By Obidike Anthony Chukwudozie

INTRODUCTION

“Feeling grateful, doubling all payments sent to my BTC address! You send $1,000, I send back $2,000! Only doing this for the next 30 minutes”.[1]

This was the message sent by hackers from Elon Musk’s Twitter account on 15th July 2020, at about 04:00 pm in the United States of America. Similar tweets were sent from the Twitter accounts of other high-profile individuals such as Barack Obama, Bill Gates and Jeff Bezos. Twitter was hacked! This is one of the greatest hacks in recent times, and the hackers made over $120,000 worth of bitcoin through at least 300 transactions. The world as we know it has gone digital: traditional banking operations are done online, huge transactions are concluded in minutes and large funds are transferred around the globe in minutes using blockchain technology. On a daily basis, human interactions and transactions are digitalized such that purchases are made online, individuals request rides from the comfort of their homes and a driver arrives there to pick them up, and companies collect and exploit big data to enhance sales and customer satisfaction. What all these have in common is the collection and processing of individuals’ personal data, the effect of which is that people are more vulnerable than they were five (5) years ago. Thus, this paper seeks to evaluate data protection laws in Nigeria with a view to discovering whether Nigeria has done enough to protect the data of its citizens, as well as to proffer solutions to existing loopholes.

EVALUATION OF DATA PROTECTION LAWS IN NIGERIA

Data protection and privacy have their basis in the fundamental right of citizens to privacy.[2] Aside from this constitutional provision, there are several industry-specific pieces of legislation that contain provisions touching on the protection of data and privacy. Amongst the industry-specific regulations[3] are: the Freedom of Information Act,[4] which enables public access to public records and information and prevents a public institution from disclosing personal information to the public unless the individual involved consents to the disclosure; and the Consumer Code of Practice Regulations 2007 issued by the Nigerian Communications Commission, which requires telecommunication operators to take reasonable steps to protect against “improper or accidental disclosure” and to ensure that such information is securely stored.

However, irrespective of these preceding pieces of legislation, there had been no comprehensive data protection and data privacy legislation in Nigeria. To address this, the National Information Technology Development Agency (“NITDA/the Agency”), relying on the NITDA Act 2007, published the Nigerian Data Protection Regulation 2019 (hereinafter referred to as the Regulation or NDPR). This Regulation, although a subsidiary legislation, is the most comprehensive law on data protection in Nigeria. The Regulation applies to all “transactions” intended for the processing of Personal Data, and to the processing of Personal Data, notwithstanding the means by which the data processing is being conducted or intended to be conducted, in respect of “natural persons” in Nigeria. Its major objectives are to safeguard the rights of natural persons (Nigerians) to data privacy, to prevent manipulation of data, and to ensure that Nigerian businesses remain competitive in international trade.

The Regulation provides certain guidelines to ensure the non-violation of the rights of a data subject. Notable among these is the registration and licensing of Data Protection Compliance Organisations (DPCOs), who shall, on behalf of the Agency, monitor, audit, conduct training and provide data protection compliance consulting to all Data Controllers under this Regulation.

INADEQUACIES OF THE NIGERIAN DATA PROTECTION REGULATION

The Regulation[5] does not contemplate protection of non-natural entities, as it specifically references only natural persons and not artificial persons. This is a shortcoming because institutions/organizations can also fall victim to privacy/data breaches, but if the express provisions of the NDPR are slavishly adhered to, then artificial persons cannot take cover under it as currently enacted. The Regulation should be amended to address the needs of artificial persons so as to provide a more robust data protection regulation.

The Regulation provides for penalties[6] but it is silent on compensation for victims of data privacy breaches. The penalties contained therein would only generate income for the government at the expense of the actual victims of data privacy breaches. The GDPR has comprehensive provisions on “Remedies, Liabilities and Penalties”.

The provision of regulation 3.2 prima facie appears to be a progressive one. However, the set-up of the Administrative Panel does not state its membership, the members' qualifications or the grounds for their disqualification. This may pose peculiar problems which may hinder the panel from either commencing or delivering on its mandate.

Taking a cursory look at the security and breach prevention provisions in the Regulation, one might be inclined to take the view that the Regulation provides sufficient security measures for the protection of personal data, by virtue of the fact that it contemplates that personal data should be protected against every conceivable form of hazard and breach. Furthermore, it prescribes specific security measures to be taken in furtherance of the required protection. However, further consideration of these provisions in comparison with similar provisions in other African jurisdictions, such as South Africa and Ghana, reveals the inadequacy of the provisions under the Regulation. Like the Regulation, both the South African Protection of Personal Information Act 2013 (“PPIA”) and the Ghanaian Data Protection Act 2012 (“GDPA”) require responsible parties (that is, data controllers/processors) to identify conceivable risks to data and adopt sufficient measures to safeguard data against such risks. However, the PPIA and GDPA go a step further by requiring responsible parties to frequently confirm the effective implementation of the safeguards and to ensure the frequent update of such safeguards in response to new risks or deficiencies in previously implemented safeguards. The import of these provisions is that responsible parties have a continuing obligation to be proactive by ensuring proper execution, as well as regular upgrades, to guarantee the adequacy and efficiency of the security measures adopted for the protection of data. It is instructive to note that the absence of comparable provisions in the Regulation leaves room for ambiguity, as the provisions of the Regulation could be interpreted to mean that the obligation of a responsible party in Nigeria to ensure security of data and prevention of breach is a one-off.

Furthermore, the PPIA and GDPA require responsible parties to notify (as soon as reasonably possible) the applicable regulatory authorities and affected data subject(s) of any unauthorized access to and acquisition of personal data. The notification is aimed, amongst other things, at providing information to the data subject, to enable such a person to take proactive protective measures to mitigate the potential consequences of the breach. The Regulation does not impose a similar obligation on responsible parties in Nigeria; thus, disclosure of a breach is at the discretion of such parties. This creates leeway for covering up a breach or delaying disclosure, which consequently hampers the execution of proactive mitigation measures by the data subject.

CONCLUSION

The Data Protection Regulation 2019 is a significant step towards addressing the need for an encompassing data protection law. The Regulation is not foolproof, however, and falls short in certain areas as noted above. Currently, there is a Nigerian Data Protection Bill 2020[7] in the National Assembly with a view to enacting a data protection statute. The bill addresses some of the issues outlined in this work. However, it is our hope that other issues not covered by the bill will be incorporated into it before it is passed into law. These changes are necessary to create an extensive and efficient data protection law in Nigeria, especially in light of continuous technological advancement and the increasing sophistication of cyber criminals. This will also make Nigeria more attractive to tech investors and reduce technophobia amongst the 60 million unbanked Nigerians[8].

Written by OBIDIKE ANTHONY CHUKWUDOZIE, 07034310176, 08107164441,  obidikeanthony93@gmail.com

[1] Nick Statt, ‘Twitter’s massive attack: What we know after Apple, Biden, Obama, Musk, and others tweeted a bitcoin scam’ [Jul 16, 2020] <https://www.theverge.com/2020/7/15/21326200/elon-musk-bill-gates-twitter-hack-bitcoin-scam-compromised> accessed 16th of September 2020.

[2] The Constitution of the Federal Republic of Nigeria 1999 (as amended), s 37.

[3] See also: Registration of Telephone Subscribers Regulation 2011 (“RTSR”), Central Bank of Nigeria (“CBN”) Consumer Protection Framework (“CPF”), Regulatory Framework for Bank Verification Number (“BVN”) Operations and Watch-List for the Nigerian Banking Industry 2017 (“BVN Regulatory Framework”).

[4] No. 4 of 2011.

[5] The Nigeria Data Protection Regulation (NDPR) 2019, Regulation 1.

[6] NDPR 2019, Regulation 2.10.

[7] One Trust Data Guidance, ‘Nigeria: NITDA publishes draft Data Protection Bill 2020 for public comments’ [20th August 2020] <https://www.dataguidance.com/news/nigeria-nitda-publishes-draft-data-protection-bill-2020-public-comments> accessed 16th of September 2020.

[8] Global Data, ‘Central Bank of Nigeria looks to reach out to 60 million unbanked population by 2020 with Payment Service Banks, says GlobalData’ [25th of April 2019] <https://www.globaldata.com/central-bank-of-nigeria-looks-to-reach-out-to-60-million-unbanked-population-by-2020-with-payment-service-banks-says-globaldata/> accessed 16th of September 2020.