After over 16 months as a draft, the NDPR Implementation Framework (the Framework) was finally and thankfully released by the National Information Technology Development Agency (NITDA) in the first week of December 2020, albeit dated July 2020.

As a privacy litigant and litigator, while I will continue to be grateful to NITDA for taking up the unprecedented gauntlet of regulating data protection in Nigeria, we cannot afford to, with respect, spare the Agency’s blushes within and outside the courts as far as their regulatory duties are concerned and this is done in good faith, for the betterment of the industry and its players.

First, it is highly commendable that, NITDA, like other supervisory authorities in the western World, has issued this Framework to provide further guidance towards clear compliance with the provisions of the NDPR which it describes as a “regulatory guideline” at paragraph 1.2 of its background. This description is a bit confusing to the extent that, if the NDPR is a regulatory guide, then where is the regulation itself and what does this framework seek to achieve if not to guide as well?

I am particularly concerned by the use of the term “Guideline” because it somewhat waters down the efficacy of the NDPR in the light of the Court of Appeal decision in Ogunniyi v Hon. Minister of FCT (2004) LPELR-23164(CA) that:

“The word ” Guidelines ” … simply means ” rules or instructions that are given by an official organization telling you how to do something.

With respect to the drafters of the Framework who have delivered this very momentous document at this very significant time, referring to the NDPR as a guideline does not, in my modest view, do justice to the status of the regulation which the courts have expressly and/or impliedly ruled as an extension of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) under section 37 thereof. (See the decisions in Digital Rights Lawyers Initiative v National Identity Management Commission (Unreported Suit No. AB/83/2020)  delivered on the 15th day of July 2020 by the High Court of Ogun State, per A.A. Akinyemi, J. and Digital Rights Lawyers Initiative v LT Solutions & Multimedia Limited (Unreported Suit No. HCT/262/2020) also delivered by the High Court of Ogun State, per Ogunfowora, J.

On data minimization under article 2.2(b), the Framework is, sadly unclear on which of the provisions of the NDPR represents the principle especially since article 2.1(1)(b) of the NDPR muddles adequacy with the principle of accuracy, the Framework also jumbles consent under the principle of lawfulness with data minimization without making reference to the provision of the NDPR it seeks to clarify. This, with respect, does not help the professional or data subject who seeks clarity on the import of some convoluted provisions of the NDPR.

On the principle of accuracy, the Framework at article 2.2(c), like the NDPR, mishmashes it with the indices of data minimization – “adequate” and partially ignores the message of data accuracy which requires personal data to be updated and/or kept up to date. What is more, the Framework introduces “abuse” into the principle of accuracy at the expense of the principle of integrity and confidentiality.

Article 2.2(d) on retention schedule requires data controllers to communicate data retention schedules to data subjects but one would expect the document to be more explicit as to the modus of compliance. Is this also supposed to be in form of a (privacy) notice or contract or public announcement. For example, how does a data controller inform online visitors of its data retention schedule? It is hoped that further clarity would be given on this.

Surprisingly, article 2.2(e) on confidentiality and integrity is the first provision where cross reference is made to the NDPR albeit it refers to a non existent “article 2” under the NDPR. It is our modest view that, some form of referencing ought to run through the entire Framework to avoid further confusion. Again, the Framework refers to confidentiality as a right while its existence under the NDPR remains unclear, this Framework could have, with respect, done better in resolving this puzzle here.

On its extraterritorial application, the Framework repeats the same legislative “wonder” at article 1.2(b) of the NDPR yet omits to demonstrate how the NDPR will be enforced outside the shores of Nigeria in the light of conflict of laws and extraterritorial limitation of certain laws. Will the NDPR afford me protection anytime I am outside Nigeria even within the regions where, GDPR is, for example applicable?

On exceptions to the NDPR, the Framework at article 2.3 has amazingly created its own provisions outside the NDPR. There exists no provision of the NDPR which this provision of the Framework seeks to implement, hence it is our respectful opinion that, it cannot, outside the NDPR, create its own stand alone exceptions as the only one contemplated by the NDPR is found at article 2.12 with respect to transfer of data to a foreign country.

On compliance, article 3.2(iv) of the Framework offers the regulator an unutilized opportunity to give some clarity on the confusion of privacy policy with privacy notice in the NDPR but it seems this ambiguity will continue for a while.

On appointment of Data Protection Officer (DPO), article 3.4 of the Framework which provides conditions for appointment of a DPO appears to be on a collision course with article 4.1(2) of the NDPR which expressly and mandatorily provides that “Every Data Controller SHALL designate a Data Protection Officer for the purpose of ensuring adherence to this Regulation”. How can the Framework for implementing this section validly make exception for some data controllers?

On sample of privacy policy at Annexure B, the Framework suggests that a privacy policy is a contract between data controller and data subjects and that, access to online platforms automatically translates into consent. Although, the law is not settled on the status of privacy policies on a website, this kind of simulation coming from the supervisory authority is a dangerous precedent which, in itself, negates what privacy policies or notices represent, especially since the NDPR does not give such status to privacy policies.
Ultimately on the Annexure C on Countries with adequate Data Protection Laws, what stands out is the Swiss-US Privacy Shield Frameworks of the United States of America!!! For everything NITDA stands for, I will make this excuse on their behalf that, the inclusion of this data protection law is a regrettable error which was not corrected in the draft before the Framework was released.
Following the Schrems II decision of the Court of Justice of the European Union (“CJEU”) that invalidated the EU-U.S. Privacy Shield Framework in July 2020, the Federal Data Protection and Information Commissioner (FDPIC), the body responsible for the protection of personal data in Switzerland ruled, on the 8th day of September 2020, that the Swiss-U.S. Privacy Shield Framework in its entirety does not provide an adequate level of data protection for cross-border data transfers to the US.

Flowing from the foregoing, it stands to reason that, if the Swiss supervisory authority could have passed such damning verdict on the law that directly affects it, as far back as September 2020, then it is our modest view that, such should not have found itself in a document released by its Nigerian counterpart in December 2020.

In conclusion, the Framework is not only a right step in the right direction, it is a highly commendable and progressive one which should be timely updated and finetuned with the widespread input of as many stakeholders and technocrats to minimize avoidable errors and oversights before its eventual release to the public.

Once again, I congratulate NITDA for spearheading Nigeria’s baby steps in this very essential and highly technical industry.