In January 2019, the Nigeria Information Technology Development Agency (NITDA) rolled out the Data Protection Regulations. Perhaps because Nigeria had long awaited some form of regulation on data processing, the Regulation was welcomed with much acclaim and commendation. This commentary swims against the tide. It highlights the fact that so far, the assessment of the Regulation has been perfunctory, cursory and uncritical. It demonstrates in particular that a detailed and critical reading of the Regulation reveals that there is a misapprehension of the conceptual underpinning of data protection and that there are interpretative problems with the substantive provisions of the Regulation. The problems are discussed under five broad heads: conceptual problems, the scope of the Regulation, the principles of data protection, data subjects’ rights, and administration and enforcement.
1. Some Conceptual Problems
(a) Personal data vs personally identifiable information
Personal data (PD) is widely acclaimed as the central concept of data protection laws and the trigger for the application of obligations under any law or regulation. Often, PD and the similar concept of personally identifiable information (PII) are regarded as roughly equivalent; however, most laws adopt only one of the two terms to describe the phenomenon of information that identifies an individual or natural person. Curiously, the NITDA Regulation defines both PII and PD and makes reference to both concepts within the text of the Regulation.
It is important to note that the first difference between the two concepts is the context and jurisdictions in which they are used. The concept of personal data is widely used in the EU and defined under the EU General Data Protection Regulation (GDPR) 2018, while its seeming equivalent, PII, is used in the US. Notably, the US has no general or comprehensive data protection law, and what constitutes PII is often very sector specific. Hence there are different definitions of PII in health, education and child protection laws, as well as in financial services regulation and even the privacy laws of the respective States. There are 50 states in the US and at least 20 sector-specific laws, so the list of PII definitions goes on. The relevant question here, therefore, is whether the use of the two concepts in a single Regulation in Nigeria is meant to entrench a dual system of data protection which is a mixture of the US and EU systems.
Furthermore, while the NITDA Regulation copiously replicates the definition of PD under the GDPR, it is obvious that the drafters did not consider the extensive interpretation of the concept by data protection authorities and the courts in the EU. A reading of the guidance issued by the EU Article 29 Working Party (WP29) and some decisions of the Court of Justice of the European Union suggests, for example, that interpretation-wise, PII as defined in the NITDA Regulation is already covered by the definition of PD. From a conceptual perspective, therefore, the use and definition of PII under the Regulation is repetitive and a mere extract from the interpretation of PD. (See WP29, Working Paper (WP) 136, Opinion 4/2007 on the Concept of Personal Data of 20th June 2007; see also Case C-434/16 Peter Nowak v Data Protection Commissioner, Case C-582/14 Patrick Breyer v. Bundesrepublik Deutschland and Case C-101/01 Bodil Lindqvist.)
The final point here relates to enforcement and compliance problems which may arise as a result of this false dichotomy. If we assume that there are differences between PD and PII, then we must also assume that the relevant provisions of the Regulation apply to a certain concept only when that concept is expressly mentioned. Thus, because the sections that deal with the principles governing data processing and data subjects’ rights only mention personal data, we can argue that the principles do not apply to PII, which is in fact only mentioned in Part Four of the Regulation. In other words, there should be no obligation on data controllers to comply with the principles when they process PII under Part Four. Arguably, this result would be both absurd and undesirable, considering that the focus of the Regulation is to regulate the processing of data that identifies a person, and both PD and PII are so defined.
(b) A right to privacy or a right to data privacy
One of the objectives of the Regulation is to safeguard the right to data privacy. (see para 1.1(a)). However, as argued here, this objective is based on the erroneous assumption that we have a constitutionally guaranteed right to data privacy. While it is correct to say that section 37 of the Constitution creates a right to privacy, this is a general prohibition from interference rather than a specific right to data privacy. Thus, while individuals have a right to protection against interference with their dignity, honour and reputation as well as to protection from intrusion into their homes or interception of their correspondence by virtue of that right to (dignitary and spatial) privacy, this does not necessarily or automatically translate into a right to data privacy.
There is some evidence to support this argument. In Germany, the right to ‘informational self-determination’ (or right to data privacy), which was not enshrined in the Constitution, was recognized only after the country’s highest court recognized it in the 1983 landmark “census ruling”. Therefore, a separate and distinct right to data privacy would entail the Courts in Nigeria reading such a right into the provisions of section 37 and affirming that such a right is justiciable and can be enforced independently of the right to privacy. Secondly, while almost every country of the world recognizes the right to privacy enshrined in article 12 of the UDHR and in their respective constitutions, not all countries recognize a right to data privacy. In fact, only the Charter of Fundamental Rights of the European Union (CFR) presently recognizes such a right. (See arts. 7 and 8 CFR.)
The critical point here is that the assumption underlying an objective to safeguard ‘a right to data privacy’ in the Regulation is misguided if not unconstitutional. It is misguided because it shows lack of understanding of the conceptual differences between privacy and data protection. It is unconstitutional because it aims to safeguard a nonexistent right to data privacy. Therefore, unless we can argue, presumably ingeniously, that it is possible for the NITDA Regulation to create a right to data privacy, then the entire Regulation could be challenged for its unconstitutionality.
2. Scope of Regulation – Citizenship as basis for protection
Paragraph 1.2(b) of the NITDA Regulation provides that the basis of protection under the Regulation is Nigerian citizenship. This is an unusual approach to data protection and a departure from international best practices. Under the Council of Europe (CoE) Convention 108+ 2018, for example, it was recommended that each party to the Convention undertake to apply the Convention to data processing subject to its jurisdiction in the public and private sectors, ‘thereby securing every individual’s right to the protection of his or her personal data.’ (See art 3(1).) The GDPR also provides that the protection afforded by the Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. (See recital 14; see also arts. 2 & 3 GDPR.)
Protection based on citizenship must therefore be regarded as discriminatory, partial and against international best practices. This is particularly so in view of the globalized nature of data processing and the fact that the Regulation itself envisages international data transfers. (See para 2.11.) Arguably, it would seem duplicitous for Nigeria to demand protection of the personal data of its citizens transferred abroad when the law or Regulation in Nigeria only protects the data of Nigerian citizens.
3. Governing Principles of data processing
The NITDA Regulation provides for four clear principles of data protection. These are purpose specification, data accuracy, data security and storage limitation. (See para. 2.1(a)-(d).) There are two problems here. The first is that the principles are fewer in number than those in comparable laws or regulations, or even those recommended in guidance on best practices. A perusal of these laws and guidance shows that the Regulation omits at least five essential principles of data protection. These are data minimization, purpose limitation, data quality, accountability and data accuracy. In terms of the content of data protection principles, therefore, the Regulation did not cover the field. (See e.g. art. 14 CoE Convention 108+, recital 39 and art. 5 GDPR, and Chapter 3 South African Protection of Personal Information Act 2013.)
The second problem relates to the scope and quality of the principles which the Regulation did provide for. To illustrate, the principle that personal data shall be collected and processed in accordance with a specific, legitimate and lawful purpose (see para. 2.1(a)) suggests, quite correctly, that all purposes of processing must be ‘specific, legitimate and lawful’. At the same time, however, the provision suggests that consent is the only legitimate ground for processing personal data by further providing that such specific, lawful and legitimate purpose must be consented to by the data subject.
This argument is particularly strengthened when paragraph 2.1(a) is read together with paragraph 2.2 of the Regulation. Paragraph 2.2 provides that, ‘without prejudice to the principles set out in paragraph 2.1’, processing shall be lawful if at least one of the following grounds applies: the data subject gives consent, the processing is necessary for contractual purposes, the processing is required for compliance with a legal obligation, the processing is for the protection of the legal interest of the data subject, or the processing is in the public interest. (See sub-paragraphs (a) to (e).)
In effect, since paragraph 2.2 is without prejudice to the principles set out in paragraph 2.1(a), and that paragraph provides that all specified, lawful and legitimate processing must be consented to by the data subject, then it must be taken that all the lawful and legitimate grounds in sub-paragraphs (b)-(e) also require consent.
If this interpretation is correct, then the provision is not only ambiguous, it is also self-contradictory and inconsistent with globally recognized principles of data processing. It implies, quite incorrectly, that consent is a sine qua non for any form of processing, when in fact consent is only one of the legal bases for processing personal data under many laws. (See e.g. art. 5 GDPR; ss. 3, 9 and 11 South African Protection of Personal Information Act 2013; see also WP29, WP259 Guidelines on Consent under Regulation 2016/279, adopted 28 November 2017.)
The ‘data storage’ principle is another example. The Regulation provides in paragraph 2.1(c) that personal data shall be stored only for the period within which it is reasonably needed. The problem here is that the principle can be subjectively construed, in the sense that ‘reasonably needed’ could be the basis for setting an indefinite date for the deletion or destruction of personal data. Would it be unreasonable, for example, to collect and store personal data on the grounds that the data may be ‘reasonably needed’ at some future date, particularly in the age of big data analytics and the internet of things?
4. Rights of the data subject – an age blind approach
While there are again a number of issues that can be raised with respect to the provisions on data subjects’ rights, the most problematic seems to be the lack of exceptional protection for data subjects who are children. Paragraph 3.1 of the Regulation provides that ‘the Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child, the information shall be provided in writing, or by other means, including, where appropriate, by electronic means.’
The critical point to note is that the reference to children is merely fortuitous, as the Regulation fails to provide any real protection for children in terms of a requirement for parental consent and/or by setting age limits. As examples, in the US, the processing of personal data of children below 13 years without parental consent is prohibited, and this has been the law for more than two decades. (See Children’s Online Privacy Protection Act (COPPA) s 1301 title XIII.) Similarly, under the GDPR, providers of information society services are required to obtain parental consent before processing the personal data of children under 16 years of age. (See art 8 and recital 38 GDPR.) More importantly, the UN Convention on the Rights of the Child, which is the most ratified Convention in the world, provides that ‘No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.’ (See article 16.)
As the foregoing shows, it is not inconceivable that very young children could be deemed capable of giving consent under the NITDA Regulation, thus rendering the provision inadequate for the purpose for which it was ostensibly framed.
5. Administration and Enforcement
Key enforcement mechanisms in the Regulation can be summarized as follows:
(a) Appointment of Data Protection Officers (DPOs) by every Data Controller for the purpose of ensuring adherence to the Regulation.
(b) Licensing of Data Protection Compliance Officers (DPCOs) by the NITDA. DPCOs will monitor, audit, conduct training and provide data protection compliance consulting to all Data Controllers.
(c) The establishment of an Administrative Redress Panel which investigates allegations of breach of the Regulation. This is without prejudice to the right of the data subject to seek redress in court. (See generally para. 4.)
While the implementation mechanisms above are unique and novel in their own right, it is not clear how they conform to recommended best practices in the regulation of data processing. For example, the existence of an impartial and independent public supervisory authority, which may be a single Commissioner or a collegiate body, is regarded as an essential component of the data protection supervisory system in a democratic society. (See Explanatory Protocol to CoE Convention 108+ 2018 at p. 20.) While it appears that the NITDA has constituted itself into such a body, a perusal of the establishment, powers and functions of data protection authorities such as the Information Commissioner’s Office (ICO) in the UK, the Information Regulator in South Africa, the Data Protection Commission in Ghana, as well as the offices of the Privacy Commissioner in Canada and New Zealand, suggests that the NITDA cannot qualify as an independent data protection supervisory authority.
Not only does the NITDA lack the statutory mandate to act as a supervisory authority, but it also lacks the competence and expertise to function as such an authority. For example, it is licensed DPCOs, rather than the NITDA itself, that would directly oversee compliance with the Regulation. Since it is trite that data protection is a complex and specialized area of the law, this implies that DPCOs and DPOs must have specified levels of qualification and expertise. The question must therefore be whether a nascent data protection regime like Nigeria’s has the pool of professionals who can immediately act as DPCOs and DPOs. It is notable in this respect that the requirement to appoint DPOs was not part of EU law, which had existed for more than 20 years, until the recent GDPR, and even then only certain organisations are required to appoint DPOs. (See art 37 GDPR; see also WP29, WP243, Guidelines on Data Protection Officers, adopted on 13 December 2016.)
Apart from questions relating to the independence and competence of the supervisory body, there are also questions about the extent to which the NITDA Regulation incorporates new and evolving mechanisms for the administration and enforcement of data protection requirements. For example, laws are beginning to require that organizations implement Privacy by Design (PbD) and conduct privacy impact assessments (PIA), as well as comply with mandatory data breach reporting. To prevent possible large-scale data breaches, mandatory reporting systems ensure that incidents of breaches of personal data are reported timeously, usually within a period of 72 hours. Mandatory data breach reporting was recently introduced by the GDPR, and all 50 states of the US now have data breach reporting laws. Similarly, PbD and PIA are relatively new requirements aimed at ensuring that technical and organizational systems implement data protection principles from the onset of a processing activity or the design or development of a product. The Regulation makes no provision for any of these mechanisms.
There are at least four fundamental aspects of an effective data protection regime: its central concept of personal data, the principles regulating data processing, the rights of the data subject and the enforcement mechanisms for the relevant law or regulation. The analysis in this commentary suggests that the NITDA Regulation falls short of international standards and best practices in all four areas. As the analysis shows, the problem with the Regulation is due in part to a misapprehension of the concept of data protection and its core principles, and in part to the inelegant style of the draftsman.
As also demonstrated throughout the article, there is no need to re-invent the wheel, as there is already a significant body of law in the area of data protection. This is not to say there is no room for improvement or that Nigeria cannot introduce novel provisions that address its peculiar circumstances. However, in such cases, there should be clear justifications, which can be contained in explanatory memoranda or guidance notes. It is notable, for example, that in spite of the fact that the EU has operated a data protection regime for more than two decades, the European Data Protection Board and its predecessor, the Article 29 Working Party, have already issued about 30 Opinions on different provisions of the GDPR. This is perhaps in recognition of the fact that data protection is a relatively new and complex area of law.
Name: Adekemi Omotubora
Institution: University of Lagos
Position: Lecturer, Department of Commercial and Industrial Law
- PhD (Information Technology Law), University of Leeds, UK
- LLM (Cyberlaw), University of Leeds, UK
- LLM, Obafemi Awolowo University, Ile-ife
- LLB, Obafemi Awolowo University, Ile-ife
Research interests: data protection, emerging technologies; artificial intelligence, fintech, gendertech and legaltech