The double-edged sword of a decentralized approach to data protection legislation in Nigeria

Khadijah El-Usman

Personal information, often the subject of the right to privacy, is all over the internet today. This information, for the longest time, has been mined, shared, and used without recourse because of the “smoke screen” safety that the internet provides. Where people cannot physically see harm, they tend to feel a sense of safety. An example of this is how a person will not likely go to a stadium of 300 people to read out private text messages but will give the same information to their 300 followers on social media. Data protection as a field in law and human rights was born of the need to ensure that people and their information remain secure and that their right to privacy online is protected.

Data protection as a concept might on its own seem complicated, but it is most easily understood by approaching it through the lens of individual privacy. The right to privacy has been embraced by many countries since the Universal Declaration of Human Rights[1] and has been contextualized into national laws and values, including the Nigerian constitution. The right has been recognized as fundamental. That is to say that although there are many rights, certain rights are statute-protected by the constitution and the right to privacy generally is one of them. As digital technology and the internet become increasingly ubiquitous, these shifts towards the online realm have forced nations to go back and reevaluate how and where we define human rights: how they are violated, respected, and protected.

When the Nigerian Constitution outlined the right to privacy in Section 37 it read “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

This might have been appropriate in 1999, the year it was passed, but our technologically driven world has evolved to a point where this provision is not enough to protect online data. Sector-specific laws with privacy and data protection provisions exist, such as the Central Bank of Nigeria Act, the National Identity Management Commission Act and others. However, the current climate calls for dedicated legislation that addresses data protection online, and different government administrations have tried to fill this gap.

Noting the gap in specific legislation, there have been various attempts to enact comprehensive data protection legislation in Nigeria. These efforts are reflected in a number of measures that have come before Nigerian legislators in the past. Some of these are: the Privacy Bill of 2009, the Data Protection Bill of 2010, the Personal Information and Data Protection Bill of 2012, the Electronic Transactions Bill of 2015, the Digital Rights and Freedom Bill of 2015, the Data Protection Bill of 2016, and the Data Protection Bill of 2017, none of which have been passed into law. One of the attempts, the Data Protection Bill of 2019, was passed by the two legislative chambers and sent to the President, who ultimately rejected it, citing no rationale. Some progress was made when a draft bill was put together in 2020 and various stakeholders gave some input in the hopes that the bill would be presented sometime in 2021. However, in November 2021, the federal government put out a call for consultants to draft a new bill, suggesting that the anticipated draft bill for 2020 has now been abandoned.

Through the political and legislative struggle, a gap remained which the National Information Technology Development Agency (NITDA) tried to fill by issuing the Nigeria Data Protection Regulation (NDPR) 2019[2]. The scope of the NDPR is to govern all transactions involving the automated or non-automated processing of personal data relating to natural persons living in and outside of Nigeria. The NDPR is often referred to when the question of data protection online comes up in the country. However, the regulation does not cover many important aspects, which precludes it from filling the gap left by the absence of all-encompassing legislation. One such gap is in the jurisdiction of the NDPR, which can loosely be narrowed to banks and businesses.

Specifically, the regulation does not address the use of personal data by federal, state, or local government agencies or the agents processing data on their behalf “in the pursuit of national security, public health, safety, and order”. This wide caveat can cover every government activity, implying that regulation of data processed by government agencies is outside the purview of the NDPR.

A further look into the regulation will reveal that it does not address the investigation of criminal and tax offenses; the collection and processing of anonymized data; and more shockingly, personal or household activities that have no connection to a professional or commercial activity. This is to say that an individual has no right to seek redress under the NDPR for what they might consider a data breach.

For the first time in 2021, the lack of national legislation has led individual states to consider passing their own laws to regulate and protect the processing of personal information. As of November 2021, the Lagos state data protection bill had passed the first and second reading and had had its public hearing, where the general public was invited to provide input into the bill[3]. Lagos state has always set a legislative precedent in Nigeria, and this development might set the pace for data protection legislation, with other states following suit: a double-edged sword.

While this can be seen as a win for data protection advocacy and is the furthest a bill on this subject has gone since the Digital Rights and Freedom Bill in 2016, this approach also introduces serious complications for the furtherance of clear and rights-respecting data regimes across the country. For context, Nigeria has 36 states and the Federal Capital Territory, where the federal government operates. Each of those states operates as a semi-autonomous political unit with its own executive, legislative, and judicial arms of government. Each state has a total of about 4–16 million people. An average of 75,000 new businesses are registered all over the country each year, and as of 2020, there were over 41.5 million MSMEs operating in all 37 states. These numbers might provide some insight into how difficult it might be to navigate a system whereby each state passes different data protection laws and establishes its own data processing standards.

Businesses in Nigeria are registered under a federal agency called the Corporate Affairs Commission, allowing them to operate from anywhere in the country. This could mean businesses based in more than one state will need to operate with different rules or standards of data protection. The proposed law for Lagos state has a wide territorial scope that will bring organizations not located in Lagos within its regulatory purview. This could first cause a conflict with the jurisdiction of the NDPR and then with other data protection laws as they come up. Such potential conflicts can be seen in the Lagos Bill’s obligation to register with the State Regulator and renew annually, as well as the need for the authorization of the State Regulator to transfer data outside Nigeria. Again, imagine nationwide businesses with state branches registering and renewing in different states and needing state permission for a transfer of data that ordinarily demonstrates business synergy. Businesses and individuals will have jurisdictional conflicts in terms of contracts, applicable laws, and operationalization problems. In a country where a business must undergo additional registrations, checks and compliance to operate in any state, we can imagine the strain on data processors in particular.

It is established that the federal government itself, through its various agencies, is the biggest processor of personal data, operating nationally in all states on projects and databases like the National Youth Service Corps, Bank Verification Number, Federal Road Safety Corps, National Identity Numbers etc. One would ordinarily assume the NDPR regulates them as well, but as earlier noted the NDPR has a restricted scope in terms of regulating government-led data collection projects. As such, where states take control of how the data processed from their citizens is managed, it can promote a much needed level of accountability. This is because the federal government will most likely be responsible for implementing the new legislation and the agency that will come from it. The tendency to ignore its own shortfalls and focus on others is likely. A downside of states passing their own legislation, besides how cumbersome the process of compliance will be for agencies, may be that it downgrades data protection legislation as a national priority. This means that some states will have laws, others won’t, and for those who do the laws themselves will be lax. Certain states can be used to circumvent responsibility and act as safe havens for data breaches. If this standard subsists, then what happens to the data subject who needs a remedy in the event of a breach? Many might be left with no alternative or lose matters to technicalities such as jurisdiction.

A human-centric approach to data governance is essential when considering laws for a standardized set of data-protection rules as well as ethical considerations about the collection, keeping, and processing of citizens’ data. While governments’ intentions in enacting their own data protection rules may be good, the loopholes may leave citizens with the short end of the stick. In my opinion it would be most ideal to have a centralized law administered by a central agency with branches in all states to ensure uniformity.

Digital systems currently drive service delivery in the country for organizations, enterprises, and individuals in both the private and governmental sectors. Individuals’ personal data is inextricably required by digital systems. For this connection to work it must be one of trust, with information being shared and preserved, regulated, and protected from breaches. After all, we all need data protection legislation and that is why civil society organizations like Paradigm Initiative put our weight behind advocacy. So perhaps the real question is, what is stalling the process at a national level?

[1] https://www.un.org/en/about-us/universal-declaration-of-human-rights

[2] https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf

[3] A bill is a proposed law that is before a country’s legislative body for deliberation.

Khadijah El-Usman is the lead for Anglophone West-Africa at Paradigm Initiative with a focus on advancing Internet freedom and monitoring the legal and policy framework around the region, to ensure that citizens’ rights are protected online. She has managed projects on Women's Rights online, Global Disinformation, Data Protection, Digital Identity, Strategic Litigation and other issues under Paradigm Initiative's Digital Rights Unit. Before Paradigm Initiative, Khadijah gathered experience working in government, legal practice and in the private sector. She volunteers with Generation for societal change and is passionate about women's rights. Khadijah is a legal practitioner with an LL.B from the University of Abuja and a few years of well-rounded legal practice under her belt ranging from government organizations to civil society.