The Nigeria Data Protection Act 2023: Balancing Rights and Obligations


    By Gbemi Adebolu


    Introduction
    Personal data is defined by the Nigeria Data Protection Act (the Act) as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
    The technology industry in Nigeria is still in its budding stage, and so is technology law. However, it is safe to say technology is clearly ahead of the legislation and may remain so. Nevertheless, it is important to regulate the impact of technology on individual rights and freedoms to forestall or at least limit a situation where society frantically kicks against technological advancement due to needless and frequent encroachment on fundamental rights.


    The signing into law of the Nigeria Data Protection Bill (NDPB) by President Bola Ahmed Tinubu of the Federal Republic of Nigeria barely two weeks after his inauguration signals remarkable progress for the privacy and data protection space, the technology industry, and human rights. The newly enacted law provides for the protection of personal information. Prior to the presidential assent, there had been a clamour from stakeholders for a distinct, robust instrument that provides adequately for the collection and processing of personal data in Nigeria, although certain provisions on data protection already existed in various instruments, ranging from the Constitution to the Nigeria Data Protection Regulation of 2019 and a host of sector-specific laws.


    The Objective of the Act
    The objectives of the Act are to safeguard the fundamental rights, freedoms and interests of data subjects as guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999; to provide for the regulation of the processing of personal data; to promote practices that protect the security of personal data and the privacy of data subjects (a data subject being an individual to whom personal data relates); to ensure fairness, lawfulness and accountability in the processing of personal data; to protect the rights of data subjects and provide remedies for breach; and to ensure that data controllers and data processors fulfil their obligations to data subjects. Also worthy of note is that the Act aims to project Nigeria on the economic world map by strengthening the legal foundations of the digital economy within the country and Nigeria's participation in the regional and global economies through the beneficial and trusted use of personal data.
    It also establishes the Nigeria Data Protection Commission (‘the Commission’) for the regulation of the protection of personal information. The Act states that the Commission shall be independent in the performance of its functions under the Act. Part IV of the Act which provides for funding of the Commission states that the Commission may borrow such sums of money as may be required in the performance of its functions, and may accept gifts, grants of money, aids or other assets, provided that the terms and conditions of the acceptance are consistent with the objectives and functions of the Commission under the Act.
    This provision appears to be a slippery slope. Considering the independence of the Commission under the Act, how would the accepted gifts be regulated to ensure such would not be inimical to the rights of data subjects, or a data controller’s obligations under the Act?


    The Application
    The Act applies to the processing of personal data (whether by automated means or not) where the data controller or data processor is domiciled in, resident in, or operating in Nigeria; where the processing of personal data occurs within Nigeria; or where the data controller or data processor is not domiciled, resident or operating in Nigeria, but is processing personal data of a data subject in Nigeria.
    This provision seems ambiguous. The Act does not define the test for determining whether a data controller/processor is ‘domiciled in, resident in, or operating in Nigeria.’
    The Act states that its provisions will not apply where the processing of personal data is carried out by one or more persons solely for personal or household purposes, provided that such processing does not violate the fundamental right to privacy of a data subject. It also provides that the obligations under Part V (principles and lawful basis governing processing of personal data), other than sections 24, 25, 32 and 40 of the Act, shall not apply to a data controller/processor where the processing of personal data is carried out by a competent authority: for the purposes of the prevention, investigation, detection, prosecution or adjudication of a criminal offence or the execution of a criminal penalty in accordance with applicable law; for the prevention or control of a national public health emergency; as is necessary for national security; in respect of publication in the public interest for journalism, educational, artistic and literary purposes, to the extent that such obligations and rights are incompatible with such purposes; or as is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The Act further provides that the Commission may by regulation prescribe types of personal data and processing that shall be exempt from the application of the Act.


    Principles and Obligations
    Part V of the Act provides for the principles and lawful basis governing the processing of personal data. It places an obligation on the data controller/processor to process data fairly, lawfully and in a transparent manner. Data controllers/processors are to ensure that data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Personal data collected should also be limited to the minimum necessary for the purposes for which it was collected; retained for no longer than is necessary to achieve the lawful basis for collection; accurate and kept up to date; and processed in a manner that ensures appropriate security of the data. The Act further outlines parameters for assessing further processing and expatiates on the principles governing the processing of personal data. Worthy of note is the provision of section 26, to the effect that the data controller bears the burden of proof for establishing a data subject's consent. Silence or inactivity by the data subject does not constitute consent. Consent must be express, whether given in writing, orally or through electronic means.
    Section 27 of the Act also provides information required to be communicated by the data controller to the data subject before collecting personal data. This requirement may be exempt where ‘provision of such information is impossible or would involve a disproportionate effort or expense.’ The question that arises is how a disproportionate effort or expense may be properly defined in various contexts, taking into account a number of factors.
    The information the data controller is mandated to make available to a data subject is contained in what is popularly called a ‘privacy policy’. It must be expressed in clear, concise, transparent, intelligible and easily accessible format, taking into consideration the class of data subjects targeted by the data processing. There’s also provision for the conduct of a data privacy impact assessment prior to processing where it appears likely to result in high risk to rights and freedoms of a data subject due to its nature, scope, context and purposes. Section 29 provides that where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the data controller/processor engaging another has the obligation to ensure the engaged data processor complies with the provisions of the Act to ensure the rights of data subjects are protected. Section 30 limits processing of sensitive personal data by a data controller/processor unless the data subject has given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed. The section further provides exemptions to the provision limiting processing of sensitive data by a data controller/processor. These exemptions focus on the obligations of the data controller/processor, the interests and rights of a data subject, and public interest.
    Section 31 states that the consent of a legal guardian is required where the data subject is a child or any individual lacking the capacity to give consent. There are exceptions to the requirement for the consent of a legal guardian for individuals lacking capacity to consent, including where the processing is necessary to protect the vital interests of the individual; is carried out for the purposes of education, medical or social care by a professional owing a duty of confidentiality; or is necessary for proceedings before a court relating to the individual.
    The Act makes provision for compliance. A data controller of major importance is required to engage the services of a Data Protection Officer. The definition of ‘a data controller of major importance’ by the Act is ‘a data controller/processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.’ A question raised is whether or not ‘such number of data subjects’ would be prescribed objectively or subjectively by the Commission. Also, where a data controller/processor is not domiciled, resident or operating in Nigeria, but is processing or intends to process personal data of ‘more than such number’ as the Commission may prescribe, what provision applies?
    Does ‘such other class of data controller/processor’ extend beyond Nigeria, so long as the personal data being processed is of ‘particular value or significance to the economy, society or security of Nigeria’? Again, how would the Commission define ‘personal data of particular value or significance to the economy, society or security of Nigeria’, and at what point would it be designated?
    The Act further provides that the Commission may license an expert to monitor, audit and report on compliance by data controllers and data processors with the Act and other regulations issued by the Commission made under the provision of the Act.
    Part VI of the Act provides in detail the rights available to a data subject. These include the right to obtain confirmation as to personal data being processed; to obtain a copy of personal data; to have inaccurate data corrected or deleted; to erasure and restriction of data processing under certain circumstances; and to withdraw consent and object to the processing of personal data. A data subject also has the right not to be subject to automated decision making, and the right to data portability, which is the right to obtain personal data from a data controller or to have it transmitted to another data controller.
    Part VII places an obligation on the data controller/processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data under its control. Such measures include pseudonymisation or other methods of de-identification of personal data, encryption and other security measures.
    A data processor has the obligation to notify the data controller that engaged it where there’s a security breach. The data controller in turn is obliged to notify the Commission within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals, and to a data subject where there’s a high risk to the rights and freedoms of a data subject including advice on measures to mitigate the risk.
    Part VIII addresses the cross-border transfer of personal data. The permissible bases for such a transfer are: adequacy of protection; the consent of the data subject; the performance of a contract; where the transfer is for the sole benefit of the data subject; and where it is necessary for the public interest, for the exercise of legal claims, or to protect the vital interests of the data subject or other persons.
    Part IX provides for registration of data controllers with the Commission and fees. Part X provides for enforcement of the rights of a data subject while Part XI provides for legal proceedings. It states that a suit against the Commission or its staff shall be commenced within three months after the act, neglect or default complained of. A written notice of intention to sue is also required to be served on the Commission.

    Conclusion
    The Act is a highly anticipated and very welcome legislation to address pertinent issues on the use and processing of personal data, and by implication the rights and freedoms of individuals. The technology space in Nigeria is still in its developmental stage. However, innovation is ahead of legislation. While legislation may not catch up with technological advancements anytime soon – or ever – it is imperative for provisions to be made as quickly as possible to protect rights of individuals and to ensure gaps for breach are limited. Technology should serve the purpose of making life easier in diverse ways; it should not hamper rights and freedoms.
    The Act is a detailed attempt at regulating processing of personal data. However, it raises a few questions which need further clarification. Nonetheless, effective implementation will curtail impunity by data controllers and data processors. It should also serve to limit an influx of frivolous actions by individuals since obligations, rights and exemptions have been expressly provided.
