Ten Priorities for the Nigeria Data Protection Commission under the New Data Protection Act
After almost two decades, Nigeria has finally enacted its long-awaited Data Protection Act (the “Act”). The new law represents a significant opportunity for the country to harmonise its long-fragmented regulatory landscape. The Act, which builds on the four-year-old Nigeria Data Protection Regulation (“NDPR”), clarified some ambiguities and confusion that plagued the NDPR and added new provisions not previously covered by the NDPR. For example, the new law provides for fairness, transparency, and accountability principles omitted under the NDPR. It also included more explicit provisions for the protection of children, such as an age-verification requirement, legitimate interest as a lawful basis for data processing, the obligation to notify data subjects when data is not collected directly from them, more precise provisions for conducting data protection impact assessments, creating lawful bases for processing sensitive personal data, and more comprehensive data subject rights, among other novelties.
The new law has also resolved a previously contentious point regarding the legitimacy of the Nigeria Data Protection Bureau’s (the “Bureau”) establishment. Before the Data Protection Act was enacted, there were concerns about the Bureau’s legitimacy, given that it was created through a ministerial directive. It had been approved by the former president to enforce a regulation it did not create. This occurred without the former agency, the National Information Technology Development Agency (NITDA), formally amending the NDPR to transfer its powers to the Bureau, which had raised questions in the past. The enactment of the new Act has now provided the much-needed legal basis for the Bureau’s operations, alleviating these concerns. Despite the notable advancements in the new Act, it is not without its imperfections. We have explored some of these issues in depth in our prior discussions, which can be revisited here and here.
However, for the Act to operate effectively, the Nigeria Data Protection Commission (NDPC) must take definitive steps. Here are ten priorities we recommend for the NDPC under the new Data Protection Act:
- Issue a Directive on the Role of the NDPR: An immediate task for the NDPC should be to quickly shed light on the continuing significance and role of the NDPR. This clarification will guarantee that businesses comprehend their regulatory responsibilities as we transition from the NDPR to the new Act. While the Act provides that the NDPR will persist as long as it does not contradict the Act, it is essential to promptly clarify, for example, the status of audit requirements, the list of whitelisted countries, and other rolling issues to prevent any potential confusion.
- Publish an Executive Regulation: The Commission should promptly publish an executive regulation to explain the Act’s more complex or confusing provisions. This would extend much-needed clarity to organisations and individuals impacted by the Act. A considerable part of the law relies on the NDPC stipulating a regulation concerning its operational procedures. For instance, the effectiveness of the provisions relating to international data transfer significantly depends on such a regulation. The obligations of data controllers/processors of major importance, and the compliance filing obligations of data controllers/processors depend on the publication of an executive regulation. To prevent regulatory ambiguity and ensure the successful execution of the Act, we suggest that the NDPC publish an executive regulation without delay.
- Publish Thematic Guidelines: Given the track record of data protection regulators in Nigeria in issuing guidelines and guidance documents, it has become increasingly important to re-emphasise this point. In the first three years of the NDPR, NITDA only published two instruments on data protection, the implementation framework and the guidelines for public institutions. For instance, it took 22 months for NITDA to publish the final version of the implementation framework (from January 2019 to November 2020). In one year of the NDPB, it published one FAQ. To provide some perspective, the Kenyan authority, established in November 2020, has published five guidelines, one regulation, and one framework. The NDPC must provide comprehensive guidelines on various thematic areas covered under the Act to make it easier for all stakeholders to understand the new legal landscape. For example, they may address niggling thematic areas like data protection impact assessments, the use of CCTV, data protection by design and default, artificial intelligence, and international data transfers, among other pressing issues.
- Develop a Self-Assessment Toolkit: The Commission should produce self-assessment toolkits to facilitate compliance. These would empower businesses to gauge their adherence to the Act and implement necessary measures. An easily achievable step would be to create a self-assessment tool specifically for organisations that have already implemented the NDPR, helping them to understand their new obligations under the Act.
- Publish a FAQ Document: As we transition from the NDPR to the new Act, the NDPC should make the process smoother by releasing a list of Frequently Asked Questions (FAQs). As one can expect a flurry of inquiries in the upcoming weeks, an FAQ list will provide ready responses to prevalent questions, ensuring businesses can easily understand the basics of the new law. The Commission should aim to publish this FAQ document within the next quarter and ensure it is drafted in clear, understandable language.
- Strengthen the NDPC Team: The Commission should focus on hiring and training individuals with a broad spectrum of skills and expertise, amplifying its ability to administer the Act effectively. While comprehension of law is fundamental, the vast domain of data protection demands a broader skill set that spans engineering, information technology, and cybersecurity, to name a few. For instance, legal knowledge alone would not suffice for an inquiry or enforcement action addressing purely technical issues. Similarly, drafting guidance on specific technology usage necessitates an understanding beyond conventional legal insight.
- Improve Transparency: The NDPC should commit to maintaining transparency in its investigative and decision-making procedures. Doing so would cultivate trust and promote an atmosphere where data protection principles are respected and adhered to. For instance, they could develop a system for data subjects to monitor the progress of their complaints from the point of reporting to resolution. Addressing unresolved complaints, a notable criticism during the enforcement of the NDPR, would significantly enhance the Commission’s reputation and effectiveness.
- Foster Inclusive Stakeholder Engagement: The Commission should endeavour to involve all stakeholders more comprehensively. This should encompass even those stakeholders whose perspectives might not align with the Commission. This approach will help instil a culture of compliance and stimulate the creation of best practices in data protection. From civil society to academia, data protection advisors, policy trackers, and even data controllers and processors, the Commission should engage the entire ecosystem and carry them along in policy-making. In doing so, it should also not be performative engagement where “the stakeholders will have their say, but the regulator will have its way.” For instance, one suggestion made during the exposure draft of the bill was to include a civil society representative on the NDPC board to foster a more multifaceted approach to data protection; unfortunately, this recommendation was not incorporated into the final law. Civil society plays a crucial role, and its input should not be overlooked.
- Leverage International Collaboration: The Commission should shape its strategy for international cooperation mechanisms to solidify the global recognition of Nigeria’s data protection framework. Considerations could include acceding to international agreements such as the African Union Convention on Cyber Security and Personal Data Protection and the Council of Europe Convention 108. The Commission can also learn from other African data protection authorities that have strengthened their collaborative efforts through partnership agreements. Lastly, the Commission should contemplate joining international bodies such as the Global Privacy Enforcement Network and the Global Privacy Assembly.
- Encourage Research: The NDPC should champion research and development in data protection. Such initiatives should encompass collaborations with academic institutions, research bodies, private enterprises, and non-governmental organisations. Engaging in research allows the Commission to stay abreast of evolving trends and technologies, comprehend potential challenges and risks, and devise innovative strategies for regulating data protection. High-quality research can also augment the Commission’s understanding of technology’s impact on individuals and society. The insights garnered from such research will enable the Commission to facilitate an implementation of the law that is better rooted in evidence and deeper understanding. For instance, the prevalence of generative AI begs for intervention, but any meaningful intervention is impossible without research, impact studies, and an understanding of the technology.
In addition to the priorities already outlined, the NDPC must stay alert to the swift technological advancements and remain one step ahead, revising and updating its regulations to keep them relevant, pragmatic, and capable of responding to emerging trends and challenges in the digital age. Recently, the Commission unveiled an exposure draft of its four-year strategic roadmap and action plan, setting forth ambitious objectives. The Commission’s eventual success or potential shortcomings largely depend on its dedication, resource allocation, and operating autonomy. Introducing the new law marks a critical milestone for Nigeria, but it is only the beginning of a long journey. The journey does not end with the passage of the Act; in fact, the journey is just beginning. The Commission’s preparedness to implement the Act must align with international best practices, and the ability of the Commission to respond quickly to future shifts in the digital and data landscape is equally important. We are excited about what the future holds for data protection in Nigeria, especially with the Act, and we look forward to engaging with the Commission and other stakeholders to ensure proper implementation of the Act.