by Ademola Adeyoju
For a long time, Nigeria lacked a comprehensive data protection and privacy legislation. This has left the entire country vulnerable and exposed.
In an era where internet penetration continues to rise at an astronomic pace and nations are developing advanced capabilities to harvest and process data, it completely beclouds reason how Africa’s biggest economy has failed for so long to: ensure that personal data are obtained for legitimate and specified purposes only; protect people’s privacy by giving Data Subjects some level of control over the collation and use of their personal data; and generally balance the interests of such stakeholders as data owners, government agencies, and companies that collect, store, process, transmit, and use data.
So, when Nigeria’s National Information Technology Development Agency (NITDA) “released five guidelines to guide its operations as well as use and access to internet and IT infrastructure in Nigeria” on 25 January 2019 — and thereby resuscitated the spirit of Section 37 of the Constitution of the Federal Republic of Nigeria, which guarantees the protection of “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications” — the whole country heaved a huge sigh of relief.
The regulations issued include: “Rule-making Process of NITDA”, “Nigeria Data Protection Regulation”, “Guidelines for Clearance of Information Technology Projects”, “Framework and Guidelines for Public Internet Access” and “Framework and Guidelines for Use of Social Media in Public Institutions”.
A Quick Review of the Key Provisions of the Data Protection Regulation (DPR)
Scope and Application of the DPR
The DPR covers transactions intended for the processing of personal data and the actual processing of personal data, and applies to person(s) residing in Nigeria or residing outside Nigeria but of Nigerian descent. But unlike the exceptional EU General Data Protection Regulation (the “GDPR”), for instance, it appears that the DPR does not apply to persons and entities outside Nigeria that collect, store, or process data of persons in Nigeria.
The DPR provides for the collection and processing of personal data only in accordance with a lawful purpose. The Regulation also states that further processing may be done for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
According to the Regulation, processing shall only be lawful where, for instance, the Data Subject has given consent; where the processing is necessary to comply with legal obligations; or where the processing is necessary for the performance of a contract to which the Data Subject is party.
Again, regarding privacy, the DPR recommends an expansive — as against a restrictive — interpretation of the rights of Data Subjects, in furtherance of fundamental human rights and Nigerian law. The DPR then goes on to stipulate penalties for breaches of privacy rights.
Rights of Data Subjects
The Regulation gives Data Subjects—or, if you like, natural persons that own personal data—a number of rights. For example, Data Subjects have the right to be informed of the appropriate safeguards where data are transferred to a foreign country or international organization; Data Subjects also have the right to request that their personal data be deleted by any data-processing entity where, for instance, such data have been unlawfully processed, the Data Subject withdraws consent, or the personal data are no longer necessary in relation to the purposes for which they were collected or processed.
Implementation Mechanisms and Data Protection Audit
Three months after the date of the issuance of the DPR, all public and private organizations in Nigeria that control data of natural persons are expected to make available to the general public their respective data protection policies. Each organization is also expected to appoint a Data Security Officer, responsible for handling compliance issues and ensuring that the provisions of the Regulations and other laws are effectively implemented.
The DPR also mandates every organization that collects and processes data to conduct a full and detailed audit and make a report on its data protection practices and procedures, how personal data of employees and the general public are obtained and handled, and whether Data Subjects’ consent is obtained before their data are collected, stored, or used for any purpose.
Identifiable Flaws in the DPR
A quick glance at the new DPR reveals a number of errors.
Structurally, the numbering of the Regulation is all wrong: Section 1 is numbered ‘1.0’, Sections 2 and 3 are numbered ‘1.2’, and Section 4 is numbered ‘1.3’. The rest of the law is irregularly and very confusingly numbered this way. Again, there’s an error in the arrangement of sections: the Section on ‘Penalty for Default’, inserted immediately after the Section on ‘Advancement of Right to Privacy’, is completely missing from the table of contents. And then, Section 42, which is supposed to state the title and commencement of the Regulation, is nowhere to be found in the body of the Regulation.
Also, one of the Guidelines issued alongside the DPR—that is, the Framework and Guidelines for Public Internet Access—erroneously refers to the DPR as a 2018 law, when the DPR calls itself a 2019 legislation.
Again, although the DPR will only come into force on the date it is approved by the Board of NITDA, it mandates each organization to conduct a detailed audit of its privacy and data protection practices within 6 months after the date of issuance. One is almost immediately prompted to ask: what is the effect of a legislation that has not come into force? What happens to organizations that fail to conduct an audit within 6 months of the date of issuance by the time the law is finally given effect by the NITDA Board? Would the law apply retrospectively to punish ‘erring’ organizations? Meanwhile, all other Guidelines issued alongside the DPR lack definite commencement dates. It is not clear, therefore, when exactly these Regulations are to come into force.
Moreover, the Regulation places too much emphasis on data collection and processing but fails to adequately address the issue of data retention. This may ultimately create problems, because it is unclear for how long data-collecting companies can keep people’s personal data. And where a company prematurely erases data, what happens where a Data Subject—say, an MTN customer who needs to retrieve his information after losing his SIM card—needs his data, or where law enforcement agencies need data to track a person suspected of having committed an offence?
Finally, while NITDA’s effort is laudable, questions have been raised about the legislative competence of the NITDA to make laws on data protection. “NITDA does not appear to be authorized by the NITDA Act to issue guidelines on matters of ‘data protection’, ‘data security’ or ‘data privacy’; it is unlikely that NITDA Guidelines [can stand] if its legality were eventually challenged in court”.
Notes
It should however be noted that there are legislations that provide some sort of protection, for example, the Nigerian Communications Act (NCA) 2003, the Freedom of Information Act (FOIA) 2011, the Credit Reporting Act 2017, etc.
According to the new Nigeria Data Protection Regulation, a Data Subject is an “identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
See Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
Abdulaziz Abdulaziz, ‘Nigerian govt releases guidelines on internet access, data protection’ (2019).
See Section 2.13 of the Data Protection Regulation for the full list of rights.