Date: 2020-08-06

The Nigeria Data Protection Regulation (NDPR) came into force last year as the only instrument to protect Nigerian data. However, over 15 months into its implementation, stakeholders are worried that awareness about the regulation is still very low. SAMSON AKINTARO reports

Nigeria, through the efforts of the National Information Technology Development Agency (NITDA), took a bold step to protect her citizens’ data by coming up with the Nigeria Data Protection Regulation (NDPR). While this might have been influenced by the European General Data Protection Regulation (GDPR), it was, nonetheless, seen as a commendable move to keep data handlers in the country on the watch and protect the rights of Nigerians. In the absence of substantive law for that purpose, the NDPR stands as the only instrument of law binding on all data handlers in the country. Stakeholders have, however, expressed concerns over observable instances of data breach and lack of compliance with the regulation by many companies in Nigeria. In December 2019, for instance, the NITDA issued a notice of noncompliance with the provisions of the NDPR to about 100 companies, some of which were in the sensitive Fintech sector.

Non-compliance issues

Since the regulation came into force in April 2019, NITDA had on two occasions raised the alarm over some organisations’ non-compliance. While there is yet no sanction against any organisation for breach, the agency had threatened punitive measures, noting that some organisations were already under investigation.

In August 2019, the agency said it was investigating some telecom operators, banks, and fintech operators over alleged breaches of the country’s data protection regulation. The then Director-General of NITDA, who is now the Minister of Communications and Digital Economy, Dr. Isa Pantami, in a statement, said some of the organisations under investigation had been reported to be violating the rule. Aside from the private operators, the DG said the agency was also investigating the Nigeria Immigration Service (NIS) for alleged violation of the NDPR. Similarly, NITDA also in September 2019 announced that it was investigating the mobile app, Truecaller.

The agency said its initial findings revealed that the mobile app’s privacy policy was not in compliance with global laws on data protection and the Nigeria Data Protection Regulation in particular. NITDA said it also discovered that there were over seven million Nigerians, who were active users of the service, hence the need to look deeper into the app and enlighten the public on some of the areas of non-compliance as well as guide those affected.

NITDA, in a statement signed by its current Director-General, Kashifu Inuwa, had said the caller-identification service was putting “many Nigerians in unsavoury conditions.” Inuwa said some provisions of the Truecaller Privacy Policy were clearly excessive and invasive of the privacy of its users, adding that contrary to the expectation of many users, the Truecaller service collects far more information than it needs to provide its primary service.

Data compromises persist

While the outcome of the investigations into issues of data compromise by some organisations remains unknown, incidences of data compromises remain prevalent in the country. As of the time of filing this report, trading of data is still being freely done in the country without recourse to the data protection regulation.

Besides, the level of compliance with the regulation by companies handling data in the country is still low. Indeed, according to a data protection consultant, Dr. Michael Irene, “many companies in Nigeria claim they are compliant with the new Nigerian data protection regulation but, upon closer inspection, one notices serious gaps in their framework. Over 80 per cent of Nigerian companies are not compliant with Nigerian Data Protection Regulation and Europe’s General Data Protection Regulation (GDPR)”.

NDPR provisions

Under the regulation, data subjects refer to individuals in Nigeria, as well as Nigerian citizens in and outside of the country, who “can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” Where such personal information is collected in a manner that is contrary to the NDPR, the NDPR provides that the person who collects the data (the data controller) may be liable for either or both civil and criminal penalties (if any criminal act is also committed). Civil penalties can range from payment of N2 million to N10 million, or from one per cent to two per cent of an organisation’s annual gross revenue (whichever is the greater amount).

The regulation, which is binding on all entities handling Nigerians’ data “provides that personal data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the data subject.” Article of the regulation mandates the data controller to expressly inform the data subject of the purpose(s) of the processing for which the personal data is intended as well as the legal basis for the processing. Data controllers are also expected to collect the minimum required data and avoid unnecessary surplusage.

Data that is not useful for the controller ought not to be collected. No data shall be obtained except the specific purpose of collection is made known to the data subject. This principle relates also to the principle on the purpose of the collection.

Obstacles to enforcement

While lauding the regulation and its provisions, stakeholders in the industry have also identified obstacles that would continue to make the regulation ineffective, if not addressed. According to a senior cybersecurity consultant product strategy and development at Serianu, Brencil Kaimba, putting policies and hefty penalties does not guarantee compliance or overall safety of the general public. “Comprehensive security has to consider people, Process, Technology, and policy.

“Laws only take care of the policy bit. A lot still needs to be done for people (particularly awareness, understanding the contents of the laws and their rights), process (putting the right infrastructure for reporting and prosecuting these crimes) and technology (equipping the law enforcement with the right tools to identify and proactively detect noncompliance),” he said.

He, however, identified major obstacles to the implementation of NDPR, which include low awareness in the country. According to him, “to address this, regulatory bodies will have to embark on nationwide awareness campaigns aimed at helping citizens understand the contents of these laws, the process of identifying these crimes and how to report these to the police.

“Law enforcement training will also help equip police and prosecutors with the skills to identify cybercrime, obtain evidence and prosecute.” He decried the absence of infrastructure for the identification and implementation of the law. “To implement data protection requirements, organisations need to have capabilities (either in house or outsourced) for data protection assessment, reporting, etc. These are skills that were previously not existent.

“There is still a need to acquire tools to identify non-compliance, monitoring infrastructure, audits, etc. To address this, regulators together with data processors and third parties need to invest in proper technologies and or processes for monitoring both compliance and non-compliance to these laws,” he added. In the same vein, the President, Association of Telecommunications Companies of Nigeria (ATCON), Mr. Olusola Teniola, who recently opened an engagement with National Information Technology Development Agency, the proponents of NDPR on the enlightenment of its members on the regulation, said: “the biggest challenge is lack of skills sets and knowledge in the area of Data Science, Analytics and BIG Data to be able to ensure that an individual internet user’s personal data is truly secure.

“The complex nature of the Internet and other enabling social media platforms is evolving at vast speeds and this then places an additional burden on not only NITDA to acquire personnel that has these requisite skills but also the judiciary and other enforcement agents that NITDA will need to work alongside in order to effectively enforce the NDPR in its true spirit.

“The whole essence of NDPR and cybersecurity vis-à-vis protection is to ensure users of the World Wide Web and their data is treated in a manner that provides confidence to the consumer that their personal data information is not unduly exposed to 3rd party data abuse or outright fraud.

“In the spirit of this the NDPR provides guidelines, procedures and processes that should be adopted to ensure that the principles of a fair and neutral Internet are available to all citizens of Nigeria. Furthermore, the regulation with an act/law backing it up will promote an environment similar to the way the current data protection Act is observed in the handling of information in our present operating environment”.

Last line

To achieve the goals of the regulation, the NITDA still has a lot to do in terms of raising awareness about the NDPR. The government will also need to give force to the regulation by signing the pending Data Protection Bill into law. This is expected to bolster the objectives of the NDPR and help in the enforcement of the regulation.

