One of the reasons for the astronomic rise of the Tech Industry in Nigeria and worldwide is the monetization and mining of information, otherwise known as Data. It also means that Tech companies, especially those in the Social Media subsector, wield some of the greatest forms of influence in modern history, having access to almost everything private about us in a way unfathomable by the governments of the world.
It is as a result of this that the National Information Technology Development Agency (NITDA), the overall agency in charge of the Regulatory Framework governing the Nigerian Tech Sector, pursuant to the NITDA Act, created and issued the Nigerian Data Protection Regulations 2019 (hereinafter referred to as ‘The Regulations’), which must be adhered to by every digital service provider dealing directly or indirectly with the receipt and processing of end-user data.
These Regulations are a loose conceptual adoption of the European General Data Protection Regulation (GDPR) and form the focus of this article, which aims to provide you with:
– A clear understanding of what the Regulations consider Data and their core focus, personal data.
– The compulsory compliance demands of the Regulations on every Digital Platform service provider dealing with end-user data.
– The penalties to which defaulters of its provisions can and/or will be liable under the Regulations.
What is “Data” under the Regulations?
The regulations define Data as “Characters, symbols & binary which operations are performed by a computer which may be stored by transmission in the form of electronic signals stored in any format or device”.
It goes further to define personal data as “Information relating to an identified or identifiable natural person (referred to under the regulations as a “Data Subject”) being one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person and can be anything from a name, address, a photograph, email address, bank details, Social Media posts, Medical information and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM information, Personal Identification information and others”.
Who are the regulations applicable to?
The regulations apply to natural persons and legal persons (companies and organizations) in Nigeria and to Nigerian citizens or Diaspora residents with Nigerian Ancestry.
What exactly are the demands of the regulations regarding data?
The Regulations have provisions for the following requirements:-
– Anyone involved in the activity of processing data or Data control is required by the Regulations to have set up, and to continuously improve, sufficient security measures, including anti-hacking safety measures, firewall set-up, Data encryption and reinforced storage with zero access probability for unauthorized persons, as well as continuous competence and capacity upskill training for all staff involved in Data receipt, processing, storage and protection.
3rd Party Processor engagement by a Primary Data Processor.
– Any outsourcing by a primary Data receiver to a 3rd party involved in Data processing MUST be governed by a written contract between the 3rd party and the primary Data receiving party (known as the Data controller) in line with the provisions of the regulations.
End-user/Data Subject Consent
– The consent of the end-user (data subject) MUST be obtained AFTER informing him/her of the purpose/reason for the data collection.
– The Regulations place a legal duty on the data controller to ensure that no misrepresentation, fraud or force is used in acquiring the consent of a data subject.
– Consent shall not be given, asked for or accepted where there is a possibility of digital or online promotion of hate through speech or the encouragement of hateful action, human or child rights violations, crimes or anti-user community conduct.
– Data subjects must be made aware of their right/legal option to withdraw their consent even though the legality of data receipt, processing and storage of their data based on previously acquired consent will not be questioned.
– 3rd party transfer of the data subject’s data by the primary Data controller must happen only after legally obtaining the data subject’s consent.
This is a must especially for Fintech companies, which deal with a lot of end-user personal data and which leverage a lot of 3rd party partnerships with banks and other financial institutions, e.g. Digital Lending, Digital International Remittance transfers, Digital Savings Platforms, E-commerce platforms, etc.
– Data collection and processing methods and privacy policies must be disclosed to the data subject via display in an easily discernible form, including:
a). A clear definition of what makes up the consent of the Data subject.
b). What constitutes receivable Personal Information of the Data subject.
c). A stated purpose of the end-user’s personal data collection.
d). Information on the technologies used in the collection and storage of personal info, cookie policies, etc.
e). Notification to the data subject for the purpose of obtaining prior consent in the event of 3rd party access to his personal information.
f). A set of agreed Dispute Resolution/Remedy mechanisms in the event of a breach of the Data subject’s privacy.
Liability for Data Privacy Breach by the 3rd Party.
This was not explicitly mentioned in the Regulations, but by virtue of the principle of vicarious liability, the primary Data controller will be liable in the event of a breach of the Data Subject’s Data Privacy arising out of the deliberate actions or negligence of the 3rd party Data Processor.
Are there any rights guaranteed by the regulations?
Yes, there are. The Regulations grant to the end-user/data subject the following rights:-
– The right to delete personal data.
– The right to object to personal data processing for the purpose of marketing or commercial promotions.
– The right of a data subject to withdraw consent to the use of his personal data.
– The right of an end-user to be notified in the event of a privacy breach.
– The right to limit personal data processing and the right to transfer personal data to another controller (the latter right is of a two-way application, subject to the data subject’s consent in the case of the data controller’s right to transfer personal data to a 3rd party).
– The right of rectification regarding personal information.
What do the regulations say about the Transfer of Personal Information (Data Subject information) to a foreign country or International organization?
This is under the regulatory governance of NITDA, which as a government agency is statutorily empowered, in collaboration with the supervisory role of the Attorney-General of the Federation (AGF), to give directions determining which countries/organizations have adequate Regulatory Frameworks set up regarding End-user/Data Subject Privacy Protection.
Where there are no directives in the manner described above, the primary data controller can go ahead with the transfer of the Data subject’s data where:
a). Consent to the transfer was obtained legally from the Data subject after clearly informing him of the likely risks of breach involved therein.
b). The performance of a contractual obligation between the data subject and the primary data controller depends on the transfer.
c). The transfer is necessary for the execution of pre-contractual measures upon the end-user’s demand.
d). There’s overriding Public Interest.
e). There’s the need for proving a legal claim.
f). The subject is physically or legally incapable of giving consent on health grounds or due to legal incapability, e.g. unlawful detention.
What are the further compliance requirements of the regulations on Private & Public organizations?
Under the Regulations, all organizations involved in Data collection, processing and storage are expected to :-
– Make public their Data protection policies;
– Appoint a Data Protection Compliance Officer (or DPCO) for the purpose of carrying out compliance with the Regulations as well as carrying out the data protection instructions of the Data controller. A DPCO can be an outsourced firm or individual;
– Carry out continuous upskill capacity building for its Data receipt, protection and processing staff;
– Carry out a detailed audit of its Data Protection practices stating important information that includes:
a). Collected Personal information of their employees and its Data subjects.
b). The purposes of its Data collections.
c). 3rd party access to data subject personal information where applicable.
d). The presence of consent where a data subject’s personal information is collected, processed, stored and transferred, along with the disclosed method of obtaining consent.
e). The Privacy and Data Protection policies of an organization.
f). The measures of an organization used in the monitoring and reporting of Privacy & Data Protection Policy violation.
g). The organization’s means of assessing the impact of current and emerging technologies on its Data Privacy/Security policies.
– An audit soft copy containing the relevant information must be remitted to NITDA where a Data controller processes the data of more than 1,000 data subjects in a period of 6 months.
– Send every year on a date not later than the 15th of March, a Data protection audit to NITDA where a Data controller processes the personal data of more than 2,000 data subjects within a 12-month period.
Who or what exactly is eligible to be a DPCO?
A DPCO (Data Protection Compliance Organization/Officer) can be an outsourced IT service provider, outsourced Lawyer/Law firm, or Audit firm. A DPCO is licensed by NITDA to provide the following services –
– Data Protection Compliance & Advisory services.
– Data Compliance audit preparation.
– Data Protection & Privacy Due Diligence Investigation.
– Data Privacy Breach Remediation and Dispute Resolution.
What are the penalties for being in default of the regulations, and do I have the right to seek further redress?
A Data Controller dealing with or having more than 10,000 data subjects will, in the event of a default, be liable to a fine of whichever is greater in value between 2% of its preceding year’s annual gross revenue and Ten Million Naira.
In the case of a Data controller with less than 10,000 data subjects, a default of the regulations will earn a fine of whichever is greater in value between 1% of its preceding year’s annual gross revenue and Two Million Naira.
These fines are payable to NITDA and yes, as a data subject you have the right to seek further redress via damages for Privacy and other consequent breaches against a Data controller in civil law, as well as in criminal law by virtue of the Cybercrime Act.
As a Primary Data Controller, you have a right to seek legal redress against a 3rd party outsourced by your company to process data transferred by you, in the event of losses arising from breaches of your data subjects’ privacy due to a deliberate act or negligence of the 3rd party.
Conclusion :- The Regulations are just one aspect of the Regulatory Framework governing ICT and the Tech Sector in Nigeria, a Regulatory Framework that is constantly evolving due to the dynamic nature of Tech, from communications to E-commerce to Fintech to Social Interactions. It is thus wise to constantly ensure your up-to-date compliance with this Regulatory Framework, by keeping diligent Data Protection Compliance professionals close by going forward, in order to avoid possible unplanned losses, especially of the type constantly experienced by ICT and Fintech subsectors such as Mobile Communications and Digital Moneylending.