
DATA PROTECTION LAW IN NIGERIA

We shall consider significant provisions of the National Information
Technology Development Agency Regulation (NITDA Regulation) that
impact data protection and data privacy in Nigeria. The NITDA
Regulation is Nigeria’s most comprehensive attempt yet to tackle this
phenomenon and to bring it within tolerable limits.

The world’s most valuable asset is no longer oil, but data. Data has
been described as individual units of information, which may be
measured; collected and reported; stored and analysed. In computing,
data is information that has been translated into a form that is
efficient for movement or processing.

Data is considered to be the ‘oil’ of the digital era. The world’s most
valuable companies include tech giants such as Google, Apple,
Facebook and Amazon (GAFA) whose subscribers are routinely required
to provide their data to facilitate access. The internet and smartphones
have contributed significantly to making data more valuable, available
and abundant. Almost every human activity generates a digital trace.
For example, our heart beat, our pulse, a running event, navigating
through traffic are all activities which produce data when connected to
the internet. The more cars, watches and phones that are connected to
the internet, the more data can be generated. Algorithm-driven
artificial intelligence has become so capable today that it can now
review contracts, conduct legal research and mediation, predict
exposure to disease and determine when a machine needs servicing.
The data industry has demonstrated such exponential growth that
certain multinationals now position themselves as data purveyors and
merchants.

Typically, internet subscribers and social media users are required to
provide personal data and sensitive information to facilitate access and
use of these platforms. Almost all transactions conducted online
require the release of some form of personal data. Although social
media users are often advised of data privacy terms, those terms do not
necessarily preclude the use or sharing of such personal data in
specified circumstances. This introduces the risk of personal
sensitive information being shared with or sold to high level
security agents or blue-chip companies to enable surveillance and data
gathering.

According to a survey by McAfee, more than 40% of people worldwide
are of the view that they lack control over their personal data, and
one-third of parents do not know how to explain online security risks
to their children. In 2008, there was widespread information regarding
how top brands such as Facebook, Panera Bread and Sacramento Bee
experienced data breaches that exposed several millions of personal
records to abuse by criminals. There appears to be a lucrative market
for data, and hackers tend to sell data they steal to professional
scammers.

These worrying statistics and developments have generated
widespread concerns around how to improve security frameworks over
the personal data we provide, in the knowledge that data protection
laws never fully offer complete protection against malicious attacks and
users are best advised to understand the basics of data privacy and how
to protect themselves. Google, Uber and Facebook have experienced
breaches of the private data of users over the years and, on each
occasion, these supposedly trusted companies failed to report/disclose
the breaches (when they occurred) to enable customers to take steps to
protect themselves. The failure by these companies to disclose data
privacy violations when they should have underscores the importance
of users taking personal data security as their personal responsibility.

The General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the
2018 reform of the GDPR are regulations under EU law concerning data
protection and privacy for all individual citizens of the European Union
(EU) and the European Economic Area (EEA). It also deals with the
export of personal data outside of the EU and EEA. In Nigeria, while
there are several legislations containing ancillary provisions which seek
to protect data privacy, the most comprehensive statutory instrument
for this purpose is a subsidiary legislation made pursuant to the
National Information Technology Development Agency Act, 2007
(‘NITDA Act’). The NITDA Act empowers the National Information
Technology Development Agency (NITDA) to, inter alia, develop
guidelines/regulations for electronic governance and monitor the use of
electronic data interchange in both the private and public sectors of the
economy.
Deriving from this provision, NITDA then developed and issued the
2013 Guidelines for Data protection and thereafter, the Nigeria Data
Protection Regulation 2019 (‘NITDA Regulation’), which is the extant
body of rules regulating the subject in Nigeria. A significant feature that
distinguishes the NITDA Regulation from other legislation in Nigeria is
the element of it being a data protection-specific body of rules as
opposed to it being an ancillary provision in a legislation which is not
primarily concerned with data privacy protection.

2. RELEVANT LEGISLATION IMPACTING DATA PROTECTION AND DATA
PRIVACY UNDER NIGERIAN LAW

Based on the functions of the Governing Board, NITDA would appear to
be the apex regulator for data privacy and protection in Nigeria.
However, this is without prejudice to the powers exercisable by the
regulators listed in the specific legislations which have data privacy and
protection provisions, regarding their enforcement of those provisions
in the manner set out in the legislations creating them. The provisions
contained in the NITDA Regulation also do not affect the existing rights
of natural persons or Nigerians under any other extant law, regulation,
policy or contract.

2.1 NITDA REGULATION

In Nigeria, while there are several legislations containing ancillary
provisions which seek to protect data privacy, the most comprehensive
statutory instrument for this purpose is a subsidiary legislation made
pursuant to the NITDA Act. The NITDA Act empowers the National
Information Technology Development Agency (NITDA) to issue guidelines
to cater for electronic governance and the monitoring of the use of
electronic data exchange. Deriving from this provision, NITDA then
developed and issued the Nigeria Data Protection Regulation 2019. A
significant feature which distinguishes the NITDA Regulation is that it is
a data privacy and protection-specific body of rules, as opposed to an
ancillary provision in a legislation whose primary objective is not data
protection.

2.2 THE 1999 CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA

As is applicable to most jurisdictions, Nigeria’s data privacy and data
protection regime emanates from the fundamental legislation of the
land, i.e. the Constitution of the Federal Republic of Nigeria 1999, as
amended (“the Constitution”), which, by virtue of section 37 thereof,
protects the rights of citizens to their privacy and the privacy of their
homes, correspondence, telephone conversations and telegraphic
communication. Data privacy and protection are thus extensions of a
citizen’s constitutional rights to privacy.

2.3 THE CHILD RIGHTS ACT

Nigeria adopted the Child Rights Act (CRA) in 2003 to domesticate the
United Nations Convention on the Rights of the Child, which is a human
rights treaty designed to guarantee the civil, economic, political, social,
health and cultural rights of children. The CRA is a legislation to provide
for and protect the rights of a Nigerian Child, who is defined as a person
under the age of 18 years. Section 3 of Part II CRA incorporates by
reference the provisions of Chapter IV of the Constitution, which deal
with the fundamental rights of citizens. Also, section 8 of the CRA which
covers a child’s rights to private and family life states that a child is
entitled to his privacy, family life, home, correspondence, telephone
conversations and telegraphic communication.

2.4 FREEDOM OF INFORMATION ACT 2011(FOIA)

The purpose of the FOIA is to make public records and information held
by Government agencies more freely accessible by the public. However,
it specifically makes an exception with respect to personal records and
information and matters concerning personal privacy. In this regard,
section 14 of the FOIA limits Government agencies from disclosing the
personal information of citizens unless the individual’s consent is
obtained, or the information is publicly available.

2.5 CYBERCRIMES (PROHIBITION, PREVENTION ETC) ACT 2015 (CPPA)

The fundamental purpose of the CPPA is to establish a framework for
the prohibition, prevention, detection, prosecution and punishment of
cybercrimes in Nigeria. It imposes an obligation on mobile networks,
computer and communications service providers to store and retain
subscriber information for a period of two years. Significantly, it
requires such service providers to accord premium to an individual’s
right to privacy as enshrined in the Constitution and to take steps
towards safeguarding the confidentiality of data processed.

2.6 CENTRAL BANK OF NIGERIA CONSUMER PROTECTION FRAMEWORK
2016 (CPF)

The Central Bank of Nigeria (CBN), in furtherance of its mandate to
promote a stable financial system, established the CPF to, among other
objectives, engender public confidence in the financial system. The CPF
itself is a subsidiary legislation made pursuant to the Central Bank of
Nigeria Act 2007 (CBN Act) as amended and the Banks and Other
Financial Institutions Act, 2007 (BOFIA). The provisions of section 3.1(e)
of the CPF are to the effect that consumer information must be
protected from unauthorised access and disclosure. In order to enable
disclosure, financial services institutions are required to obtain the
written consent of customers before their data may be shared with third
parties or used for promotional purposes.

2.7 THE NIGERIA COMMUNICATIONS COMMISSION (REGISTRATION OF
TELEPHONE SUBSCRIBERS) REGULATIONS 2011 (NCC REGULATIONS)

Pursuant to section 70 of the Nigerian Communications Act 2003 (NCA
2003), the NCC is empowered to make and publish regulations
concerning multiple subjects including but not limited to permits,
written authorisations, licenses, offences and penalties relating to
communication offences. Drawing from this authority, the NCC issued
the NCC Regulations, which apply to telecommunications companies.
Regulation 9 of the NCC Regulations specifies that, in furtherance of the
rights guaranteed by section 37 of the Constitution and subject to any
guidelines issued by the NCC or a licensee, any subscriber whose
personal information is stored in the Central Database is entitled to
request updates; to have the data kept confidential; not to have
subscriber information duplicated except as prescribed by the NCC
Regulations or an Act of the National Assembly; and to preserve the
integrity of the subscriber’s information. Also, licensees are required
to utilise subscribers’ information in accordance with the law;
likewise, licensees and other named parties are required not to retain
biometrics of any subscriber after transmission to the Central
Database. Regulation 10 of the NCC Regulations is to the effect that
any release of the personal information of a subscriber must be subject
to the consent of the subscriber or in accordance with the provisions of
the Constitution of the Federal Republic of Nigeria or any other Act of
the National Assembly or the NCC Regulations as may be amended
from time to time.

2.8 THE CREDIT REPORTING ACT 2017 (CRPA)

The CRPA was enacted for the purpose of improving access to credit
information and standardising risk management in credit transactions.
It provides the framework for credit reporting, licensing and credit
bureaux. Section 9 of the CRPA is to the effect that Data Subjects i.e.
persons whose data are maintained by credit bureaux, shall be entitled
to the privacy, confidentiality and protection of their credit information
subject to certain exceptions listed under section 9(2) to 9(6) of the
CRPA.

3. A REVIEW OF THE NIGERIA DATA PROTECTION REGULATION 2019

The objectives of the NITDA Regulation are to safeguard the rights of
natural persons to data privacy, foster the safe handling of transactions
which involve the exchange of personal data, prevent acts of
manipulation relating to personal data, and ensure that Nigerian
businesses remain competitive in the international market place
through adoption of legal and regulatory frameworks which secure
personal data and meet standards of international best practices.

3.1 SCOPE OF APPLICATION

The data protection provisions embodied in the NITDA Regulation
extend to all transactions regarding processing of personal data
irrespective of the means, all natural persons residing in Nigeria or
natural persons outside Nigeria who are citizens of Nigeria, in so far as
the operation of the NITDA Regulation does not impair the privacy
rights of natural persons or Nigerians under other extant laws,
regulations, policies or contracts.

3.2 GOVERNING PRINCIPLES OF DATA PROCESSING

Personal data should be collected and processed observing a specific,
lawful and legitimate purpose as consented to by a Data Subject, i.e. the
owner of the data being collected and processed:

• Personal data shall be adequate, accurate and respect the dignity of
the human person;
• Storage of Personal data should be on a need-to-retain basis;
• Personal data should be secured against foreseeable hazards;
• The custodian of personal data owes a duty of care to the Data
Subject;
• The custodian of personal data is accountable for his acts or
omissions;

Lawful Processing of Personal Data.

The conditions under which Personal Data would be deemed to have
been lawfully processed have been highlighted below:

• Where consent of the Data Subject has been procured;
• Where processing is necessary for the performance of a contract to
which the Data Subject is a party;
• Where it is required for compliance with a legal obligation which
the Data Controller, i.e. the person or body of persons who
determine the purposes for which and manner in which Personal
Data is being or is to be processed, is required to discharge;
• Where it is required to protect the vital interests of the Data
Subject;
• Where it is required for carrying out a task in the public interest or
in the exercise of an official public mandate imposed on the Data
Controller.

3.3 PROCURING CONSENT FROM A DATA SUBJECT

The NITDA Regulation prescribes the circumstances under which
consent may be obtained from a Data Subject as follows:

• The specific purpose of collection of Personal Data must be made
known to the Data Subject before his consent may be secured and
deemed lawful;
• The Data Controller is obliged under the law to ensure that
consent of the Data Subject is obtained without fraud, coercion or
undue influence; and in doing so, regard must be had to the legal
capacity of the Data Subject and to whether the Personal Data
consented to is unambiguous;
• The Data Subject must be aware of his right to withdraw his
consent at any time (provided that he is bound by acts carried out
pursuant to the initial consent before withdrawal);
• The nature of the consent must be examined, to determine
whether it is conditional or excessive for the performance of the
contract, and whether data is transferable to a third party under a
contract.

Privacy Policy to be Displayed

All media through which Personal Data is being collected must display
in a simple, conspicuous and understandable manner, their applicable
privacy policy. The minimum requirements for such a privacy policy are
as set out below:

• What represents consent for the Data Subject;
• Description of personal information that is collectible;
• Purpose of Personal Data being collected;
• Technical methods deployed to source and store personal
information, cookies, web tokens etc.;
• Whether third parties have access, and if so, nature of;

remedies:

No limitation clause would avail any Data Controller who is in default of
the NITDA Regulation.

3.5 DATA SECURITY AND THIRD-PARTY DATA PROCESSING CONTRACT

The NITDA Regulation imposes an obligation on persons involved in
data processing or control of data to develop security measures to
protect data, including safeguards against hackers, setting up firewalls,
employing data encryption technologies and similar approaches.

The NITDA Regulation provides that data processing by third parties should
be governed by written contracts between such third parties and the
Data Controller.

3.6 PENALTY FOR DEFAULT

Breach of the privacy rights of any Data Subject under the NITDA
Regulation shall, apart from other criminal liability, attract, with respect
to Data Controllers dealing with more than 10,000 Data Subjects,
payment of a fine of 2% of annual gross revenue of the preceding year
or payment of ₦10 million, whichever is greater; and with respect to
Data Controllers dealing with less than 10,000 Data Subjects, a fine of
1% of the annual gross revenue of the preceding year or payment of ₦2
million, whichever is greater.

3.7 TRANSFER OF PERSONAL DATA TO A FOREIGN COUNTRY AND
EXCEPTIONS

The NITDA Regulation circumscribes the manner in which the transfer of
Personal Data to a foreign country is to be effected. While observing
the provisions of the Regulation and conducting such transfers under
the supervision of the Honourable Attorney General of the Federation
(HAGF), the following considerations shall be taken into account:

• The foreign country provides an adequate level of protection;
• Legal system and enforceability of human rights in the foreign country;
• Effectiveness of the supervising authority for data privacy in the foreign
country;
• International commitments of the foreign country with respect to
protection of Personal Data.

In the absence of a decision by the HAGF as to the adequacy of the
above considerations, such transfers shall only take place where
consent of the Data Subject has been secured; transfer is necessary for
the performance of a contract or is required for the performance of a
public interest purpose; or in establishment, exercise or defence of
legal claims or in defence of the vital interests of the Data Subject.

3.8 RIGHTS OF A DATA SUBJECT

The NITDA Regulation provides elaborately for the rights of the Data
Subject, and these rights include the minimum requirements for
processing personal data, the right of the Data Subject to be informed of
appropriate safeguards for data protection, the right of the Data Subject
to request deletion of personal data in appropriate cases and
reiteration of the protection of fundamental rights as afforded by the
Constitution of the Federal Republic of Nigeria.

3.9 IMPLEMENTATION MECHANISM

The NITDA Regulation has established rules which govern the manner in
which the provisions of the Regulation should be implemented. The
major planks on which implementation rests are discussed below.

• All public and private organisations in Nigeria that control the
data of natural persons must publish to the general public their
respective Data Protection Policies within three months of
issuance of the NITDA Regulation.
• A Data Protection Officer shall be designated by every Data
Controller to ensure adherence with the provisions of the NITDA
Regulation, and such Data Controllers are required to ensure
continuous capacity building for Data Protection Officers.
• NITDA shall register and license Data Protection Compliance
Organisations (DPCOs), which shall have responsibility for
monitoring, auditing and training Data Controllers on its behalf.
• All organisations are required to, within six months of the
issuance of the NITDA Regulation, conduct an audit of their privacy
and data protection practices having regard to the provisions of
the Regulation. Also, where a Data Controller processes the
Personal Data of more than 1000 Data Subjects over a six-month
period, a soft copy of the summary of the audit mentioned above
should be submitted to NITDA.
• Finally, on an annual basis, Data Controllers who manage the
Personal Data of over 2000 Data Subjects over a twelve-month
period shall, no later than 15 March of the following year, submit
a summary of the Data Protection audit in the manner specified
by the Regulation to NITDA.

4. EFFECTS OF THE PROVISIONS OF THE NITDA REGULATION AND ITS
STATUS IN THE NIGERIAN DATA PRIVACY AND DATA PROTECTION
REGIME

The establishment of the NITDA Regulation is one deserving of
commendation by all. It is, indeed, the most elaborate attempt by
Nigeria to codify the private right to data and its protection. What this
portends is that it provides confidence to all stakeholders, local and
foreign, who seek to invest and do business in Nigeria that it has data
laws comparable to any in the world. It represents an important step
towards keeping abreast with the digital revolution and a stamp of
approval for the value of safeguarding digital rights within Nigeria.
Nigeria’s technological advancement is perennially on an upward
trajectory and the net effect of embracing a comprehensive data
privacy and protection regime will manifest in a number of positive
ways, some of which we have attempted to highlight in the paragraphs
that follow.

4.1 UPHOLDING AND GUARANTEEING THE RIGHT TO PRIVACY

The adoption of a data privacy and protection legislation is an
acknowledgement of the right of persons to preserve those rights as
guaranteed under the Nigerian Constitution. This promotes information
exchange and development of our digital economy space.

4.2 REINFORCEMENT OF NIGERIA’S CYBER SECURITY REGULATIONS

With the establishment of the NITDA Regulation, Nigeria has assumed a
definitive stand on the war against cybercrimes, which have become a
domestic and cross-border menace. It has placed Nigeria as a
respectable member of the comity of serious-minded nations who are
committed to stamping out cybercrimes or, at least, mitigating the
debilitating consequences they wreak on several economies across the
world. It is important to mention that security upgrades in networks,
servers and infrastructures have been a primary source of cyber
protection along with other policy and security changes until recently.
The passing of the NITDA Regulation has directly impacted data privacy
and security standards while also indirectly encouraging businesses to
develop and improve their cyber security measures, limiting the risks of
any potential data breach.

4.3 UNIFORMITY OF DATA PROTECTION

Prior to the establishment of the NITDA Regulation, it was safe to assert
that Nigeria had no uniform or comprehensive body of rules regulating
data privacy and protection save for those earlier highlighted in this
paper. The NITDA Regulation has thus brought about a sense of sanity
and standardization in this space, satisfying international expectations.

4.4 PREMIUM BUDGETING FOR COMPLIANCE WITH NITDA
REGULATIONS

With consequential enforcement action, this legislation provides a
credible basis for cracking down on offenders for non-compliance with
its provisions. We expect that companies will increasingly channel
resources towards bringing their operations into alignment with the
provisions of the NITDA Regulation, including the appointment of Data
Protection Officers.

4.5 REFORMS IN MARKETING

Marketers have, typically, relied heavily on the personalised data
gathered from our internet practices and tendencies to reach target
markets and shape their campaigns. They will have to get explicit
permission to use personal data and be clear about how they gather
that information, going forward. The changes and increased barriers
brought about by data privacy laws may turn some in-house marketing
teams and agencies back to traditional marketing methods. Also, many
sites charge their users nothing to use their site but will pay to keep
everything running by selling data about their users to advertisers.
Some speculate that there may be an increase in sites charging for
memberships and subscriptions to maintain their sites without the free
data.

5. CONCLUSION

Without question, the NITDA Regulation constitutes a transformational
attempt to radicalise the data privacy and protection regime in Nigeria.
As shown in this paper, several countries of the world have adopted the
principles set out in the internationally recognised standards of the
GDPR in formulating their domestic laws in this area. Nigeria has
similarly followed suit and come up with the NITDA Regulation, which
encapsulates wholesale changes to what hitherto existed.

We expect a paradigm shift in the way corporations and individuals
carry on business and interact with respect to the data in their
possession. While we have highlighted scenarios that could landscape
this space in a post-NITDA Regulation era, we challenge the
government to ensure that its provisions are effectively enforced. A
robust enforcement framework primed to give teeth to its provisions
will, in our view, enable realization of its promise.
