Nigeria’s Data Protection Bill 2020 aims to ensure that data processing in the country conforms to international standards, notably the European Union’s GDPR, and safeguards personal information, actions that the government considers necessary for the growth of international trade and the IT sector.
The bill was formulated and proposed by the National Information Technology Agency (NITDA), and builds on the Nigerian Data Protection Regulation (NDPR), implemented in January 2019.
The NDPR lays out basic rules for the legal processing of data, the rights of data subjects and sanctions for failure to observe regulations. The main proposal in the 2020 bill is for the creation of a new Data Protection Commission focused on ensuring compliance with the 2019 regulations as well as additional strictures meant to clarify certain data processing procedures.
The draft bill was published for public comment in August and interested stakeholders were invited to respond. The comment period ended in September and the bill is currently being reviewed by the National Assembly, according to a NITDA spokesperson, who said that at the moment there is no timeline for when the review will be complete.
What does the current NDPR cover?
The current NDPR took a big first step in the country’s efforts to ensure that data processing in the country would conform to the General Data Protection Regulation (GDPR) requirements for entities worldwide that seek to do business in the EU.
“NITDA issued the Nigerian Data Protection Regulation (NDPR) with the objectives to safeguard the rights of natural persons to data privacy; foster safe conduct for transactions involving the exchange of personal data; prevent manipulation of personal data; and ensure that Nigerian businesses remain competitive internationally,” said Director General of Nigeria’s Securities and Exchange Commission Lamido Yuguda in a recent webinar.
The NDPR, for example, states that processing is lawful if:
- The data subject has given consent
- Processing is necessary for the performance of a contract to which the data subject is a party
- Processing is necessary for compliance with a legal obligation to which the controller (the person or entity determining how the data is to be used) is subject
- Processing is necessary in order to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in exercise of an official public mandate
There has been debate, however, about the appropriate level of fines in cases where the rules are violated. In addition, the NDPR strictures are currently codified only as supplementary regulations, whereas the proposed bill, if passed by the National Assembly and approved by the president, would enshrine the rules in law and empower the newly formed commission to enforce them under the authority of a national Act, legal authorities point out.
Why is a new Data Protection Bill needed?
“Given the limitations of the NDPR in scope, form and power,” explains Bisola Scott, from the law firm S.P.A. Ajibade & Co, “it became necessary to enact a more comprehensive law solely governing data privacy and protection.”
While NITDA has a very broad mandate to implement national IT policy, it is proposing the formation of a separate commission to focus specifically on promoting and enforcing data protection law. NITDA states the new bill is meant to be approved as “an Act to establish the Data Protection Commission charged with the responsibility for the protection of personal data, rights of data subjects, regulation of the processing of personal data and for related matters.”
The bill reworks some of the language in the current NDPR, clarifies guidelines and lays out specific proposed monetary sanctions for rule violations.
Ultimately, the aim of the bill is to “promote a code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organisations and government security agencies to collect such data”, according to analysis by the legal data experts Data Guidance.
What are the aims of the Data Protection Bill?
The draft bill is intended to build on the NDPR framework. There are a number of plainly stated goals that the bill aims to achieve:
- To protect data subjects’ data vis-à-vis the use of such data by organisations and security agencies;
- To establish a regulatory authority that will coordinate data protection and privacy issues; and
- To have oversight of data controllers and data processors, and ensure that personal data is processed in accordance with NITDA’s data protection principles.
Who is the bill aimed at?
All stakeholders in the Nigerian economy, both public and private organisations, will be impacted when the draft bill becomes an act of law. Each of the following actors without exception shall be required to comply with the provisions of this Act:
- A data subject who is a citizen of Nigeria;
- A data subject who is ordinarily resident in Nigeria;
- A body incorporated under the laws of Nigeria;
- An unincorporated joint venture or association operating in part or in whole in Nigeria;
- Any person who does not fall within paragraphs (a), (b), (c) or (d), but maintains an office, branch or agency through which business activities are carried out in Nigeria;
- Foreign entities targeting persons resident in Nigeria.
What types of data will be protected?
As a result of the global pandemic and the explosive growth in cloud services, more and more personal data goes online. Governments around the world are grappling with how best to protect that data from unscrupulous hackers who are constantly dreaming up new ways of exploiting that data for their personal gains.
These are the categories of data that the legislation is aiming to safeguard for Nigerians:
- Personal and biometric data revealing a data subject’s identity, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership;
- Personal banking and accounting records;
- Personal data revealing a data subject’s flight reservation or itinerary;
- Students’ academic transcript records;
- Personal medical and health records;
- Telephone calls, call data records, messages, websites, and other information stored on any electronic device;
- Personal subscription data which reveals data subject behaviour.
The role of data controller and processors
The NDPR is modelled closely on the GDPR. These documents define a “data controller” as a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body).
The person, or agency, that processes that data on behalf of the controller is known as the “data processor”.
Data controllers and processors are absolutely vital to the success of Nigeria’s attempts to regulate the processing of personal data.
Implementation and enforcement are going to be two key factors that will determine exactly how safe Nigerians feel when putting their data online. The success of the new bill rests in the hands of data controllers who will be required to submit reports of data protection audits to the new commission on an annual basis.
The bill states that the “commission shall compile and publish an annual report containing the list of organisations who have submitted the audit report.” Failure to submit a report will result in fines and penalties being imposed on the offending parties.
The bill places responsibility on the data controller to make sure that organisations are compliant with the law.
“The data controller is required to engage only a data processor who provides sufficient guarantees to implement appropriate technical and organizational measures, taking into account the data controller’s obligations under the bill and to ensure the protection of the rights and fundamental freedoms of the data subject,” according to Scott. “Data controllers are required to appoint a data protection officer who will be responsible for ensuring adherence to the bill. This is, however, subject to the regulation made by the Commission.”
What is the punishment for contravening the data protection law?
The bill clearly lays out the proposed punishment for those who are breaking the law. Among the recommended sentences are the following:
- A person who knowingly or recklessly — (a) obtains, or discloses personal data to a third party, without the consent of the data controller, (b) after obtaining personal data, retains it without the consent of the data controller commits an offence and is liable on conviction to a fine of not less than ₦5,000,000.00 (Five Million Naira) or imprisonment for a term not less than 1 (one) year or both.
- A person who sells personal data, commits an offence and is liable on conviction to a fine of not less than ₦1,000,000.00 (One Million Naira) per record or to imprisonment for a term not less than 5 (five) years concurrently or both
- A data controller or data processor who fails to put in place appropriate data protection technical and managerial safeguards, policies, standards, and procedures commits an offence and is liable on conviction to a fine of not less than ₦10,000,000.00 (Ten Million Naira) for every year in default or to imprisonment for a term of not less than 1 (one) year or both.
The new data protection rules are a bold and important step that will allow businesses in Nigeria to compete in the digital economy. With stricter regulation and clear guidelines, both Nigerian companies and multinational corporations will be able to engage with Nigerian consumers secure in the knowledge that data, the backbone of the 21st century economy, is being handled with the respect it deserves.