April 23, 2019
In developed economies, particularly in Europe and North America, the right to privacy, the need to protect the personal data of private individuals, and the growing volume and value of data accessible to and stored by government and private entities have been topical issues that have resulted in numerous pieces of legislation, international agreements and regulations. Some notable examples are the European Union General Data Protection Regulation 2018 (“EUDPR”), the European Union and United States Data Protection Umbrella Agreement/Privacy Shield and the United Kingdom Data Protection Act 2018.
Breach of these legal instruments usually results in severe sanctions such as regulatory fines, reputational damage and investigations by regulators and legislators. In 2018, Facebook was allegedly involved in a breach of data protection laws in the United Kingdom by granting third-party access to user information without sufficient consent. As a result of this allegation, a fine of £500,000 (Five Hundred Thousand British Pounds) was imposed on Facebook by the United Kingdom Information Commissioner’s Office, and its Chief Executive Officer (CEO), Mark Zuckerberg, appeared before US Congressional Committees to answer questions on the extent and implications of the breach.
In Nigeria, until recently, there was no comprehensive regulatory framework for the protection of the private data of individuals. Rather, there were piecemeal data protection provisions in several pieces of legislation, each restricted in its scope of application. For example, Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as altered) (“Constitution”) guarantees the right to privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. Similarly, the Freedom of Information Act 2011 prohibits public institutions from disclosing private data of individuals without their consent, and the Federal Inland Revenue Service (Establishment) Act 2007 makes it mandatory for tax officers to handle financial and tax information of taxpayers as confidential and makes it an offence to communicate such information to any third party without due authorization. Other examples include the Child Rights Act 2003, which reiterates the right of a child to privacy, and the Cybercrime (Prohibition, Prevention, etc.) Act 2015, which has the protection of the right to privacy as one of its objectives and requires due regard to be accorded to the Constitutional right to privacy.
In 2013, the Nigerian Information Technology Development Agency (“NITDA”) issued the Guidelines for Data Protection 2013, but these had a limited impact on the level of awareness of and compliance with data protection obligations. This state of affairs, along with the increasing economic importance of data, the security implications of misuse of personal data and the EU’s publication of the EUDPR, necessitated the enactment and release of the Nigerian Data Protection Regulation 2019 (“NDPR 2019” or “the Regulation”), which is the first comprehensive and robust effort to regulate the data management sphere in Nigeria.
This article will discuss the NDPR from a general perspective and analyze the key provisions in the Regulation, including the implications of these provisions and the impact they are expected to have on the compliance obligations of companies doing business in Nigeria and those that have access to or store personal data of their clients.
The NDPR aims to safeguard the right of natural persons to data privacy, foster safe conduct of transactions involving exchange of personal data and prevent manipulations of personal data. It imposes numerous compliance obligations on data controllers and processors in their collection and processing of personal data of natural persons. The scope of data controllers and processors includes banks and other financial institutions, telecommunication companies, payment gateway companies, internet and IT companies, electoral bodies, data management companies and the Corporate Affairs Commission.