With the increased penetration of digitization, financial technology and interconnectivity, the volume of data mined through corporate communication channels has grown exponentially and along with this, an increased risk of exposure to consumer dissatisfaction and potential liability for breach of data privacy rights for companies. Recent global trends indicate significant consumer activism and advocacy for strict sanctions for companies who fail to adopt stiff data protection controls for personal information shared via digital platforms and websites.
This advocacy has triggered aggressive legislative action with governments taking steps to hold persons who control, transfer, store and use data to a higher standard of accountability and provide for liability in the event of breach; governments no longer pay lip service to data privacy and Nigeria is not excluded.
The Nigerian Information Technology Development Agency (NITDA) the regulatory authority responsible for matters relating to technology recently issued the Nigerian Data Protection Regulations 2019 (NDPR) and has created a legal framework which imposes additional responsibility and outlines sanctions for failure to comply with specific protocols when handling data. By implication, Nigerian corporates or third parties dealing with them are to be concerned to ensure that proper data processing methods are introduced to prevent undue exposure and potentially, financial loss arising from breach of data privacy rights in the course of their business.
The following paragraphs review the impact and key features of the new legislation as well as the potential liability or risks corporates (or their officers) operating in Nigeria are exposed to under this regime.
Legal Framework for data Protection in Nigeria
Before the NDPR was issued, the general rhetoric was that there was no framework for data protection in Nigeria, but this is not wholly correct as there are extant provisions which protect certain information from unauthorised use. The question however, was whether these were adequate, given the complexities arising with the use, retention, processing and control of data. Also, the question of sanction was largely remote as there was little definition to the processing protocol to which companies were subjected. The general provisions of these laws include:
The constitution: Section 37 of the constitution provides for the protection and guarantees the “privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications “. The ambits of this provision are wide enough to accommodate any claim for breach or violation to personal rights to data. However, an assertion in this regard would be conditional on a subjective assessment of unauthorised interference, breach or misuse. The more complex issues around retention, storage, processing and control of personal information and other online content are not addressed holistically in a specific legislation.
• NCC Consumer Code of Practice: this law requires telecommunications operators to take reasonable steps to protect customer information from disclosure (including accidental disclosure). It also restricts the unauthorised transfer of personal information.
• The Child’s Rights Act: reasserts the right to privacy as it relates to children.
Freedom of Information Act (2011): prohibits public institutions from disclosing personal information unless the individuals whose personal identifiable information is to be published consent to it.
• The Consumer Protection Framework issued by the Central Bank of Nigeria in 2016 also restrains financial institutions from disclosing personal information of customers.
The Official Secrets Act: Section 3 provides that persons who reproduce, retain, transfer or classified information are guilty of an offence.
The introduction of the NDPR (pursuant to the Nigerian Information Technology Development Agency Act (2007) enables clarity on the specific protocol for handling personal data and clarity on what amounts to breach in a manner akin to the provisions of Europe’s General Data Protection Regulations (GDPR). For clarity of analysis, key provisions of the NDPR are outlined below:
Scope of application of the NDPR
The NDPR applies to all transactions involving the processing of personal data and to possession of personal data, notwithstanding the means by which the data processing is conducted or intended to be conducted in respect of natural persons in Nigeria. By implication, commercial contracts, information displayed or transmitted on a company’s websites are subject to the provisions of the NDPR. The NDPR is also applicable to Nigerians who are resident outside Nigeria. It is yet to be seen how this would play out due to territorial limitations that may apply when the NITDA seeks to enforce the provisions of the NDPR arising in this regard.
1. Compliance provisions arising under the NDPR
• Authorised Processing of personal identifiable information subject to the following parameters:
Personal data is to be collected and processed in accordance with a specific, legitimate and lawful purpose and the Consent (any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her) of the Data Subject (an identifiable person by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;) excepting such instances where further processing is required in the interest of the public or in connection with historical research or collation of information for statistical purposes. Lawful purpose is defined to include circumstances where processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; where processing is necessary for compliance with a legal obligation to which the Controller is subject, where the processing is necessary to protect vital interests of the Data Subject or another natural person; where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller;
• Consent is to be processed without undue influence, fraud or coercion.
The Data Controller (a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed) must be able to show that the Data Subject had legal capacity to give consent.
• Data processing by a third party is to be governed by a written contract between the party and a Data Controller.
• The Data Controller must develop mechanisms to provide sufficient protection of the personal data.
2. Duty of Care to provide a process for objection by Data Subjects:
• A Data Subject has a right to object to the processing of personal data. As such, a Data Controller has a duty of care to Data Subjects and is accountable for acts and omissions in respect of the data processing.
• A Data Subject also has the right to withdraw Consent and data cannot be processed subsequent to such withdrawal. Additionally, a Data Subject has a right to request the erasure of personal data.
3. Duty to conduct due diligence and ensure security:
• Consent may not be issued for the purpose of child’s right violation to ensure prevention of liability in this regard.
• Liability for actions or inactions of third-party contractors inures in the event of breach.
• The Data Controller is to ensure that measures which ensure security of the data are applied.
4. Transfer of personal data to a foreign country
Transfer of information to a foreign country or an international organisation is subject to the provisions of the NDPR under supervision of the Attorney General of the Federation (AGF) who is to review and make a judgment as to the adequacy of the safeguards for personal data in the subject jurisdiction. It is mindful to note that the Attorney General’s and/or the NITDA’s prior review would not be required in respect of any personal data which is to be transmitted in connection with a Lawful Purpose excepting such instances where the Attorney General has earmarked such jurisdiction as not having sufficient or reciprocal data protection measures. By implication, in many cases, the Attorney General’s permission would not be required.
5. Timeline for publication of data protection policies: The NDPR provides that not later than March 2019, public and private organisations that control personal data must publish and make their data protection policies to the public. This would include parastatals and private organisations and there are no exclusions provided in this regard.
6. Appointment of a Data Protection Officer: A Data Protection Officer is to be appointed by the company for the purpose of ensuring adherence to the NDPR. Data Controllers are also obligated to ensure training of their officers.
7. Periodic self-audit: By June 2019, all organisations are to conduct an audit of their privacy and data protection practices and where such organisation processes personal data of more than 1000 (one thousand) individuals in 6 (six) months, a soft copy of the summary of the audit is to be submitted to NITDA.
8. Annual Returns to the NITDA: Annually, persons who process data of at least 2000(two thousand) subjects within a period of 12 (twelve) months are to submit (not later than the 15th of March of the following year) a summary of the audit conducted for this period.
It is useful to state that the NDPR mandates immediate compliance. These timelines stipulated appear impracticable and the regulator must be mindful to review the potential impact of non-compliance and where feasible, provide for extension of the period to enable proper compliance. Also, the requirement to notify and obtain permission from the Attorney General is another potential limitation that may inhibit easy flow and transmission of information as such it is necessary for the NITDA to review its objective in this regard and provide a more commercially savvy requirement which facilitates compliance.
Increased exposure and attribution of personal and corporate liability for breach
The NDPR provides that companies may only store, use, transfer or process information subject to the minimum standards stipulated above. Verbose privacy policies which are difficult to access or understand will not meet the requirement of prior Consent are to be revised. Additionally, it is not enough to state that the responsibility for protecting personal data is contracted to a third party, it is important to note that any such transfer of the responsibility must be governed by a contract which meets the minimum requirements. The NDPR specifically defines parties to include directors, shareholders, servants and privies of the contracting party. Accordingly, the distinction between legal and natural persons for the purpose of limiting due diligence is irrelevant.
More importantly, companies who by virtue of their services have to mill through data to provide reports or use data in the course of product production have to confirm that personal information controlled or transmitted in such circumstances are sourced without breach of data protection requirements outlined above to prevent exposure to business crippling fines.
Penalty for Default
Non-compliance with the provisions of the NDPR could ground liability (in addition to any criminal or administrative liability) t0:
• in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of N10,000,000 (ten million naira) whichever is greater.
• in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of N2,000,000 (two million naira) whichever is greater.
The NDPR provides that NITDA can set up administrative redress panels to investigate allegations of breach and issue administrative orders, it is expected that where such panels are set up, they would operate as quasi-judicial panels and in the event of breach, such entities may impose sanctions. The defences that would enure for defaulting companies are not expressly outlined as such, this would be clear in due course.
The NDPR is a step in the right direction as it provides further clarity on the protocol for data processing. Where the NDPR is implemented strictly, it would promote transparency, consolidate accountability of Data Controllers and ensure that individuals are empowered to exercise control and demand compliance with their preferences where personal data is to be processed. While the NDPR is indeed a welcome development, it is important to reiterate the need for strategic enforcement as clarity on the minimum safeguards and infrastructure that must be deployed to ensure safe and transparent processing of data will only be attained when the NITDA implements these regulations with practicable measures that are flexible and clear.
As such, while it is in its early stages of application, it is expedient for companies in Nigeria to begin to outline protocol for data protection and adopt technology that enables seamless incorporation of protective measures into their operations. Inevitably, companies who do not take preliminary measures to ensure compliance will be at risk of breach and liable to fines as deemed appropriate. The fines applied by the NITDA in the event of breach are significant and more importantly, the increasing global reproof for negligence in this regard will trigger stricter legislation. For any company seeking to level down risks and ensure full compliance, its data protection protocol surely matters.
Corporate organisations may mitigate the risks accruing in this regard by undertaking the following:
• immediate drafting and publication of simple and holistic data protection policies via all the channels for communication, including but not limited to websites, email signatures and contracts.
• Appointment of a Data Protection Officer with significant skill and understanding of the companies’ requirements.
• Conduct internal training for employees and officers to ensure due communication of the potential liability arising in this regard.
The risks may not be totally obviated but strict adherence to the provisions of the law will limit exposure of companies to the consequences of non-compliance.
OYEYEMI ADERIBIGBE is a Senior Associate at Templars. She is also the current Vice-Chairman of the Young Lawyers’ Forum of the Nigerian Bar Association -Section on Business Law and the Young Lawyers’ Committee Liaison Officer of the African Regional Forum of the International Bar Association. Feedback – Oyeyemi.firstname.lastname@example.org; email@example.com.