On The Invalidity Of The Nigerian Data Protection Regulation, 2019

By Agbada S. Agbada Esq.

Stephen.agbada@yahoo.co.uk

With advance in technology, the ubiquitous nature of social media and rapid growth in electronic transactions, personal data has become more easily accessible and vulnerable to exploitation and abuse. This incident of digital transformation of life and business poses serious risks to data subjects just as it provides a boost to electronic commerce and the profits of digital companies. The risks of abuse of data privacy by those with access to and in custody of personal data of others underlined the imperative of data protection laws and regulations. Different states and the European Union have enacted their own versions of data protection laws and regulations to impose obligations on companies and individuals in respect of custody, transfer, use etc. of personal data.

The Nigerian Data Protection Regulations, 2019 (the “NDPR”) was issued by the National Information Technology Development Agency (“NITDA”) in response to this need for adequate protection of data privacy. In that respect, the NDPR was a timely and welcome piece of legislation. However, NITDA lacks the powers to regulate data privacy and the NDPR is beset with a fundamental question of validity due to the apparent lack of powers of NITDA over data privacy.

This article interrogates the powers of NITDA to issue regulations in respect of data privacy in the context of the legislative powers of the National Assembly to make general data protection laws. The article argues that the National Information Technology Development Agency Act (“NITDA Act” or the “Act”) under which the NDPR was issued is inconsistent with the provisions of the Constitution and that this inconsistency renders both the Act and the NDPR void.

An Overview of the NDPR

The NDPR was issued pursuant to the Act with the objectives to safeguard the rights of natural persons to data privacy; to foster safe conduct of transactions involving the exchange of personal data; to prevent manipulation of personal data; and to ensure competitiveness of Nigerian businesses through the safeguards afforded by a just and equitable framework on data protection.[1]

The NDPR applies to all transactions involving the processing of personal data. It also applies to natural persons resident in Nigeria and Nigerians who are resident abroad.[2] Article 2 of the NDPR stipulates general safeguards for the collection, processing, transfer and storage of personal data. The Article generally imposes obligations on persons and entities in possession of the personal data of a natural person (referred to as a Data Subject) to process such data only for a specific, legitimate and lawful purpose and only with the consent of the Data Subject. Such data processing is required to be accurate and without prejudice to the dignity of the human person. The Article further imposes an obligation on anyone entrusted with personal data of a Data Subject to store the data for only a period within which it is reasonably needed and secure it against all foreseeable breaches and hazards such as cyberattack, viral attack, manipulation of any kind or damage by rain, fire etc.

The Regulation prohibits obtaining personal data without providing the specific purpose of the collection to the Data Subject and obtaining the informed consent of the Data Subject.[3] It further requires the publication of simple, clear and conspicuous privacy policy on any medium through which personal data is being collected or processed and prescribes the relevant information that must be contained in any such privacy policy.[4] A Data Subject is conferred with the right of objection to the processing of his personal data by a Data Controller (a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed) for the purpose of marketing and a Data Controller is required to provide a means of objection to the Data Subject.[5] The NDPR is meant to be interpreted and applied liberally with the aim of furthering and never for the purpose of restricting the privacy rights of Data Subjects which have been guaranteed under the Constitution or any other enactments.[6] Article 2.10 of the NDPR prescribes penalties for breach of any of the duties under the NDPR.

Article 3 of the NDPR confers additional rights on a Data Subject including the right to information relating to his personal data free of charge, the right to request a deletion of his personal data, right to transfer personal data from one Data Controller to another etc. Article 4.2 provides for an Administrative Redress Committee with the jurisdiction to adjudicate on complaints from Data Subjects relating to breach of the Data Subject’s rights under the NDPR.

The foregoing overview encompasses the scope and subject matter of the NDPR.

NITDA’s Powers to Regulation Data Privacy

NITDA is established by the NITDA Act”[7] which delineates its powers and functions.  Section 6 of the Act generally provides for the functions of NITDA regarding the development and regulation of information technology in Nigeria. Amongst other functions, NITDA is mandated under Section 6(c) of the Act to:

“Develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information.”

Section 6(c) of the Act is cited as the source of NITDA’s powers to regulate data privacy in the preamble to the NDPR. The question is whether the National Assembly has the legislative competence to confer on NITDA the powers to regulate data privacy.

The legislative powers of the National Assembly are prescribed and circumscribed by the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (the “Constitution”). The National Assembly is required to observe the limits of its legislative powers as prescribed by the Constitution. The National Assembly does not enjoy a prerogative to arrogate to itself powers which are not within its remit under the Constitution and any law made by the National Assembly beyond its constitutional powers is void to the extent of the inconsistency.[8]

The items within the legislative powers of the National Assembly are as outlined in the Exclusive Legislative List and the Concurrent Legislative List of the Constitution.[9] It is important to note that no provision in the Exclusive and Concurrent Legislative Lists confers on the National Assembly the powers to make general data privacy laws or even make laws on electronic governance. Rather, Item 21 of the Concurrent Legislative List only empowers the National Assembly to “. . . make laws to regulate or co-ordinate scientific and technological research throughout the Federation.” Therefore, the National Assembly can only enact laws establishing institutions like NITDA to perform the task of regulating and coordinating scientific and technological research.

The operative phrase in Item 21 of the Concurrent Legislative List is “scientific and technological research” and the powers of NITDA or any other like institution ought to be exercised within the context of scientific and technological research.  The power to “develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions . . .” cannot be said to be a component or aspect of scientific and technological research.  And data privacy cannot by any stretch of the principles of interpretation, be construed to mean an aspect of scientific and technological research.  There was therefore no constitutional basis for the issuance of the NDPR by NITDA. What then is the fate of the NDPR?

Validity of NDPR

The law is settled that a subsidiary legislation derives its validity from its enabling statute. See Din v. Fed. A.G. (1988) 4 NWLR (Pt. 87) 147. It is also settled law that a statute cannot render nugatory the provisions of the Constitution. See GOVERNOR OF OYO STATE & ORS v. FOLAYAN. As the National Assembly has no power to legislate on electronic governance under Item 21 of the Concurrent Lists or make general data privacy laws, it cannot confer any such powers on NITDA through the Act. Section 6(c) of the Act is ultra vires the powers of the National Assembly. The Act is inconsistent with the provisions of the Constitution and is void to the extent of this inconsistency. It therefore follows that the NDPR which derives its validity from the Act is equally invalid as it is on a subject that is outside the remit of the National Assembly.

This means that Nigeria at present, has no valid data protection law or regulation. There is therefore an urgent need for a valid data protection regime which can only be established through laws validly enacted by the federal and state legislatures within the confines of their legislative powers. The legislative powers of the federal and state legislatures over data privacy will be discussed in a subsequent article.

[1] See Article 1.1 of the NDPR.

[2] See Article 1.2 of the NDPR.

[3] See Article 2.3 of the NDPR.

[4] See Article 2.5 of the NDPR.

[5] See Article 2.8 of the NDPR.

[6] See Article 2.9 of the NDPR.

[7] Section 1(1) of the Act.

[8] See Section 1(3) of the Constitution.

[9] See Section 4(1)-(4) of the Constitution.

By Agbada S. Agbada Esq., Stephen.agbada@yahoo.co.uk