The Implication of Data Privacy Laws on Business Operations in Nigeria

INTRODUCTION

Business forms part of the most important human activities as a means of livelihood for every individual. Being an economic activity, it is concerned with the production, distribution, and exchange of goods and services to earn profits by satisfying the unlimited wants of human beings. In the course of doing business, private data is usually exchanged between individuals and companies. Therefore, it becomes imperative to protect this data, as a breach can lead to serious issues for consumers and businesses.

Data is an integral asset for any business. As such, data privacy needs to be taken seriously. In today’s age, the biggest asset an enterprise holds be it a Brick-and-Mortar company, a Digital Commerce provider, a Cloud service provider, a Telco, an FMCG, or even a Government is the data of its customers and constituents.^[1]

The growth of the Internet has changed the world in many ways. Physical (traditional) operations and daily interactions have over time been supplemented, overshadowed, or supplanted by online versions riding on the back of developments in information and communication technology (ICT), and consequent migration into cyberspace[2]. ICT has become, within a short time, one of the basic building blocks of modern society, forcing and creating a culture of dependence on innovative technology.^[3]

This article seeks to evaluate the implication of data privacy regulations on business operations in Nigeria vis-a-vis the data privacy regulations across some jurisdictions.

OVERVIEW OF FOREIGN LEGISLATION ON DATA PRIVACY

Individual data and personal information are used while doing business by organizations, there is, therefore, a need for Government oversight and laws on how data is gathered and handled so that this asset can benefit our society at the same time protecting the individuals. To achieve this objective, almost all jurisdictions have laws and regulatory frameworks in place to address data privacy and protection when doing business.

A sneak peek into the various regulations across jurisdictions shows how credence is given to the protection of individuals with regards to the handling and processing of personal data. For example, we have the Data Protection Act (DPA) in the UK, the Netherlands, and Spain. Jurisdictions like Australia, Dubai, Hong Kong, Japan, and Singapore have Australia’s Notification Law (ANL), Dubai Data Law (DDL), Personal Data Privacy Ordinance (PDPO), Act on the Protection of Personal Information (APPI), and Personal Data Protection Act (PDPA) respectively. China has had a set of laws with far-reaching implications governing Data Privacy and Data Security. The successor of these laws and regulations in China is the Cyber-Security Law (CSL) which has been in force since June 2017. This Law regulates not only enterprise data security but also online speech and censures behavior that poses a threat to the Chinese government.[4]

In the US, on the other hand, there are several regulations on the handling of personal data. Laws like NIST 800-171, Health Insurance Portability and Accountability Act (HIPAA), US Federal Trade Commission Act (FTC Act), and Gramm-Leach-Bliley Act (GLB Act) coupled with state regulations like California’s Electronic Communications Privacy Act or New York’s General Business (GBS) Article 39-F and State Technology Law (STT) Article 2 forms the core self-regulatory framework that the industry complies with.[5]

The most laudable impact so far across foreign jurisdictions with regards to Data Privacy and Protection and how it affects business is the EU’s General Data Protection Regulation known as GDPR which came in force on May 25th, 2018. Even though it is an EU-centric law designed to harmonize data privacy laws across Europe while protecting the data privacy of EU citizens, it has thus far had far-reaching implications affecting anyone not only doing business with EU members but even with EU subjects in other jurisdictions. Today, it is arguably the single most impactful regulation affecting technology and non-technology businesses alike in the EU, the US, and the rest of the world.[6]

RELEVANT LEGISLATION ON DATA PRIVACY UNDER NIGERIAN LAW

In Nigeria, the most comprehensive statutory legislation on data protection is a subsidiary legislation made pursuant to the National Information Technology Development Agency Act, 2007 (‘NITDA Act’).[7] The National Information Technology Agency (NITDA) is empowered to develop guidelines/regulations for electronic governance and monitor the use of electronic data interchange in both the private and public sectors of the economy.[8]  The  NITDA according to Section 32 of the NITDA Act 2007 issued the Nigeria Data Protection Regulation 2019 (‘NDPR’) as subsidiary legislation to the NITDA Act 2007,[9] thereby making the Nigeria Data Protection Regulation 2019 (‘NITDA Regulation’) the specific body of extant rules regulating data privacy in Nigeria. Other legislation containing ancillary provisions on data privacy (general legislation or sector-specific legislation) include but are not limited to:

• THE 1999 CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA (AS AMENDED)

Section 37 of the 1999 Constitution protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations, and telegraphic communication. The import of this is that data privacy and protection is an extension of a citizen’s constitutional rights to privacy which a business organization has to uphold.

• CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT, 2015 (CPPA)

The main objective of the CPPA is to criminalize Cybercrimes in Nigeria. It imposes an obligation on mobile networks; computer and communications service providers to store and retain subscriber information for two years. Sections 14 and 16 prohibit dealing with data stored in a computer system or network in a fraudulent manner or for fraudulent purposes. Section 19 also requires financial institutions to protect data, while Section 12 prohibits the unlawful interception of electronic communications.

• CENTRAL BANK OF NIGERIA ACT, 2007

The Central Bank of Nigeria (CBN), in furtherance of its mandate to promote a stable financial system, issued the Consumer Protection Framework 2016 (CPF) which prescribes that consumer information must be protected from unauthorized access and disclosure.[10] To enable disclosure, financial services institutions are required to obtain the written consent of customers before their data may be shared with third parties for promotional purposes.

• THE NIGERIA COMMUNICATIONS COMMISSION (REGISTRATION OF TELEPHONE SUBSCRIBERS) REGULATIONS 2011 (NCC REGULATIONS)

This regulation as issued by NCC provides for the confidentiality of records of telephone subscribers maintained in the NCC’s Central Database. According to section 70 of the Nigerian Communications Act 2003 (NCA 2003), the NCC is empowered to make and publish regulations concerning multiple subjects including but not limited to permits, written authorizations, licenses, offences and penalties relating to communication offences.

Pursuant to the power vested on the NCC, the NCC issued the NCC Regulations applicable to telecommunications companies. Regulation 9 of the NCC Regulation provides that, in furtherance of the rights guaranteed by section 37 of the Constitution and subject to any guidelines issued by the NCC or a licensee, any subscriber whose personal information is stored in the Central Database is entitled to request updates;[11] to have the data kept confidential;[12] not to have subscriber information duplicated except as prescribed by the NCC Regulations or an Act of the National Assembly; [13]and to preserve the integrity of the subscriber’s information[14].

It should be noted also that, licensees must be obtained to utilise subscriber’s information in accordance with the law.[15] The regulations also provide that any release of the personal information of a subscriber must be subject to the consent of the subscriber or in accordance with the provisions of the Constitution of the Federal republic of Nigeria or any other Act of the National Assembly or the NCC Regulations as may be amended from time to time[16].

• THE CREDIT REPORTING ACT, 2017 (CRPA)

The CRPA provides the framework for credit reporting, licensing, and credit bureaux. Section 9 of the CRPA is to the effect that Data Subjects i.e., persons whose data are maintained by credit bureaux, shall be entitled to the privacy, confidentiality, and protection of their credit information subject to certain exceptions listed under section 9(2) to 9(6) of the CRPA.

• THE NATIONAL IDENTITY MANAGEMENT COMMISSION ACT, 2007

Section 26 of the Act mandates prior authorization of the NIMC before accessing data or information contained in the National Identity Database.

A REVIEW OF THE NIGERIA DATA PROTECTION REGULATION 2019 VIS-a-VIS ITS IMPACT ON BUSINESS IN NIGERIA

The objectives of the NDPR are to safeguard the rights of natural persons to data privacy, foster the safe handling of transactions that involve the exchange of personal data, prevent acts of manipulation relating to personal data, and ensure that Nigerian businesses remain competitive in the international marketplace through the adoption of legal and regulatory frameworks which secure personal data and meet standards of international best practices.[17]

The data protection provisions encompassed in the NDPR extend to all transactions regarding the processing of personal data irrespective of the means, all-natural persons residing in Nigeria or natural persons outside Nigeria who are citizens of Nigeria. The NDPR does not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, and contract for the time being in force in Nigeria or any foreign jurisdiction.[18]

Worthy of note is that any organization or business involved in the collection and processing of personal data should ensure it observes the specific, lawful, and legitimate purpose as consented to by a Data Subject i.e., owner of the data being collected and processed.[19]While engaging in business or any transaction, the conditions under which Personal Data of an individual would be deemed to have been lawfully processed are highlighted below:[20]

1. Where consent of the Data Subject has been procured;
2. Where the processing is necessary for the performance of a contract to which the Data Subject is a party;
3. Where it is required for compliance with a legal obligation which the Data Controller i.e., the person or body of persons who determine the purposes for which and manner in which Personal Data is being or to be processed, is required to discharge;
4. Where it is required to protect the key interests of the Data Subject;
5. Where it is required for carrying out a task in the public interest or in the exercise of an official public mandate imposed on the Data Controller.

There is the need to procure the consent from a data subject when engaging in business. The NDPR prescribes the circumstances under which consent may be extracted from a Data Subject.[21]

Whatever media through which Personal Data is being collected when doing business must be displayed simply and conspicuously in which the class of Data Subject being targeted can understand. The minimum requirements for such a privacy policy are as set out in the Act.[22]

PENALTY FOR DEFAULT

Any person or business found to be in breach of the privacy rights of any Data Subject under the NDPR shall, apart from other criminal liability, attract, with respect to Data Controllers dealing with more than 10,000 Data Subjects, payment of a fine of 2% of the annual gross revenue of the preceding year or payment of N10 million, whichever is greater; and with respect to Data Controllers dealing with less than 10,000 Data Subjects, a fine of 1% of the annual gross revenue of the preceding year or payment of ₦2 million, whichever is greater[23].

TRANSFER OF PERSONAL DATA TO A FOREIGN COUNTRY AND EXCEPTIONS

When persons, businesses, or organizations intend to transfer personal Data of Data Subject to foreign countries, the NDPR prescribes how the transfer is to be effected. The Honourable Attorney General of the Federation (HAGF) who supervises the observation of the provisions of the Regulation and conducting such transfers has to consider the following factors:[24]

1. That the foreign country provides an adequate level of protection;
2. The Legal system and enforceability of human rights in the foreign country;
3. The Effectiveness of supervising authority for data privacy in the foreign country;
4. The International commitments of the foreign country concerning the protection of Personal Data.

In the absence of a decision by the HAGF as to the adequacy of the above considerations, such transfers shall only take place where consent of the Data Subject has been secured; transfer is necessary for the performance of a contract or is required for the performance of a public interest purpose; or in the establishment, exercise, or defense of legal claims or in defense of the key interests of the Data Subject.[25]

It should be noted that Data Subject is entitled to be informed of appropriate safeguards for data protection, to request deletion of personal data in appropriate cases, and reiteration of the protection of fundamental rights as afforded by the Constitution of the Federal Republic of Nigeria.[26]

IMPLEMENTATION MECHANISM     

The NDPR established rules which govern the way the provisions of the Regulation should be implemented.[27]

All public and private organizations in Nigeria that control the data of natural persons must publish to the general public their respective Data Protection Policies within three months of issuance of the NDPR.[28]

Furthermore, a Data Protection Officer shall be designated by every Data Controller to ensure compliance with the provisions of the NDPR, and such Data Controllers are required to ensure continuous capacity building for Data Protection Officers.[29]

NITDA shall register and license Data Protection Compliance Organisations (DCPOs), which shall have responsibility for monitoring, auditing, training Data Controllers on its behalf.[30]

All organizations are required to, within six months of the issuance of the NDPR, conduct an audit of its privacy and data protection practices having regard to the provisions of the Regulation. Also, where a Data Controller processes the Personal Data of more than 1000 Data Subjects over six months, a soft copy of the summary of the audit mentioned above should be submitted to NITDA.[31]

Finally, on an annual basis, Data Controllers who manage the Personal Data of over 2000 Data Subjects over twelve months, shall no later than 15 March of the following year, submit a summary of the Data Protection audit in the manner specified by the Regulation to NITDA.[32]

EFFECTS OF THE PROVISIONS OF THE NDPR ON BUSINESS OPERATIONS IN NIGERIA

The milestone set by the NDPR is indeed a remarkable one. What this portends is that it provides confidence to all stakeholders, local and foreign, who seek to invest and do business in Nigeria that it has data laws comparable to any in the world.

The implication of this legislation, therefore, is to put every person or organization dealing with personal data of persons when doing business in Nigeria on their toes. In other words, such businesses or organizations are to ensure that they establish a data protection policy in their line of business and also ensure that all legal obligations are met to avoid breach of any privacy right.

The NDPR further guides organizations as to how they engage in business, and this include the following:

1. Ensuring that their policy considers the particular personal data needs of their business.
2. Establishing procedures for staff to follow when processing personal data. This is important as the defense of ‘due diligence’ can avail the business in the event of any complaint against them.[33]
3. Evaluation of the risk of suffering any security incident or breach.

CONCLUSION

Data is a valuable currency in this new world. With the NDPR, there is a transformational landscape that offers protection and privacy for the personal data of persons when engaging in business with organizations within and outside Nigeria. The regulation, therefore, seeks to put the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organizations.

With the current trend as to how individuals and corporations deal with personal data in their possession when doing business, provisions of the NDPR must be complied with to the letter and it should be effectively enforced.

Business organizations should note that compliance with the NDPR will not only aid in protecting the personal data of persons when doing business but also help in improving and maintaining the brand value of an organization. Compliance will give an organization a competitive advantage over its contemporaries, and it will also prevent loss of revenue for businesses.

The NITDA must be commended in its effort in ensuring that the provisions of the NDPR are effectively implemented and enforced. With the release of the NDPR Implementation Framework (‘NDPRIF) in November 2020, we hope that this document provides a robust framework for the implementation of the NDPR when doing business in Nigeria.

 FOOTNOTES:

[1]Data Protection and Privacy Regulations – Impact on Business Published on October 5, 2019 //www.linkedin.com/pulse/data-protection-privacy-regulations-impact-business-sohail-munir accessed on the 2^nd  of February 2022.

[2]https://www.mondaq.com/nigeria/data-protection/1020784/actions-beyond-the-nigerian-data-protection-regulations-npdr-2019 accessed 2^nd of February 2022

[3] A. E. Patrick, et al, ‘ICTs and Sustainable Development of Higher Education in Nigeria: Rewriting the Ugly Narrative’, Journal of Educational and Social Research Vol. 4 No. 1, p. 357.

[4] Data Protection and Privacy Regulations – Impact on Business Published on October 5, 2019 //www.linkedin.com/pulse/data-protection-privacy-regulations-impact-business-sohail-munir accessed on the 2nd of February 2022.

[5] Ibid.

[6] Ibid

[7] An extensive article on Data Privacy and Data Protection Law in Nigeria. Published on 9^th September 2020 https://inplp.com/latest-news/article/an-extensive-article-on-data-privacy-and-data-protection-law-in-nigeria/ accessed on the 20^th of February 2022.

[8] Section 6(c) NITDA Act 2007

[9] E. Gbahabo & O. Akpaibor International Comparative Legal Guide-Data Protection 2020; Nigeria: Data Protection Laws and Regulation 2020 (July 2020)

[10]Section 3.1(e) of the CPF 2016

[11] Regulation 9 (1) NCC (Registration of Telephone Subscribers) Regulations 2011

[12] Regulation 9 (2) Ibid

[13] Regulation 9 (3) Ibid

[14] Regulation 9 (4) Ibid

[15] Regulation 9 (5) Ibid

[16] Regulation 10 Ibid

[17] Paragraph 1.1 Nigeria Data Protection Regulations 2019

[18] Paragraph 1.2 Ibid https://www.scribd.com/document/557736695/Data-Protection-Law-in-Nigeria accessed 23rd of February 2022.

[19] http://www.alliancelf.com/data-privacy-and-data-protection-law-in-nigeria/accessed 23^rd of February 2022

[20] Paragraph 2.2(a-e) Ibid

[21] Paragraph 2.3 (1) & (2) Ibid

[22] Paragraph 2.5 (a) –(i) Ibid

[23] Paragraph 2.10 Ibid

[24] Paragraph 2.11 Ibid

[25] Paragraph 2.12 Ibid

[26] Paragraph 3.1 Ibid

[27] Paragraph 3.0(3.1) -(3.8) Ibid

[28] Paragraph 4.1 Ibid

[29] Paragraph 4.2 – 4.4 Ibid

[30] Ibid

[31] Paragraph 4.5 Ibid

[32] Paragraph 4.7 Ibid; http://www.alliancelf.com/author/admin/ accessed 23^rd of February 2022

[33]Https://www.bdbpitmans.com/insights/what-is-the-data-protection-act-and-how-does-it-affect-my-business/ accessed 24^th of February 2022.