On 6 October 2022, the Nigeria Data Protection Bureau (NDPB) released the Data Protection Bill 2022 (“the Bill”). The Bill appears to be a beacon of hope for final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 2022.
INTRODUCTION
Since the issuance of the Nigeria Data Protection Regulation in 2019 (NDPR), stakeholders have clamoured for a more robust data protection instrument to adequately provide for the collection and processing of personal data in Nigeria. There have been several unsuccessful attempts to pass a Data Protection Bill into law but the Data Protection Bill 2022 (“the Bill”) appears to be a beacon of hope for a final legislation on the subject.
The Bill proposes some reforms to the current instrument, the Nigeria Data Protection Regulation 2019 (“NDPR”), as well as some novel additions to the legal framework for data protection, such as the establishment of the Nigeria Data Protection Commission (“the Commission”) and the recognition of legitimate interest as a lawful basis for processing personal data, among others.
We have highlighted the key issues and summarised the major provisions of the Bill below.
PART I: OBJECTIVES AND APPLICATION
The Bill seeks to establish a more effective and efficient regulatory regime to protect and safeguard the data rights, fundamental rights and freedoms of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria.
This Bill applies only where:
- the data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Nigeria;
- the processing of personal data occurs within Nigeria; or
- the processing of personal data of a resident of Nigeria, where the data controller or data processor was actively marketing to, targeting, or monitoring such residents within Nigeria.
It is important to note that the Bill does not apply to the processing of personal data done by a data subject solely during a personal, recreational, or household activity. While the personal or household activity exemption reproduces the exceptions under the DPIF[1], the meaning and scope of “recreational activity” as contemplated under the Bill remain uncertain. The Bill also exempts activities carried out by competent authorities simpliciter, and for the purpose of:
- investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
- prevention or control of a national public health emergency;
- national security; and
- publication in the public interest for journalism, educational, artistic and literary purposes, to the extent that the obligations and rights under the Bill would be incompatible with such purposes.
The Commission is empowered to create further exemptions by Regulation.
PART II: ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSION, FUNCTIONS AND POWERS
The Bill establishes an “independent” body, the Commission,[2] which is to be a body corporate with perpetual succession and a common seal. The independence of the Commission however raises some questions, as reliance is placed on the executive arm of government.
Indeed, an examination of the governing council reveals the President as the appointing authority,[3] while the Minister of Communications and Digital Economy (“the Minister”) is vested with the power to approve certain matters.
The Bill gives an extensive list of functions to be undertaken by the Commission and while some are necessary, others are superfluous and raise questions as to their practicability and utility.
These include:
- registration of data controllers and data processors: the utility of this requirement is doubted by many;
- designate countries, regions, sectors or binding corporate rules, contractual clauses, codes of conduct or certification mechanisms as affording or not affording adequate personal data protection standards for cross-border transfers (this will be discussed in detail later); and
- prescribe the manner and frequency of filing, and content, of compliance returns by data controllers and data processors of major importance to the Commission.
PART III: ESTABLISHMENT OF A GOVERNING COUNCIL AND ITS ADMINISTRATION
The Bill lays down the composition of the governing council of the Commission as well as the criteria for membership[4] as follows:
- The Chairman who shall be a retired judge of a superior court of record;
- The National Commissioner;
- One representative from the Federal Ministry of Justice (not below the rank of a director or its equivalent);
- One representative from the Ministry of Communications (not below the rank of a director or its equivalent);
- One representative from Central Bank of Nigeria (not below the rank of a director or its equivalent);
- One representative from a law enforcement agency (not below the rank of a director or its equivalent); and
- One representative from the private sector.
It is further provided that all the members of the Council shall be citizens of Nigeria and shall be appointed by the President[5]. Although the members of the Council are appointed as part-time members, the National Commissioner is appointed to serve full-time.
The National Commissioner shall have 10 years’ cognate experience and proficiency in law, data protection, cybersecurity management, information and communication technology, consumer protection, management science or other relevant disciplines at a senior management level, while the representative from the private sector shall possess not less than 5 (five) years’ cognate experience in data protection and privacy. Other members of the Council are simply required to have proficiency in data protection and privacy.[6]
PART IV: FINANCIAL PROVISIONS
The Commission is empowered to establish and maintain a Fund. A take-off grant of N5,000,000,000 (five billion Naira) shall be paid to the Fund, the breakdown of which has been provided for in the Bill. All expenses of the Commission shall be chargeable to the Fund.
Donations, gifts, loans, grants, all monies that shall accrue to the Commission, aids, and endowments, voluntary contributions or otherwise payable to the Commission shall be paid to the fund.[7]
The Commission may make investments, borrow, accept gifts, grants of money, aids or other property upon such terms and conditions as are not inconsistent with the objectives and functions of the Commission under the Act.[8] The following expenses, among others, will be chargeable to the Fund:
- all expenses incurred by the Commission as approved by the Council or in pursuance of any expenditure policy approved by the Council;
- the repayment of funds borrowed by the Commission, including interest on such borrowed funds;
- allowances and remuneration payable to members of the Council;
- remuneration and other allowances, retiring benefits such as pensions and gratuities, and any other remuneration payable to the staff of the Commission; and
- the cost of administration of the Commission.
PART V: ANNUAL ACCOUNTS
This part focuses on the Commission’s responsibility to keep proper accounts, to prepare and submit an annual report at the end of each financial year, and to present to the National Assembly, in each financial year, a statement of estimated income and expenditure for the next financial year.
PART VI: PRINCIPLES AND LAWFUL BASIS GOVERNING PROCESSING OF PERSONAL DATA
The essential principles governing the processing of personal data were stated in the Bill as (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; (7) accountability.[9]
The Bill also introduced a new lawful basis for processing: processing necessary for the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. This is a welcome development, as legitimate interest is provided under the European Union (EU) General Data Protection Regulation (GDPR) as a lawful basis for processing but was omitted by the draftsmen of the NDPR, even though the NDPR is presumed to have borrowed heavily from the GDPR.[10]
A few safeguards were also introduced to limit the applicability of the lawful basis. The Bill highlights certain information that must be shared with data subjects before processing,[11] and makes provision for the need for a data protection impact assessment (“DPIA”). The Bill, as an improvement on the former regime, defined a DPIA and also empowered the Commission to issue guidelines and directives on DPIA, including the categories of processing subject to the requirement for a DPIA.
It improves on the rules on processing of sensitive personal data, which lacked detailed provisions in the NDPR, as well as personal data of children.[12] A child is properly defined in the Bill, in accordance with the provisions of the Child’s Rights Act.[13]
Provisions for the power of the Commission to licence a body to carry out data protection compliance services were also set out.[14] Whilst it is not clear whether this role will be carried out by the data protection compliance organisations (DPCOs) under the extant regulations,[15] it is evident that the intent of the Bill is to vest in the “body”, the power to impose sanctions on data controllers and processors. It will be problematic to effect this under the current regime for DPCOs in Nigeria.
PART VII: RIGHTS OF A DATA SUBJECT
Part 7 of the Bill provides for additional rights of the data subjects (additional when compared to the rights contained in the NDPR). Some of the rights include:
- A data subject has the right to obtain from a data controller, without constraint or unreasonable delay:
  - confirmation as to whether or not the data controller, or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject;
  - a copy of such personal data in a commonly used electronic format, except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs;
  - correction, or if correction is not feasible or suitable, deletion of any such personal data that is inaccurate, out of date, incomplete or misleading;
  - the erasure of personal data concerning the data subject without undue delay, along with an obligation on the data controller to erase personal data without undue delay where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data controller has no other lawful basis to retain the personal data; and
  - restriction of data processing pending resolution of a request or objection of the data subject under the Bill.
- Right to withdraw consent to the processing of personal data at any time.
- Right to object on grounds relating to his particular situation, to the processing of personal data.
- A data subject has the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal or similar significant effects concerning him subject to some exceptions.
While the Bill provides a more comprehensive approach to the rights of data subjects, it does not provide a timeline within which a data controller must respond to a rights request.
PART VIII: DATA SECURITY
Data controllers and processors are to take optimal technical and organisational measures to ensure the security, integrity and confidentiality of personal data, and to protect it against risks such as, but not limited to, accidental or unauthorised access, destruction, loss, use, modification or disclosure.[16]
The Bill further lists certain measures that may be implemented to ensure data security. They include: pseudonymisation or other methods of de-identification of personal data; encryption; processes to ensure the security, integrity, confidentiality, availability and resilience of processing systems and services; and regular testing, assessment and evaluation of the effectiveness of the measures implemented against current and evolving risks identified.[17]
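Pseudonymisation is listed above as a security measure but the Bill does not say how to do it, and the obvious approach (a bare hash of the identifier) is not a pseudonym at all when the identifier has low entropy: an 11-digit Nigerian mobile number has only 10^7 possibilities behind a known 4-digit prefix, so a table of plain SHA-256 digests is trivially reversed by enumeration. The following Python block is an added example written for this page, not code from the Bill, the NDPB or the original AELEX publication. It pseudonymises the direct identifiers of a record with a keyed HMAC-SHA256 so that records stay joinable across a dataset while re-identification requires a secret key held apart from the data, and it shows the enumeration attack succeeding against an unkeyed hash and failing against the keyed token. The field list, the sample records and the key are constructed assumptions for the example.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the Bill)."""
import hashlib
import hmac
import itertools

# Assumption for this example: these fields are treated as direct identifiers.
# The Bill does not enumerate identifier fields; a real deployment decides this
# in its DPIA / data inventory.
DIRECT_IDENTIFIERS = ("full_name", "phone", "email")

# Constructed sample records with fictitious people. Note the first and third
# records describe the same person: a pseudonym must still let us link them.
SAMPLE_RECORDS = [
    {"full_name": "Ada Okafor", "phone": "08031234567",
     "email": "ada@example.com", "purchase": "router"},
    {"full_name": "Emeka Bello", "phone": "07019876543",
     "email": "emeka@example.com", "purchase": "laptop"},
    {"full_name": "Ada Okafor", "phone": " 08031234567 ",
     "email": "ADA@example.com", "purchase": "cable"},
]

# Example key only. In practice: generated with secrets.token_bytes(32), kept in
# a KMS/HSM or a separate secrets store, never written next to the dataset.
EXAMPLE_KEY = bytes.fromhex("8f3c2a9d6e1b4c7f0a5d8e2b9c6f1a3d4e7b0c2f5a8d1e4b7c0f3a6d9e2b5c8f")


def _normalise(value: str) -> str:
    # Trim and lower-case so "ADA@example.com" and "ada@example.com" map to one token.
    return value.strip().lower()


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a stable keyed token for one identifier value.

    HMAC-SHA256 over (field, value). The same value under the same key always
    yields the same token (records stay joinable); without the key an attacker
    cannot compute tokens for guessed values, which is what defeats enumeration.
    The field name is mixed in so the same string in two different fields does
    not produce the same token (no cross-field linkage).
    """
    msg = field.encode("utf-8") + b"\x00" + _normalise(value).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: dict, fields=DIRECT_IDENTIFIERS) -> dict:
    """Copy a record, replacing every direct identifier with its keyed token."""
    out = dict(record)
    for field in fields:
        if field in out and out[field] is not None:
            out[field] = pseudonymise_value(key, field, str(out[field]))
    return out


def pseudonymise_dataset(key: bytes, records) -> list:
    return [pseudonymise_record(key, r) for r in records]


def unkeyed_hash(value: str) -> str:
    """The naive 'pseudonym': a bare SHA-256 of the identifier. Shown here as the weak form."""
    return hashlib.sha256(_normalise(value).encode("utf-8")).hexdigest()


def enumerate_phone(target: str, known_prefix: str, unknown_digits: int, hasher=unkeyed_hash):
    """Enumeration attack: try every number with the known prefix and return the
    one whose hash equals `target`, or None. Against unkeyed hashes of phone
    numbers this is a small search; the full 7-digit tail behind a network
    prefix is 10^7 hashes, seconds on a laptop."""
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        if hasher(candidate) == target:
            return candidate
    return None


def keyed_tokens_link_same_person(key: bytes = EXAMPLE_KEY) -> bool:
    """Records 0 and 2 are the same person written differently; tokens must match."""
    ds = pseudonymise_dataset(key, SAMPLE_RECORDS)
    return ds[0]["phone"] == ds[2]["phone"] and ds[0]["email"] == ds[2]["email"]


if __name__ == "__main__":
    for rec in pseudonymise_dataset(EXAMPLE_KEY, SAMPLE_RECORDS):
        print(rec)
    # Attacker knows the 7-digit prefix and enumerates the remaining 4 digits.
    weak = unkeyed_hash("08031234567")
    print("unkeyed hash recovered:", enumerate_phone(weak, "0803123", 4))
    strong = pseudonymise_value(EXAMPLE_KEY, "phone", "08031234567")
    print("keyed token recovered:", enumerate_phone(strong, "0803123", 4))
```

Two design points matter for the Bill's "integrity and confidentiality" wording. First, the token is only a pseudonym while the key stays out of the dataset's trust boundary; the same HMAC with a key stored beside the data is just a slower hash. Second, pseudonymised data is still personal data for anyone who holds the key, so the controller's other obligations (lawful basis, breach notification) continue to apply to the keyed dataset.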
A detailed data breach management procedure was also laid down. The data controller is to notify the Commission of personal data breaches likely to result in a risk to the rights and freedoms of individuals within seventy-two hours after having become aware of it, describing the nature of the personal data breach, including, where possible, the categories and approximate numbers of data subjects and personal data records concerned.[18]
This period may be extended to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Commission the grounds for such extension, including supporting evidence. The data controller and data processor are also mandated to keep records of all personal data breaches.[19]
PART IX: CROSS–BORDER TRANSFERS OF PERSONAL DATA
The scope of the conditions governing the transfer of personal data was expanded. Under the NDPR, data can only be transferred outside Nigeria where the Attorney General considers the protections offered by the receiving country adequate. The Bill broadens this and provides that:
- personal data shall not be transferred from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms that afford an adequate level of protection with respect to the personal data in accordance with the Bill; or
- one of the conditions laid down in the Bill applies to the transfer.[20]
Protection shall be deemed adequate where it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in the Bill, including in relation to the onward transfer of personal data to other countries.[21]
Furthermore, it sets down the factors for assessing adequate protection and, in doing so, retains substantially the same standards as the NDPR.[22] As an addition to these factors, where there is a legally binding instrument between the Commission and a relevant public authority in the recipient country addressing the elements of adequate protection, and that instrument upholds substantially similar conditions for processing of personal data as those provided for in the Bill, the Commission may deem protection adequate.[23] The Commission may also rely on adequacy decisions made in other jurisdictions which incorporate factors like those listed in the Bill.[24]
The Commission may create a list of countries, regions, specific sectors within a country, or standard contractual clauses as not providing adequate protection for the international transfer of data[25]. This creates a blacklist similar to the whitelist under the NDPR.
PART X: REGISTRATION AND FEES
A new classification of data controllers and processors, called “data controllers and data processors of major importance”, was introduced.[26] A data controller or processor of major importance is defined as one that is domiciled, ordinarily resident, or ordinarily operating in Nigeria and processes or intends to process personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.[27]
This new class is mandated to register with the Commission within six months after attaining such status. As the provision stands, it falls to the Commission to prescribe the volume of processing that makes a controller or processor one of major importance. The Commission may also exempt a class of data controllers and processors from registration.
PART XI: ENFORCEMENT
The Bill contains more robust provisions for enforcement of the rights of a data subject than the NDPR which simply provides for an administrative redress panel.
Where a data subject is aggrieved by the decision, action or inaction of a data controller or processor in violation of the Bill or any subsidiary legislation or orders, they may lodge a complaint with the Commission for investigation.[28] The Commission may also initiate investigations where it has reasons to believe that a data controller or processor has violated or is likely to violate the Act or any subsidiary legislation.[29]
A data subject who suffers injury, loss, or harm because of a violation of the Bill by a data controller or a data processor, or a recognized consumer organization acting on behalf of such a data subject may recover damages through civil proceedings.[30]
PART XII: LEGAL PROCEEDINGS
The Bill introduces a notice of action and a statute of limitation in respect of actions to be instituted against the Commission or any officer or employee of the Commission.[31] The provisions of the “old” Public Officers Protection Act are also said to be applicable to such suits. The Commission is also empowered to apply ex parte to a Judge in Chambers for the issuance of a warrant for the purpose of obtaining evidence in relation to an investigation.[32]
PART XIII: MISCELLANEOUS
The Commission is empowered to make regulations for the purpose of carrying out its objectives under the Act,[33] and may also make regulations, rules or orders to give full effect to the provisions of the Act.[34] The combination of these sections vests wide powers in the Commission.
SCHEDULE
Schedule 1 of the Bill contains supplementary provisions relating to proceedings of the Council.
Subject to the provisions of the Bill, the Council may make standing orders regulating its proceedings and may set up any committee. The Commission shall also have a seal; affixing of the seal shall be done by its Secretary and authenticated by the signature of the National Commissioner or such other member authorised generally or specifically by the Commission to act for that purpose.
CONCLUSION
The Bill indeed introduces interesting provisions which will advance the data protection space in Nigeria. However, certain changes and clarifications need to be made to ensure that the Bill, when passed, does not pose more problems than it seeks to solve.
[1] Paragraph 2.1(iv)
[2] Section 4
[3] Section 9(2)
[4] Section 9(1)
[5] Section 9(2)
[6] Section 9(4)
[7] Section 18
[8] Section 20(2)
[9] Section 25
[10] Section 26
[11] Section 28
[12] Section 33
[13] Section 67
[14] Section 35
[15] The current role of DPCOs primarily involves audits, advisory and remediation.
[16] Section 41(1)
[17] Section 41(2)
[18] Section 42
[19] Section 42(5)
[20] Section 43
[21] Section 44
[22] Section 44(2)
[23] Section 44(2)(b)
[24] Section 44(7)
[25] Section 44(4)
[26] Section 46
[27] Section 67
[28] Section 48(1)
[29] Section 48(3)
[30] Section 53
[31] 1 month notice of action and 3 months statutory limitation. Section 56.
[32] Section 60
[33] Section 62
[34] Section 63
---
Read the original publication at AELEX.