Whither the NITDA Data Protection Guidelines 2017?
By: Chukwuyere Ebere Izuogu
Towards the end of 2017, the National Information Technology Agency (NITDA or the Agency) released the draft Data Protection Guidelines 2017 (the Guidelines), and in the first quarter of 2018 it solicited comments on them. According to NITDA, the Guidelines seeks to guide all organizations or persons that control, collect, store and process personal data of Nigerian residents and citizens within and outside Nigeria, and to prescribe minimum data protection requirements for the collection, storage, processing, management, operation and technical controls for information in this category. Although Nigeria has yet to enact a data protection statute of general application, the Guidelines is no doubt timely and a welcome development, considering that the US state of California’s Consumer Privacy Act and the EU’s General Data Protection Regulation (GDPR), both ambitious pieces of data protection legislation, were respectively enacted and made effective in 2018.
In this opinion piece, I summarize the main features of the Guidelines together with any corresponding deficiencies, then examine the statutory basis for the Guidelines, and finally offer my conclusions with recommendations on how a broad-based data protection statute may best be enacted for Nigeria. This opinion piece is not intended to be a comprehensive review of the Guidelines.
Main features of the Guidelines
Material and territorial scope
Section 4 of the Guidelines sets out the categories of persons covered by its provisions: persons based in Nigeria, including but not limited to data controllers, data administrators and data subjects; persons based outside Nigeria if they process personal data of Nigerian residents and citizens; and the collection, accessing and processing of personal data, whether wholly or partly by automatic or non-automatic means. It is pertinent to note that even though this section does not expressly mention a “data processor” as being subject to the Guidelines, the reference to “including”, together with the “processing of personal data” by a person who acts as a data processor, is sufficient to trigger the application of the Guidelines and bring that person within its scope. It is also pertinent to note that the territorial scope of the Guidelines extends beyond Nigeria to persons based outside Nigeria so long as they process personal data of Nigerian residents and citizens. In my view, it is immaterial whether the processing was done outside (or inside) Nigeria, or whether the Nigerian citizen was physically present in Nigeria at the time of the processing.
Definition of personal data
The Guidelines defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others”. This definition is consistent with the definition of personal data under the GDPR and the case law of the EU.
Data protection principles
The Guidelines contains robust data protection principles similar to those in the GDPR, namely: purpose specification, requiring that the purpose for which personal data is processed must be communicated to the data subject (Sections 6 – 7, Section 15 (a)); data minimization, requiring that only personal data required for the purpose for which it was obtained should be collected and/or processed (Section 8, Section 15 (c)); a right of rectification enabling data subjects to update their personal information (Section 9); a right of access enabling data subjects to obtain a copy of their personal data in the custody of a data processor (Section 10, Section 17); data security, requiring the adoption of cybersecurity measures to protect the personal information processed (Section 11, Section 18); restrictions on the cross-border transfer of personal data unless the recipient country has data protection legislation, there is a contractual arrangement for the protection of personal data between the data controller and the recipient organization, or the consent of the data subject is obtained (Section 12); accuracy, requiring that persons who process personal information take steps to ensure its accuracy (Section 15 (d)); retention, requiring that personal data be processed for no longer than is necessary (Section 15 (e)); fair and lawful processing, requiring that a lawful basis exist for processing personal data (Section 16); a right of erasure for data subjects (Section 17 (d)); and data portability, enabling data subjects to transmit their personal data to another processing system (Section 27).
Specific types of processing relating to special categories of data
The Guidelines sets out the particular circumstances in which the processing of sensitive personal information is permitted. In this regard, Section 14 prescribes the conditions for processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
Section 28 of the Guidelines establishes the elements to be taken into account when assessing the adequacy of the level of protection in another country: the level of protection shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, with consideration given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the rules of law, both general and sectoral, in force in the receiving country, and the professional rules and security measures complied with in that country, which should not be lower than the content of the Guidelines. The Guidelines makes it clear that where personal data is to be transferred from Nigeria to a third country, that country’s level of protection shall not be lower than that specified in the Guidelines.
Enforcement mechanisms and penalties
Section 33 of the Guidelines states that “the enforcement of these Regulations shall be by the ‘Relevant Authorities’”. The interpretation section of the Guidelines defines “Relevant Authorities” to include NITDA or any other statutory body. It is therefore unclear whether a statutory body also includes a law enforcement agency created by statute, and which particular relevant authority is the lead data protection authority.
It is also pertinent to state that although the Guidelines tasks both NITDA and other “Relevant Authorities” with monitoring and enforcing compliance with its provisions, it creates neither an enforceable right of redress for the data subject nor an adjudicatory process in which redress may be sought. In addition, the Guidelines is silent on the compensation and/or fine that will apply where personal data is processed in violation of its provision(s). In my opinion this is very important in any data protection framework, in order to ensure compliance and to deter violations.
The statutory basis for the Guidelines
Now I turn to the statutory basis for the Guidelines. It is an elementary principle of law that any exercise of rule-making power by an administrative agency must be legitimate, that is, it must rest on a statutory grant of authority (see Olanrewaju v. Oyeyemi (2001) 2 NWLR (Pt.697) 229). In issuing the Guidelines, NITDA purportedly relied on Section 6 of its enabling Act (the NITDA Act) as the source of its power to issue guidelines on data protection. As an initial matter, Section 6 of the NITDA Act contains elaborate provisions that spell out the statutory functions of NITDA, running from (a) through (n). However, none of these provisions expressly mentions the phrases “personal identifiable information”, “personal data”, “data protection”, “privacy” or “protection of personal data” cited by NITDA in the preamble to the Guidelines, nor do they expressly mention any variation of these terms or equivalent terms.
In construing Section 6, it is important to note that the primary rule for interpreting laws in Nigeria is the literal rule of construction, whereby the words used in a statute are given their ordinary and natural meaning. The reason for this is that the literal rule of construction without doubt expresses the intention of the legislature in enacting a law (see Ugwu v. Ararume (2007) 12 NWLR (Pt.1048) 365). According to the Court in PDP v. INEC (2014) 17 NWLR (Pt.1437), “The cardinal principle in the interpretation of statutes is that the meaning of a statute or legislation must be derived from the plain and unambiguous expressions or words used therein …. The literal rule of interpretation is always preferable unless it would lead to absurdity and inconsistency with the provisions of the statute as a whole”. The Supreme Court of Nigeria in 2017 reaffirmed the literal rule in Skye Bank v. Iwu (2017) LPELR-42595 (SC), stating in clear terms that “The law is also well established that interpretation of statutes should always be given its ordinary meaning” and that “where [a statutory provision] is clear, unambiguous and to the point, any addition or subtraction [in its interpretation] will be sequel to introducing an illegal back door amendment” [emphasis added]. It is settled law that an administrative rule cannot expand the provisions of the substantive statute; it must remain within the authority derived from the enabling Act (see Olanrewaju v. Oyeyemi supra).
From the foregoing, it may rightly be argued that the absence of these data protection terms in Section 6 of the NITDA Act makes it unlikely that the legislature intended to grant NITDA authority to regulate the processing of personal data and/or issue guidelines on data protection. Where the words used in a statute are clear and unambiguous, they should be accorded their literal meaning (see Adewunmi v. A-G., Ekiti State (2002) 1 S.C. 63). In the event of a legal challenge, my humble view is that NITDA cannot successfully rely on Section 6 to sustain a legal basis for issuing the Guidelines. In the final analysis, it seems that the major obstacle to the effective enforcement of the Guidelines, if ever it comes into force, would be its statutory basis, which appears to rest on a shaky foundation having regard to the clear wording of Section 6 of the NITDA Act.
Conclusion and the way forward
Due to the proliferation of personal information across several databases in Nigeria and the likelihood of online behavioural tracking of data subjects in Nigeria, the need to enact a law regulating the processing of this personal information has never been more important. This call comes on the heels of the unbridled access to, and repurposing of, personal information revealed by the recent Facebook-Cambridge Analytica data scandal, in which Nigeria was mentioned as a use case. Regardless of the statutory basis for the Guidelines, NITDA’s effort in this regard is highly commendable. In terms of scope of application, the Guidelines is a significant improvement on the Draft Guidelines on Data Protection 2013, also released by NITDA, and appears to be the most comprehensive data protection framework to originate from Nigeria. In my opinion, NITDA, in addition to taking steps to remedy the deficiencies of the Guidelines highlighted above, should as a matter of urgency convert it into a Bill to be forwarded to the National Assembly, through the office of the Attorney General of the Federation, as an executive Bill sponsored by either the President and/or NITDA, or alternatively seek an amendment to the NITDA Act that remedies these deficiencies and authorizes NITDA to make guidelines and/or regulations for the processing of personal information.
Personal data, we have been told many times, is the new oil. This oil is now the most valuable commodity in the digital economy and has helped to solidify the market position of some of the world’s most valuable internet companies. National governments, including Nigeria’s, must set strict controls on how this oil is “mined” or acquired, used and transferred to other countries. The state of California and the EU have set a “gold” standard; Nigeria is encouraged to follow suit. The time for this is now. As much as we love using the internet, this should not come at the cost of losing our privacy online.
Chukwuyere is a Moz://a Fellow, Research Fellow at the African Academy Network on Internet Policy and Senior Associate at Streamsowers & Köhn.