This article was co-written by Dorcas Tsebee, AICMC, Gbemi Adedayo Ojedokun, and Ridwan Oloyede.
The data protection landscape in Nigeria has had another remarkable year. After previous failed attempts, a renewed effort was made this year for another data protection bill. The new effort will be presented as an executive bill, and the Senate has promised to accelerate its passage within 30 days of its presentation. In February, the Minister of Communication and Digital Economy announced that the Nigeria Data Protection Bureau (NDPB) would replace the National Information Technology Development Agency (NITDA).
The Lagos State House of Assembly adopted the recommendations to enhance the draft Lagos State Data Protection Bill. In the latter part of the year, NITDA published a draft national data strategy for the use of both personal and non-personal data. According to the timeline for implementing the strategy, certain steps are currently in progress. The Secretary to the Government of the Federation issued a directive requiring all government agencies to implement the NDPR, among other measures. While this was the first year in three in which the data protection authority did not issue any sanctions, there were court judgments against the sending of unsolicited emails and illegally opening a new account without the customer’s permission. Similarly, the Federal Competition and Consumer Protection Commission (FCCPC) suspended the operations of some digital lending companies and requested that mobile app hosting stores remove them.
Also, during the year, some policy proposals could impact data protection. For instance, the Central Bank of Nigeria released the draft Operational Guidelines for Open Banking in Nigeria, which created some data protection obligations for regulated entities. The year also saw the introduction of the Nigeria Intelligence Gathering Commission Bill, whose provisions have nothing to do with bolstering the country’s frail surveillance legal and regulatory framework.
Nigeria Data Protection Bureau: a year of “burrowing”
Despite ongoing debates regarding the legitimacy of the NDPB, it has continued to fulfil its duties as the data protection authority. The bureau made ongoing efforts to raise awareness through offline and online events, its social media platforms, engagement with various government officials, and partnerships with other organisations. The bureau also hosted a stakeholder session towards drafting a bill and a validation exercise for the new bill. In addition, the NDPB issued a compliance notice to all data controllers, requiring them to meet certain requirements for inclusion in an adequacy whitelist programme. The deadline has been extended to January 2023. As part of its cooperation efforts, the bureau signed a number of memoranda of understanding with various government ministries, agencies, and departments. It established a mutual enforcement desk with the FCCPC. In addition, investigations into the violation of the data protection regulation were announced.
We have highlighted some of the trends we anticipate in 2023.
A new data protection law was introduced by the government in 2022. Although the head of the NDPB stated that it would be passed before the end of the year, we anticipate that this bill will be passed by the first quarter of 2023 or before the current legislature’s term expires, as the Senate promised to do so within 30 days of its introduction. The bill is expected to be signed into law in the first or second quarter of 2023. The enactment of the law will ensure the complete transition and formal establishment of the NDPB as the country’s data protection authority, as it has been operating without an establishing law since February 2022.
At the state level, the Lagos State Data Protection Bill is expected to be passed and signed into law. We also anticipate some progress with Ogun State’s version of the bill. It will not be surprising to see other state governments follow suit, considering there may be changes in leadership in different states of the federation.
We anticipate more sector-specific guidance and regulations that will either specifically address or have a broad impact on data protection. Specifically from the Securities and Exchange Commission, the Nigeria Insurance Commission, the Federal Competition and Consumer Protection Commission, and the Central Bank of Nigeria. The Nigeria Communication Commission is also expected to release an amendment to the Registration of Telecommunications Subscribers Regulation, which it opened for public comment in 2022.
We anticipate significant progress on some pending legislative proposals, such as the Electronic Transactions Bill, the Digital Rights and Freedom Bill, the Electronic Government Bill, and the National Electronic Health Record Bill, which are all stuck at the committee report stage. Finally, we anticipate that the proposed amendment to the Cybercrimes Act will be presented before the end of the current legislative cycle. A version of the bill was introduced in the House of Representatives for its first reading in November.
In 2021, the FCCPC, in collaboration with five other agencies, formed a task force to address issues in the digital lending ecosystem. In 2022, the FCCPC and the NDPB signed a memorandum of understanding. More collaboration between government agencies across different sectors and levels of government is expected in 2023. Similarly, the new directive from the secretary to the government of the federation to public authorities to implement the NDPR may result in various government agencies and departments requiring data protection for licencing, maintaining licencing, or dealing with the agencies.
A few notable cases are pending before various courts that could impact various aspects of data protection in the coming year. The Digital Rights Lawyers Initiative has filed a suit in the ECOWAS court requesting that the Nigerian government enact a data protection law. The decision is due in March 2023. A similar judgment by the same court directing the Nigerian government to amend some provisions of the Cybercrimes Act is yet to be complied with.
Also, how tracking technologies, government-led surveillance, and international data transfer are used in Nigeria could change if three cases filed by the Ikigai Innovation Initiative are resolved within a year. The first case involves challenging tracking technologies in a public-facing mobile application deployed by the Economic and Financial Crimes Commission. The second case is contesting the authorisation granted to law enforcement agencies to access databases from the Nigeria Identity Management Commission by the Minister of Communications and Digital Economy without legitimacy or safeguards. There was no response to the Freedom of Information request about the existence of safeguards. Finally, the third case contends that NITDA violated its rules by issuing a whitelist of countries with adequate data protection laws. The lawsuit challenges the rationale underlying the designation of certain nations without data protection laws or authorities as having adequate jurisdiction.
The year is expected to be the year Nigeria finally gets a comprehensive data protection law after two decades of trying and failing. We also expect more organisations to make efforts to improve the maturity of their privacy programmes, more informed and empowered data subjects, and a regulator ready to embrace the full stretch of its mandate. The regulator may consider publishing timely guidelines, guidance, and self-assessment toolkits to make compliance easier. Complaints should also be resolved in a timely manner, and the status of complaints should be updated on a regular basis, as this may increase trust in the ecosystem.
A slight variation of the article will be published by the IAPP later next year as part of its global legislative prediction.