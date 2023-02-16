Following the approval of the Nigeria Data Protection Bill by the Federal Executive Council, Nigerians have been urged to be rest assured that their data would be properly protected as the Nigeria Data Protection Bureau (NDPB) is set to acquire legal power to prosecute anybody who breaches other person’s data privacy. Abolaji Adebayo reports

As part of efforts to be at par with other developed countries in the protection of individual’s data privacy, the Nigeria Data Protection Bureau (NDPB) was established by the Federal Government in February 2022 as the supervisory and regulatory authority for data protection in Nigeria, a function previously undertaken by the National Information Technology Development Agency (NITDA). In 2019, pursuant to its powers under the NITDA Act of 2007, the National Information Technology Development Agency (NITDA) issued the Nigeria Data protection Regulation (NDPR). It is the principal regulation for data protection in Nigeria. An Act was made to provide the legal framework for the protection of personal data, and establish the Nigeria Data Protection Commission for the regulation of the processing of personal data, and for related matters.

Objective

The objective of the Act is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, particularly to provide for the regulation of processing of personal data; promote data processing practices that protect security of personal data and privacy of data subjects; ensure that personal data is processed in a fair, lawful and accountable manner; protect data subjects’ rights, and provide remedies and means of recourse in case of breach of those rights; ensure that data controllers and data processors fulfil their obligations to data subjects; minimize the harmful effect of personal data misuse or abuse on data subjects and other victims; establish an impartial, independent and effective regulatory Commission that will superintend over data protection and privacy issues and supervise data controllers and data processors; and contribute to the legal foundations of the digital economy of Nigeria and its participation in the regional and global economies through the beneficial, trusted use of personal data.

NDPB

The year 2022 witnessed a number of advancements in the data protection space globally and Nigeria was not left out. The Federal Government of Nigeria created the Nigeria Data Protection Bureau (“the Data Protection Bureau”) in February 2022 as the principal data protection regulatory body to implement the objectives of the Nigeria Data Protection Regulation, 2019 (“the Regulation”). The Data Protection Bureau replaces the National Information Technology Development Agency (NITDA), which, prior to the creation of the Data Protection Bureau, was responsible for implementing data protectio consispolices in Nigeria.

Enforcement

Since the issuance of the NDPR, NDPB has been saddled with supervisory and enforcement responsibilities in respect of data protection matters in Nigeria. It collaborates with security agencies like the office of the Inspector General of Police to ensure full compliance and enforcement. Where NDPB has determined that a party is in breach of the NDPR, especially where such breach affects national security, sovereignty and cohesion, it may seek to prosecute officers of the organization as provided for in section 17(1) and (3) of the NITDA Act 2007. On May 17, 2022, the Federal Competition and Consumer Protection Commission (FCCPC) and NDPB jointly established the Joint Mutual Enforcement Desk. The drive behind this collaboration is aimed at addressing cogent issues of data protection, such as data protection breaches which has been a common occurrence amongst online moneylenders, and to ensure that data subjects can derive the protection that are inherent to the digital economic expansion of Nigeria. Both organisations further cemented the collaboration by entering into a Memorandum of Understanding on August 28, 2022.

Data Protection

Bill The Bill was first introduced in 2018, passed by the National Assembly on May 16, 2019 and transmitted to the President for assent. The Bill was however not assented to by President Muhammadu Buhari. Subsequent to this, there have been other unsuccessful attempts to pass a data protection law. The NDPB, as part of its objectives to ensure that there is a substantive law governing data protection, released the new Data Protection Bill 2022 in October 2022. The Data Protection Bureau recently disclosed that the Federal Executive Council has approved the Bill for further ratification and endorsement by the National Assembly. It is anticipated that the same will finally be passed into law in a few months to come. Speaking on this, the National Commissioner/ CEO of the Bureau, Dr. Vincent Olatunji, said the Federal Executive Council has on January 25, 2023 approved the Nigeria Data Protection Bill, informing that Bill will soon be passed by the legislative. “As you are aware, the Federal Executive Council on the 25th of January 2023 approved the Nigeria Data Protection Bill. It will be transmitted to the National Assembly as an Executive Bill. The Legislature has reiterated its preparedness to pass the Bill into law. “Every citizen and resident of this country can rest assured that every data controller and data processor within or outside Nigeria will be held accountable for any unlawful processing of personal data from our jurisdiction,” he said. As a new agency saddled with the responsibility of protecting people’s data privacy, Olatunji said the Bureau, in the last one year has been able to reassure champions of civil liberties around the world that Nigeria is prepared for a leading role in advancing data protection and exploring the opportunities of the global digital economy.

Awareness

Olatunji continued: “In the last one year, we have taken necessary institutional measures to lay the foundation of our bulwark for a sustainable digital economy. They are: Official Launching of the Core Values, Digital Platform and Insignia for the seamless and effective implementation of the NDPR. “We have been carrying out strategic awareness campaign across the country. We recalibrated the “Adopt–A-School” Awareness Programme which is now called “Catch – them–Young.” We were able to reach over 3000 students and pupils in about 70 schools with the message of data privacy. “You will all agree that in the wake of Covid- 19 pandemic and the adoption of online platforms for education, this class of citizens have become vulnerable to diverse abuses in the digital space.” He noted that the Bureau has engaged with public institutions including the National Assembly, Office of the Secretary to the Government of the Federation, Federal Ministry of Health, Central Bank of Nigeria, Nigeria Police Force, Independent Corrupt Practices and Related Offences Commission (ICPC), and National Lottery Regulatory Commission. “As a result of these engagements, we now have 100% increase in the rate of integration of the public sector into Data Privacy and Protection Framework,” he added.

Whitelist

In its bid to update the Whitelist in accordance with the provisions of the Regulation, the NDPB established the National Data Protection Adequacy Programme (NaDPAP) Whitelist in the last quarter of 2022. Further to the establishment of the NaDPAP Whitelist, the Bureau released a Compliance Notice mandating data controllers and data administrators to comply with a number of requirements. In order to be included in the NaDPAP Whitelist, organisations are required to: have an understanding of the NDPR; develop and implement a privacy policy, which is consispolices tent with the provisions of the NDPR; notify their employees, customers and online visitors of their privacy policy; designate at least one or two members of staff as Data Protection Contacts; and mandate their service providers/ vendors to comply with the NDPR to prevent any liability for the organisation. The Nigeria Data Protection Bureau gave organisations till November 25, 2022 to comply with these requirements for inclusion on the Whitelist. However, the deadline for compliance was extended to January 20, 2023. The expectation is that the Whitelist which will be published on the Data Protection Bureau website, in major newspapers and shared with local and international establishments in the first quarter of 2023. Speaking on the compliance level, the Head, Legal Enforcement and Regulations, NDPB, Mr. Babatunde Bamigboye, said the Bureau was still monitoring each organisation on its compliance level, adding that there would be commendation for compliance based on the rate and that there would also be sanction for noncompliance when it is time for the Bureau to do so. The Federal Government in a bid to ensure that the collection and processing of personal data is in accordance with the provisions of the Regulation and other applicable guidelines, issued a service-wide circular, through the Secretary to the Government of the Federation on November 7, 2022, directing all Ministries, Departments and Agencies of government to comply with the provisions of the Regulation, among other measures.

Penalty

Organisations that are in breach of the NDPR requirements can face penalties that vary in amount depending on the number of data subjects affected. If the data breach impacted more than 10,000 data subjects, the organisation can be fined up to two per cent of its annual revenue or N10 million. If the data breach impacted less than 10,000 data subjects, the organisation can be fined up to one per cent of its annual revenue or N2 million.

Personal Data

Personal data is any information relating to an identified or identifiable natural person and includes name, address, email address, photo, bank details, social media posts, medical information, and like information. If you or your organisation collects, records, stores, retrieves, uses, or transmits any form of personal data in respect of any person, then the provisions of the NDPR and the Compliance Notice (VOL.1/NDPB/CN/1/22) applies to you and your organisation. In accordance with the Compliance Notice, organisations are required to read and understand the provisions of the NDPR 2019 as it relates to data collection and processing by the organisation, develop and implement a privacy policy that is consistent with the NDPR 2019, notify the organisation’s customers and online visitors of the privacy notice/policy, designate at least one or two members of the organisation as the organisation’s Data Protection Contact(s). These contacts will be eligible for a free induction course in data protection regulatory compliance sponsored by the NDPB and will thereafter serve as the organisation’s Data Protection Officers (DPOs), mandate all the service providers to comply with NDPR 2019.

Investigation

The NDPB boss said the Bureau was currently investigating a quite number of data controllers who have been suspected to have breached data privacy. He added: “We are investigating over 110 data controllers and data processors for various degrees of data privacy and protection breaches. The most worrisome are those in the financial and the telecom sectors. 4 banks, online lending companies. one telecom company and one gaming company are being investigated.

“The vulnerabilities in these sectors are high partly due to the capabilities of intrusive mobile apps. When you factor in lack of due diligence on the part of data controllers in engaging data processors or vendors who have access to personal data of customers, what you see in some cases is a pattern of abuses in violation of the Nigeria Data Protection Regulation (NDPR) and section 37 of the 1999 Constitution of the Federal Republic of Nigeria. “The position of government is that those who deal with data have nothing to fear but the consequences of their acts and omissions which may constitute a civil or a criminal liability. We are particularly glad that the Nigeria Police Force are currently working with us in this regard.”

Job creation

The NDPB CEO has said the Bureau had the potential of creating at least 500,000 jobs as it is set to train and certify data privacy and protection experts in Nigeria. “This training and certification are expected to create career opportunities for at least 500,000 persons in the labour market. “There is the need for NDPB to licence an indigenous institution to coordinate the development of training materials and certify training providers based on internationally acceptable standards,” he noted.

Last line

If adequately funded and backed by law, the Bureau is expected to not only protect data, but to also generate revenue for the government.

