EXTRATERRITORIAL ENFORCEMENT PROBLEMS OF SECTION 2 OF THE NIGERIA DATA PROTECTION ACT, 2023

By: Elolue, Bright

INTRODUCTION

The principle of sovereign equality of states under international law prevents states from overreaching their powers by attempting to stretch jurisdiction into another sovereign state. As an established principle of international law, the conventional means of law enforcement in a third country, such as investigation, seizure of assets and imposition of fines, can only be conducted with the permission and endorsement of that third country.[1] The extraterritoriality principle that was laid down in the Lotus Case[2] contradicts this established principle of international law. In that case, the Permanent Court of International Justice stated that a state, within its territory, is not prohibited under international law from exercising jurisdiction which relates to persons, property and acts outside of its territory. That is, states have the power to prescribe law extraterritorially.[3] This is exactly what section 2(2) of the NDPA seeks to achieve by stretching the application of the Act to foreign data controllers and processors who are resident, domiciled or operating outside the borders of Nigeria but processing personal data of data subjects in Nigeria. This, however, poses a huge problem of enforcement against such foreign data controllers and processors.

EXTRATERRITORIAL JURISDICTION OF THE ACT

SECTION 2(2) provides that the Act shall apply, where the —


(a) data controller or data processor is domiciled in, resident in, or operating in Nigeria;
(b) processing of personal data occurs within Nigeria; or
(c) the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria.

The terms “resident,” “domiciled,” and “operating” are not defined by the Act. However, the meaning typically attributed to these terms is to have a presence, (legal) establishment, or to engage in some activity within a particular jurisdiction.[4]

Jurisdiction Under International Law

Under international law, there are three types of jurisdiction, viz: prescriptive jurisdiction, adjudicatory jurisdiction, and enforcement jurisdiction.[5] Prescriptive jurisdiction refers to the authority of a State to prescribe rules. Adjudicatory jurisdiction refers to “the rights of Courts to receive, try and determine particular cases referred to them.” Enforcement jurisdiction refers to the authority of a State to enforce the rules it has prescribed and adjudicated.[6]

While the Nigeria Data Protection Act (hereinafter referred to as “the Act”) exercises prescriptive jurisdiction by the very letters of its provisions, the problem of adjudicatory and, much more importantly, enforcement jurisdiction becomes pronounced with respect to foreign data controllers or processors who are processing the personal data of data subjects in Nigeria.

Extraterritorial Jurisdiction: Legal Basis

The ‘extraterritoriality principle’ refers to the competence of a State to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.[7] Extraterritorial jurisdiction is the “ability of a state, via various legal, regulatory and judicial institutions, to exercise its authority over actors and activities outside its own territory.”[8]

The legal basis for extraterritorial jurisdiction has its foundation in the Lotus case.[9] In that case, the Permanent Court of International Justice laid down the principle that a state within its territory is not prohibited under international law from exercising jurisdiction which relates to persons, property and acts outside of its territory. That is, states have the power to prescribe law extraterritorially.[10] This is concomitant with the effects principle, which is itself an extension of the territoriality principle, and stipulates that a state may regulate behavior which takes place outside its territory insofar as it produces substantial effects within its territory.[11] This established principle apparently backstops section 2 of the NDPA. However, as shall be discussed shortly, the application of this principle comes with major challenges.

Challenges of Enforcing the Extraterritorial Jurisdiction of the NDPA

The following are identified as major challenges of enforcing the Act against foreign data controllers and processors who are not resident, domiciled or carrying on business in Nigeria.

  • Too broad criteria: Section 2(2) introduces an unrestricted criterion for the applicability of the Act to foreign controllers/processors. Specifically, paragraph (c) of the section provides that the Act shall apply to all processing by controllers/processors in respect of data belonging to data subjects in Nigeria. Therefore, as long as the data of a data subject in Nigeria is processed by a foreign entity, the Act shall apply as a matter of course. Due to its rather broad scope in terms of the processing covered under section 2, the NDPA will apply especially to the free services offered by Internet search engines and social networks, such as Google, Facebook, and email service providers. But it is doubtful how practical this provision is, especially as it may apply to other foreign companies whose websites are open to worldwide users but which neither specifically offer services that target Nigerian users nor generate revenue from Nigeria.

In Soriano v Forensic News,[12] a UK Court held that mere accessibility does not mean targeting. In that case, a U.S.-based magazine website was being accessed by users in the UK, although only about 5 per cent of all visitors to the website originated from the UK and about 75 per cent from the US. It was held that the newspaper was not oriented towards the UK “in any relevant respect”, and that only a handful of UK donation subscriptions were solicited “on an entirely generic basis”. Although this is a case decided under the GDPR with different provisions, it goes to show how data protection laws are being streamlined so that they do not apply on a general basis, especially with respect to foreign data controllers and processors.

  • Lack of de facto enforcement: The practicality of the extraterritoriality principle is largely a result of the influence that a state wields in relation to other states. This influence typically results from having bigger political/economic power. Thus, countries like the U.S and political/economic blocs like the European Union (EU) are able to influence other states by reason of their political/economic power. While the European Union GDPR suffers the same extraterritorial challenges as the NDPR[13], it is able to navigate those challenges by other means such as compelling compliance.[14] As noted by Kloth,[15] the European Single Market is the biggest market in the world[16], thus making it very likely that transnational companies will voluntarily subject their activities to the GDPR, as they want to retain access to the market. By this, “the EU is exploiting its market power to ‘de facto’ enforce the GDPR even towards third-country companies, by giving them the choice to ‘take it or leave it’”.[17] Therefore, as it affects their activities in the EU, data controllers or processors want to avoid reputational risk that would adversely affect their business or limit their access to the European market.
  • Lack of definition of terms: Words like “domiciled in”, “resident in” or “operating in” are not defined in the definition section of the Act, thus leaving their meanings to conjecture. This is especially problematic since these terms are capable of determining whether the Act applies to a data controller/processor or not. Unless these terms are clarified by the Court or by the Commission, the confusion surrounding them will persist.
  • Problem of imposing fines on income of NRCs: Another major problem of enforcement of section 2 of the NDPA is ascertaining the profits of defaulting foreign (non-resident) companies for the purpose of imposing penalties on their income. Section 48 provides that the Commission may order a data controller or data processor who has violated any provision of the Act or a subsidiary legislation made under the Act to pay 2% of its annual gross revenue in the preceding financial year. The challenge here is evident as it relates to foreign companies.

Firstly, the Act does not state whether it is the global revenue or the revenue derived from Nigeria (only) that the penalty shall be levied against. It is however more plausible that it is the revenue per jurisdiction that the Act contemplates, taking into consideration the concept of Significant Economic Presence (SEP)[18]. However, this position remains unclear.

Furthermore, most non-resident companies (or multinational enterprises) do not report turnover per jurisdiction. As noted by Onyeneke & Elolue[19], this problem becomes very much pronounced in the case of digital companies (i.e. companies providing digital services over the internet), which may not be registered in Nigeria. Therefore, ascertaining their gross income for the purpose of imposing fines could prove difficult, if not impossible.

Navigating the problem

The challenges identified with the enforceability of section 2 of the NDPA, though of grave concern, are not insurmountable. The following solutions have been identified.

  • The very broad criteria for application can be narrowed, directed or interpreted to apply specifically to data controllers or processors that target Nigerian users either by offering goods/services or by monitoring the activities of data subjects. By focusing on this category of data controllers or processors, compliance can be achieved since they would have their business interest to protect.
  • The Nigeria Data Protection Commission (the Commission) may want to consider alliances with data protection regulators from other jurisdictions to expand the enforcement reach of the NDPA. Unlike the U.S and the E.U, Nigeria does not wield much economic power to influence compliance with its data protection laws. However, a close alternative to de facto enforcement of the NDPA by reason of influence is the creation of reciprocal obligations with other states pursuing similar interests. In situations where alliances exist between States, extraterritorial compliance is possible. Therefore, the Commission can work towards establishing policy frameworks with other regulators that would see that the Act is enforceable in those countries and vice versa. For example, early in 2023, the Egyptian Competition Authority (the body responsible for consumer protection in Egypt) and the Nigerian Federal Competition & Consumer Protection Commission (FCCPC) signed a memorandum of understanding providing for cooperation between the two authorities on enforcement of competition regulations.[20]
  • Furthermore, making multinational enterprises register either as Nigerian companies or simply for tax purposes[21] is an effective way of extending the reach of the NDPA. Many of the big tech companies have subsidiaries in major European countries and these subsidiaries are usually held responsible for breach of data protection law committed by them or their parent company. The presence of an establishment (e.g. a subsidiary) makes enforcement easy against the foreign company. Where this is not the case, these foreign entities are more likely to treat the data protection laws with levity due to their revenue not being affected.[22]
  • Closely related to the point discussed above, foreign entities can be provided with voluntary compliance possibilities. This means that they are given the option to comply with data protection laws and continue access to the territory; or otherwise, lose access to the territory. This could be likened to drawing territorial borders in cyberspace.[23]

SUMMARY & CONCLUSION

The internet world of today continues to experience an increase in the flow of personal data from one jurisdiction to another, thus making it imperative for states to employ even overreaching measures to safeguard the personal data of data subjects. While most data protection legislation is effective in controlling the activities of local data controllers/processors, not being able to affect the behavior of foreign controllers and processors can effectively render data protection ineffective. It is thus important that data protection laws are able to impact the activities of foreign persons/entities that control/process personal data of data subjects. This appears to justify the extraterritorial reach of data protection laws, and, in this context, section 2 of the Nigeria Data Protection Act. Although the Act copiously provides for extraterritorial application, enforcement is greatly undermined by the limit of enforcement jurisdiction. Nevertheless, the strategies identified under recommendations in this article can go a long way in aiding the extraterritorial enforcement of the Act.

[1] Indriana Pramesti and Arie Afriansyah, Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesia, Advances in Economics, Business and Management Research, volume 130, 3rd International Conference on Law and Governance (ICLAVE 2019) 10.2991/aebmr.k.200321.012 accessed 30th August 2023

[2] France vs Turkey, 1927 (“Lotus”).

[3] Indriana Pramesti and Arie Afriansyah, Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesia, Advances in Economics, Business and Management Research, volume 130, 3rd International Conference on Law and Governance (ICLAVE 2019) 10.2991/aebmr.k.200321.012 accessed 2nd September 2023

[4] In business, domicile is deemed to be the place or country in which a business is registered or has been incorporated https://corporatefinanceinstitute.com/resources/wealth-management/domicile/ accessed 2nd September 2023; For tax purposes, a company is considered resident in Nigeria if such a company is registered or incorporated under the Companies and Allied Matters Act. This means that a company formed outside Nigeria under the laws in force in the foreign territory will be considered as a non-resident company for CIT purposes. https://taxsummaries.pwc.com/nigeria/corporate/corporate-residence#:~:text=A%20company%20is%20considered%20resident,resident%20company%20for%20CIT%20purposes accessed 2nd September 2023

[5] Alexandre Skander Galand, ‘Conceptions of Courts and Their Jurisdiction’ in ‘UN Security Council Referrals to the International Criminal Court,’ Chapter 1, pp 12-46  https://doi.org/10.1163/9789004342217_003 accessed 2nd September 2023

[6] ibid

[7] Oxford Public International Law: Extraterritoriality (ouplaw.com)

[8] Zerk, Jennifer A. “Extraterritorial Jurisdiction: Lessons for the Business and Human Rights Sphere from Six Regulatory Areas”, Corporate Social Responsibility Initiative Working Paper No. 59 (2010), p. 1 – 222. https://sites.hks.harvard.edu/m-rcbg/CSRI/publications/workingpaper_59_zerk.pdf accessed 5th September 2023

[9] France vs Turkey, 1927 (“Lotus”).

[10] Indriana Pramesti and Arie Afriansyah, Extraterritoriality of Data Protection: GDPR and Its Possible Enforcement in Indonesia, Advances in Economics, Business and Management Research, volume 130, 3rd International Conference on Law and Governance (ICLAVE 2019) 10.2991/aebmr.k.200321.012 accessed 5th September 2023

[11] Svantesson, Dan Jerker B. “Extraterritoriality and targeting in EU data privacy law: the weak spot undermining the regulation”, International Data Privacy Law, Volume 5, Issue 4 (2015), p. 226 – 234 https://doi.org/10.1093/idpl/ipv024 accessed 9 September 2023; Cedric Ryngaert, Jurisdiction in International Law, United States and European perspectives (PhD Thesis, Leuven 2007) 198 Jurisdiction in international law : United States and European perspectives – CORE accessed 5th September 2023

[12] [2021] EWCA Civ 1952

[13] It is thus noteworthy that the NDPA draws much of its provisions from the EU GDPR (which is a flagship law on data protection); and the provision of Section 2 that is under evaluation is similar to Article 3 of the GDPR. Article 3(2)(b) provides that the GDPR shall apply to the activities of an establishment of a controller or a processor in the Union as well as to establishments outside the EU offering goods or services to or monitoring the activities of data subjects in the EU.

[14] The effects principle is based on conduct performed outside the State but that has effects inside the State. See Svantesson, Dan Jerker B. “Extraterritoriality and targeting in EU data privacy law: the weak spot undermining the regulation”, International Data Privacy Law, Volume 5, Issue 4 (2015), p. 226 – 234. https://doi.org/10.1093/idpl/ipv024 accessed 9th September 2023

[15] Alexander Kloth, “One law to rule them all – On the extraterritorial applicability of the new EU General Data Protection Regulation” Völkerrechtsblog, 05 February 2018, doi:10.17176/20180205-094704 https://voelkerrechtsblog.org/one-law-to-rule-them-all/ accessed 19th August 2023

[16] According to the European Commission’s trade website, the EU doubles as the largest economy in the world and the world’s largest trading bloc EU position in world trade (europa.eu)  accessed 9th September 2023

[17] ibid

[18] The concept of significant economic presence (SEP) was introduced by the Finance Act, 2019 to expand the scope of Nigerian tax on foreign companies deriving income from their activities in the country, which were hitherto not captured in the tax net. The Order provides that a foreign company shall have an SEP in Nigeria in any accounting year where it derives 25 million Nigerian naira ($65,400) annual gross turnover or its equivalent in other currencies from any or a combination of certain digital activities. See Wole Obayomi and Victor Adegite, Insight: Taxation of Digital Economy in Nigeria—Significant Economic Presence, INSIGHT: Taxation of Digital Economy in Nigeria—Significant Economic Presence (bloombergtax.com) accessed 16th October 2023

[19] Chinyere Onyeneke & Bright Elolue, ‘Taxation of Non-Resident Companies Under the Finance Act 2021: Challenges and Opportunities’ (2022) https://www.zbw.eu/econisarchiv/bitstream/11159/525743/1/EBP085847429_0.pdf

[20] https://www.bremerlf.com/resources/egypt-and-nigeria-sign-mou-on-cooperation-in-antitrust-matters accessed 5th October, 2023.

[21] Pursuant to the Finance Act 2021, non-resident companies may be taxable entities. It has been reported that two of the tech giants, Amazon and Facebook, have registered for tax payments in Nigeria. See https://www.google.com/amp/s/sunnewsonline.com/amazon-facebook-register-for-tax-in-nigeria/%3famp

[22] The 2020 Twitter ban in Nigeria is a good frame of reference. In 2020 the Nigerian government banned Twitter. When the ban was lifted, one of the reported conditions for the lifting of the ban was the registration of Twitter as a Nigerian company. As of today, this writer cannot confirm that Twitter is a registered entity in Nigeria or that it is registered for tax payments.

[23] Kohl, Uta (2015), ‘Jurisdiction in cyberspace’, 10.4337/9781782547396.00011 Jurisdiction in Cyberspace | Request PDF (researchgate.net) last accessed 30th August 2023

 

About the Author: Elolue, Bright.
Phone number: 09063533831
Email: brightelolue95@gmail.com
Linkedin: Bright Elolue
