This page offers a high-level overview of the data protection landscape in Nigeria, including any relevant laws, the challenges in implementing those laws, political willingness, and ongoing advocacy efforts.
There is no exclusive statute governing data protection at this point in time. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019, under the NITDA Act.
The NITDA Act empowers the National Information and Technology Agency (NITDA) to issue guidelines to cater for electronic governance and monitoring the use of electronic data exchange. Deriving from this provision, NITDA then developed and issued the Nigeria Data Protection Regulation, 2019. A significant feature of the NITDA Regulation is that it is a data privacy and protection-specific body of rules as opposed to it being an ancillary provision in a legislation whose primary objective is not data protection.
Features of Regulation
The NDPR was passed with the objectives to safeguard the rights of persons to data privacy, to foster safe conduct for transactions involving the exchange of personal data, to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection. The NDPR also lays down data subject rights, the importance of consent in data processing, the responsibilities and obligations of the data protection officers, and the norms for an audit process.
Related Draft Legislations
Three bills concerning the same have been issued. These are the Data Protection Bill, 2020, HB504 and HB564 (HB stands for House Bills). It is uncertain which of these bills will eventually be passed. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019.
On 11 July 2019, the NITDA issued a draft version of the Nigeria Data Protection Regulation 2019: Implementation Framework (the “Draft Framework”). The Draft Framework focuses on the implementation of the Data Protection Regulation particularly in the areas of compliance and enforcement. The Draft Framework provides for the registration of Data Protection Compliance Organizations (DPCOs), who will provide auditing and compliance services for data controllers by the NITDA. Under the Draft Framework, the categories of persons who can be DPCOs include professional service consultancy firms, information technology service providers, Audit firms and law firms subject to certain qualifications. Its latest version is dated November 2020.
Although the NDPR is aimed at covering a “data protection” gap in Nigeria, the scope of application is very limited. It applies mostly to private sector organizations that deal with personal data and only has the power to impose fines. Some of the biggest data processors in Nigeria are Government agencies and no laws exist to particularly check and sanction any indiscriminate use of personal data.
Features of the Draft Bill
Of the three draft bills, the (Draft) Data Protection Bill, 2020, has provisions very similar to the NDPR. The Bill would apply to the collection, storage, processing and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means. However, Section 35 of the Bill would provide exemptions in situations of public order, public safety, public morality, national security, public interest, the prevention or detection of crime, the apprehension or prosecution of an offender, the assessment or collection of a tax or duty or of an imposition of a similar nature; or publication of a literary or artistic material. Generic terms such as “public safety and security” are often used by governments to justify usually unjustifiable actions.
The Bill provides that an independent Data Protection Commission may make regulations and guidelines to prescribe exemptions for the processing of personal data to assess a person’s suitability for employment by government or appointment to a public office. The 2020 draft bill was the most relevant of all previous attempts because it is the most recent, the one that seems to have more political will attached and varied stakeholder interests inputted. However in November 2021 the Federal Government called for consultants to draft a new bill.
Related and Sector-Specific Laws
The Nigerian Constitution protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication. Data privacy and protection are thus extensions of a citizen’s constitutional rights to privacy.
Other laws that contain sector-specific provisions for data protection include:
The National Identity Management Commission (NIMC) Act, 2007
The Child Rights Act (CRA), 2003
The Freedom Of Information Act, 2011 (FOIA)
Cybercrimes (Prohibition, Prevention Etc) Act, 2015 (CPPA)
Central Bank Of Nigeria Consumer Protection Framework, 2016 (CPF)
The Nigeria Communications Commission (Registration Of Telephone Subscribers) Regulations, 2011 (NCC Regulations)
The Credit Reporting Act, 2017 (CRPA)
Features of Enforcement
In enforcing the NDPR, the NITDA has its focus entirely on private institutions within certain sectors where the only sanctions are fines. Meanwhile,there is excessive personal data collection by the government that is yet to see the legal scrutiny of data protection principles.
Composition and oversight of the regulatory body
The National Information Technology Development Agency (NITDA), can be said to be the “self-appointed” data protection regulator in Nigeria. Its operations fall under the Ministry of Communications and Digital Economy, this means that the agency is not independent of the government. This means that the sanctions outlined under the regulation cannot be used against the biggest data controllers in Nigeria, which are other government agencies.
The NITDA has the mandate to create frameworks for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria. In line with this mandate, issued the Nigeria Data Protection Regulation (NDPR) in January 2019.
Predominant Hurdles In Implementation
The lack of independence of the NITDA is a major issue in proper implementation of the subsidiary regulation, given that the government collects large swathes of citizens’ personal data. Red-tapism, rigidity, centralization, excessive bureaucratic layers are an issue in every aspect of governance.
Furthermore, the proposed Draft Data Protection Bill, 2020 makes way for excessive government intervention and control.
Key National Issues in the Field
Chief among data protection issues in Nigeria is excessive government collection of biometric data. The Federal Road Safety Corps (FRSC) collects biometric data of individuals before issuing drivers’ licenses. The Nigeria youth service corporation (NYSC) collects biometric data for every Nigerian graduate of higher institutions who must undergo a mandatory youth service. The Nigerian Immigration Service also collects data for passports, while the Independent National Electoral Commission (INEC) has the data of people who apply for voters’ cards. Banks and, by extension, the Central Bank of Nigeria also harvest biometric data through the process of providing Bank Verification Numbers (BVN). Yet, the governance structure of data protection and privacy seems unreliable. Private sector actors handle data as well, however tech players in Nigeria are not operating on a large enough scale to be of concern yet.
An updated SIM card policy published by the NCC in May 2021 has highlighted that it intends to implement a Centralised Equipment Identity Register. This was dropped after a substantial public outcry against the idea.
It is worth mentioning that data protection does not rank high in political discussions, as in a developing country matters like electricity, job creation, water, affordable health care and housing are the most pressing.
Current Political Climate
The current minister of communications and digital economy has a considerable amount of control over once independent agencies like the NIMC, NCC and NITDA. There have been instances of the minister issuing directives to agencies under him on public social media channels like Twitter.
Data protection is a relatively new concept in Nigeria that is gaining more traction with time. With various government initiatives that have collected biometric data, new private actors and tech companies on the scene, data protection advocacy has become a necessity.
Current advocacy focus is on increasing awareness about data protection and pushing for the passage of the Data Protection Bill.
Lack of political will when it comes to implementing the Data Protection Bill, pervasive government interference in civil society work, and a restrictive bureaucracy stall advocacy efforts in Nigeria.