Data protection is an important topic in the digital age. The subject is a representation of efforts aimed at creating a balance between individual privacy rights and legitimate use of data for business, security, education as well as provision of basic and essential services. According to the available statistics from the United Nations Conference on Trade and Development (UNCTAD), as at August 2019, ‘Across the globe, 107 countries (of which 66 were developing or transition economies) have put in place legislation to secure the protection of data and privacy.” About 44% of African countries have a data protection law while 12% have a draft law, 22% have no laws and 22% without data.” Ghana, Mauritius, Chad, Niger, Tunisia, South Africa are some of the African countries with Data Protection/Privacy Law. Nigeria is one of the countries lagging behind with respect to data protection legislation in Africa and the world at large. Some would argue that this is not necessarily so, given that the National Information Technology Development Agency (NITDA) released a Nigeria Data Protection Regulation(NDPR) in February this year. I will come back to address why NDPR does not effectively address the data protection lacuna in Nigeria.
Draft Legislations that didn’t become Laws
Meanwhile, Nigeria is one of 6 African countries with a draft law. While this information should be consoling, what makes it rather disturbing is that, this has been the case in the past 7-8 years. On April 16, 2019, President Buhari declined assent to the Digital Rights and Freedom Bill, a bill with some data protection provision, after being passed by both houses of Nigeria’s bicameral legislature. One of the reasons President Buhari gave for his decision was the need to avoid conflict with pending legislation at the National Assembly (NASS). Around this time, Nigeria’s Data Protection Bill was scaling legislative hurdles and clearly coasting towards being signed into law. For some background, the Data Protection Bill(DPB) was first introduced to the National Assembly(NASS) in the 7th NASS by the former speaker, Yakubu Dogara. However the bill couldn’t become law and was reintroduced in the 8th National Assembly, again by Dogara, this time as Speaker of the House. As a result, the bill enjoyed some prioritisation such that it was the 2nd bill considered by the House of Representatives in the 8th NASS, hence, the house bill number 02 i.e HB02. Previously, a Personal Information and Data Protection Bill, 2016 covering various aspects of personal data protection, was prepared by the National Identity Management Commission (NIMC) and sent to the House of Representatives while Senator Stella Oduah also sponsored a Bill on the Protection of Personal Information SB310 in the 8th Senate. These bills did not scale required legislative hurdles. Although the Digital Rights and Freedom Bill is back at the National Assembly, its data protection provisions have been removed as advised by President Buhari.
The Data Protection Bill(DPB) HB02
As at July 2017, the House of Representatives had passed the DPB and sent the same to the Senate for the constitutionally required concurrence before it would be sent to the President for assent. A Committee was set up to finalize the Bill. However, the Committee resolved that the Bill had failed to address the problems for which it was drafted to solve. In September 2018, the Federal Ministry of Justice, with the support of the GLACY+ Project of the Council of Europe and European Union, in collaboration with the Nigerian Cybercrime Advisory Council and the Experts Group of the Senate Committee on ICT and Cybersecurity held a Data Protection Legislative drafting workshop in Nigeria, with most public and private sector stakeholder organizations in attendance including the National Information Technology Development Agency and the National Identity Management Commission(NIMC). At the workshop, participants reviewed all the draft Data Protection and Privacy legislation pending at the National Assembly along international standards and best practices, and carried out a harmonization and drafting exercise leading to a harmonized data protection legislation for the country. As part of the process leading up to enactment of the legislation, members of the general public and interested stakeholders were asked to review the draft bill and share comments before the draft was sent back to the National Assembly. As at May 15, 2019, both the Nigerian Senate and the House of Representatives had passed the Data Protection Bill, 2019 (H.B. 02) and the Bill was sent to the President on May 29, 2019.
Nigeria’s Data Protection Regulation(NDPR) by NITDA
On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 scheduled to take effect in April 2019. This was befuddling for most people who followed the process around the DPB earlier described because NITDA was part of the process. For obvious reasons, one is led to believe that Nitda is the reason Nigeria do not have a Data protection law. It is still unclear why NITDA is attempting to take ownership of the data protection legislation terrain in Nigeria. It is however not unusual for agencies of government to make sector-specific regulations in furtherance of their mandate as defined by the act establishing them. NITDA has often referred to Section 6c and Section 32 of the National Information Technology Development Agency Act of 2007, to explain why it has powers to make regulations, although the Act establishing the agency clearly defines its mandates as “to plan, develop and promote the use of information technology in Nigeria” but the agency has lately been pursuing regulation objectives. Whether it can or can not is not the crux of what is being considered in this article. The contention with NITDA’s NDPR is not about the content of the Regulation because both the NDPR and the DPB mirror the European Union General Data Protection Regulation in many ways. Let us not be deceived for a moment; no law or regulation is perfect. Neither the NDPR nor the DPB is perfect or without criticism. The DPB too is for example being criticised for the huge fine it prescribed for infringement of its data localisation provisions and on whether the procedure it sets for the appointments into the Data Protection Commission would truly guarantee independence. However, there are avenues to address these shortcomings. The controversy or challenge with the NDPR ranges from concerns about process to allegations of sabotage. Another issue is enforceability. As at July 2019, NITDA was still consulting stakeholders on how to enforce the NDPR which suggests that as at April 2019 when the NDPR was supposed to take off, even NITDA was yet to figure out how to enforce the Regulation. Some have argued that NITDA’s attempt is an act of agency and jurisdictional overreach, as the agency was not set up to regulate data protection within Nigeria.
Primary vs Secondary Regulation debate
Regulations are secondary legislation, while laws duly passed by the national assembly and signed by the president are primary legislation. Data protection laws touch on citizens’ right to privacy. The right to privacy in Nigeria is derived from section 37 of the Nigerian constitution. It could be argued that with regards to derogation, only laws duly passed by the national assembly should derogate from constitutionally guaranteed rights such as the rights to privacy. Derogation as may be required by Data protection legislation would require trust and legitimacy which the process leading to the passage of the Data protection Bill offered. It is doubtful that the NDPR will command these important elements. As we speak, the Association of Licensed Telecommunications Operators of Nigeria (ALTON) has petitioned the Nigerian Communications Commission (NCC) on what it described as attempts by the NITDA to regulate communications and NITDA has equally fired back to assert its authority to do so. This is clearly a legitimacy challenge. Why go this route when positive engagement was a plausible alternative?
The NDPR will surely expand the turf and revenue generating capacity of NITDA but will it protect citizens effectively? Government is a potential violators of citizens privacy rights, so an effective data protection law can not be situated within the ambit of an agency 100% under the control of incumbent and subsequent governments.
Another issue with the NDPR is enforceability, the NDPR is just a draft document, an official gazette is yet to be issued. The Ministry of Justice has statutory mandate to officially gazette laws and regulations to be enforceable in Nigeria. At the moment, the NDPR is just a toothless bulldog. Since the NDPR, many data breaches has occurred and reported. It is unclear what NITDA is doing to address them. Some of these infringements were by government agencies such as the Nigerian Immigration. It is yet to be seen how NITDA intends to hold fellow agencies accountable and enforce punishment where applicable. There is a reason why in many parts of the world, including many African countries, data protection law sets up an independent data protection commission that has mandates that allows it to hold other government agencies including law enforcement and other entities that engages with data responsible.
NDPR leading to job creation?
One of the most effective arguments in policy advocacy is the economic argument. NITDA has declared that the NDPR process has led to the creation of 40000 jobs (This is yet to be independently verified) but the NDPR could have even done more numbers. Also, in NITDA’s defense, it has been holding a couple of stakeholder consultation sessions towards implementing the NDPR but this is like building on a faulty foundation. It’s high time somebody pointed this out. It is also important to look at the bigger picture and the original purpose for which a data protection legislation is required. Nigeria is moving into a digital identity terrain without a data protection law. It is unacceptable. Anyone who is abreast of policy development around data protection legislation globally will be worried by the politics that played into the data protection legislation process in Nigeria.
Data protection is a world on its own. For example the GDPR sets up national data protection commission headed by a commissioner in each country within the European Union to enforce the law. This reflects the pattern that has been adopted in many other countries. What NITDA has done is put a clog in the wheel of progress. Aside from the fact that a lot was already invested in the DPB process, the NITDA’s process hardly inspire citizens’ confidence or trust.
The good news, the Pantami Factor
NITDA as an agency didn’t enjoy much publicity or positive press before the appointment of Ali Isa Pantami PhD, (now minister of communication) as Director General. Many wrongly or rightly criticised the agency as being ineffective in promoting technology development in Nigeria. Pantanmi brought a different energy to the agency. He came as a scholar, young and quite vibrant with the ‘can do’ attitude. There was no doubt that life was injected into NITDA’s activities. While he held sway as DG, he introduced many initiatives as well as gave life to many of NITDA’s quiet activities. It is difficult to understand why NITDA under the leadership of Pantami will sabotage such rigorous process leading to the passage of the DPB to push its own agenda of asserting itself as a regulatory agency. However, there is good news. Pantami’s new role as Minister of Communication means he has supervisory role over a lot of agencies with an interest in the issues at stake including NITDA where he held sway until recently.
I believe this broader responsibility gives Pantami a broader view of the issues and equally puts him in the position to resolve the current quagmire that nobody wants to openly talk about. The Minister, as a duty to the nation may facilitate a stakeholder consultation session to address this challenge. The office of the Secretary to the Government of the Federation or the Ministry of Justice may also initiate this conversation. Stakeholders in the space including NITDA must sit at a roundtable and put this matter to bed once and for all. What Nigeria and Nigerians need and deserve is a law on data protection and not a regulation. There is no need being a neophyte when there are multiple existing best standards templates to run with. What NITDA has done has implications for trading between Nigeria and other countries. To facilitate data processing between Nigeria and other countries, the legal framework must have equal and the same level of enforceability. UNCTAD for example does not recognize that Nigeria has a data protection law despite NITDA’s regulation and this has implications for business beyond our borders. UNCTAD describes Nigeria as one country that does not ensure an adequate level of data protection. In this age, you do not do things that touches on internet governance in isolation, there has to be an approach that addresses concerns across the board. Many international, regional, national organisations were invested in the DPB process. They are now disappointed by what has become of the process in Nigeria. No need finger pointing, we should fix this.
Adeboye is an Internet Governance expert and tweets from @AdeboyeBGO