The leaked personal data of hundreds of German politicians by a hacker last week has again raised the red flag on Nigeria’s lack of movement on data protection and privacy policy. This is just as the ghosts of the leak of Amazon S3 data allegedly belonging to customers of Nigerian airline, Arik, and Facebook’s disclosure in 2018 that about 200,000 personal data belonging to Nigerians were breached by Cambridge Analytica, still hovers in the air.
In both later incidences, the Nigerian authorities did not investigate or take any action to protect citizens’ data in the possession of thousands of companies. For the former, although German authorities are reported to be investigating the attack on its politicians, experts have suggested it was only possible because the German government, like their Nigerian counterparts, does not take cybersecurity seriously.
Data protection in some parts of the world is a high priority. Facebook, Google, Twitter and several technology companies that houses billions of data belonging to their users have faced intense regulatory security lately, which include appearing before lawmakers to defend how they deploy data in their possession.
The European Union commission took it a notch higher in 2018 with the release of the EU GDPR which has caused many ripples across the world. Even Nigerian companies are frantically making efforts to comply with the GDPR provision to enable them to continue to provide services for their clients residing within the EU.
The number of internet users in Nigeria rose to 108.46 million in November 2018, from 94.82 million a year earlier, according to data from the Nigerian Communications Commission (NCC). More growth is expected as the mobile broadband network continues to expand their capacity and the price of phones get cheaper. That presents a major exposure worry for data protection and privacy.
The 1999 Nigerian constitution does not assign the responsibility for data protection to any agency, but it does make reference to the protection of privacy of Nigerians. Section 37 of the constitution provides that the “privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications are hereby guaranteed and protected”. The 2007 Act that established the National Information Data Protection Agency (NITDA) to some extent presents them as the regulator responsible for data protection in Nigeria. However Ngozi Aderibigbe a legal data expert and managing associate with Jackson, Etti & Edu told BusinessDay that the agency is not the only regulator with data oversight conferred on it.
“Other regulators, including, the Nigerian Communication Commission (NCC) and Central Bank of Nigeria (CBN) have some data protection regulations, and these regulations are enforceable against the specific entities subject to the regulatory checks of NCC and CBN,” said Aderibibge, “Therefore, each regulator – NITDA, NCC, CBN – is responsible for enforcing any breach of their respective data protection laws.”
While the CBN and NCC appear to show a little interest in policing the data of consumers under the care of providers in their segment, NITDA which should naturally take the lead appears the most irresponsible.
“NITDA which is the agency with regulatory powers to monitor the use of information technology, and the custodian of the NITDA Guidelines for Data Protection, has not shown any willpower to enforcing the data protection standards set out in the guidelines,” Aderibigbe said.
A visit to the website of NITDA will show six downloadable standards and guidelines. The National Information Systems and Network Security Standards & Guidelines and Standards for Data Interoperability are the only two documents that pay more than passing attention to data and give some sort of guideline around its usage. However, both documents address companies and the government ministry department. Neither of them pays any particular attention to the larger societal need for data protection. There is also little evidence to show that the available provisions are being enforced on companies.
In 2010, National Identity Management Commission (NIMC) sponsored a data protection bill with aim to regulate the governing of personal information of individuals, including the collection, holding, use or disclosure of such information by persons and organisations other than government institutions in a manner that recognises and protects the personal information and data of individuals. The bill has which is present with the Nigerian senate is not making the desired progress.
However, if enacted into law, it will prohibit the processing of data for purposes other than their intended use and companies could be fined for breaches of personal information.
“It would be great to have this bill passed into law as it would strengthen the data protection regime in Nigeria,” Aderibigbe said, “It is particularly important that in addition any regulatory penalties imposed for breaches, individuals should have enforceable rights against any data collector or data processor where necessary.”
To be sure, Nigeria is not the only African country that battle has a poor data protection environment as more than half of Africa’s 54 countries have no data protection or privacy laws, according to Article 19, a London-based rights group. Out of the 14 countries that have, nine have no regulators to enforce them. However, Nigeria is at a bigger risk being the African country with the most internet users.
Aderibigbe recommends enforcing the NITDA Guideline and other data protection regulations already in existence.
“These regulations and guidelines made in furtherance of their respective principle legislations are, by law, as enforceable as the principal legislation,” she said.
A bigger issue, however, could also be the lack of public awareness of the existence of these regulations and their enforcers. Increase awareness will boost the level of compliance with the regulations.
