By Solomon Okedara

INTRODUCTION

On September 4, 2020, Digital Rights Lawyers Initiative (DRLI) hosted a Webinar where leading Data Protection and Privacy lawyers, industry experts and thought leaders on the subject of Data Protection made robust presentations, contributions and recommendations on the draft Data Protection Bill 2020. The event was impressively attended by 278 participants from Nigeria, Botswana, Kenya, Canada, Germany, Greece, Mauritius, Malawi, Morocco, South Sudan, South Africa, the United Kingdom and United States.

The event was moderated by our Co-Founder, Solomon Okedara with technical assistance from our partner, Lawyers Hub (Nairobi, Kenya) ably led by Linda Bonyo who also co-moderated some parts of the event.

The distinguished panelists included Mr Uche Val Obi, SAN, the Managing Partner of Alliance Law Firm and Chairman, International Trade Law Committee of the Section of Business Law of the Nigerian Bar Association; Mr Dapo Akinosun, Managing Partner, Simmons Cooper; Mrs Jumoke Lambo, Partner, Udo Udoma & Belo-Osagie; Mr Davidson Oturu, Partner, AELEX; Mr Emmanuel Gbahabo, Partner, Templars; Mr Oyeyemi Oke, Partner, AO2 Law; Mr Michael Ango, Associate Director, Andersen Tax; Mrs Aderonke Alex-Adedipe, Partner, Pavestones Legal; Mrs Ina Arome, Senior Associate, Aluko & Oyebode; and Olumide Babalola, Managing Partner, Olumide Babalola LP, Author, Casebook on Data Protection and Co-Founder, DRLI.

This panel of seasoned experts made valuable observations and recommendations, which are reproduced below. This communique therefore presents the views and recommendations of all panelists collectively, without necessarily setting out each individual panelist’s views.

While we generally believe that the draft Data Protection Bill 2020 is a step in the right direction, the following recommendations are hereby put forward for the purpose of refining the bill towards the emergence of a robust and comprehensive Data Protection Act that truly works for all. Please note that, in this communique, the words “Bill” or “Act” may be used interchangeably.

RECOMMENDATIONS

Consent and Processing of Personal Data

Section 4 of the proposed bill provides the bases for “lawfulness of personal data processing” but excludes CONSENT as a basis for processing of personal data under Section 4. Even though CONSENT is fully highlighted in Section 5, it is nonetheless recommended that CONSENT should be expressly stated in Section 4 (2) as a basis for personal data processing.

Provisions contained in Section 26 should be brought forward to follow provisions contained in Section 5. For clarity, Section 4 provides for “Lawfulness of Data Processing”, Section 5 provides for “Consent of Data Subjects” while Section 26 provides for “Processing of Sensitive Data”. The provisions of the three sections are closely related, and arranging them sequentially makes for easy reference and comprehension of the position of the Act. It is therefore recommended that these provisions should be arranged as: “Lawfulness of Data Processing” (Section 4), “Consent of Data Subjects” (Section 5), “Processing of Sensitive Data” (Section 6).

Section 26 (1) and (2), in providing for “processing of sensitive data”, essentially provides for processing of the personal data of a child. The Section requires the consent of a parent or guardian when the personal data of a child who is under parental or guardian control is to be processed. The focus of the provision is being under the control of a parent or guardian; that, and not age, is the yardstick it uses. The first question is: what if a child is 19 years old yet is under the control of a parent or guardian, or a child is 17 years old but not under the control of a parent or guardian? What does being under control actually mean? Another sensitive question is what happens to the consent previously given by a parent or guardian if the child is no longer under their control. Will such consent still be valid for continued processing of the child’s personal data? It is recommended that the bill should replace “being under the control of parent or guardian” with age. It is further recommended that the bill expressly provides for what happens to personal data being processed after the child has become an adult or has stopped being under the control of a parent or guardian.

Notification of Breach To The Commission

Section 17 (3) of the bill provides for notification of breach of personal data to the Data Subject to be within 48 hours of notification to the commission without stating when the data controller must notify the commission. It is strongly recommended that the Section should state when the data controller should notify the Commission of any personal data breach from the moment of occurrence of such breach.

Offences

Section 47 of the bill criminalizes some acts including attempt to commit an offence, aiding, abetting and conspiracy, and provides that upon conviction, the persons convicted will be liable to “punishment provided for the principal offence under this Act”. There is however nowhere in the bill where the principal offences in this regard are spelt out with their respective penalties. It is therefore recommended that the bill unequivocally spells out the respective penalty for each offence, so that such provision will not be void for vagueness.

Sections 44, 45 and 46 provide for a minimum imprisonment term of one (1) year and six months respectively. It is observed that taking away a person’s liberty is excessive here, particularly on account of an action of a data controller who is a corporate entity; a fine is enough deterrence. In fact, the imposition of an imprisonment term under this Act is disproportionate, and it is therefore recommended that imprisonment provisions should be taken out completely.

In extreme cases of breach of this Act, the provision may set a maximum imprisonment term (as opposed to the minimum set in sections 45 and 46).

Further, offences under the Act should be reviewed to be in accordance with the objective of the Act which is lawful processing of personal data, therefore extraneous subjects should be left for other legislation like the Cybercrime Act in order to avoid legislative overlap and overregulation.

Extra-Territorial Application

Section 2 of the bill alludes to extra-territorial application of the provisions of the Act when it provides for application of the Act to persons of “Nigerian nationality”…. “irrespective of their residence”. It should be noted that the fundamental principle of territorial application of legislation within a sovereign state means that Nigerian legislation (including the Data Protection Act) cannot apply in another sovereign state, hence that provision will rather be of cosmetic value.

The Data Protection Commission

Section 8 of the bill provides for the establishment of a Governing Board for the Data Protection Commission. A board of this nature is best constituted with a great level of independence for efficiency and effectiveness. It is however regrettably noted that 12 out of 16 members of the Governing Board are directly or indirectly appointed by the President of the Federal Republic of Nigeria, which suggests that the board may end up tied to the apron strings of the President and may lose its deserved independence from the start. More importantly, this composition may obstruct continuity of the affairs of the board and even ground the activities of the commission, given that the President may relieve most members of the board of their duties at any time.

The fact that the President also determines the remuneration and allowances of the members of the board also robs the board of its independence. It is further noted that in Section 12 the Commissioner can be removed by the President.

On the composition of the board, it is recommended that membership should be reviewed so that it is based on the requirement of expertise in Data Protection and Privacy by the members appointed, and not predominantly on appointment by the President. It is recommended that remuneration and allowances should not be determined by the President. The Nigerian Bar Association should be considered to have a representative on the board, given that its members are trusted with significant roles in affairs of data protection and privacy. A statement of clear rules is recommended for regulation of the board itself in order to make room for objectivity.

Register of Data Controllers

It is recommended that a Register of Data Controllers be provided for in the Act, as this will facilitate ease of enforcement of the Act. The Commission can only effectively regulate data controllers that it has information about. This provision is contained in many data protection laws around the world, including the Data Protection Act of the United Kingdom.

Data Protection Compliance Officers and Organizations

While Section 9 (j) of the bill provides for the power of the commission to make regulation for licensing and certification of Data Protection Compliance Officers and Organizations, it is recommended that the Act spells out the requirements of expertise for licensing and certification of such Data Protection Compliance Officers and Organizations.

NITDA AND NDPR

The bill is silent about the fate of the extant Nigeria Data Protection Regulation (NDPR) and its issuing agency, the National Information Technology Development Agency (NITDA). The bill needs to make clear provision on whether it wants to abrogate the NDPR and the role that NITDA had hitherto played, or incorporate them in any respect. This has to be clearly provided for to avoid conflicts.

Data Protection Audit

Section 2 (5) of the bill provides for submission of a report of Annual Data Protection Audit to the Commission not later than March 30th the following year. However, the basis of the audit and what the audit report will contain are not stated. It is hereby recommended that how the audit should be done, the contents of the audit and who should carry out the audit should be clearly stated in the Act.

Jurisdiction

Section 63 of the bill provides for exclusive jurisdiction of the Federal High Court for cases arising out of the provisions of the Act and its subsidiary legislation. However, Data Protection and Privacy are rooted in a fundamental human right which is a constitutional right, in which case it is recommended that both the Federal High Court and State High Courts should be “clothed” with jurisdiction on matters under this Act.

Class Action

It is recommended that Class Action be provided for in the bill in order to avoid multiplicity of suits, which is bound to occur where a data controller processes hundreds of thousands of personal data and the same breach affects all or most of the data subjects. Without this, there can be thousands of actions arising from a single violation of the Act.

Enforcement Notice/Investigation

In Section 36 of the bill, the Commission is authorized to send out enforcement notices when it has made and concluded its investigation, without express provision for the Data Controller to make any input in response to the complaint of the data subject. It is hereby recommended that the bill should provide that, prior to serving an enforcement notice on a Data Controller, the investigation process should expressly extend an opportunity to respond to the allegation.

Contributions To The Fund Of The Data Protection Commission

Section 52 (2) provides for contributions of 5% of the revenue generated by some listed agencies to the Funds of the Data Protection Commission. It is hereby recommended that, in order to drive compliance and avoid inter-agency conflicts on this subject, Section 52 should state that this provision for contribution of 5% of the revenue of these agencies shall apply “notwithstanding the provisions in any other law”. Further to this, this position may also be referenced under the enabling laws or regulations of those agencies.

It is also recommended that Data Controllers should contribute to the Fund of the Commission.

MSMEs as Data Controllers

For Micro, Small and Medium Enterprises (MSMEs), the threshold of compliance with the Act should be specially considered and explicitly stated in order to avoid burdening them, bearing in mind their resources and capacity and the need to avoid overregulation.

Commencement of The Act and Public Sensitization

It is strongly recommended that the commencement or implementation of the Act should be preceded by a sufficient period of sensitization in order to ensure sufficient public awareness to drive compliance. One of the obvious deficiencies of the Nigeria Data Protection Regulation (NDPR) is not only that most data controllers are not aware of it, but that even most data subjects sought to be protected by the regulation were (and are still) not aware of it. The General Data Protection Regulation (GDPR), which applies to protect personal data across the European Union, was issued in 2016 but came into force in 2018, with two (2) years of pre-commencement period dedicated to intensive sensitization of data controllers and data subjects and setting up structures of supervisory authorities.

