19 Jun Transitioning from NDPR to NDPC: Some Good, Bad and Ugly Provisions of the Newly Enacted Nigeria Data Protection Act 2023
Author: Olumide Babalola
Borrowing a leaf from Timothy Endicott’s ‘The Impossibility of Rule of Law’ (1999) 19(1) Oxford Journal of Legal Studies 1-18, I acknowledge that we cannot have a perfect law, not even where wide and transparent consultation of stakeholders is not made. Amidst mixed reactions, Nigerians welcomed their first principal legislation on data protection – the Nigeria Data Protection Act 2023 – on the 12th day of June 2023 after more than ten legislative attempts. It (without the pitfalls) was what we had yearned and advocated for over the years and now that we have our piece of legislation, at the risk of sounding like an Oliver Twist, I take a brief look at the document which will potentially advance the emerging privacy and data protection industry in the world’s largest black nation.
The Act has many commendable provisions garnished with sour and avoidable introductions.
For clarity, I will briefly comment on these provisions as follows:
Some good provisions
The Act has many praiseworthy provisions, some of which I find interesting are:
An inclusive definition of data controller
Since the NDPR issuance, I have had many (in)formal conversations on whether data protection laws regulate the activities of private persons. However, my answers had always come from other jurisdictions. Now, by defining the term ‘data controller’ to include individuals and private entities, the Act appears to have settled the question of its application to private individuals. (section 65)
Contents of Data Processing Agreement (DPA)
Provision of clarity on what controllers should instruct processors to do in addition to the requirement of a written contract promises to enlarge the compliance net and improve widespread role-playing among stakeholders. (section 29)
Right of withdrawal of consent
This is an ingenious addition to data subjects’ rights even though it appears to be a reproduction of the right to object or restrict further processing. After all, where consent is given to a processing activity, there ought to be a corresponding right to withdraw same. (section 35)
Principle of ‘availability of personal data’
Loss of personal data is a data breach. The Act interestingly includes ‘availability of personal data’ in the confidentiality and integrity principle. This effectively creates a cause of action where a controller is unable to provide personal data in its custody when called upon. (section 24(2))
Legitimate interest assessment
Perhaps the most striking fault of the NDPR was its omission of the legitimate interest of the controller or third party from the list of lawful grounds for processing data. This Act not only recognises legitimate interest, it also makes laudable provisions on how such interest can be assessed. (section 25(1)(b)(v))
Designation of sensitive personal data by the Commission
Sensitive personal data is tricky. The parameters change with cultural and political developments; hence it is comforting that the Commission can further widen the net for other data that can be designated sensitive in the future. (section 30(2))
Priority of the Act
Outside the NDPR, some sector-specific legislation makes various provisions on data protection that may clash with this Act, which has offered clarity on precedence. The Act asserts its superiority on issues of data protection over all other legislation, to the exclusion of the Constitution of course.
Judging from the exchange of regulatory baton between NITDA and NDPB, many had wondered how the new Ombudsman – the NDPC – would take over from the make-shift arrangement, but the Act has taken care of that. The NDPB, its officers and its documents have now legislatively metamorphosed into the NDPC in a seamless transitional arrangement under section 64 of the Act.
Like the previous bills, the Act repeats some avoidable errors that may subject the legislation to unnecessary interpretation issues.
Non-definition of salient terms and concepts
As an offshoot of the right to privacy, data protection is sui generis. Its terminologies and concepts do not always carry the colloquial meaning of the words used. Regrettably, the Act does not define the following essential terms: anonymisation; cross border transfer; data portability and DPCO (both defined under the NDPR but omitted here); recipient; vital interest; genetic data; profiling; third party, etc. Stakeholders are now left to ascribe different meanings to these terms and this may take us back to the era when we always had to resort to Europe for answers. We need to cut free from this legislative neo-colonialism as much as possible.
Problematic definition of ‘data subject’
For reasons best known to the draftsmen, the term ‘data subject’ is defined in an awkwardly simplistic and potentially elusive manner as ‘an individual to whom personal data relates.’
This definition evinces two problems in waiting. First, the word ‘individual’ is capable of diverse meanings to suit different narratives depending on who the ‘interpreter’ is. The Compact Oxford English Dictionary of Current English defines the term ‘individual’ to include a person and an entity, while the Supreme Court in Alhaji Aliyu Ibrahim v Judicial Service Committee (1998) 14 NWLR (Pt. 584) 1 defined ‘individual’ to include artificial persons, i.e. companies. Hence, the term ‘individual’ in the section can be interpreted to mean the protection of companies too; therefore, they can also sue for data breaches under Nigerian law. Without arguing the benefits or drawbacks of such a possibility, this definition of data subject ought to be clear to avoid such conjecture.
Secondly, the drafters missed a golden opportunity to define ‘data subject’ by clarifying whether deceased individuals are also protected under our data protection legal regime. Conversations around ‘propertization’ of personal data will continue to pose questions on the necessity (or otherwise) of extending coverage of data protection laws to such data for as long as they remain relevant to data controllers.
I am not unaware of the decision of the Court of Appeal in CCB v Nwankwo (2018) LPELR–44762(CA) where the court glossed over the issue of whether the privacy right of a dead man can be protected; this Act would have legislatively laid the matter to rest.
Some provisions of the Act require urgent clarification from the NDPC and that’s why I refer to them as ugly as they continue to taint the otherwise commendable objectives of the Act.
Prohibition of processing data on sex life
Data protection laws generally prohibit the processing of sensitive personal data because they pose a higher-than-usual risk to data subjects. Disclosure of this category of personal data potentially exposes data subjects to ridicule, discrimination or breach of other fundamental rights. For example, the current social, economic and political realities in Nigeria may reduce the chances of getting employed in some organisations if one discloses one’s tribe, religion, health status or trade unionism. This is the main reason the category of personal information is classified as sensitive, hence, the law prohibits their collection. However, before you can ‘collect’ such data, the law provides for safeguards.
Under the 2020 bill, which went through public consultation, sexual orientation was understandably included as sensitive personal data, but under section 65 of the Act the term was curiously replaced with ‘sex life’. There is no doubt that ‘sexual orientation’, which speaks to a person’s identity in relation to gender, is different from ‘sexual life’, which means a person’s sexual activities and relationships in general. The substitution of sexual life for sexual orientation not only makes a mockery of the provision, it also discloses a lack of understanding of the essence of sensitive data and the protection afforded. Thankfully, this can be corrected by the NDPC, which wields powers under section 30(2) to regulate categories of sensitive personal data.
Inconsistency in children’s capacity to consent
At law, children lack the capacity to give consent to certain activities. Section 31(5) references a child below the age of 13 years as incapable of giving consent to processing activities; however, section 65 defines a child as provided under the Child’s Rights Act, which defines a child as a person under the age of 18 years. (section 277)
Re-licencing of lawyers
To boost compliance, Data Protection Compliance Organisations (DPCOs) – an ‘innovation’ under the NDPR – are engaged by the Commission to provide a number of services. However, the term ‘licence’ used in section 33 as it relates to legal practitioners is in conflict with the provision of the Legal Practitioners Act under which lawyers have been licensed to practise law in Nigeria. Section 5(c) of the Act recognises ‘accreditation’ but section 33 omits the term. To avoid needless pushback from the Supreme Court that licenses lawyers or the body of the legal profession itself – a jealous one – the term ‘accredit’ ought to be preferred when engaging law firms to provide data protection compliance services.
Impotent right to data portability
The Act in one paragraph suggests the data subject’s entitlement to the right to portability but in two separate subsections empowers the NDPC to ‘establish’ the right and provide conditions under which the right can be exercised. (section 38) This requires clarity; otherwise, the right is merely cosmetic.
Court of competent jurisdiction
Jurisdiction or lack thereof is the most contested issue in our case law. The Act’s lack of clarity in defining the court with jurisdiction to adjudicate disputes arising from the provisions of the Act is a potentially contentious issue. The term ‘court of competent jurisdiction’ is as nebulous as it gets when other provisions of the Act are considered. While section 51 empowers data subjects to seek redress by civil proceedings which can effectively be commenced at the Magistrates Court, section 50 provides for judicial review which can only be brought at the High Court. This could have been avoided by clearly defining the court as the High Court or Federal High Court by taking a cue from the Freedom of Information Act 2011.
Limitation of actions
A principal objective of the Act is the safeguard of fundamental rights, security of personal data and privacy of data subjects, yet the same legislation provides for a limitation of action provision in section 54(2). What a paradox! This provision works against the spirit and letter of the Act, especially since our case law is replete with decisions that frown upon limitation of fundamental rights.
Provisions subduing the NDPC
During public consultation, we expressed our concerns about the independence of the NDPC but the dangerous clauses were retained in the final Act. Even though section 7 of the Act guarantees the independence of the NDPC, such non-alignment becomes imaginary when the mandatory provisions of sections 23(1) and 60 are considered. The NDPC is not only duty-bound to submit an annual report to the National Assembly through the minister in charge of communications and digital economy, but the Commission also takes directives from the minister on matters “of a general nature or relating to matter of policy with respect to the objectives and functions of the Commission” (section 60).
These provisions do not only erode the NDPC’s independence, but they also empower the minister to subdue the NDPC and this will negatively impact optimal enforcement drive as we have seen in the past where government agencies have run afoul of their data protection obligations.
NDPR continues to exist
In spite of the remarkable transitional provision that allows the NDPC to continue from where NDPB stops, no provision repeals the stopgap legislation – the NDPR – upon the commencement of this Act. Section 64(2)(f) preserves all existing rules and regulations as though they were made by the NDPC, hence clarification is required on the status of the NDPR to avoid further confusion.
In my joint paper delivered at the University of Oxford last week on pre-colonial privacy beliefs in Nigeria, I argued that while the influence of the Global North on our privacy jurisprudence cannot be denied, we have our own cultural claims to the concept of privacy as we understand it. The enactment of this Act gives a further opportunity for a remodelling of our peculiar version of data protection that is workable given the current socio-economic circumstances. The newly transformed NDPC has its work cut out. With the use of guidance notes (and regulations under section 6(c)), most of the loose ends in this Act can be tied towards a more robust ‘Nigerianised’ data protection legal framework.