• Monday, May 27, 2024
BusinessDay

On the invalidity of the Nigerian data protection regulations, 2019

A vital message to stakeholders on the filing of data privacy Compliance Audit Returns (CAR)

With advancements in technology, the ubiquity of social media, and rapid growth in electronic transactions, personal data has become more easily accessible and more vulnerable to exploitation and abuse. This digital transformation of life and business poses serious risks to data subjects even as it boosts electronic commerce and the profits of digital companies.

The risks of abuse of data privacy by those with access to and in the custody of personal data of others underlined the imperative of data protection laws and regulations. Different states and the European Union have enacted their own versions of data protection laws and regulations to impose obligations on companies and individuals in respect of custody, transfer, use etc. of personal data.

The Nigerian Data Protection Regulations, 2019 (the “NDPR” or “Regulation”) was enacted by the National Information Technology Development Agency (“NITDA”) in response to this need for adequate protection of data privacy. In that respect, the NDPR was a timely and welcome piece of legislation. However, the source of the NDPR (NITDA) is riddled with questions on its capacity to issue the NDPR, and these questions overshadow the beauty and usefulness of the NDPR.

This article interrogates the powers of the NITDA to issue regulations in respect of personal data in the light of relevant provisions of the National Information Technology Development Agency Act (“NITDA Act” or the “Act”) and argues that the NITDA lacks the statutory powers to enact the NDPR and to that extent, the NDPR is void. I will begin this discourse with an overview of the NDPR to provide an idea of its scope and subject matter. This, to my mind, will make the determination of the question of validity easier because the answer to this question will depend largely (if not wholly) on the subjects within the powers of the NITDA.

An overview of the NDPR

The NDPR was issued pursuant to the Act with the objectives to safeguard the rights of natural persons to data privacy; to foster safe conduct of transactions involving the exchange of personal data; to prevent manipulation of personal data, and to ensure the competitiveness of Nigerian businesses through the safeguards afforded by a just and equitable framework on data protection.

The NDPR applies to all transactions involving the processing of personal data. It also applies to natural persons resident in Nigeria and Nigerians who are resident abroad. Article 2 of the NDPR stipulates general safeguards for the collection, processing, transfer, and storage of personal data. The Article generally imposes obligations on persons and entities in possession of the personal data of a natural person (referred to as a Data Subject) to process such data only for a specific, legitimate, and lawful purpose and only with the consent of the Data Subject.

Such data processing is required to be accurate and without prejudice to the dignity of the human person. The Article further imposes an obligation on anyone entrusted with personal data of a Data Subject to store the data for only a period within which it is reasonably needed and secure it against all foreseeable breaches and hazards such as cyberattack, viral attack, manipulation of any kind or damage by rain, fire etc.

The Regulation prohibits obtaining personal data without providing the specific purpose of the collection to the Data Subject and obtaining the informed consent of the Data Subject. It further requires the publication of a simple, clear, and conspicuous privacy policy on any medium through which personal data is being collected or processed, and prescribes the relevant information that must be contained in any such privacy policy. A Data Subject has the right to object to the processing of his personal data for the purpose of marketing by a Data Controller (a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed). A Data Controller is required to provide the Data Subject with a means of objection.

The NDPR is meant to be interpreted and applied liberally with the aim of furthering and never for the purpose of restricting the privacy rights of Data Subjects that have been guaranteed under the Constitution or any other enactments. Article 2.10 of the NDPR prescribes penalties for breach of any of the duties under the NDPR.

Article 3 of the NDPR confers additional rights on a Data Subject, including the right to information relating to his personal data free of charge, the right to request deletion of his personal data, the right to transfer personal data from one Data Controller to another, etc. Article 4.2 provides for an Administrative Redress Committee with the jurisdiction to adjudicate on complaints from Data Subjects relating to breach of the Data Subject’s rights under the NDPR.

The foregoing overview encompasses the scope and subject matter of the NDPR. The question, therefore, is whether the subject matter of the NDPR is within the remit of the NITDA.

NITDA’s powers to regulate data privacy

NITDA is established by an Act, which delineates its powers and functions. The search for NITDA’s powers and functions to regulate data privacy will therefore necessarily commence, and possibly end, with an interrogation of the relevant provisions of the Act. This is all the more so because the NDPR was made pursuant to the Act.

Section 6 of the Act generally provides for the functions of NITDA regarding the development and regulation of information technology in Nigeria while section 7 provides for its powers. Amongst other functions, NITDA is mandated under Section 6(c) of the Act to:

“Develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information.” Underlined for emphasis.

The underlined portion of Section 6(c) is the only reference to “electronic data” in the Act and there is no mention of data privacy in the Act. Interestingly, even the reference to “electronic data” in Section 6(c) is in the context of “electronic data interchange” which simply means “. . . the automated, computer-to-computer exchange of standard electronic business documents between business partners over a secure, standardized connection.” This has no correlation with the personal data of individuals or data privacy.

Section 34 of the Act defines data to mean “. . . a representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printout, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computers.” Again, this definition makes no reference to, nor has any relationship with, personal data or data privacy.