The Paradox of Control: Can Mandatory Registration Really Ensure Data Protection?

By: Dorcas Tsebee

Introduction

One of the novel provisions under the new Nigeria Data Protection Act is the mandatory registration obligation on data controllers and data processors of major importance. After the bill became law in June 2023, Nigeria officially joined other African countries like Kenya, Uganda, Mauritius, Rwanda, Ghana, Tanzania, and Egypt, among others, with mandatory registration requirements. Reasons adduced for registration include identifying those being regulated, acquiring legitimacy to process data, and building trust for consumers.[1] Registration is simply the process of filing an application[2] with the data protection authority in the countries that have made registration mandatory for data controllers and data processors. In these jurisdictions, entities cannot process data unless they are registered with the data protection authority. In addition to registration, some countries, like Uganda, Kenya, and Rwanda, have published a list of registered data controllers and processors, which is considered a valuable tool for promoting compliance with the law and building the confidence and trust of data subjects in the system. However, registration is not the sole metric for measuring compliance.

Registration of data controllers and processors under the Nigeria Data Protection Act 2023

Registration requirements are provided under Section 44 of the Act. It provides that data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Act.[3] To be registered under the Act, the data controller or processor shall notify the Commission of the following:[4]

  1. The name and address of the data protection officer (DPO);
  2. A description of the names of data subjects, the categories of personal data collected, and the number of data subjects concerned;
  3. The purpose of processing the personal data;
  4. A list of third parties with whom the data controller or processor will be sharing the data. With this provision, the data controller can identify who the data is shared with and the purpose of sharing;
  5. The name and address of the data processor or its representative;
  6. Any country to which the data will be transferred;
  7. A description of the potential risks involved in the processing of personal data and any security measures or safeguards adopted to ensure the protection of the personal data; and
  8. Any other information that the Commission may require during registration.

When a data controller or processor changes any information they provided to the Commission during registration, they must notify the Commission within 60 days of the change.[5] The Commission is expected to publish on its website a register of data controllers and processors of major importance who have successfully registered, which is similar to what is done in Mauritius, Kenya, and Uganda.[6] When a data controller or processor notifies the Commission that it is no longer a controller or processor of major importance, its name will be removed from the register.[7] The Commission reserves the right to exempt some data controllers and processors of major importance from registration if it considers registration unnecessary or disproportionate.[8] In addition, the Commission is empowered to prescribe registration fees and levies for data controllers and processors of major importance.[9]

Data controller and data processor of major importance

The Act defines “data controller or data processor of major importance” as a type of data controller or processor that processes personal data that is of a certain value or importance to Nigeria’s economy, society, or security.[10] In either case, the Commission prescribes or designates such a data controller or processor, as the case may be.[11]

The Act does not state the parameters or criteria for classification as a data controller or processor of major importance, but it does say that the Commission can set the number.[12] It remains unclear whether numerical thresholds will be introduced and what the objective parameters would be. Would a threshold count unique individuals over a period of time, and would it count only data subjects within Nigeria or global users as well?

Former state of play

Before the enactment of the Act, data controllers and processors were not required to register with the data protection authority. However, there was, and still is, a mandatory obligation to file an audit report for controllers within a certain threshold, and last year the Nigeria Data Protection Bureau (before the Commission was created) published a compliance notice that compels all data controllers in the country to submit certain documents before they are included on an “adequacy whitelist” to demonstrate compliance.[13] However, the adequacy list is yet to be published.

Data protection registration: a solution or a compliance facade?

According to the Office of the Data Protection Commissioner in Kenya, registration serves as one of the requirements for compliance with the data protection law and also a means of ensuring transparency in the data processing ecosystem.[14] The requirement for the registration of data controllers and processors in Nigeria is a new provision that will be regarded as an additional obligation when the provision is fully implemented.

Regulators have often argued that registration and identification of data controllers and processors aid in the regulation of their activities. However, there has not been any data or evidence to show that registration has led to higher levels of compliance in the countries that have already put it in place.[15] The imposition of a registration fee may also suggest that registration is a mere revenue-generating source for the data protection authorities.[16] Of the 11 African countries with a registration obligation, Rwanda is the only country that does not prescribe a registration fee. Another pitfall of mandatory registration is the potential for it to be misconstrued as full evidence of compliance, which gives a false sense of adherence. In Kenya and Uganda, for instance, controllers have published announcements regarding their registration, misrepresenting them as proof of compliance with the law as a whole.[17] A second issue is the classification of “importance,” which suggests an obsession with large players; if the digital lending ecosystem has taught us anything, it is that small players are capable of committing atrocities of legendary proportions.[18]

While organisations may mistake registration for evidence of compliance with the legal requirement, it is only one of many compliance obligations under the Act. For context, Tala, a digital lending company in Kenya, announced in September 2022 that it had been registered with the Office of the Data Protection Commissioner (ODPC),[19] but in October of the same year, the company was one of 40 entities the ODPC announced were under investigation for privacy violations.[20] Again, Worldcoin Foundation recently received an enforcement notice from the ODPC for failing to comply with the Data Protection Act, even though the organisation is a registered data controller under the Act.[21] This is similar to the fanfare that follows the announcement of submitting an audit report in Nigeria, where the controller may be failing in the most basic of ways; evidence of registration without a genuine effort to develop a functional privacy program is merely a checkbox exercise. In addition, failure to register does not preclude the regulator from exercising its oversight over unregistered entities. Furthermore, the Act does not adequately address situations in which individuals are data controllers or processors, or whether they are equally expected to register.

Conclusion

While registration may be essential for promoting legal compliance, transparency, and accountability in the ecosystem, it is also important to note that it is only one aspect of data protection law compliance. The regulator will do a lot of good by emphasising to controllers and processors that the registration requirement is only one of many steps required to build a good privacy program.

It is hoped that the registration requirement does not suffer fatigue similar to the audit process, where some organisations see the process only as a tick-box Olympics, without implementing the privacy program itself, and present the compliance seal as evidence of complete adherence to the law. The regulatory authority must also contribute to changing this mindset. Increasing awareness and halting the spread of misrepresentation can address this issue. Organisations that have successfully filed an audit report, for example, should refrain from using phrases such as “NDPR compliant,” because auditing is only one aspect of the compliance program. Similarly, taking the Worldcoin issue in Kenya as an example, registration does not forestall sanctions or fines for non-compliance with the data protection law, nor does it mean less oversight from the regulators.

[1] ‘FAQs on Registration – Office of the Data Protection Commissioner Kenya’ (Odpc.go.ke, 2019) <https://www.odpc.go.ke/register-data-controllers/> accessed 27 March 2023.

[2] Which contains the relevant information as specified by law.

[3] Nigeria Data Protection Act 2023, Section 44(1).

[4] Nigeria Data Protection Act 2023, Section 44(2)(a)-(h).

[5] Nigeria Data Protection Act 2023, Section 44(3).

[6] Nigeria Data Protection Act 2023, Section 44(4).

[7] Nigeria Data Protection Act 2023, Section 44(5).

[8] Nigeria Data Protection Act 2023, Section 44(6).

[9] Ibid, Section 45.

[10] Nigeria Data Protection Act 2023, Section 65.

[11] Ibid.

[12] Patience Aliu and Nkechi Udeze, ‘An Overview of Key Changes in the Nigeria Data Protection Act 2022’ (2023) <https://www.mondaq.com/nigeria/privacy-protection/1283496/an-overview-of-key-changes-in-the-nigeria-data-protection-Act-2022> accessed 16 March 2023.

[13] Nigeria Data Protection Bureau Compliance Notice (2022) <https://www.ndpb.gov.ng/Files/N638013317079274503.pdf> accessed 16 March 2023.

[14] ‘FAQs on Registration – Office of the Data Protection Commissioner Kenya’ (Odpc.go.ke, 2019) <https://www.odpc.go.ke/register-data-controllers/> accessed 16 March 2023.

[15] Ridwan Oloyede, ‘Data Protection Compliance: When it’s a Tick-Box Olympics and a Race to Nowhere’ (2022) <https://ridwanoloyede.com/data-protection-compliance-when-its-a-tick-box-olympics-and-a-race-to-nowhere/> accessed 13 March 2023.

[16] Ridwan Oloyede, ‘The New Data Protection Act in Nigeria’ (LinkedIn.com, 2022) <https://www.linkedin.com/pulse/new-data-protection-Act-nigeria-ridwan-oloyede-> accessed 13 March 2023.

[17] ‘LinkedIn’ (Linkedin.com, 2023) <https://www.linkedin.com/posts/iotec-limited_iotec-pdpo-certificate-activity-6916782117741862912-89yB/?originalSubdomain=ug> accessed 29 March 2023; ‘Tala Receives Nod to Act as a Data Controller in Kenya – Capital Business’ (Capital Business, 7 September 2022) <https://www.capitalfm.co.ke/business/2022/09/tala-receives-nod-to-act-as-a-data-controller-in-kenya/> accessed 29 March 2023.

[18] ‘Inside the Pervasive Practice of LendTechs in Nigeria’ <https://ikigaination.org/wp-content/uploads/2021/08/lendtech.pdf> accessed 29 March 2023.

[19] Ibid.

[20] Kepha Muiruri, ‘Tala, Branch among 40 Digital Lenders Flagged for Personal Data Breaches’ (Citizen Digital, 5 October 2022) <https://www.citizen.digital/business/data-protection-body-auditing-40-digital-lenders-over-privacy-breach-claims-n306878> accessed 29 March 2023; Antoaneta Roussi, ‘Kenyan Borrowers Shamed by Debt Collectors Chasing Silicon Valley Loans’ (Financial Times, 10 September 2020) <https://www.ft.com/content/16c86479-e88d-4a28-8fa4-cd72bace5104> accessed 29 March 2023.

[21] Copy of ODPC Decision.