On 6 October 2022, the NDPB released the Data Protection Bill 2022 (“the Bill”). The Bill appears to be a beacon of hope for a final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 2022. We have highlighted the key issues and summarised the major provisions of the Bill below.
Since the issuance of the Nigeria Data Protection Regulation in 2019 (NDPR), stakeholders have clamoured for a more robust data protection instrument to adequately provide for the collection and processing of personal data in Nigeria. There have been several unsuccessful attempts to pass a Data Protection Bill into law but the Data Protection Bill 2022 (“the Bill”) appears to be a beacon of hope for a final legislation on the subject.
The Bill proposes some reforms to the current legislation, the Nigeria Data Protection Regulation 2019, (“NDPR”), as well as some novel additions to the legal framework for data protection such as the establishment of the Nigeria Data Protection Commission (“the Commission”) and the recognition of legitimate purpose as a legal basis for processing data, among others.
The Bill seeks to establish a more effective and efficient regulatory regime to protect and safeguard the data rights, fundamental rights and freedoms of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria.
This Bill applies only where:
The Commission is empowered to create further exemptions by Regulation.
The Bill establishes an “independent” body, the Commission,[2] which is to be a body corporate with perpetual succession and a common seal. The independence of the Commission is, however, questionable, since the Commission relies on the executive arm of government.
Indeed, an examination of the governing council reveals the President as the appointing authority,[3] while the Minister of Communications and Digital Economy (“the Minister”) is vested with the power to approve certain matters.
The Bill gives an extensive list of functions to be undertaken by the Commission and while some are necessary, others are superfluous and raise questions as to their practicability and utility.
These include:
The Bill lays down the composition of the governing council of the Commission as well as the criteria for membership[4] as follows:
It is further provided that all the members of the Council shall be citizens of Nigeria and shall be appointed by the President.[5] Although the members of the Council are appointed on a part-time basis, the National Commissioner is appointed to serve full-time.
The National Commissioner shall have 10 years’ cognate experience and proficiency in law, data protection, cybersecurity management, information and communication technology, consumer protection, management science or other relevant disciplines at a senior management level.
A representative from the private sector shall possess not less than 5 (five) years’ cognate experience in data protection and privacy, while the other members of the Council are simply required to have proficiency in data protection and privacy.[6]
The Commission is empowered to establish and maintain a Fund. A take-off grant of N5,000,000,000 (five billion Naira) shall be paid to the Fund, the breakdown of which has been provided for in the Bill. All expenses of the Commission shall be chargeable to the Fund.
All monies accruing to the Commission, including donations, gifts, loans, grants, aids, endowments and voluntary contributions, or otherwise payable to the Commission, shall be paid into the Fund.[7]
The Commission may make investments, borrow, accept gifts, grants of money, aids or other property upon such terms and conditions, as are not inconsistent with the objectives and functions of the Commission under this Act.[8] The following expenses, among others, will be chargeable to the Fund:
(a) all expenses incurred by the Commission as approved by the Council or in pursuance of any expenditure policy approved by the Council;
(b) the repayment of funds borrowed by the Commission, including interest on such borrowed funds;
(c) allowances and remuneration payable to members of the Council;
(d) remunerations and other allowances, retiring benefits such as pensions and gratuities, and any other remunerations payable to the staff of the Commission; and
(e) the cost of administration of the Commission.
This part focuses on the Commission’s responsibility to keep proper accounts, to prepare and submit an annual report at the end of each financial year, and to present to the National Assembly, in each financial year, a statement of estimated income and expenditure for the next financial year.
The essential principles governing the processing of personal data were stated in the Bill as (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; (7) accountability.[9]
The Bill also introduces legitimate interest as a lawful basis for processing (processing necessary for the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed). This is a welcome development: legitimate interest is provided under the European Union (EU) General Data Protection Regulation (GDPR) as a lawful basis for processing but was omitted by the draftsmen of the NDPR, even though the NDPR is presumed to have borrowed heavily from the GDPR.[10]
A few safeguards were also introduced to limit the applicability of this lawful basis. The Bill highlights certain information that must be shared with data subjects before processing,[11] and makes provision for the need for a data protection impact assessment (“DPIA”). As an improvement on the former regime, the Bill defines a DPIA and empowers the Commission to issue guidelines and directives on DPIAs, including the categories of processing subject to the requirement for a DPIA.
It improves on the rules on the processing of sensitive personal data, which lacked detailed provisions in the NDPR, as well as the personal data of children.[12] A child is properly defined in the Bill, in accordance with the provisions of the Child’s Rights Act.[13]
Provisions for the power of the Commission to licence a body to carry out data protection compliance services were also set out.[14] Whilst it is not clear whether this role will be carried out by the data protection compliance organisations (DPCOs) under the extant regulations,[15] it is evident that the intent of the Bill is to vest in the “body” the power to impose sanctions on data controllers and processors. It will be problematic to effect this under the current regime for DPCOs in Nigeria.
Part 7 of the Bill provides for additional rights of the data subjects (additional when compared to the rights contained in the NDPR). Some of the rights include:
While the Bill provides a more comprehensive approach to the rights of data subjects, it does not, however, provide a timeline for responding to rights requests.
Data processors and controllers are to take optimal technical and organisational measures to ensure the security, integrity and confidentiality of personal data and to protect it against risks such as, but not limited to, accidental or unauthorised access, destruction, loss, use, modification or disclosure.[16]
The Bill further provides certain measures that may be implemented to ensure data security. They include: pseudonymization or other methods of de-identification of personal data; encryption; processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services; regular testing, assessing and evaluation of the effectiveness of the measures implemented against current and evolving risks identified.[17]
A detailed data breach management procedure was also laid down. The data controller is to notify the Commission of personal data breaches likely to result in a risk to the rights and freedoms of individuals within seventy-two hours after having become aware of it, describing the nature of the personal data breach, including, where possible, the categories and approximate numbers of data subjects and personal data records concerned.[18]
This period may be extended to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Commission the grounds for such extension, including supporting evidence. The data controller and data processor are also mandated to keep records of all personal data breaches.[19]
The scope of the conditions governing the transfer of personal data was expanded. As under the NDPR, data can only be transferred outside Nigeria where the Attorney General considers the protection offered by the receiving country adequate. However, the Bill broadens this and provides that:
Protection shall be deemed adequate where it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in the Bill, including in relation to the onward transfer of personal data to other countries.[21]
Furthermore, it sets down the factors for assessing adequate protection and, in doing so, retains substantially the same standards as the NDPR.[22] As an additional factor, where there is a legally binding instrument between the Commission and a relevant public commission in the recipient country addressing the elements of adequate protection, and that instrument upholds conditions for the processing of personal data substantially similar to those provided for in the Bill, the Commission may deem the protection adequate.[23] The Commission may also rely on determinations of adequate protection made in other jurisdictions that apply factors like those listed in the Bill.[24]
The Commission may create a list of countries, regions, specific sectors within a country, or standard contractual clauses that do not provide adequate protection for the international transfer of data.[25] This creates a blacklist analogous to the whitelist under the NDPR.
A new classification of data controllers and processors, called “data controllers and data processors of major importance”, was introduced.[26] A data controller or processor of major importance is defined as one that is domiciled, ordinarily resident, or ordinarily operating in Nigeria and processes or intends to process the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.[27]
This new class is mandated to register with the Commission within six months after attaining such status. As far as this provision goes, it falls to the Commission to prescribe the quantum of data control or processing that constitutes control or processing of major importance. The Commission may also exempt a class of data controllers and processors from registration.
The Bill contains more robust provisions for enforcement of the rights of a data subject than the NDPR which simply provides for an administrative redress panel.
Where a data subject is aggrieved by the decision, action or inaction of a data controller or processor in violation of the Bill or any subsidiary legislation or orders, they may lodge a complaint with the Commission for investigation.[28] The Commission may also initiate investigations where it has reasons to believe that a data controller or processor has violated or is likely to violate the Act or any subsidiary legislation.[29]
A data subject who suffers injury, loss, or harm because of a violation of the Bill by a data controller or a data processor, or a recognized consumer organization acting on behalf of such a data subject may recover damages through civil proceedings.[30]
The Bill introduces a notice of action and a statute of limitation in respect of actions to be instituted against the Commission or any officer or employee of the Commission.[31] The provisions of the “old” Public Officers Protection Act are also said to be applicable to such suits. The Commission is also empowered to apply ex parte to a Judge in Chambers for the issuance of a warrant for the purpose of obtaining evidence in relation to an investigation.[32]
The Commission is empowered to make (wide) regulations for the purpose of carrying out its objectives under the Act.[33] The Commission may also make regulations, rules or orders to give full effect to the provisions of the Act.[34] The combination of these sections vests wide powers in the Commission.
Schedule 1 of the Bill contains supplementary provisions relating to proceedings of the Council.
Subject to the provisions of the Bill, the Council may make standing orders regulating the proceedings of the Council and set up any Committee. The Commission shall also have a seal; the affixing of the seal shall be done by its Secretary and authenticated by the signature of the National Commissioner or such other member authorised, generally or specifically, by the Commission to act for that purpose.
The Bill indeed introduces interesting provisions which will advance the data protection space in Nigeria. However, certain changes and clarifications need to be made to ensure that the Bill, when passed, does not pose more problems than it seeks to solve.
[1] Paragraph 2.1(iv)
[2] Section 4
[3] Section 9(2)
[4] Section 9(1)
[5] Section 9(2)
[6] Section 9(4)
[7] Section 18
[8] Section 20(2)
[9] Section 25
[10] Section 26
[11] Section 28
[12] Section 33
[13] Section 67
[14] Section 35
[15] The current role of DPCOs primarily involves audits, advisory and remediation.
[16] Section 41(1)
[17] Section 41(2)
[18] Section 42
[19] Section 42(5)
[20] Section 43
[21] Section 44
[22] Section 44(2)
[23] Section 44(2)(b)
[24] Section 44(7)
[25] Section 44(4)
[26] Section 46
[27] Section 67
[28] Section 48(1)
[29] Section 48(3)
[30] Section 53
[31] Section 56: 1 month’s notice of action and a 3-month limitation period.
[32] Section 60
[33] Section 62
[34] Section 63
---
Read the original publication at AELEX.