By Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

INTRODUCTION

Information is vital for enterprises/companies/businesses such as streaming platforms, companies with websites, etc. However, the usage of information especially personal data leads to various legal problems. On one side, enterprises require free and unlimited usage of personal data as much as possible for their continuity and progression to gain a competitive advantage. On the other side, natural and legal persons seek legal protection regarding their personal information or market position. Data has undoubtedly become an actual raw material and a production factor.

The need for the protection of data is very important as the world is rapidly becoming a global village, and this necessarily presupposes a rise in the spread of information and data across the internet. It is therefore imperative that laws and regulations are put in place to better manage and protect the information being shared across the internet, because as much as this information and data can be used to make day-to-day affairs easier, it is also susceptible to negative use.

In this article, we will be discussing the relevance of data protection in modern times.

The relevance of data protection has its roots in the defence of individual rights and this origin drastically reduces any possibility to consider privacy issues only in terms of costs and economic benefit.

Data protection arose with the emergence of the internet and globalisation, leading people to create and upload new data and information by the second. Phenomena like the cloud and Google Drive have become more prevalent, with not only individuals but also corporations uploading their information to them for backup and storage. Data protection regulations are therefore necessary to provide a legal framework for ensuring not only that their data does not get corrupted but also that it is used for authorized purposes and accessed by authorized personnel.

Data protection has been defined as the process of safeguarding important information from corruption, compromise or loss[1]. It has also been said to be the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable. It is a topic that spans two broad spectrums, data security and data privacy[2]. Regulations protect data from compromise and provide safety and security through provisions that emphasize its privacy e.g., Sect 37 of the Constitution of the Federal Republic of Nigeria 1999 as amended, which makes privacy a fundamental human right.

Personal data is the subject of a discussion more than ever in the tension between personal rights and commercial use. This tense relationship necessitates developing suitable models for the reality of life and setting a balance between the demands of enterprises and privacy.

This concern is not contradicted by the theories which claim that the right to privacy no longer exists as people willingly share information in return for economic benefits or free services.

Moreover, a lack of data protection increases the risks of illegitimate access to information or misuse of personal data, with a potential chilling effect on individual willingness to share and communicate personal information. Notably, the original goal of data protection was to increase trust in data collecting and managing services realized by governments and companies.

Data Protection in Nigeria: Legal Framework

There are several laws and regulations which contain provisions on data protection such as the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, The National Identity Management Commission Act 2007, the National Cybersecurity Policy and Strategy, 2021, Freedom of Information Act 2021 (FOIA), Central Bank of Nigeria Consumer Protection Framework 2016, and The Nigeria Data Protection Regulation (NDPR).

The first step Nigeria took in recognizing the widespread influence of information and data technology was the establishment of the National Information Technology Development Agency (NITDA) in 2001, and then in 2007 a bill was passed known as the National Information Technology Development Agency Act (NITDA Act). This agency and act were put in place to handle ICT-related activities and training of various categories of persons in ICT. It initially fell short of providing functions that foresaw the increasing digital/technological issues that now exist. Due to this, the NITDA in January 2019 suggested the need to enact the Nigeria Data Protection Regulation (NDPR), which is established to provide for the individual rights of Nigerians as regards the handling of their data. It empowers the NITDA to issue guidelines to cater for electronic governance and monitor the use of electronic data exchange.

The NDPR is one of the most comprehensive attempts to tackle data protection and privacy in Nigeria and shall be used as a focus in this paper.

The NDPR applies to natural persons who are residing within and outside of Nigeria, as long as they are citizens of Nigeria. With rampant cybercrimes such as piracy, identity theft, cyberbullying, cyberstalking, hacking, phishing etc., the act is essential to ensure that personal and sensitive information entered on different platforms and filed with different organisations is protected and that the individual owners are kept safe. The act identifies personal information as including one’s name, address, photo, email address, bank details, posts on social media or networking sites etc. Sensitive data includes information such as personal data that reveals racial or ethnic origins, genetic data, health data, personal data concerning the data of a child under the age of 16, and data concerning a person’s sex life.

Processing of such data is only lawful where:

  1. Consent of the data subject, i.e. the owner, has been given[3] and the data controller is able to demonstrate the legal capability of the data subject to consent.[4]
  2. The data is necessary for the performance of a contract to which the data subject is a party.[5]
  3. It is necessary for compliance with a legal obligation to which the data subject is subject.[6]
  4. Processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. Performance of a task carried out in the public interest or exercise of an official public mandate vested in the controller requires the data.[7]

The NDPR places certain obligations on the data controller such as data breach notification, disclosure of data protection impact assessment and maintenance of data processing records, submission of data protection audit to the NITDA if they process the data of more than 1000 data subjects in 6 months or more than 2000 subjects in 12 months etc.

It also empowers the owner of the data with rights such as the:

  • Right to object to the processing and use of their data in situations such as for marketing purposes.
  • Right to be informed.
  • Right to access their information.
  • Right to erasure of their personal data.
  • Right to withdraw their consent to the processing of their data.

These are enforced with the threat of penalties such as Sect 2.10 of the NDPR which provides that any person subject to the NDPR who is found to be in breach of the rights of any data subject shall in addition to criminal liabilities be liable:

  • In the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of the annual gross revenue of the preceding year or of the sum of 10 million NGN, whichever is greater.
  • In the case of a data controller dealing with less than 10,000 data subjects, the payment of a fine of 1% of the annual gross revenue of the preceding year or of the sum of 2 million NGN, whichever is greater.

CONCLUSION

The vast and comprehensive coverage of the NDPR makes it an in-depth starting point for data protection in Nigeria. It provides a solid locus for aggrieved parties to seek remedy on violation of their data rights.

This can be seen in the ongoing case of Digital Rights Lawyers Initiative v. NYSC[8] for the violation of Section 3 of the Constitution of the Federal Republic of Nigeria 1999, as amended, and Section 2.1(a) of the NDPR by publishing and selling a yearbook containing the Corps members’ personal details without consent. It is noteworthy, however, that the NITDA is yet to exercise its sanctioning powers against any data controllers and processors despite the fact that the NDPR empowers it to do so.

Finally, data privacy is not a phenomenon that users of internet platforms are merely entitled to; it is an absolute prerequisite. In the same vein, people know what they are signing up for, in plain language and repeatedly: ‘I believe people are smart. Some people want to share more than other people do. Just ask them’ - Steve Jobs. Thus, data protection regulations find the balance between these interests.

AUTHOR: Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr. Atoyebi has expertise in and a vast knowledge of Data Protection and Data Privacy Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: Iyanuoluwa Samuel Afolabi.

Samuel is a member of the Dispute Resolution Team at OMAPLEX Law Firm. He also holds commendable legal expertise in Data Protection and Data Privacy.

He can be reached at samuel.afolabi@omaplex.com.ng.

[1]  Paul Crocetti, Stacey Peterson, Kim Hefne ‘What is Data Protection and Why Is It Important?’ https://www.techtarget.com/searchdatabackup/data-protection?amp=1  Accessed: 22/08/2022

[2] supra

[3] Sect 2.2 (a) of NDPR

[4] Sect 2.3(2)(a) of NDPR

[5] Sect 2.2(a) supra

[6] Sect 2.2(c)

[7] Sect 2.2(e)

[8] FHC/1B/98/2020
