The new data protection bill in Nigeria

The Nigeria Data Protection Bureau (NDPB) has published a copy of the new Data Protection Bill. In recent months, the National Commissioner of the NDPB has reaffirmed the commitment to enacting a data protection law by the end of the year. Furthermore, the chair of the Senate Committee on Information Communication Technology and Cybercrime recently promised that the bill would be passed within thirty days of being introduced in the National Assembly.

A validation exercise for the bill was held in Abuja yesterday. The commitment to seeing the bill passed is commendable. There have been more than ten previous attempts to pass a data protection law before this point, and this is the sixth attempt since 2018. The bill will be presented as an executive bill. The hope is that, unlike previous attempts, the current endeavour will reach the end of the tunnel.

A copy of the bill is available here.

Comment on the Data Protection Bill 2022

The bill will apply where the controller or processor is a Nigerian resident, where the processing takes place in Nigeria, or where the organisation actively targets, markets to, or monitors Nigerian residents. The bill does not apply to personal or household use. Furthermore, certain provisions of the bill will not apply where processing is required for national security, crime investigation and prevention, or public health emergency control, or where the journalistic exemption applies.

This review looks largely at the operational aspects of the proposed law.

Bridging the gaps under the NDPR

In general, the bill is a significant improvement over the Nigeria Data Protection Regulation (NDPR). Notably, the new bill fills some gaps in the NDPR. For example, it expressly states the principles of fairness, transparency, and accountability. Similarly, legitimate interest is recognised as a lawful basis, but at the same time the bill imposes conditions that will make it impracticable to use. The legal basis for processing sensitive personal data is clearly stated, and the bill addresses how to provide a privacy notice when the data is not collected directly from the data subject.

The bill expands controllers’ and processors’ mutual responsibilities. The rules on child protection are more explicit, and there is even a new requirement for age verification. Furthermore, it appears to have reconciled the age of a child to 18 in order to be consistent with the Child Rights Act, rather than the confusion created by the Data Protection Implementation Framework (DPIF), which defined a child as anyone under the age of 13. The DPIF’s mandatory requirement for multinational corporations to have data protection officers in Nigeria is no longer in effect. The bill also provides additional clarification on the exercise of data subject rights. Another appealing aspect of the bill is the possibility of departing from the DPIF’s requirement that the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) and the GDPR be referred to where the NDPR is unclear. For context, Nigeria is yet to sign or ratify the Malabo Convention.

There are also new provisions, such as mandatory registration, the transformation of the NDPB into the new data protection commission, the inclusion of a journalistic exemption that will strengthen freedom of expression, and the introduction of prior consultation with the regulator on a data protection impact assessment where the risk cannot be mitigated, among other things. Finally, the bill introduces the concept of a controller and processor of “major importance.” While an attempt was made to define these terms, the classification threshold remains unknown; the commission has promised to define the tiering.

The confusion: amplifying existing gaps

Despite efforts to fill gaps in the NDPR, the bill still has room for improvement. I have highlighted some concerns below.

Mandatory registration

The new bill requires data controllers and processors of “major importance” to register with the commission. The registration fee will also be set by the commission. While the requirement appears in many African data protection laws, its relevance appears limited to revenue generation. There is no data or empirical evidence to suggest that countries that require registration have higher compliance rates than those that do not. This must be done carefully to avoid turning registration into a tick box Olympics. The filing of data protection audits has already suffered this fate: it has been wrongly treated as evidence of data protection compliance when, in fact, it satisfies only one requirement under the NDPR and one pillar of monitoring under most privacy programme frameworks. If the drafters intend to keep the provision, they must clarify that being listed on the register is not proof of compliance with the entire law.

International data transfer

The international data transfer mechanism under the NDPR and DPIF has been chaotic. The NDPR, for example, includes a provision on making adequacy decisions for countries. However, the DPIF published a list of countries that included countries without data protection laws, or with data protection laws but with no established or designated authority to enforce them. A civil society group is currently challenging the list at the Federal High Court over NITDA’s failure to follow its own rules. The DPIF created binding corporate rules (BCR) and standard contractual clauses (SCC) without specifying the approval process and content for BCR or adopting a standard or template for SCC, which added to the confusion.

This provision will almost certainly have the greatest impact on businesses. The bill’s drafters appear to have conflated the concept of an adequacy decision for countries with that of appropriate safeguards for controllers and processors. Section 43(1)(a) copies the GDPR’s appropriate safeguards in letter but not in spirit or intent. It is critical that these provisions are properly drafted in order to avoid imposing new operational challenges on businesses.

Data retention

Another potential operational difficulty is the storage limitation provision. Anyone who has attempted to create a data retention schedule knows how difficult it can be. The bill restricts the retention period to where the law allows it or where the data subject consents. This risks oversimplifying data retention, where contracts, research, a court order, or the defence or establishment of a legal claim could all play a role.

Data subject rights

The bill’s provisions on exercising rights are far more comprehensive than those in the NDPR. However, it lacks a timeline for responding to rights requests.

Independence

One of the biggest problems with, and criticisms of, NITDA and the NDPB was their lack of independence, which affected how the NDPR was implemented. Under the African Union Convention on Cybersecurity and Personal Data Protection, the Economic Community of West African States Supplementary Act on Personal Data Protection, the Declaration of Principles on Freedom of Expression and Access to Information in Africa, and Convention 108 of the Council of Europe, one measure of independence is not being tied down by the executive arm of government. A close reading of the bill suggests that a minister has supervening power. In addition, the governing council is largely made up of representatives of government institutions, which casts doubt on the commission’s independence. Consideration should be given to civil society and human rights interests.

Sanctions and enforcement

The bill risks falling into the same trap as the NDPR, where the number of data subjects affected by a violation was the sole determinant of fines. The bill classifies violators as either controllers or processors of “major importance.” The risk posed by the violation and other factors, not just the size of the organisation, should be considered. Other factors to consider include the nature, gravity, and duration of the infringement; the purpose of the processing; the number of data subjects involved; the level of damage and the damage mitigation measures implemented; intent or negligence; the degree of cooperation with the Commission; and the categories of personal data.

Missing icons

The bill is silent on requirements that could strengthen accountability, such as data protection by design and by default and documenting a record of processing activities, among other things. However, the bill grants the commission broader power to issue regulations that may address these missing provisions.

Timelines

The bill will benefit from timeline precision. For example, timelines for registration approval, data subject rights, and complaint resolution, among other things, are missing.

Conclusion

The bill is a necessary intervention, and its passage is an important outcome. However, the desire to pass a law in record time will be defeated if a flawed bill is enacted. Given how difficult it is to change a law in Nigeria, the people the law is meant to protect and the businesses that are supposed to work with it will be the most affected. Furthermore, with the tiering of controllers and processors of “major importance,” the bill should avoid focusing on large market players while ignoring small players capable of even more “horrible practices.”

While it may be easy to dismiss concerns about the absence of some important provisions because they can be addressed through regulation, the regulatory regime under NITDA and the NDPB did not provide much timely clarification on the NDPR. For example, the DPIF took nearly two years to finalise, and there was confusion about which version of the document was valid. The new commission should spend more time and effort developing useful commentaries, guides, guidelines, and resources to help with compliance. In addition, the NDPB, which will be transformed into the commission, should invest in increasing its capacity and competence in order to improve complaint resolution time and ensure consistency of response in the face of an inquiry or regulatory confusion.

Finally, I suggest more people participate in the process by sending their suggestions to legal@ndpb.gov.ng.