The Nigeria Data Protection Regulation 2019 (the Regulation) was recently announced by the Nigerian Information Technology Development Agency (NITDA), the statutory body in charge of regulating the utilization and transmission of information.
The Legislation, which was heralded by the Draft Data Protection Guidelines (The Guidelines) announced in 2017, encompasses the Nigerian government’s formal position paper on data security and privacy. The Regulation lays out the fundamental guidelines for data security in Nigeria.
This article analyzes the clauses of the Regulation, its adequacy in reference to international data security guidelines, and its effects on citizens, businesses, and government bodies in Nigeria, in light of recent experiences with, and the potential ramifications of, data exploitation internationally.
The year 2018 was a watershed moment for the global data protection regime. The European Union General Data Protection Regulation (GDPR) was ratified on May 25, 2018, prompting several European Union (EU) businesses to upgrade and improve their data protection policies in order to comply with the GDPR’s regulations. The GDPR applies to all EU member states, but it also has worldwide implications because it covers any business wanting to offer products to Europeans, regardless of where that business is located. The General Data Protection Regulation has resulted in a global data protection law overhaul, and Nigeria is no exception.
Notwithstanding the lack of a real and detailed data protection framework in Nigeria so far, data protection has been hinted at in a number of basic and sector-specific laws. For example, Section 37 of the Federal Republic of Nigeria’s Constitution of 1999 established a minimal level of privacy and data protection. “Privacy of citizens, their residences, mail, telephone calls, and telegraphic communications is hereby secured and safeguarded,” it says. Likewise, the Nigerian Communication Commission (NCC) adopted the General Consumer Code of Practice Regulations for Telecommunications Services in 2007, which requires telecoms companies to take adequate precautions to safeguard customer data and avoid unlawful or inadvertent disclosure. Furthermore, Section 8 of the Child Rights Act of 2003 affirms a child’s privacy rights and protection from identity disclosure.
Nigeria Data Protection Regulation 2019
The Data Protection Regulation (2019 Regulation) came into force on January 25, 2019, and requires all types of businesses in Nigeria that handle personal data to ensure their respective data privacy policies are easily accessible to the Nigerian public within 3 months of the Data Protection Regulation’s approval.
Objectives of Nigeria Data Protection Regulation 2019
The Regulation recognises the need to secure such data from potential breaches in light of current technology improvements that are contributing to the shift of companies and other information to the internet. The following are the key purposes of the Regulation:
- To protect legal persons’ privacy rights when it comes to their data;
- To foster a secure landscape for the interchange of personal information;
- To combat the abuse of personal data and keep Nigerian businesses viable by establishing a data protection regulatory framework that adheres to international best practices.
The scope of the Regulation now extends to all business organisations handling the private data of individual citizens in Nigeria or of Nigerians in the diaspora, although the definitions of basic data protection concepts such as data, data regulator, data subject, and so on remain unchanged.
Consequences of Failure to Comply with the Nigeria Data Protection Regulation
The NDPR creates two categories of Data Controllers for the purpose of administering penalties upon breach of the Regulations as follows:
- Data Controllers that process data of more than 10,000 Data Subjects will be liable to pay 2% of their Annual Gross Revenue or ₦10 million, whichever is greater;
- Data Controllers that process data of fewer than 10,000 Data Subjects will be liable to pay 1% of their Annual Gross Revenue or ₦2 million, whichever is greater.
Tenets and Principles of Nigeria Data Protection Regulation 2019
This wider scope improves the data subject’s protection and raises the likelihood of achieving the above-mentioned goals. The Regulation also establishes the following data processing tenets:
- With the assent of the user, data must be collected and used for authorised purposes: As a result, all data controllers must make sure that the primary aim for which any data is gathered is detailed, reasonable, and legal in compliance with the regulation’s rules. Furthermore, the reason for which any data is gathered must be disclosed to the data subject, and permission must be sought before the data is processed.
- Data acquired must be comprehensive, authentic, and not infringe on a person’s dignity: This implies that only data required for a specified legitimate purpose can be taken and handled, and such data must be valid. As a result, data controllers must allow data subjects to keep updating their personal information as needed.
- Data must be kept for a specific amount of time: Personal data must be archived for an appropriate duration of time, according to the Regulation; however, what constitutes a reasonable term is still up for debate.
- The Regulation also states that anyone in custody of a data subject’s personal data owes the data subject a duty of care, and that such a person will be held liable for any actions or inconsistencies that contribute to a failure to protect personal data from exposure or infringement, in compliance with the Regulation.