When the European Union commenced enforcement of its General Data Protection Regulation (GDPR) sometime in May 2018, the rest of the World welcomed it not only as a breath of fresh air but also as a signification of the Council of Europe’s willpower to give data-privacy protection of its citizens and residents, a reinvigorated consideration they have been yearning for, over the years.
In a responsive move, the Nigerian National Information Technology Agency (NITDA) then took the initiative on the 25th day of January 2019, to issue something similar in objectives, to the GDPR and named it “Nigeria Data Protection Regulation” (NDPR) to become the country’s first codified Data Protection legislation.
According to NIDTA’s Director General, Isa Ali Ibrahim, “… the rate of wanton abuse of privacy of Nigerian citizens’ data, needed an urgent national response. I therefore constituted young professionals in the Agency, I challenged them to proffer solution to this problem. The team worked hard and eventually came up with a unique regulation that has become a cynosure of discerning minds” See “Reflection of Nigeria’s Data Protection Regulation 2019” assessable at www.leadership.ng
Since its issuance, a couple of learned authors and practitioners have, expectedly, written some reviews and opinions on the NDPR but I am yet to come across any of those admittedly, timely interventions that critically analyzed the shortcomings of the regulation which is, no doubt Nigeria’s most eminent extant piece of legislation, albeit subsidiary, on data privacy protection.
Objectives: Paragraph 1.0 (a) of NDPR restricts the safeguard/protection offered under the regulation to, only rights of natural persons. This is inadequate because, institutions/organizations can also fall victims of privacy/data breach but if the express provision of the NDPR is slavishly adhered to, then artificial persons can’t take cover under it as currently enacted.
In the word of Daryl Nerl (staff writer at smallbusinesstrend.com) while giving 10 tips to protect your business and customers on data privacy day; “Having information about clients and customers is important but ensuring that private information remains secure might just be as vital to the health of small businesses”. In essence, safeguard of natural persons from data breach is as important as its consideration and extension to legal entities which deal with data in any form especially when taking cognizance of the prevalence and seemingly omnipotence digital hackers and cyber terrorists.
Still on the objectives, the unjustifiable fixation on “personal data” betrays the regulations’ wide title which simply contemplates “Data” simplicita. When this is considered in the light of the definition of Data as given by the regulation, one would further ponder whether (no pun intended) the NDPR’s broad title agrees with its constricting objectives as far as the word “Data” is concerned.
Since the regulations’ main focus is to protect data, then its restriction to personal data may be counterproductive in the nearest future and in addition, may give rise to agitations for another broader regulation protection other kinds of data especially the non-personal, non-electronic data, etc. For instance, the types of data available is subject to its own uncertainties, while some proponents posit to the existence of two kinds (qualitative and quantitative), some favour three types (descriptive, predictive and prescriptive), another school has four (normal, ordinary, interval and ration) and we have the five types.
For as long as, there exists divergence even among stakeholders and practitioners on the identity and classification of data, a regulation protecting same must not shy away from its vagaries by cramping its coverage and reach as the NDPR has done here.
Surprisingly, the NDPR that prides itself as the Nigerian swift response to the GDPR, conspicuously omitted the phrase “Protect Fundamental Rights and Freedoms” from its objectives even though same forms part of the objectives of GDPR from which the NDPR derived inspiration.
On the one hand, it is commendable to note that, unlike the GDPR, the NDPR defines “Data” but the definition is not only narrowly technical, it is not comprehensive enough in the light of the regulations’ expectations. It simply defines Data as “characters, symbols and binary which operations are performed by a computer which may be stored by transmitted in the form of electronic signals is stored in any format or any device.”
The inadequacy of the above definition is, at a glance, reflected in the use of the word “computer” which the same regulation defines as “information technology systems and devices whether networked or not”. Hence, the NDPR does not seek to safeguard data wholly captured, performed and/or stored in paper form without the use of computers since its focus is on computer and ICT.
This appears tricky and can come in handy for a mischievous data controller/administrator under the regulation especially considering the provision of the first paragraph in the preamble which restates NITDA’s mandate to “develop regulations for electronic governance to monitor the use of electronic data …as an alternative to paper based methods.”
Secondly, the definition of data under the NDPR is deficient to other definitions found elsewhere even when then mean, ultimately, the same thing. Although, the Black’s Law Dictionary does not define the word, its 10th edition defines “Database” as “compilation of information arranged in a systemic way”. The GDPR also does not define data but it defines “Personal Data” as information relating to identified or identifiable natural person”. www.searchdatamanagementtechtarget.com defined data as “information that has been translated into a form that is efficient for movement or processing” and the Business Dictionary defines it as “information in raw or unorganized form”
In all the foregoing definitions, apart from the NDPR’s, a common denominator is the word “information” which sums up the whole essence of data. The NDPR chose the highly technical route without even defining what “characters” “symbols” or “binary” are.
Since the definition of “Data” in the NDPR, is in our opinion, jaundiced, then its incompetence or inadequacy will, by implication, affect that of “Database” in the same measure as it is correspondingly defined under the regulation as “collection of data”.
Happily, the word “information” is included in the definition of “Personal Data” under the NDPR but a phrase that may create a jurisprudential issue is “Bank Details”. Legal pontification may arise as to whether the phrase includes Bank statements of account and if it does, then it portends huge economic implications for Nigerian banks which have hitherto charged fees for providing their customers with statements of account. To put this in proper perspective, regulation 2.13.3 mandates such personal data as “bank details” to be given/released to Data Subjects free of charge.
Again, the definition of “Sensitive Personal Data” excludes data relating to fiancé. Hence, bank details are not seen as sensitive under the definition since it is not open-ended as drafted.
Penalty for default
While regulation 2.10 provides penalty for breach of “Data Privacy Rights”, nowhere in the entire regulation are the said rights specifically provided except one would improvise by resorting to the provision titled “Rights of a Data Subject” under regulation 2.13.
Further, the regulation for default but it is silent on remedies for victims of data privacy breach. The penalties as contained therein would only generate income for the government at the expense of the actual victims of data privacy breach.
One would have expected the drafters to take a cue from the GDPR which has comprehensive provisions on “Remedies, Liabilities and Penalties”. Worthy of note is also the provision under the GDPR on right to compensation receivable by any person who suffered “material or non-material loss” as a result of infringement under the regulation. This is sadly missing in the NDPR which seeks to confer a right without giving remedy in the event of infringement thereby defying the age long legal principle of Ubi Jus Ibi Remedium – where there is a right which is wronged, there must be a remedy. See Arulogun v Commissioner of Police, Lagos (2016) LPELR-40190(CA)
Administrative Redress Panel
The provision of regulation 3.2 prima facie appears a progressive one but judging from the antecedents of administrative panels in our country, its set up and constitution may pose their peculiar problems which may hinder them from either taking off or delivering on their mandate.
In the absence of express provisions on the timeline for its set up, membership, their qualifications or disqualification etc, its existence/emergence, in reality, may continue to be a mirage except NITDA shows real seriousness towards ensuring victims get redress which, anyway favours the government in terms of penalty for default at the expense of compensation for victims.
While I am, like, other “Data Subjects”, grateful for NITDA’s proactive interpolation in the mould of the NDPR, there will always be room for, not only an improvement, but further adaption of the regulation to meet to further meet the dynamism of the Nigerian socio-economic reality.
And as much as the NDPR has been rightly touted as Nigeria’s comprehensive and contemporary regulation on data privacy, NITDA and all other stakeholders need not get complacent with the commendable regulation but it must be periodically revised and updated to cater to outstanding issues whether existing or arising in the future.