Nigeria has not had any data
protection regulation that covers the rights of people resident within its
territory. The Nigerian Information Technology Development Agency(NITDA) recently
began the implementation of a data protection regulation known as the Nigerian
Data Protection Regulations 2018 which was copied from the EU General Data
Protection Regulation (GDPR).

The regulation released by the
NITDA was not attributed to any specific provision of the authority’s enabling
legislation and a vague reference was made to Section 6 of the NITDA Act. A lot
of individuals have reviewed the piece of regulation released by the NITDA and
have failed to note that the agency lacks the requiste power to regulate or
create provisions for legislating over data protection within Nigeria, such
reviews can safely be described as misleading. The regulations can, therefore,
be described as an act of jurisdictional overreach as the agency was not set up
to regulate data protection within Nigeria.

Furthermore, the regulation can
best be described as an affront to the
ECOWAS Data Protection Law of which Nigeria is a signatory
to and participated in the drafting of the legislation.

 1. Introduces
Prison terms

The bill introduces provisions
that if breached introduces prison sentences for persons and organisations that
fall foul of its rules. In part XII which comprises of sections 48 to 54 of the
legislation, jail terms have been stipulated for persons or organisation who
trade in personal data belonging to residents of Nigeria. In Nigeria, certain
companies and entities buy and sell data belonging to residents of Nigeria to
organisations or individuals who engage in micro-targeting of people.

The business of buying and
selling user data would therefore become a crime with the introduction of
Section 48(4) which state that “A person commits an offence who advertises
or indicates that Personal Data where the person obtains the data in
circumstances described under subsection (1) of this section, is or may be
available for sale, shall be liable on conviction to imprisonment for a term
not less than 5 years or to a fine of not less than
₦3,000,000,000.00 or to both such imprisonment term and fine.”

Furthermore online content
service providers such as Google, Facebook, Jumia and associated entities could
also face jail terms if they fail to obey the provision of section 36 of the
bill on data localisation. Section 36 provides that all Data Controllers and
Data Processors of Personal Data shall record, systematize, accumulate, store,
host, amend, update and retrieve Personal Data on devices that are physically
located within Nigeria’s territorial jurisdiction.

A breach of the above provision
would result in a data controller or processor being liable upon conviction to
imprisonment for a term not less than 10 years or to a fine of not less than
₦8,000,000,000.00 or to both such imprisonment term and fine.

2. Introduces the Right to be
Forgotten In Nigeria.

Under the Data Protection bill,
there are eight key rights belonging to Data subjects. The rights are listed
below.

  •  Right to be informed: this means that
    data controllers must provide clear and correct information to data
    subjects – purpose, retention. This right is discerned from Section 18.
  • Right of access: This means data subjects have
    the right to know whether personal data is being processed and if so,
    access it ie copy of their personal data – how and why. This right is
    discerned from Section 18.
  • Right to rectification: This means if personal
    data is inaccurate data controllers must correct it. This right is
    discerned from Section 20
  • Right to erasure or right to be
    forgotten: This means if personal data belonging to an individual is made
    public, the data subject has the right to have such information deleted.
    This right is discerned from Section 20.
  • Right to restriction of processing ie right to
    limit personal data processing. This right is discerned from Section 25.
  • Right to data portability: This simply means
    to move, copy and transfer personal data across different services. This
    right is discerned from Section 26.
  • Right to object: This means data subjects have
    the power to decline personal data processing eg direct marketing. This
    right is discerned from Section 23 of the bill.
  • Right not to be evaluated based on automated
    individual decision making (AI) including profiling. This right is
    discerned from Section 19(1).

The right to be forgotten is a
right which stipulates that personal data were obtained or available shall be
erased when such data is inadequate, irrelevant and excessive in relation to
the purposes for which it was collected. A typical example is when a search
engine operator would be obliged to delete the links to related pages.

The right to be forgotten would
allow residents of Nigeria ask data processors or data controllers i.e search
engines to remove links to “inadequate, irrelevant or … excessive” content
pursuant to the provisions of Section 20 of the bill

The right to forgotten was made
prominent by the case of Google Spain SL, Google Inc. v
Agencia Española de Protección de Datos, Mario Costeja González
. In
that case, the Court of Justice of the European Union (CJEU) held that an
individual could apply to an internet intermediary or online content service
sharing provider to prevent information about the individual from coming up in
searches or on the internet intermediary’s platform.

The CJEU further noted that the
applicability of the doctrine has a broad territorial scope, and should the
need arise results gotten be delisted on a search engine’s platform. The Court
further found that the fundamental right to privacy is greater than the
economic interest of a commercial firm and, in some circumstances, the public
interest in access to Information.

3. Data Localisation

 Data localization is the
act of keeping data on any device that is
physically present within the borders of a specific country where the data was generated.

The provisions of Section 36
provide that “The Data Commissioner shall mandate Data
Controllers and Data Processors of Personal Data pursuant to this Bill, to
record, systematize, accumulate, store, host, amend, update and retrieve
Personal Data on devices that are physically located within Nigeria’s
territorial jurisdiction.

The provision would ensure that
the Nigerian government having to deal with cybersecurity threats or
individuals worrying about the right to privacy. It would also lead to the
creation of more jobs for persons resident in Nigeria.

Although the provisions of
section 36 can best be described as a protectionist clause it may lead to a
development known as splinternet or cyber-balkanization which means the
segregation of the internet by various regions due to factors such as
technology, nationalism, commerce and laws.

Adavize Alao