Six (6) Reasons The NDPR Must Be Quickly Replaced

By Olumide Babalola

In January 2019, the National Information Technology Development Agency (NITDA) eternally edged itself in the annals of our country’s data protection history by issuing the Nigeria Data Protection Regulation (NDPR) to regulate data privacy and sundry matters in Nigeria.

Pursuant to our country’s digital economy strategy, in September 2020, NITDA announced its plans to present a draft Data Protection Bill to the National Assembly and invited the public to make comments on the draft bill but the bill is yet to find its way to the parliament.

While we confirmed to wait for the draft bill to be transmitted to the national assembly, here are six (6) out of the many other reasons the NDPR must be quickly replaced with a more robust and comprehensive principal legislation on data protection.

1. It is a Subsidiary Legislation.
It is not comforting to note that, out of the 34 African countries with data protection laws, only Nigeria has a secondary legislation regulating data protection. (See Graham Greenleaf, Comparing African Data Privacy Laws’ https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3582478)

The NDPR was issued pursuant to section 6 (c) of NITDA Act thereby making it a secondary legislation and inferior to other statutes on same subject matter. It seeks to regulate privacy which is a fundamental right provided by the constitution but it lacks the requisite force of law when it comes in conflict with other Acts of the National Assembly on similar matters. For example, it has been argued in a couple of cases that, specific provisions of the Evidence Act, CBN Act, Nigerian Communications Act on data protection will override the NDPR in event of a conflict.

The NDPR’s status as a delegated legislation continues to hamper its enforcement drive and capacity, hence the passage of a principal legislation is very imminent for our country and this much was acknowledged by the World Bank in their Digital Economy Diagnostic Report on Nigeria wherein the NDPR is described as “guidelines” and “a stop gap measure.” (see page 28 of Nigeria: Digital Economy Diagnostic Report <https://documents1.worldbank.org/curated/en/387871574812599817/pdf/Nigeria-Digital-Economy-Diagnostic-Report.pdf> )

2. NITDA’s vires to regulate data protection is unsettled
Without prejudice to the agency’s commendable proactiveness in issuing the NDPR when other agencies were seemingly laid back, there are unanswered questions as to whether section 6 (c) of NITDA Act confers it with the powers to regulate data protection.
From an academic perspective, Dr. Bernard Jemilohun and Prof. Ifedayo Akomolede argue that: “It is difficult for anyone to see very strong links between the provisions of Sections 6, 17 and 18 of the NITDA Act and the other legislations for data protection that are in operation in other countries. As a matter of fact, it is not easy by any stretch of imagination to see any section of the NITDA Act that directly or indirectly empowers the agency to engage in any form or type of law-making for data protection in Nigeria. Data protection legislation is a form of human right protection legislation and it will amount to gainsaying to think all that is about data protection is just about technology and the need to develop its use or prevent the abuse thereof.” (See Regulations or Legislation For Data Protection In Nigeria? A Call For A Clear Legislative Framework https://www.eajournals.org/wp-content/uploads/Regulations-or-Legislation-for-Data-Protection-in-Nigeria1.pdf)

In the same vein but from a practitioner’s point of view, Bisola Scott and Sandra Eke of SPA Ajibade & Co., contend that: “The power of NITDA to regulate non-electronic or paper-based personal data is questionable in light of the restrictive provisions of the NITDA Act that empowers it. In the opinion of the writers, it may be necessary to amend the provisions of the NITDA Act to expressly regulate the processing of non-electronic or paper-based data to bring it in line with international best practices or to issue a separate regulation for the protection of non-electronic data.” (See ‘NITDA’s Power to Regulate Non-Electronic Data’ http://www.spaajibade.com/resources/nitdas-power-to-regulate-non-electronic-data-bisola-scott-and-sandra-eke/>)

In the preamble to NDPR, it is observed that NITDA is statutory mandated to regulate ‘e-governance’ and ‘monitor use of electronic data interchange (EDI).’ With respect, e-governance is not necessarily data protection and EDI is a technological device used by businesses to exchange information in a structured format etc. (For further reading on EDIs, please see Ramon O’Callaghan and John Turner, ‘Electronic Data Interchange Concepts And Issues’ https://core.ac.uk/download/pdf/162457926.pdf). It is also worthy of note that, the definition of data provided under the interpretation section of the Act does not contemplate personal data rather it relates to general information processed by computers.

Notwithstanding arguments for or against NITDA in this respect, its powers to issue the NDPR has not been decided by any court, hence all ranging questions remain in the realm of academic conjecture. More so, the agency has done more for the development of the subject that any other public body since 2019 and they deserve some commendation for that.

3. The NDPR clumsily recognizes several Data Protection Authorities (DPAs)
Universally, DPAs or supervisory authorities educate the public on their data protection rights and monitor compliance with relevant data protection laws. (see Peter Hustinx ‘The Role of Data Protection Authorities’ In: Gutwirth S., Poullet Y., De Hert P., de Terwangne C., Nouwt S. (eds) Reinventing Data Protection?. Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-9498-9_7).
Unlike all other data protection laws, the NDPR does not recognize a principal DPA for Nigeria. In one breathe, it refers to NITDA as the ‘the agency’ (see reg. 1.3(xxvi.), in another provision, it defines ‘relevant authorities’ to include NITDA and all other public bodies that deal partly or solely with data (see reg.1.3 (xxiv) and in another, it references ‘supervisory authorities’ but omits the definition of the term. Hence, the expansive definition of ‘relevant authorities’ under the regulation encompasses all public bodies because they all deal with personal data, at least those of their staff.
It is also worthy of note that, not only does the regulation assign different duties to NITDA, relevant authorities and ‘supervisory authorities’, it does not specifically designate NITDA as the lead DPA in the context. Hence, the regulation leaves the role of a DPA at large and this is untidy for the industry.

4. Omission of legitimate interest from the grounds
Legitimate interest is the most flexible ground of lawful processing of personal data but the NDPR does not recognize it under the principles of data protection rather, it is subsumed under a right thereby snatching a defence from the controller by adding same to data subject’s rights in a rather inelegant manner. This anomaly has however been corrected in the draft bill which is yet to be transmitted for the National Assembly.

5. Administrative fine
The NDPR imposes ranging fines on controllers for violation of data privacy rights but the use of ‘in addition to any other criminal liability’ in regulation 2.10 gives a confusing idea that the fine contemplated is quasi-criminal in nature and some practitioners have argued whether the NDPR can validly criminalize an act without trial in a court of law. This needs to be properly addressed in a principal legislation.

6. Conflict between NDPR and NITDA Act.
Regulation 4.2(6) of the NDPR provides that a violation of its provision shall be considered as a breach of NITDA Act but while the regulation imposes fines of two (2) and ten (10) million Naira, the Act between provides for fines ranging from two hundred thousand Naira and one million Naira for offences. It is trite law that a subsidiary legislation must be in conformity with its enabling law. (see Odeleye v Efunuga (1990) LPELR – 2208 (SC). Upon passage of a principal law on data protection, there would no longer be questions of conflict because both legislation deal with different subject matter.

Conclusion
With respect to NDPR and its disasters, the regulation has served its pioneering purpose and we are long overdue for the next stage of national regulation of data protection. This can only be best achieved by a principal data protection law which has been in the offing since September 2020. It is hoped that the executive would speed up the processes to aid its much-heralded digital economy strategy plan as we enter mid-year.