Nigeria has not had any data protection regulation that covers the rights of people resident within its territory. The Nigerian Information Technology Development Agency (NITDA) recently began the implementation of a data protection regulation known as the Nigerian Data Protection Regulations 2018, which was copied from the EU General Data Protection Regulation (GDPR).
The regulation released by the NITDA was not attributed to any specific provision of the authority’s enabling legislation and a vague reference was made to Section 6 of the NITDA Act. The regulations can, therefore, be described as an act of jurisdictional overreach as the agency was not set up to regulate data protection within Nigeria.
Furthermore, the regulation can best be described as an affront to the ECOWAS Data Protection Law, to which Nigeria is a signatory.
1. Introduces Prison terms
The bill introduces provisions whose breach carries prison sentences for persons and organisations that fall foul of its rules. In Part XII, which comprises sections 48 to 54 of the legislation, jail terms have been stipulated for persons or organisations who trade in personal data belonging to residents of Nigeria. In Nigeria, certain companies and entities buy and sell data belonging to residents of Nigeria to organisations or individuals who engage in micro-targeting of people.
The business of buying and selling user data would therefore become a crime with the introduction of Section 48(4), which states that “A person commits an offence who advertises or indicates that Personal Data where the person obtains the data in circumstances described under subsection (1) of this section, is or may be available for sale, shall be liable on conviction to imprisonment for a term not less than 5 years or to a fine of not less than ₦3,000,000,000.00 or to both such imprisonment term and fine.”
Furthermore, online content service providers such as Google, Facebook, Jumia and associated entities could also face jail terms if they fail to obey the provisions of section 36 of the bill on data localisation. Section 36 provides that all Data Controllers and Data Processors of Personal Data shall record, systematize, accumulate, store, host, amend, update and retrieve Personal Data on devices that are physically located within Nigeria’s territorial jurisdiction.
A breach of the above provision would result in a data controller or processor being liable upon conviction to imprisonment for a term not less than 10 years or to a fine of not less than ₦8,000,000,000.00 or to both such imprisonment term and fine.
Under the Data Protection bill, there are eight key rights belonging to Data subjects. The rights are listed below.
- Right to be informed: This means that data controllers must provide clear and correct information to data subjects – purpose, retention. This right is discerned from Section 18.
- Right of access: This means data subjects have the right to know whether personal data is being processed and, if so, to access it, i.e. a copy of their personal data – how and why. This right is discerned from Section 18.
- Right to rectification: This means that if personal data is inaccurate, data controllers must correct it. This right is discerned from Section 20.
- Right to erasure or right to be forgotten: This means that if personal data belonging to an individual is made public, the data subject has the right to have such information deleted. This right is discerned from Section 20.
- Right to restriction of processing, i.e. the right to limit personal data processing. This right is discerned from Section 25.
- Right to data portability: This simply means the right to move, copy and transfer personal data across different services. This right is discerned from Section 26.
- Right to object: This means data subjects have the power to decline personal data processing, e.g. direct marketing. This right is discerned from Section 23 of the bill.
- Right not to be evaluated based on automated individual decision making (AI), including profiling. This right is discerned from Section 19(1).
The right to be forgotten is a right which stipulates that personal data, where obtained or available, shall be erased when such data is inadequate, irrelevant and excessive in relation to the purposes for which it was collected. A typical example is where a search engine operator would be obliged to delete the links to related pages.
The right to be forgotten would allow residents of Nigeria to ask data processors or data controllers, i.e. search engines, to remove links to “inadequate, irrelevant or … excessive” content pursuant to the provisions of Section 20 of the bill.
The right to be forgotten was made prominent by the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. In that case, the Court of Justice of the European Union (CJEU) held that an individual could apply to an internet intermediary or online content service sharing provider to prevent information about the individual from coming up in searches or on the internet intermediary’s platform.
The CJEU further noted that the applicability of the doctrine has a broad territorial scope and that, should the need arise, the results obtained should be delisted on a search engine’s platform. The Court further found that the fundamental right to privacy is greater than the economic interest of a commercial firm and, in some circumstances, the public interest in access to information.
3. Data Localisation
Data localisation is the act of keeping data on any device that is physically present within the borders of a specific country where the data was generated.
The provisions of Section 36 provide that “The Data Commissioner shall mandate Data Controllers and Data Processors of Personal Data pursuant to this Bill, to record, systematize, accumulate, store, host, amend, update and retrieve Personal Data on devices that are physically located within Nigeria’s territorial jurisdiction.”
The provision would ensure that the Nigerian government having to deal with cybersecurity threats or individuals worrying about the right to privacy. It would also lead to the creation of more jobs for persons resident in Nigeria.
Although the provisions of section 36 can best be described as a protectionist clause, they may lead to a development known as splinternet or cyber-balkanization, which means the segregation of the internet by various regions due to factors such as technology, nationalism, commerce and laws.