Introduction

The 21st century,
commonly dubbed “the information age” with its greatest invention, the
internet, has brought about fast and easy dispensation of personal information
or data. With an estimated 2.96 billion social media users worldwide, social
media is the greatest accomplice to the speedy dispensation of personal
information around the world.[2] Virtually everybody on the planet has
their personal data i.e., name, address, pictures, email address, bank details,
or medical information online. These data reveal sensitive personal information
that can be exploited to harm users unscrupulously for economic gain. Thus, it
is has become important to protect these data and regulate the way data is
used. One should be able to decide whether or not they want to share some
information, who has access to it, for how long, for what reason and to be able
to modify some of this information, if necessary.[3]


The information age has seen
data exchange become a common feature and an integral part of commercial
transactions. Considering that five of the six largest companies in the world
(Apple, Microsoft, Amazon, Google and Facebook) deal in data and profit off
processing the data of its consumers,[4] it has become imperative to regulate how
that vast amount of personally identifiable data is managed. For instance, the
Google-owned YouTube’s algorithm feeds off personal data (e.g. user
information, likes, searches, etc.) to suggest what videos users may like or
find interesting.

1.     
“Knowledge is power, information is
power.”

1.1      
This statement by Robin Morgan became more glaring and profound in the light of
the Facebook-Cambridge Analytica Data Privacy Scandal[5] that shook the world in 2018. Here,
Cambridge Analytica, a political consulting and strategic communication firm
was found to have illicitly collected the personal data and information of
about 87 million Facebook users without their consent for political advertising
purposes (especially in the run-up to the 2016 US Presidential elections). This
scandal amongst other previous data privacy breaches[6] signaled the urgent need to protect
personal data. It prompted the immediate implementation of the EU General Data
Protection Regulation (GDPR)[7] in 2018.

1.2      
In similar vein, Nigeria has had its own fair share of data privacy breaches.
Notably, the recent case between NITDA[8] and TrueCaller (2019) as well as the case
involving MTN Nigeria Communications Ltd v Barr. Godfrey Eneye (2013) are a few
instances.[9] Data protection is becoming a risk issue
discussed at negotiation stages between companies in different jurisdictions
and data protection has become a tool to encourage confidence in businesses. In
essence, it is important that companies and persons in Nigeria know the laws
governing Data Privacy and Protection in Nigeria and the scope of rights,
duties and responsibilities available to them.

2.     
The Legal Framework of Data Privacy and
Protection Laws in Nigeria

Although Nigeria does not
have a specific statute regulating Data Privacy and protection, the NITDA
commendably came up with the Nigeria Data Protection Regulations (NDPR) in 2019
which specifically addresses Data Privacy and Protection in Nigeria. Asides
from the NDPR, there are other laws which touch on Data Privacy and Protection
in Nigeria, which are briefly highlighted below.

3.     
The Constitution[10]

Section 37 of Nigeria’s 1999
constitution forms the foundation of data privacy rights and protection in
Nigeria. Section 37 guarantees and protects the right of Nigerians to privacy
with respect to their homes, correspondence, telephone conversations and telegraphic
communications. It deems Privacy in this respect a fundamental right which is
enforceable in a court of law when breached. Prior to the NDPR, most cases of
data privacy breaches were enforced under this section.[11]

4.     
The Nigeria Data Protection Regulation
(NDPR) 2019[12]

Albeit a subsidiary
legislation, the NDPR is the major law specifically aimed at addressing data
privacy and protection in Nigeria. The regulation was issued by the National
Information Technology Development Agency (NITDA) in 2019 to comprehensively
regulate and control the use of data in Nigeria.[13] A copycat of the EU GDPR, the
regulation touches on principles of data processing, the requirement of Data
Compliance Officers, requirement of data subject’s consent for collecting and
processing data, requirements for international transfers of data and rights of
data subjects, inter alia. It also prescribes penalty for non-compliance
with the regulation. [14]

5.     
The NCC Consumer Code of Practice
Regulation 2007[15]

Part VI of the Nigerian
Communications Commission (NCC) regulation, generally deals with the protection
of consumers’ data in the telecoms sector. Reg. 35 requires all licensees to
take reasonable steps to protect the information of their customers against
improper or accidental disclosures. It prescribes that licensees shall not
transfer this information to a third party except as permitted by the consumer
or commission or by other applicable laws or regulation. Data collected by the
licensee must be such that is reasonably required for business purposes and not
to be kept for longer than necessary. This law extends not only to electronic
or written data but also to verbal data recorded by the licensee.[16] It also provides for notification of the
consumer of the use and disclosure of data obtained from them.

6.     
The NCC Registration of Telephone
Subscribers Regulation 2011[17]

Regulation 9 and 10 of the
NCC Registration of Telephone Subscribers Regulation 2011, deals with the data
privacy and protection of subscribers. It provides for confidentiality of
personal information of subscribers stored in the central database or a
licensee’s database.[18] It also provides that these information
shall not be released to a third party nor transferred outside Nigeria without
the prior written consent of the subscriber and commission, respectively. This
regulation also regards the information stored in the Central Database as the
property of the federal government of Nigeria.[19]

7.     
The Freedom of Information Act 2011[20]

Section 14 of the Freedom of
Information Act protects personal data. It restricts the disclosure of
information which contains personal information by public institutions except
where the involved data subject consents to its disclosure or where the
information is publicly available. The Act also provides that a public
institution may deny the application for disclosure of information that is
deemed privileged by law (e.g. Attorney-client privilege, doctor-client privilege).

8.     
The Cybercrimes (Prohibition,
Prevention, etc.) Act 2015[21]

The Cybercrimes
(Prohibition, Prevention, etc.) Act, Nigeria’s foremost law on cybercrimes
criminalizes data privacy breaches. Generally, this Act prohibits, prevents and
punishes cybercrimes in Nigeria. It prescribes that anyone or service provider
in possession of any person’s personal data shall take appropriate measures to
safeguard such data. [22]

9.     
The Child Rights Act 2003[23]

The Child Rights Act
protects the privacy rights of children.[24]  The Act protects and guarantees
the right of every child to privacy, family life, home, correspondence,
telephone conversation and telegraphic communications subject to the
supervision or control of the parents or guardians.[25]

10. The
Consumer Protection Framework 2016[26]

The Central Bank of
Nigeria’s Consumer Protection Framework prohibits financial institutions from
disclosing the personal information of their customers. It also ensures that
these financial institutions take appropriate measures to safeguard customers’
data and necessitates the prior written consent of their customers before
sharing these data with anyone.

11. The
National Identity Management Commission (NIMC) Act 2007[27]

Section 26 of this Act
requires the approval of the Commission before a corporate body or anybody can
have access to data stored in their database. The Act also empowers the NIMC to
collect, collate and process data of Nigerian citizens and residents.

12. The
National Health Act (NHA)2014[28]

The NHA which regulates
health users and healthcare personnel restricts the disclosure of the personal
information of users of health services in their records. It also ensures that
healthcare providers take the necessary steps to safeguard such data.

13. The
Federal Competition and Consumer Protection Act 2019[29]

This Act stipulates that the
Federal Competition and Consumer Commission shall ensure that business secrets
of all parties concerned in investigations conducted by it are adequately
protected during all stages of the investigation or inquiry.[30]

14. Case
Laws

Just like many other common
law jurisdictions, judicial decisions are an integral source of law in Nigeria
and although, very few, there are court decisions on data privacy and
protection. Some of these include the cases of Godfrey Nya Eneye v MTN
Nigeria Communication Ltd
[31] and Barr. Ezugwu Anene v Airtel
Nigeria Ltd
.[32] In the former case, the court held that
the unauthorized disclosure of the claimant’s mobile phone number by his
telecommunications service provider (the defendant) and subsequent unsolicited
text messages he received from unknown third parties were violations of his
constitutional right to privacy. A similar verdict was given in the latter
case. Both claimants were awarded damages of N5,000,000 (five million naira),
respectively.

15. Conclusion

15.1    
It is laudable that Nigerian authorities through their laws and various
regulations are taking bold steps to protect the personal data of her citizens.
However, despite the array of laws and regulations on data privacy and protection,
the only law that specifically and comprehensively deals with this phenomenon
is the recently announced NDPR by NITDA.

15.2    
Prior to the NDPR, most laws on data privacy and protection in Nigeria were
industry specific. For instance, the various NCC regulations protect consumers
in the telecommunications sector; the provisions in the Child Rights Act
protects persons under the age of 18 and the Freedom of Information Act
protects personal data in records of public institutions. Therefore, the
establishment of a data privacy and protection law in the form of the NDPR that
transcends industries and category of persons is highly commendable.

15.3    
The quick implementation and enforcement of the NDPR by NITDA has shown its
seriousness in ensuring compliance with data privacy and protection laws by
data controllers and processors in Nigeria. [33] Another evidence of this is the current
investigation of TrueCaller by NITDA for data privacy breaches[34] alongside the recent investigation of
the Lagos Internal Revenue Service (LIRS) for publishing some Lagos State
taxpayers’ personal information on its website.[35] The establishment of the NDPR and the
activities of NITDA have also helped create awareness about data privacy and
protection amongst Nigerians.

15.4    
Despite being a huge step in the right direction, the NDPR is not without
criticism. The regulation solely “applies to all transactions intended for the
processing of personal data and to actual processing of personal data
and to natural persons residing in Nigeria or residing outside Nigeria
but of Nigerian descent.”[36] The NDPR applying solely to personal
data
and natural persons means the regulation excludes other forms
of data and corporate organisations respectively.

15.5    
Furthermore, some quarters believe the NDPR being a regulation and not a
statute enacted by the National Assembly lacks the requisite force of law
sufficient for addressing such an important subject. Some also believe the NITDA
is not empowered by law within the ambit of Section 6 of the NITDA Act to make
such a regulation.

15.6    
Nonetheless, Nigeria is one of the few countries that can boast of having data
privacy and protection laws in the world.[37] It is thus apparent the country is
heading in the right direction although there is still room for improvement.

_________________________________________________________________

For further information on
this article and area of law, please contact

Francis Ololuo at:
S. P. A. Ajibade & Co., Lagos by

Mobile (+2348112491286) or

Email
(fololuo@spaajibade.com).


[1]    
Francis Ololuo, Associate Intern Intellectual Property & Technology Law
Department, SPA Ajibade & Co., Lagos, Nigeria.

[3]
    Estelle Masse “Data Protection: Why it matters and how to
protect it” (January 25, 2018) available online at: https://www.accessnow.org/data-protection-matters-protect/accessed
on January 20, 2020.

[5]
    “Facebook data privacy scandal: A cheat sheet” by James
Sanders and Dan Patterson (July 24, 2019) available online at: https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/
accessed on January 20, 2020.

[6]
    For instance, in 2014 the personal information of over
3billion Yahoo users was unlawfully accessed by hackers – CNN Business: “Every
Single Yahoo Account  was Hacked – 3 Billion in all” (October 4, 2017)
available online at https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html/
accessed on 4TH February, 2020

[7]
    The European Union General Data Protection Regulation
2016/679 is the EU’s major law on Data Protection and Privacy is aimed at
protecting natural persons within the EU with respect to the processing of
personal data and on the transfer of such data outside the EU.

[8]
    National Information Technology Development Agency (NITDA)
is Nigeria’s foremost agency responsible for regulating data privacy and
protection in Nigeria.

[9]
    CA/A/689/2013 (Unreported).

[10]
   The Constitution of the Federal Republic of Nigeria 1999 (as
amended). Act No. 24, 5 May 1999.

[11]
   See the case of Barr. Ezugwu Emmanuel Anene v. Airtel Nigeria Ltd,
Suit No: FCT/HC/CV/545/2015 (Unreported).

[12]
   A regulation made by the NITDA pursuant to Section 6 of the NITDA
Act. Available on https://nitda.gov.ng/wp-content/uploads/2019/01/NigeriaDataProtectionRegulation.pdf
accessed on 27th January, 2020.

[13]   
NITDA is empowered by section 6(a) of the NITDA Act (2007) “to create a
framework for the planning, research…evaluation and regulation of Information
Technology practices, activities and systems in Nigeria.”.

[14]
   For a review of the NDPR, see “Data Protection Regulation 2019 –
The New Law” by Yimika Ketiku and Dolapo Bolu, available online at: http://www.spaajibade.com/resources/data-protection-regulation-2019-the-new-law-yimika-ketiku-and-dolapo-bolu/
accessed on January 20, 2020.

[15]
   Nigerian Communications Act 2003, Federal Republic of Nigeria
Official Gazette No. 87 (10th July, 2007) Vol. 94.

[16]
   Regulation 35(3), CPC 2007.

[17]
   Federal Republic of Nigeria Official Gazette No. 101 (7th November
2011) Vol. 98.

[18]
   Regulation 9(2).

[19]
   Regulation 5.

[20]
   Federal Republic of Nigeria Official Gazette (28th May)
Vol.98. Available on  https://www.cbn.gov.ng/FOI/Freedom%20Of%20Information%20Act.pdf
accessed on 28th January, 2020.

[21]
   Federal Republic of Nigeria Official Gazette (15th May)
Vol. 102. Available on  https://cert.gov.ng/ngcert/resources/CyberCrime__Prohibition_Prevention_etc__Act__2015.pdf
accessed on 28th January, 2020.

[22]
   Section 21.

[23]
   Child’s Rights Act No 26 of 2003 (Federal Republic of Nigeria
Official Gazette No 26, Vol.90). Available on  https://www.refworld.org/pdfid/5568201f4.pdf
accessed on 28th January, 2020.

[24]
   persons under the age of 18.

[25]
   Section 8.

[26]
   Pursuant to its powers under section 2(a) and 33(1)(b) of the CBN
Act 2007, the CBN released the Consumer Protection Framework 2016 on 7th
November 2016. Available on  https://www.cbn.gov.ng/out/2016/cfpd/consumer%20protection%20framework%20
(final).pdf
accessed on 28th January, 2020.

[27]
   National Identity Management Commission Act No 23 of 2007 (Federal
Republic of Nigeria Official Gazette No 23, Vol. 94). Available on  https://www.nimc.gov.ng/docs/reports/nimc_act.pdf
accessed on 28th January, 2020.

[28]
   Federal Republic of Nigeria Official Gazette No. 145 (27th
October, 2014) Vol. 101.

[29]
   Federal Republic of Nigeria Official Gazette No 18 (1st
February 2019) Vol. 106. http://fccpc.gov.ng/uploads/FCCPA%202019.pdf
accessed on 28th January, 2020.

[30]
   Section 34(6).

[31]
   Appeal No: CA/A/689/2013 (Unreported).

[32]
   Suit No: FCT/HC/CV/545/2015 (Unreported).

[33]   
In December 2019, NITDA threatened to issue a Notice of Non-compliance and to
publish the names of companies that default in filing their Initial Data
Protection Audit Report within the prescribed timeline. See https://andersentax.ng/nitda-to-issue-non-compliance-notices-to-defaulting-
organizations/
, accessed on 30th January, 2020.

[34]
   Wole Olayinka “The People v Big Tech: Nigerian takes TrueCaller to
Court for Alleged Violation of Privacy Rights” 30th September 2019 https://techcabal.com/2019/09/30/the-people-v-big-tech-nigerian-takes-truecaller-to-court-for-alleged-violation-of-privacy-rights/
accessed on 30th January,2020.

[35]
   James Kwen “NITDA says LIRS breaches Nigeria Data Protection
Regulation” 27th December, 2019 https://businessday.ng/news/article/nitda-says-lirs-breaches-nigeria-data-protection-regulation/
accessed on 30th January, 2020.

[36]
   Article 1.2 of the NDPR 2019.

[37]
   Other countries/regions include the EU, Canada, Brazil, China,
Angola, Argentina, Australia and Cape Verde.

First published here