Safeguarding the New Oil: A Spotlight on Nigeria Data Protection Act 2023
- Collins Okoh
- June 21, 2023
- Data Protection
In recent digital-savvy times, data is considered the new oil. According to scholars like Clive Humby, data is likened to oil because data, especially big data, is the force behind the economic success of big companies today and, like oil, it is most useful after it is extracted and processed. Moreover, it defines new approaches to power play. The scramble to amass, commercialize, transfer, store, and process personal data has attracted greater attention from lawmakers. Consequently, there is a recent trend, especially in Africa, to institute and implement domestic data protection regulations.
Nigeria has not fallen behind in this tide. On Monday 12th June 2023, President Bola Tinubu signed the Nigeria Data Protection (Establishment, etc.) Bill, 2023 (the NDPA) into law. This principal statute marks a new era in Nigeria’s ever-mutable data protection regime and succeeds the Nigeria Data Protection Regulation (NDPR) of 2019. The NDPR was a subsidiary regulation instituted by the National Information Technology Development Agency (NITDA) to temporarily regulate the data protection space pending primary legislation. In addition to the NDPR, there were other regulatory instruments contained in cybersecurity and consumer protection laws regulating data protection, but none were comprehensive.1
This piece seeks to highlight and critically appraise the most notable feature of the NDPA, not in terms of its current efficacy but, understandably, based on its potential or lack thereof.
What is Salient?
The NDPA is lauded for several changes it makes to its predecessor regulations. However, the most notable development is the establishment of the Nigeria Data Protection Commission (the Commission);2 a corporate entity with a common seal and perpetual succession that can sue and be sued in its name. The establishment of the Commission is the most salient feature because of the Commission’s overarching role in protecting data subjects by ensuring that data processors and data controllers comply with the Act.
The Commission replaces the Nigeria Data Protection Bureau (the Bureau) which was established in 2022 by former President Buhari. The establishment of the Bureau was already a step in the right direction, but some stakeholders were sceptical about its scope of powers and duties. This is because the establishment was rushed and there was no major consultation with stakeholders. According to a critic, it ‘was only created by executive fiat’. Additionally, there were other sectoral regulators at the time, which raised the danger of overlap and amplified the need to spell out their functions.
NITDA and the Bureau were both established to protect personal data in Nigeria. NITDA is chiefly responsible for developing the rules and regulations, while the Bureau was responsible for enforcing them. The Bureau was also tasked with supporting the development of primary data protection legislation, which has now been completed.
The Bureau faced several challenges, including the lack of an enabling statute. The Bureau was created through an executive directive, which meant that it did not have the same legal authority as a body created by legislation. Also, since data protection is a residual function, there was speculation as to which body, the National legislature or the State legislatures, was responsible for enacting the enabling statute of the Bureau while preserving nationwide recognition of the Bureau. In other words, there were questions as to the constitutionality of the body.
Lastly, both NITDA and the Bureau lacked the degree of independence necessary for effective data protection. For example, the Bureau was a creation of the government, and NITDA is the ICT regulatory agency of the Federal Ministry of Communications and Digital Economy, which is a ministry under the government. The ministry supervises the affairs of NITDA.3 It is important to note that the government is one of the largest processors of personal data and needs to be held accountable for data breaches. However, efforts to realise this need for accountability will be futile in the absence of an independent body to impartially enact and enforce the necessary regulations.
The 2023 law was passed to address all issues highlighted above, especially through the Commission which would serve as the main administrative and regulatory body in the enforcement of data protection rules. The Commission replaces the Bureau and it has a broader mandate than the Bureau. This has led to some concerns that the Commission will duplicate the functions of NITDA and other sectoral regulators, or that it may lead to the institutionalisation of bureaucratic interplay among bodies.
The first key development under the NDPA is that the enabling statute is now clear, as it has been enacted by the national legislature. Similarly, the statute attempts to spell out the functions of the Commission,4 an effort that focuses on duties and powers but does not necessarily address overlap with bodies established under other legislation.
Section 7 of the NDPA guarantees the independence of the Commission on matters under the Act. The only available supervision is through judicial review, which any aggrieved party is mandated to pursue within 30 days after an order is made by the Commission. In line with this, the NDPA frowns upon conflicts of interest and other latent threats to its independence.5 It proposes a minimum fine of up to 10 Million Naira for such offences considered to jeopardise the impartiality of the Commission or to cause unfavourable personal gains to its members.
Scholars and practitioners tend to agree that data protection and compliance require the convergence of efforts among different bodies. The NDPA seeks to realise this consensus through the establishment of the Governing Council of the Data Protection Commission (the Council). The Governing Council is a platform for coordinated efforts and includes: ‘(i) the Federal Ministry of Justice, (ii) the ministry responsible for communications and digital economy, (iii) the Central Bank of Nigeria, (iv) a law enforcement agency; and (d) one representative from the private sector’. This is in addition to the chairman of the commission who shall be a retired judge, the National Commissioner, and a representative not below the rank of a Director or its equivalent.
The Council is critical for the operation of the Commission. It is the internal supervisory organ, and its decisions can have a significant impact on the Commission’s ability to carry out its mandate. However, this author is sceptical about the process of appointing or removing the members of the Council and the National Commissioner as it affects the independence aspirations of the NDPA.
The executive wields enormous power in the exercise of these two essential processes, which are to be exercised through the Minister for Communications and Digital Economy and the President. These two offices are in charge of recruiting and dismissing the members of the Council and the Commissioner, which means that they also have control over the Commission.6
This leaves little to no difference between the extant regime and the former regime, when the Bureau was heavily criticised for falling under the supervision of the minister. Indeed, a musical key that is out of place can be a beautiful mistake, but this chromaticism rather seems intentional and could thwart the positive aspirations of the NDPA. The independence of the Commission is questionable.
This author believes that the appointment and disqualification policies and practices presently contained in the NDPA can only be effective if government officials are not motivated by self-interest or abuse of public power. To mitigate the possibility of such abuse, the practices of other African countries like Kenya can be instructive.
Under sections 6 and 12 of the Kenya Data Protection Act of 2019 (Kenya DPA), the lawmakers position the Public Service Commission of Kenya at the forefront of both the recruitment and the removal of Commissioners. At the end of the preliminary phases of a recruitment exercise, the President is to appoint a Commissioner, subject to the approval of the National Assembly of Kenya. The involvement of the National Assembly affirms the supervisory role of the legislative arm of government and mitigates the consolidation of enormous power in the executive.
Furthermore, the Kenya DPA gives more details about the qualifications of applicants, the interview process, a mandatory timeframe of 21 days from the application date, publication of names of the shortlisted candidates, and submission of names for appointment.
Additionally, section 17 of the Kenya DPA protects the Commissioner and their officers from personal liability for acts carried out in good faith, thereby granting them immunity and strengthening their independence. However, there is no doubt that immunity can be a double-edged sword.
All these transparency and accountability measures are lacking in the extant Nigerian legislation. It is ludicrous to note that Nigerian lawmakers failed to re-affirm their oversight function in such appointments through the provisions of the NDPA. The NDPA is also silent on numerous factors that should inform the appointment or removal of the members of the Commission, such as those present in the Kenya DPA.
The goal of this author is not to bury the hopes of the NDPA and the Commission before they have a chance to blossom. Instead, this author aims to uphold the hope while also cautioning the vigilant against the murky waters that lie ahead. The establishment of the Data Protection Commission is an important development that must be meticulously designed. Personal data, as the new oil, is currently the most targeted ‘commodity’. It is very delicate and demands the utmost attention for effective protection.
The NDPA makes new promises through the Commission. However, there are remnants of the shortcomings of past attempts. This is most notable in the Commission’s lack of independence. Consequently, the author lays down caution and highlights possible remedies.
Notwithstanding, the enactment of the NDPA and the establishment of the Commission are good news and a step in the right direction. As part of the long-term goal, the lawmakers should be keen to include the Commission among the bodies established and protected under section 153 of the Constitution of the Federal Republic of Nigeria 1999 (as amended).
1 See also a list of other guidelines and frameworks, policies, and standards under NITDA administration: https://www.dataguidance.com/notes/nigeria-data-protection-overview 15 June 2023.
2 Section 4, Nigeria Data Protection (Establishment) Act, 2023.
3 Other agencies under the same ministry include: Nigerian Communications Commission (NCC), National Identity Management Commission (NIMC), Nigerian Postal Service (NIPOST), and others. See the complete organogram at http://fmcde.gov.ng/index.php/ministry-structure/?doing_wp_cron=1686872322.6056389808654785156250 15 June 2023.
4 See Section 5, Nigeria Data Protection (Establishment) Act, 2023.
5 Section 13, Nigeria Data Protection (Establishment) Act, 2023.
6 Sections 9, 11, and 14, Nigeria Data Protection (Establishment) Act, 2023.