Facilitating Privacy Compliance in Nigeria: Key Issues in the GAID Draft 2024

INTRODUCTION

Following the introduction of the widely lauded Nigeria Data Protection Act (NDP Act) in June 2023, Nigeria has made significant strides in privacy governance. These achievements include the enforcement of the NDP Act, resulting in substantial fines for major entities, such as the recent N555,800,000 penalty imposed on Fidelity Bank PLC by the Nigeria Data Protection Commission (the Commission), which equates to 0.1% of the bank’s 2023 revenue. This penalty serves as a stark reminder of the severe consequences of privacy violations and underscores the importance of strict adherence to data protection laws. Additionally, critical judicial rulings, such as in the case of Incorporated Trustees of Ikigai Innovation Initiative v. National Information Technology Development Agency, have influenced vital regulatory changes. This particular case led the Commission to halt cross-border data transfers under a Whitelist system, opting instead for a process of direct prior authorisation for such transfers.

Furthermore, the issuance of the General Application and Implementation Directive (GAID) Draft 2024 (the Directive) marks another significant development. The GAID Draft is a crucial document currently under review, with the latest update being a Validation Workshop held on the 21st of August, 2024. The Workshop, attended by key stakeholders—including legal professionals, policymakers, and data protection experts—provided a platform for in-depth discussions and feedback on the draft. This Directive is of utmost importance because it has the potential to steer uniform compliance with data governance in Nigeria.

Therefore, this article is a critical evaluation of, and commentary on, the most pressing concerns within the GAID Draft that demand the further attention of the draftsperson because of their ambiguity or their potential to cause inefficiencies. The author’s aim is not to undermine the document before it blooms but to provide constructive feedback in support of its goal of facilitating privacy compliance in Nigeria.

GLARING ISSUES IN THE GAID DRAFT

I. Reliance on Consent

Article 17 (8) of the Directive introduces the concept of constructive or implied consent. This concept suggests that data subjects are presumed to consent to the use of their images simply by participating in a public event. According to this provision, these images may be used in event reports, provided they are not for profit or commercial advertising without the data subject’s express consent. The Article also stipulates that a data controller in this situation must ensure that the images captured do not portray data subjects in a bad light. However, it does not define the term ‘bad light’.

The predominant challenge with this provision is that it portrays a skewed conception of consent. Consent is any freely given, specific, informed and unambiguous indication of the data subject’s will to a processing activity. Consequently, under best practices in privacy governance, there is no such thing as constructive or implied consent. Consent involves an overt act of the data subject. Hence, consent is either expressly given, and therefore present, or not expressly given, and therefore absent.

However, as an alternative to consent, there are other lawful grounds for processing personal data, one of which is legitimate interest. In the example cited under Article 17 (8), legitimate interest may form a ground for processing the images of attendees. Nonetheless, relying on legitimate interest calls for a Legitimate Interest Assessment (LIA), which obliges the data controller or processor to balance the interests of the data subject against the legitimate interest of the controller or processor. This balance is crucial to ensure that the rights and interests of all parties are considered.

Also, Article 17 (8) further provides that, in addition to other measures of duty of care, a data controller ‘may’ inform participants that images captured may be used for reporting, journalistic, or other purposes permitted by the NDP Act. The word ‘may’ implies optionality and portrays notice as a feature that can easily be discountenanced. This conclusion is confirmed by Article 53 of the Directive, which defines the word ‘may’ as merely advisory and not obligatory.

It is recommended that the Commission removes the notion of constructive or implied consent and instead emphasises legitimate interest in the circumstance cited. Equally, the Directive should clarify what constitutes ‘bad light’ and establish whether the assessment should be objective or subjective. This clarification is important because, for instance, while some individuals may be comfortable with photos of themselves eating in public, others might find such images embarrassing or offensive. Similarly, some may object to being photographed alongside individuals with, say, deeply differing ideological viewpoints. Additionally, more obligatory language in the provision is crucial, as the current use of the word ‘may’ is problematic and can lead to the inefficiencies explained above.

II. Cross-border Data Transfer

Article 18 (1) (e) of the GAID provides that consent is required before personal data may be transferred to a country that is not on the whitelist of countries published by the Commission from time to time. The Commission placed the Whitelist system in abeyance following the decision in Incorporated Trustees of Ikigai Innovation Initiative v. National Information Technology Development Agency, which challenged the merit of a few countries on the Whitelist. However, even if one were to assume that this provision is logical and practicable, and assuming the continued existence of the Whitelist system, Article 18(1)(e) stipulates that, upon the Directive’s enforcement, all cross-border data transfers from Nigeria would require the consent of the data subject. Whereas explicit consent is one of the lawful grounds for transferring personal data across borders, it is not a mandatory requirement, as evidenced by best practices such as Chapter 5 of the GDPR, which the NDP Act mirrors in Section 41(1)(a). The other options are Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), Codes of Conduct, and Certification mechanisms.

Hence, this part of the Directive may be received as overly restrictive, since it makes consent mandatory for every cross-border transfer. This is impracticable when the controller or processor seeks to transfer data involving a significant number of data subjects across the border—a recognised ground for exploring the other options referenced. Best practices recommend that the data subject be informed of the possibility of cross-border data transfer when data is obtained from them, but seeking consent is not mandatory when transferring data across borders.

Therefore, the use of the phrase ‘consent is required before personal data may be transferred to a country which is not in the whitelist’ is strict and problematic. The Directive could mention consent as one of the grounds but not as the sole ground for cross-border data transfer.

III. Justification for Data Retention

Article 21 (2) of the GAID Draft provides that where a contract did not materialise, any personal data collected relating to the data subject shall be destroyed within six (6) months unless there is a justifiable ground to archive the data for any future legal claim. A similar provision exists under Article 50 (4) of the Directive. This provision seems myopic. It provides solely for future legal claims as the ground for retaining personal data beyond 6 months. However, there are other justifications that best practices recognise, which the NDP Act adopts in Section 24(4)(b). Likewise, Article 39(2) of the GAID Draft highlights these other valid purposes for retaining data, and they include public interest; scientific or historical research purposes, or statistical purposes; exercise of the right of freedom of expression; compliance with a legal ruling or obligation; or where the data is necessary to perform preventative or occupational medicine and medical research.

Additionally, consent is a fundamental basis for retaining data beyond the specified period. For example, data subjects may consent to an employer or contractor retaining their information beyond the stipulated 6-month period in order to connect them with future opportunities if vacancies arise.

This part of the Directive omits all these considerable justifications. It could be more elaborate by referring to consent and the other viable grounds that do not involve the institution or defence of legal claims.

IV. Reliance on Legal Obligation

On reliance on legal obligation as one of the lawful grounds for processing personal data, Article 23 (1) of the GAID Draft states that a legal obligation means any one of the following: (a) a specific duty imposed by law; (b) an order of a court of competent jurisdiction; or, (c) a responsibility incidental to an obligation imposed by law to carry out an act which requires the processing of personal data.

The concern about this provision is that it leaves the interpretation of ‘any law’ and ‘courts of competent jurisdiction’ unqualified. Going by the extant provision under the Directive, any law from any part of the world can confer an obligation in Nigeria for data processing. While this is inclusive, it will likely be abused. Controllers and processors may seek refuge under obligations conferred by foreign laws to process data in Nigeria, which ought not to be the case. For example, under Article 6 (1) & (3) of the GDPR, the interpretation of a law that confers such an obligation is limited to European Union law or a law emanating from an EU member state to which the controller or processor is subject. This means that Nigerian law, or even a law from the United Kingdom (post-Brexit), cannot confer a legal obligation in the EU under the GDPR.

Therefore, it is recommended that the Commission defines the legal obligations relevant to data processing for Nigeria under this ground. To achieve this, the Directive needs to qualify the terms ‘any law’ and ‘court of competent jurisdiction’ by specifying ‘in Nigeria’ to provide necessary context and ensure the provision is clearly beneficial to the Nigerian legal landscape.

V. Notice to Employees

Article 31 (8) of the GAID Draft concerns internal sensitisation and privacy training. This Article recommends that a data controller or processor develop and implement a written policy for routine checks on compliance practices, which may be carried out without notice to employees.

On the one hand, it is in the best interest of the employer to carry out some routine checks and compliance practices without the employees’ knowledge. On the other hand, this does not go without certain provisos and caveats. Employees are natural persons whose privacy interests and rights are not foregone by their employment status. The law protects such interests.

Hence, there are instances where carrying out compliance practices without notice to the employees will result in a breach of the privacy rights of such employees, and therefore, a balance needs to be struck. To exemplify, executing a privacy compliance check without notice to the employees will be inappropriate if the company is operating under a Bring Your Own Device (BYOD) policy and culture. This is because the personal device of the employee will inevitably contain both their personal data and data related to their work (the company). Therefore, in such an instance, a notice will be appropriate.

The Directive needs to clarify such matters and give practical direction as to the standards the policies should anticipate, or model clauses that employers may adopt or aspire to. Specifically, it would be more beneficial to itemise some of the instances where notice may not be required or, more restrictively, to itemise the instances where notice must be given to employees—for instance, where the company operates under a BYOD culture.

VI. Categorisation of Data Controllers and Data Processors

To ensure proportionality of obligations across different levels of major data processing, Article 8 (4) of the GAID Draft classifies data controllers and data processors into three categories of data processing, namely: (a) Major Data Processing-Ultra High Level (MDP-UHL); (b) Major Data Processing-Extra High Level (MDP-EHL); (c) Major Data Processing-Ordinary High Level (MDP-OHL).

This is an excellent development by the Directive, as it allows for different expectations of different processors and controllers based on the volume of their processing activity. It is a laudable innovation that the NDP Act makes over the GDPR, because it is better structured than the purely risk-based approach that the GDPR prides itself on.

Articles 9 and 10 of the Directive are instructive on the registration process under each category, spelling out the fees to be paid, the relevant timelines, the obligation to file Continuous Audit Returns (CAR) under each category, etc.

The foregoing notwithstanding, the Directive is silent on the metrics that will be used to assess controllers and processors that fall under these categories. Likewise, the NDP Act is silent on the same. The metrics provided are too broad. They include factors like the number of data subjects affected, but lack specificity on how to determine this number or the impact on the economy. This makes compliance confusing for processors. However, one could assume that this omission is intentional, since the Commission already issued a Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance on the 14th of February 2024, providing the metrics for assessing each category.

It would be more effective for the GAID Draft to incorporate the Guidance Notice, as the GAID is a crucial document that should offer detailed guidance on complying with the NDP Act in Nigeria. The Directive could achieve this by including the content of the Guidance Notice. Although Article 8(5) of the GAID Draft intended to address this through Schedule 4, the draft instead uses Schedule 4 for the Data Privacy Impact Assessment Template, leaving the guidance unincorporated.

VII. Conditions on Household Processing

Article 6 (2) (b) of the GAID Draft provides that an individual who processes data solely for personal or household purposes shall respect the privacy of the data subjects and shall be held accountable for the conduct that puts the privacy of a data subject at risk. The listed risky conducts include ‘sharing or transferring personal data to any person or platform for any reason’.

It is impressive that the Directive and the NDP Act exempt household processing and only intervene when such processing goes against the fundamental right to privacy. However, it is bewildering to note that a transfer of any nature, to any person or platform, will generally be considered conduct that undermines the fundamental right to privacy of a data subject. This raises several questions. Does ‘any person’ include a member of the household? Does the Directive frown upon instances where the members of the household consent to such a transfer for a purpose known to them? Does ‘any platform’ include a database that is maintained at the household level? By the phrase ‘for any reason’, does the Directive bar household members from making choices about their data, provided that it is restricted to the household level? Aside from these being unanswered questions, such situations may not necessarily lead to a breach.

Consequently, the Directive needs to clarify the meaning of ‘any person or platform’. Perhaps it needs to state that such persons are external or that the transfer is for a reason not compatible with the household processing of the data involved.

VIII. Designation of a Data Protection Officer

Article 11 of the Directive, referencing Section 32 of the NDP Act, acknowledges that the Data Protection Officer (DPO) may be a staff member of the data controller or may fulfil their role under a service contract. Accordingly, Article 12 (8) anticipates that a DPO may fulfil tasks and duties other than those directly related to their designation as the DPO. Nonetheless, it cautions the data controller to ensure that any such tasks and duties do not result in a conflict of interest.

While this provision seeks to protect the DPO’s independence, the Directive also needs to address potential occurrences where the DPO could become overburdened or distracted by tasks external to their designated privacy protection responsibilities. If such situations arise, as is likely, the effectiveness of the DPO’s role could be diminished, rendering the designation redundant or less impactful.

Given the DPO’s essential status, the Directive needs to specify that due regard must be given to the DPO’s ability to perform their tasks effectively. This includes minimising non-data-processing tasks that could overburden or distract the DPO from their primary responsibilities.

IX. Certification of DPOs

Article 14 of the GAID Draft is dedicated to the credential assessment of a data protection officer. This Article provides that the Commission shall create a database of Certified DPOs designated by data controllers and data processors in furtherance of Section 32 of the NDP Act. It further states that the Commission shall carry out an Annual Credential Assessment (ACA) of DPOs to ensure that each DPO maintains the level of professionalism required to carry out their responsibilities towards safeguarding the rights and interests of data subjects as required under the NDP Act, relevant case laws, and any regulatory instrument issued by the Commission.

Nonetheless, the provision lacks clarity on who is authorised to certify DPOs. Article 53, which defines the term ‘duly certified’, states that certification must be issued by an institution accredited or approved by a competent authority in data privacy protection or educational services. Although this definition is inclusive, it is also overly broad, potentially leading to ambiguity. This means that, even after a DPO obtains certification, the Commission and its agents are still required to determine the certifying institution’s adequacy and the certificate’s sufficiency. This ambiguity could foster bureaucracy and invite corruption.

The Directive needs to be more specific on what amounts to adequate certification. For this, it could include a credit system. An exemplary reference is the schedule on pages 76 and 77 setting out the metrics for assessing a DPO. The second metric requires that the training leading to the certification of a DPO must be up to 40 hours. It is unclear why such pointers are omitted from the relevant articles of the Directive. Such clear metrics are beneficial. Likewise, the Directive could be more specific on a few competent authorities in data privacy protection or in educational services that are to accredit or approve the competent institutions that will in turn certify DPOs.

X. DPO Assessment Metrics

Schedule 3 of the GAID Draft, on pages 76 and 77, is dedicated to DPO Assessment. This schedule provides the metrics for assessing a DPO; however, there appears to be a discrepancy in the figures. The sum of the figures assigned to the four categories totals 60 (i.e. 15 + 15 + 20 + 10), yet the schedule erroneously states the total as 100. This discrepancy means that, unless corrected, each assessor will arrive at a score significantly below the expected threshold, thereby causing unnecessary delays and misunderstanding.

It is recommended that the draftspersons re-assess the figures and ensure that the total reflects the summation of the figures attached to each metric.

CONCLUSION

The GAID Draft represents a pivotal step in enhancing privacy protection in Nigeria’s data-driven economy. However, to ensure its full effectiveness, it requires adjustments that clarify ambiguities and address potential inefficiencies. By eliminating problematic concepts like constructive consent, refining provisions for cross-border data transfers, providing clearer guidance on data retention and employee privacy among others, the Directive can become a stronger tool for facilitating compliance with the NDP Act.

The recommendations provided in this article aim to sharpen the focus of the Directive, making it more aligned with global best practices while addressing Nigeria’s unique regulatory landscape. With these improvements, the GAID Draft has the potential to significantly bolster privacy governance, ensuring robust protection for data subjects and clearer operational guidelines for data controllers and processors—balancing business innovation with the protection of privacy rights.
