect data, its restriction to personal data may be counterproductive in the near future, as it may give rise to agitations for another, broader regulation for the protection of other kinds of data, especially non-personal and non-electronic data. For instance, the classification of data is not devoid of its own uncertainties: while some proponents posit the existence of two kinds (qualitative and quantitative), some favour three types (descriptive, predictive and prescriptive), another school has four (normal, ordinary, interval and ratio), while others have five types, etc. For as long as there exists divergence, even among stakeholders and practitioners, on the identity and classification of data, a regulation protecting same must not shy away from its vagaries by cramping its coverage and reach as the NDPR has done here.
Surprisingly, the NDPR, which prides itself as Nigeria’s swift response to the GDPR, conspicuously omitted the phrase “Protect Fundamental Rights and Freedoms” from its objectives, even though same forms part of the objectives of the GDPR, from which the NDPR derived its inspiration.
On the one hand, it is commendable to note that, unlike the GDPR, the NDPR defines “Data”; on the other, the definition is not only narrowly technical, it is also not comprehensive enough in the light of the regulation’s expectations. It simply defines Data as “characters, symbols and binary which operations are performed by a computer which may be stored by transmitted in the form of electronic signals is stored in any format or any device.”
The inadequacy of the above definition is, at a glance, reflected in the use of the word “computer”, which the same regulation defines as “information technology systems and devices whether networked or not”. Hence, the NDPR does not seek to safeguard data wholly captured, processed and/or stored in paper form without the use of computers, since its focus is on computers and ICT. This appears tricky and can come in handy for a mischievous data controller/administrator under the regulation, especially considering the provision of the first paragraph in the preamble, which restates NITDA’s mandate to “develop regulations for electronic governance to monitor the use of electronic data …as an alternative to paper based methods.”
Understandably, some practitioners, relying on the provisions of NITDA’s enabling Act, have argued that the agency does not possess powers to issue the NDPR to cover paper-based data, but we are of the respectful opinion that this is arguable until a court of law decides to the contrary.
Secondly, the definition of data under the NDPR is deficient compared to other definitions found elsewhere, even when they mean, ultimately, the same thing. Although Black’s Law Dictionary does not define the word, its 10th edition defines “Database” as “compilation of information arranged in a systemic way”.
The GDPR also does not define data, but it defines “Personal Data” as “information relating to identified or identifiable natural person”. www.searchdatamanagementtechtarget.com defined data as “information that has been translated into a form that is efficient for movement or processing” and the Business Dictionary defines it as “information in raw or unorganized form”. In all the foregoing definitions, apart from the NDPR’s, a common denominator is the word “information”, which sums up the whole essence of data. The NDPR chose the highly technical route without even defining what “characters”, “symbols” or “binary” are, thereby leaving them to conjecture.
Since the definition of “Data” in the NDPR is, in our opinion, jaundiced, its incompetence or inadequacy will, by implication, affect that of “Database” in the same measure, as it is correspondingly defined under the regulation as “collection of data”.
Happily, the word “information” is included in the definition of “Personal Data” under the NDPR, but a phrase that may create a jurisprudential issue is “Bank Details”, which appears under regulation 1.3(q). Legal pontification may arise as to whether the phrase includes bank statements of account, and if it does, then it portends huge economic implications for Nigerian banks, which have hitherto charged fees for providing their customers with statements of account. To put this in proper perspective, regulation 2.13.3 mandates such personal data as “bank details” to be given/released to Data Subjects (Customers) free of charge.
Again, the definition of “Sensitive Personal Data” excludes data relating to finance. Hence, bank details are not seen as sensitive under the definition since it is not open-ended as drafted. This may also pose some legal problems.
Penalty for default
While regulation 2.10 provides a penalty for breach of “Data Privacy Rights”, nowhere in the entire regulation are the said rights specifically provided, unless one improvises by resorting to the provision titled “Rights of a Data Subject” under regulation 2.13. Further, the regulation provides for the consequences of default but is silent on remedies for victims of data-privacy breach. The penalties contained therein would only generate income for the government at the expense of the actual victims of data-privacy breach. This is a regrettable omission.
One would have expected the drafters to take a cue from the GDPR, which has comprehensive provisions on “Remedies, Liabilities and Penalties”. Worthy of note also is the provision under the GDPR on the right to compensation receivable by any person who has suffered “material or non-material loss” as a result of infringement under the regulation. This is sadly missing in the NDPR, which seeks to confer a right without giving a remedy in the event of infringement, thereby defying the age-long legal principle of Ubi Jus Ibi Remedium – where there is a right which is wronged, there must be a remedy. See Arulogun v Commissioner of Police, Lagos (2016) LPELR-40190(CA).
Administrative Redress Panel
The provision of regulation 3.2 prima facie appears a progressive one, but judging from the antecedents of administrative panels in our country, the panel’s set-up and constitution may pose their own peculiar problems, which may hinder it from either taking off or delivering on its mandate. In the absence of express provisions on the timeline for its set-up, its membership, their qualifications or disqualification, etc., its emergence in reality may continue to be a mirage unless NITDA shows real seriousness towards ensuring victims get redress which, anyway, favours the government in terms of penalty for default at the expense of compensation for the victims.
While I am, like other “Data Subjects”, grateful for NITDA’s proactive interpolation in the mould of the NDPR, there will always be room not only for improvement but also for further review of the regulation, to further respond to the dynamism of the Nigerian socio-economic reality.
As much as the NDPR has been rightly touted as Nigeria’s comprehensive and contemporary regulation on data privacy, NITDA and all other stakeholders should not get complacent with this commendable regulation; it must be periodically revised and updated to cater to outstanding issues, whether existing or arising in the future. I however commend NITDA for their unprecedented proactivity on this.
Co-Founder, Digital Rights Lawyers Initiative, writes from Lagos, Nigeria