Legal Framework for Data Protection in Nigeria And Possible Implications for Security And The Economy

Kolapo Femi-Oyekola
Dec 22, 2019

The wave of innovation washing through industries has been a sea of opportunities, as well as a harbinger of malicious activities such as data loss and porous cyber security. Both cyber security and data protection remain hot-button topics, and their absence has proved a menace to today’s businesses in areas such as data manipulation and questionable security in transactions.[1] The complexity and sophistication of today’s cyber threats require special attention, and to this end the National Information Technology Development Agency (NITDA) in January 2019 issued and published the Nigeria Data Protection Regulation (the Regulations), which has overturned the lack of a tangible framework for data protection and privacy.

The Regulation’s Key Provisions

The Regulations introduce major compliance obligations for Nigerian companies, which include audit checks, publication of data protection policies, filing of audit reports amongst others and also stipulates stiff penalties for its breach. Its key players are:

  • Data Subject: one whose identity is or may be revealed from the data.
  • Data Protection Officer: one designated by the Data Controller to implement the Regulation and whose responsibility is to ensure compliance of the Data Controller with the Regulation.
  • Data Controller: a person or persons who determine how personal data is processed or will be processed. Processing means any action carried out on personal information; it includes collection, storage, adaptation, alteration, retrieval, use, or dissemination.[2]

Rights of Data Subject

The Regulation recognises the right of a Data Subject to the deletion and restriction of personal information, and the right to have the information transferred to another Data Controller in a clear and concise manner.[3] The Rules provide a comprehensive list of what the Controller shall provide to the Data Subject in order to protect the latter’s rights.

International Transfer of Data

The Regulations provide that a data controller may only transfer data to a foreign country or international organisation subject to the supervision of NITDA and the Attorney General of the Federation (AGF), having regard to the rule of law, respect for human rights and fundamental freedoms, and relevant legislation. Data controllers are also obligated to notify NITDA of any such transfers.[4]

Procuring Consent before Receiving Data

This provision ensures that consent has been duly procured and that the specific purpose of collection is made known to the Data Subject.[5]

Due Diligence and Prohibition of Improper Motives

This provision establishes the Data Processor’s or Controller’s liability for the actions or inactions of third parties that handle the personal data of Data Subjects under the Regulations. Very importantly, the provision prohibits child rights violations and hate through data processing.[6]

Enforcing the Rights of Data Subjects

NITDA is empowered by Section 3.2 to set up an Administrative Redress Panel to entertain allegations from Data Subjects, investigate them, issue administrative orders where necessary, and determine the appropriate redress.[7]

Compliance Requirements

i). The Regulations require Data Controllers to develop adequate security to protect data within their custody.[8] The Regulations also mandate Data Controllers to appoint Data Protection Officers for the purpose of ensuring compliance with the Regulations.

ii). Data Controllers are to obtain the lawful consent of Data Subjects before processing their personal data.[9]

iii). In the event that a Data Controller engages the services of a third party to process the personal data of Data Subjects, the Regulations require that such engagement be governed by a written contract between the third party and the Data Controller.[10]

iv). NITDA also provides that a verification statement by a licensed Data Protection Compliance Organisation (DPCO) should accompany all filings made. The DPCOs will monitor, audit, and render data protection compliance consulting services to aid compliance with the NDPR.

Penalties

The penalty for failing to comply with the Regulation depends on the number of Data Subjects whose data a company processes:

a). For more than 10,000 Data Subjects, payment of a fine of 2% of Annual Gross Revenue or N10,000,000, whichever is greater.

b). For fewer than 10,000 Data Subjects, payment of a penalty of 1% of Annual Gross Revenue or N2,000,000, whichever is greater.[11]

Comparison with The United Kingdom

The Regulations and the UK’s Data Protection Act 1998 both define personal data to cover data that can be used to identify a living individual. Under the Regulations, personal data does not include information about artificial bodies (companies) but is defined as information relating to an identified or identifiable natural person. The Act also creates rights for those whose data is stored, and responsibilities for those who store, process or transmit such data.

The UK is also bound by the General Data Protection Regulation (GDPR), which harmonises data protection rules throughout the EU and introduces a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover. Just like the GDPR, Nigeria’s Regulation imposes an obligation on the Data Controller to ensure that its third-party processors adhere to the Regulation, and applies its data protection provisions to all residents.

Implications for Security and The Economy

Insufficient data protection and cybercrime regulation can directly or indirectly affect the valuable opportunities that cloud computing can provide for the economy, especially for businesses, organisations and SMEs.[12]

Without sufficient Data Protection and Cyber Security Regulations, in the coming years, Nigeria will be a hotbed for numerous class action suits as it is one of the largest hosts of outsourced data processing in the world. Nigeria already pays a heavy price in this regard, as cybercrime costs the economy the sum of $500 million per annum.[13]

As under Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017,[14] a provision for mandatory data breach reporting in the Regulations may have implications for continuous disclosure by businesses and companies, as they will lose customer confidence and, ultimately, profits. For example, Yahoo’s stock fell by 6 percent in December 2016 when it announced that 500,000,000 of its accounts had been hacked.[15] Additionally, organisations may open themselves to more claims of misleading and deceptive conduct if they make overly ambitious claims about their levels of data security.

Also, huge investments may be lost where companies that use market driven technologies such as blockchain are victims of data breaches. Such a situation may not augur well for the company and its customers (local/international), and ultimately, the economy.

Recommendations

i). The government may wish to consider the comprehensive review of the current legal regime to engender a supportive regulatory environment that will appropriately define privacy laws, and most importantly address security concerns. The enforcement framework of the NITDA should be strengthened, as well as its online presence in order to sensitise the public on the economic benefits of cloud computing, its risks, its assistance to business startups.

ii). On data security and governance, the framework should strengthen both through the protection of active and passive parties to cloud services agreements. Federal and state legislatures can advance this agenda by maintaining certain basic requirements in cloud service relations and setting benchmarks and standards in line with international best practices.[16]

iii). Also, the education sector can upgrade its ICT curriculum to include a wide range of cloud computing services and technology. Courses can also be expanded to build a knowledge base, skills, and capacity in cloud computing.

By and large, the Regulation is clear in its position that data shall only be collected for specified, explicit and legitimate purposes, and shall not be used in a manner inconsistent therewith. It is well applauded for its conciseness, clear language, and timeliness. Another commendable feature is its practical provisions, its penalties (like the GDPR’s), and its unambiguity in describing its key players. However, these regulations should be matched with thorough implementation that looks out for the economy as well as protecting the data privacy of individuals. This will build Nigerian consumers’ confidence in the use of cloud services and the attendant advantages of such services.[17]

References:

[1] Bits, Blocks and The Nigerian Bar, Kolapo Femi-Oyekola (2019). Owing to this threat, numerous class actions have arisen. In 2018, Home Depot reached a $19.5m settlement with customers whose credit card information was stolen by third-party hackers in 2014.

[2] Section 1.3

[3] Section 2.13.1

[4] Section 2.10 and 2.11

[5] Section 2.3 (i)

[6] Section 2.4

[7] Section 3.2

[8] Section 2.6

[9] Section 2.3(i)

[10] Section 2.7

[11] Section 2.10

[12] Lanre Fagbohun, Identifying Gaps in Data Privacy and Security in the Adoption of Cloud Services in Nigeria, NIALS, 2014.

[13] Cybercrime in Africa: Facts and Figures, https://www.scidev.net/sub-saharan-africa/icts/feature/cybercrime-africa-facts-figure.html (last visited 23 September 2019).

[14] Article 11. Failure to adhere is even considered an interference with privacy and may attract penalties.

[15] Yahoo! shares fall after security breach, https://www.thestar.com.my/business/business-news/2016/12/16/yahoo-shares-fall-after-latest-security-breach/

[16] Ibid 13

[17] Ibid