Introduction
Data is regarded as “the new oil” of the digital age. Unfortunately, due to its high value, it is also susceptible to cyber threats, such as malicious attacks and thefts. For example, up to 90 million Facebook user accounts were exposed by a security breach in September 2018 while also, in September 2018, reports confirmed that ride-hailing firm Uber will pay £133m to settle all legal actions over the cyber-attack which exposed data from 57 million customers and drivers in 2016.
The need for a comprehensive regulatory framework on data protection led to the General Data Protection Regulation (“GDPR”) in May 2018, which transformed data protection and privacy in the European Union. Nigeria on the other hand, does not have a comprehensive principal data privacy and protection law. Until the subsidiary legislation on data protection, what the Country had were sector specific legislations containing provisions on data protection. Some of the sector specific legislations include the Child Rights Act 2003, the Consumer Code of Practice Regulations 2007, the Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011, the Cybercrimes (Prohibition, Prevention Etc). Act 2015, the Freedom of Information Act 2011, and the Federal Competition and Consumer Act 2019.
It should be noted that data privacy and protection is an extension of the right to privacy which is enshrined in the 1999 Constitution of the Federal Republic of Nigeria (“constitution”) as a fundamental human right. The Constitution guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications.
The Nigerian Information Technology Development Agency (“NITDA”), realizing the need for a regulation on data protection in Nigeria especially in the light of the developments in the international community, issued the Nigeria Data Protection Regulation (“the Regulation”) on January 25, 2019.The Regulation seeks to revolutionize the protection of data and privacy in Nigeria as it is mirrors the GDPR in some respects. The Regulation has established strict compliance requirements on Nigerian companies across all sectors and it is therefore important that every company operating in Nigeria complies with the provisions set out in the Regulation.
The Nigeria Data Protection Regulation 2019
The Regulation applies to all natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent. It also applies to all transactions intended for the processing of personal data and to actual processing of personal data.
Principles of Data Processing
Every organization collecting and processing personal data shall:
- Collect and process data in accordance with specific, legitimate and lawful purpose consented to by the data Subject ;
- Ensure the personal data is adequate, accurate and without prejudice to the dignity of human person;
- Store the personal data only for the period within which it is reasonably needed and;
- Secure the personal data against all foreseeable hazards and breaches such as theft, cyber-attack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
Furthermore, the person in the possession of the personal data owes a duty of care to the Data Subject and would be responsible for his acts and omissions in respect of the data processing.
In addition, processing of personal data would only be considered lawful if at least one of the following applies:
- Data subject consented;
- Processing is for the performance of a contract;
- Processing is for the purpose of compliance with a legal obligation;
- Processing is to protect the vital interests of the data subject; and
- Processing is for the performance of a task carried out in the public interest.
Consent of Data Subject
One of the requirements for lawful data processing is the consent of a Data Subject with legal capacity. The consent must be given only after the purpose of the collection has been made known to the individual by the Data Controller and the consent must have been obtained without fraud, coercion or undue influence. Furthermore, the Data Subject must be informed of his right and the ease to withdraw his consent at any time.
Privacy Policy
The Regulation provides that every persons or organisations processing data must display a simple, conspicuous and easy to understand privacy policy. A valid privacy policy shall in addition to other relevant information, contain the requirements provided in the Regulation.
Data security
The Regulation enjoins Data Controllers to develop security measures to protect the data being processed. Organizations should protect their systems from hackers, set up firewalls, store data securely with access to only specific authorized individuals, employ data encryption technologies, engage in continuous capacity building for their staff, etc.
Third-Party Contracts
When a Data Controller transfers the data of a Data Subject to a third party, the organization must show that the Data Subject had consented to such transfer. Furthermore, when a third party is involved in the data processing, the Data Controller and third party must enter into a written contract and the Data Controller must ensure that the third party complies with the Regulation.
Where the third party involved is a foreign country or an international organization, such processing must be subject to the provisions of the Regulation and the supervision of the Honourable Attorney General of the Federation (“AGF”). The provisions of the Regulation, section 2.11 (a) – (e) include:
- The third party ensuring an adequate level of protection
- The consideration of the legal system of the third party
- The implementation of the legislation and data protection rules
- The existence and effective functioning of one or more independent supervisory authorities
- The international commitments of the third party or other obligations arising from legally binding conventions or instruments
However, there are situations where the decision of the NITDA or AGF as to the adequacy of safeguards in a foreign country may not be obtained. In such instances, transfer of personal data to a foreign country or an international organisation can still take place if any of these exceptions provided for in the Regulation is met:
- The data subject explicitly consents to such transfer after having been informed of the risks involved
- The transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of precontractual measures taken at the Data Subject’s request
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
- The transfer is necessary for public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the data subject is physically or legally incapable of giving consent;
Implementation Mechanisms
The Regulation provides for implementation mechanisms which every public and private organisations must comply with. Some of them include:
A Data Protection Officer shall be appointed for the purpose of ensuring adherence to the Regulation;
There shall be continuous capacity building for the Data Protection Officers and the other personnel involved in data processing;
Where a Data Controller processes the personal data of more than 1000 in a period of six months, it shall submit a soft copy of the summary of the audit to NITDA;
A data Controller who processes the personal data of more than 2000 data subjects in a period of 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to NITDA.
Penalty for Default
Failure to protect Data Subjects’ privacy rights attracts strict penalties. For example, a Data Controller dealing with more than 10,000 Data Subjects would pay the fine of 2% of its Annual Gross Revenue for the preceding year or the sum of 10 million naira, whichever is greater. A Data Controller dealing with less than 10,000 Data Subjects, would pay the fine of 1% of its Annual Gross Revenue for the preceding year or the sum of 2 million naira, whichever is greater.
Conclusion
Every business organisation involved in data processing must be aware of the provisions of this Regulation and comply with them as failure to do so will expose such organisation to the strict penalties provided in the Regulation. Moreso, the aim of the Regulation among others is to ensure that every Nigerian business remains competitive in international trade through the safeguards afforded by the Regulation, which is also is in tune with global best practices. Organisations should therefore comply with the data protection provisions to benefit from this objective.
