Keeping Up with the Dynamics: How has Nigeria fared in Data Protection so far?
By Musa Omayi Sandra :
Let’s begin with a story.
Oyiza downloads ‘BEAB’, a period tracking application from her phones Google Play store, because she finally got tired of her period coming unannounced each month. For her to use the application, she must provide her name, email address, date of birth, weight, amongst other information. She does this and clicks the ‘agree’ button, creating her account on the App. Sometime later; she opens one of her social media accounts and comes across a sponsored advert on how to deal with cramps and mood swing during periods. After some minutes of scrolling, she comes cross other adverts on the best contraceptives to use in case she has no intention of getting pregnant and the best sanitary pads in the market. By creating an account on the ‘BEAB’, her personal information is being used for targeted advertising without her express consent. This issue and more are what data protection laws seek to address.
It was laudable when on the 25th of January, 2019, Nigeria’s National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) to addressed data privacy and protection issues in Nigeria. The Regulation was introduced to raise the standard of data protection in Nigeria to meet with what is obtainable under the European General Data Protection Regulation 2016.
Prior to this, what Nigeria had were fragmented and industry specific regulations, amongst which are the; NCC Registration of Telephone Subscribers Regulation 2011, the Freedom of Information Act 2011, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, the Child Right Act 2003, the National Identity Management Commission (NIMC) Act 2007, etc.
However, the NDPR unlike these regulations currently boast of being Nigeria’s most comprehensive legislation on the protection of personal data. As a subsidiary legislation, it has the force of law and governs the control and processing of the personal data of natural persons residing in or outside Nigeria but of Nigerian descent. This means that all data processing transactions involving Nigerian data subjects, anywhere in the world, are covered by the Regulation.
The good and the bad: how we have fared
Before the NDPR, Nigerian courts were already tilting towards specific provisions on data protection and privacy. This was evident in Godfrey Eneye v MTN Nigeria Communication Ltd., where the Court of Appeal, dismissing an appeal and placing reliance on Rule 14(1) (b), (2), and (3) of the NCC Consumer Code, held that sharing a subscriber’s phone number with third parties without the subscriber’s consent amounts to a violation of the subscriber’s right to privacy. However, with the coming to force of the NDPR, it was expected that awareness and enforcement of data protection and privacy will increase.
Looking retrospectively to when the Regulation was released and currently, the Regulation has raised the consciousness and awareness level of Nigerians and stakeholders on the need to protect personal data. Owing to this, the Federal High Court on the 28th of June 2019, in an action brought by Incorporated Trustees of Paradigm Initiative for Information Technology & Anor., v National Identity Management Commission & Anor., affirmed the data privacy rights of Nigerian citizens and directed the National Identity Management Commission (NIMC) to improve on its data privacy and security systems in order to avoid a breach of citizens’ rights to privacy. According to the court, it is not enough to have lofty data security policies, but such policies must be implemented. This decision, coming months after the Regulation was issued created a level of awareness for the new law.
In the same vein, NITDA in creating awareness about the far reaching effect of the NDPR; hosted a public awareness program in January 2020 and expressed the need for strategic programmes aimed at increasing public awareness and support for the Regulation. According to the Agency, its sensitization and awareness effort has witnessed responding to over 2,500 enquiries and comments from within and outside Nigeria and the training of media executives, Data Breach Investigators and Officers, Data Protection Compliance Organizations, Start-ups and public servants etc.5 Despite this, the Agency admitted to public awareness being low at 54%, and stated that it needed to do more.
Investigation and Enforcement
With respect to the investigative and enforcement responsibility of the Agency, sadly, not so much has been done. The agency announced on 12th of July 2019 that it had begun investigating some entities including Banks, Fintechs, Telcos etc., who are in alleged breach of the data privacy rights of Nigerians. The agency also disclosed that the Nigeria Immigration Service (NIS) is also under investigation for alleged violation of Article 2.1(2, 3) of the NDPR over its disclosure on Twitter of personal details of a man who had supposedly damaged a consular office in London.
In October 2019, NITDA stated that it had begun investigating popular caller identity app, Truecaller, for an alleged breach of the NDPR because Truecaller supplements information provided by users with information from third parties flouting global best practice rule that users should be informed of the possible third-party processors that may receive their information and for what purpose. The Agency is also investigating Lagos Internal Revenue Service over an alleged breach of the NDPR through reliable information it obtained and duly confirmed that the 5 Peter Oluka, ‘NITDA discloses theme, events for national data privacy awareness week’ (TechEconomy, 23 January 2020) <https://techeconomy.ng/2020/01/nitda–discloses–themeevents–for–national–data–privacy–awareness–week/> accessed 15 September 2020.
LIRS published personal information of taxpayers in Lagos through a web portal address ‘https://lagos.pay.ng/TaxPayer’ which was gleaned by the general public.9
The Agency’s response to these investigations is a test of its preparedness to enforce the regulation and a warning to others of the effect of flouting data privacy in Nigeria. Yet, over the past year, the Agency is yet to impose any penalty or sanction for these violations.
This is perhaps why government agencies that should be at the forefront of data protection in
Nigeria are rather the culprits of data breaches. For instance, despite the Court’s directive to
NIMC to improve on its data privacy and security systems, the Commission on August 14th 2020, barely 48 hours after announcing its preference for digital identity cards and the release of the NIMC app, leaked personal data of Nigerians to the public.10 Similarly, Unity Bank exposed the data of over 53,000 job seekers on its job portal, while the Central Bank of Nigeria made a directive to commercial banks to share customers’ data with Fintech companies, without lawful authorization. These instances, show a lack of cooperation and awareness from government agencies as to the importance of protecting personal data and how proper and lawful authorization should be sought before data is processed in compliance with the NDPR.
- James Kwen, ‘NITDA says LIRS breaches Nigeria Data Protection Regulation’ (Business Day, 27 December 2019) <https://businessday.ng/news/article/nitda–says–lirs–breaches–nigeria–dataprotection–regulation/> accessed 15 September 2020.
- ‘National Digital Identity Card: NGO Seeks Injunction against NIMC for Data Breach and
Omission to Conduct Data Protection Impact Assessment’ (Lawyard, 17 August 2020) <www.lawyard.ng/2020/08/17/national–digital–identity–card–ngo–seeks–injunction–against–nimcfor–data–breach–and–omission–to–conduct–data–protection–impact–assessment/> accessed 15 September 2020.
As a result of these breaches, which evidences a lack on the part of NITDA to enforce data protection, judicial actions have been taken up by Non-Governmental Organizations and Digital Rights Lawyers.
Also, with respect to compliance with the Regulation, although 94 organizations in Nigeria have already begun compliance with the provisions of the NDPR by putting up data security measures and fulfilling other compliance requirements, 200 firms were granted an extension to by NITDA to submit their initial data audit reports while a number of organizations are yet to comply with the provisions of the NDPR. The cause of this slowness in compliance was due to the inability of some organizations to meet up with the timeframe set by NITDA to submit their data audit reports, being unable to afford the cost of compliance and also the delay of the NITDA in appointing Data Protection Compliance Organizations.
A Data protection Act
There is also, a lack of political will by the government to deliver a Data Protection Act to the country as past attempts to enact one has not received presidential approval. Although, despite its inadequacies, if the NDPR is enforced, it will duly protect personal data, but it does not adequately solve privacy concerns. This is perhaps why NITDA has published a draft Data Protection Bill 2020 and called for relevant stakeholders and the public to comment on the areas of shortcoming in the Bill. It is hopeful that this will sooner see the light of day in other to ease the inadequacies of the NDPR.
What can be done?
NITDA should as much as possible increase its awareness effort about privacy rights through social networks, radio and television. For other stakeholders including private organizations, there should be regular training, seminars, workshops and capacity building on the importance of data privacy. This awareness on data privacy and security should be raised from the human rights perspective.
Also, regardless of the inadequacies of the NDPR, and the need for an Act that addresses its shortcomings, measures should be put in place to first enforce and implement compliance with the NDPR rather than rushing to enact a new law.
Government agencies should be mandated to uphold the highest ideals of data management, should be sanctioned appropriately where breach occurs and enforcement of the NDPR by NITDA should be prompt, independent and impartial.
It goes without saying that bringing the NDPR to life by NITDA is a remarkable effort at protecting and improving data privacy in Nigeria. However, more than birthing the Regulation, the Agency must nurture it to reach its full potentials.
 National Information Technology Development Agency Act 2007, s6.
 Appeal No: CA/A/689/2013 (Unreported).
 Andersen Tax LP, ‘Nigeria: Federal High Court Affirms The Data Privacy Rights Of Nigerian
 Abdulaziz Abdulaziz, ‘COVID-19 escalates data breach cases – NITDA Director-General’
 Emmanuel Elebeke, ‘NITDA commences investigation on alleged breach of NDPR’ (Vanguard, 12 July 2019) <www.vanguardngr.com/2019/07/nitda–commences–investigation–on–allegedbreach–of–ndpr/> accessed 15 September 2020.
 Wole Olayinka, ‘The People v Big Tech: Nigerian takes TrueCaller to Court for Alleged
Violation of Privacy Rights’ (TechCabal, 30 September 2019)
 Peters Ifeoma, ‘Personal Data Breach: Digital Rights Lawyers Sue Unity Bank Plc.’ (DNL Legal and Style, 28 August 2020) <https://dnllegalandstyle.com/2020/personal–data–breachdigital–rights–lawyers–sue–unity–bank–plc/> accessed 15 September 2020.
 ‘Data Privacy: NGO Sues CBN on Directive to Commercial Banks to Share Customers’ Data with Fintech Companies’ (Lawyard, 10 August 2020) <www.lawyard.ng/2020/08/10/dataprivacy–ngo–sues–cbn–on–directive–to–commercial–banks–to–share–customers–data–with–fintechcompanies/> accessed 15 September 2020.
 Ridwan Oloyede, ‘Nigeria: One year of the Data Protection Regulation’ (DataGuidiance, February 2020) <www.dataguidance.com/opinion/nigeria–one–year–data–protection–regulation> accessed 15 September 2020.
 Olumide Babalola, ‘Who can legislate on data protection in Nigeria?’ (Lawyard, 14 August 2020) <www.lawyard.ng/2020/08/14/who–can–legislate–on–data–protection–in–nigeria–an–opinionby-olumide–babalola/> accessed 15 September 2020.
 ‘NITDA publishes draft Data Protection Bill 2020 for public comments’ (DataGuidiance, 20