Articles

Legislative Predictions for Privacy and Data Protection in Nigeria 2024

Contributors: Adedolapo Adegoroye, Chisom Mbamalu, Dorcas Tsebee, Precious Nwadike, and Ridwan Oloyede

Introduction

A brief overview of 2023

The year began with great anticipation as the country looked forward to enacting a data protection law to bring a two-decade elusive chase to a close. This bill saw rapid progress, receiving approval from the Federal Executive Council in January and swiftly moving to the National Assembly following the president's appeal for speedy enactment. Despite concerns that the outgoing president's administration might not sign it, the new government successfully signed the bill into law in June.

At the beginning of the year, the Nigeria Data Protection Bureau (NDPB) made some progress in its operations before its transition. It announced investigations into various companies for violations of the existing law, although the outcome is unknown. It also released its annual performance report during the year. With the new Act's coming into force, the NDPB transformed into the Nigeria Data Protection Commission (NDPC), marking a significant shift in its mandate and finally getting legislative legitimacy. The NDPC embarked on several awareness initiatives, signing collaboration agreements and memoranda of understanding with different government agencies and entering into strategic partnerships with different governments and agencies. 

The NDPC recently issued a “guidance notice” on filing data protection compliance audit returns under the new Act and the yet-to-be-published General Application and Implementation Directive. It also released a code of conduct for data protection compliance organisations (DPCOs). The Commission also announced that a registration portal will be launched in January 2024, and the implementation directive for the Act will also be published. The code of conduct also referenced Cross-Border Privacy Rules (CBPR), which may likely receive greater attention in the coming year as a mechanism to facilitate international data transfer.

The year also saw an attempt at sector regulation as the Nigeria Communications Commission (NCC) published its draft data protection regulation and held a public consultation on it. There were also notable privacy litigations during the year. The ECOWAS court ruled on a case demanding the Nigerian government enact a data protection law. The court found that Nigeria already has a data protection framework, negating the need for such a compulsion. Concurrently, a separate legal action challenged the enforcement of the Nigeria Data Protection Act, citing the lack of a designated court with jurisdiction over such matters.

Additionally, the Federal High Court's decision to nullify the "Whitelist" of countries for data transfer could significantly impact the international data transfer landscape. In another decision, the EFCC deployed tracking technologies in an app for reporting financial crimes. Despite the app's lack of a privacy notice and user data collection without a disclosed lawful basis, the court ruled that the app's societal value outweighed privacy concerns. This decision overlooked crucial data protection issues like unlawful tracking, the absence of a privacy notice, and the neglect of data protection during app development. The decision is currently on appeal.

Finally, a proposed amendment to the Cybercrimes Act is before the National Assembly and a public hearing was held in November.

Projections for 2024

The year 2023 marked a significant milestone in Nigeria's data protection landscape, as the long-anticipated Data Protection Act was passed in June 2023, putting Nigeria on the list of countries with a comprehensive data protection law. The law established the NDPC to oversee its implementation. 

In 2024, we anticipate the following trends:

Anticipating the implementation framework

Although the Act coming into force presents promising opportunities for the country, it also presents the need for guidance and clarification on some of its provisions. In response, the NDPC inaugurated the Nigeria Data Protection Act General Application and Implementation Directive (NDP Act GAID) Drafting Committee with the mandate to develop an implementation framework for the Act. The Directive is expected to be published in the year's first quarter. Furthermore, the NDPC may release sector-specific guidelines to facilitate adherence to the law in industries such as healthcare, finance, and communications. As a result, we expect businesses, regardless of size, to show an increased eagerness to comply. 

Also, following the court’s decision nullifying the Whitelist, the NDPC is expected to revise the list and incorporate a country-by-country assessment as mandated by the court. The NDPC may expedite the approval of new transfer mechanisms, such as Binding Corporate Rules (BCR), release various modules of approved Standard Contractual Clauses (SCC), and develop a system to facilitate Cross-Border Privacy Rules (CBPR) in line with its Code of Conduct for Data Protection Compliance Organisations (DPCOs).

Sector-specific regulations and collaborations

We anticipate more sector-specific and ancillary regulations. The Nigerian Communications Commission (NCC) held a public consultation on its draft data protection regulation, which is anticipated to be finalised in the coming year. Regulatory bodies like the Central Bank of Nigeria (CBN), Securities and Exchange Commission (SEC), Federal Competition and Consumer Protection Commission (FCCPC), and the National Insurance Commission (NAICOM) might introduce ancillary regulations that, while primarily sector-specific, will also encompass data protection obligations. This approach would integrate data protection seamlessly into the broader regulatory framework of various industries.

We still expect the completion of the amendment to the NCC Registration of Telecommunications Subscribers Regulation, which opened for public comment in 2022. As these unfold, we anticipate more collaboration among regulatory agencies to ensure compliance with data protection standards in the country. This has already manifested in the collaboration between the FCCPC and NDPC.

The return of old legislative efforts

We expect some bills abandoned during the past legislative cycle to make a return  Prominent among these are the Electronic Transactions, Digital Rights and Freedom, Digital Economy, Electronic Governance, Artificial Intelligence and Robotics Research Regulatory Agency, and the National Health Record Bills, which will likely be re-evaluated in the upcoming year. Lagos State’s data protection bill may resurface, and other states may take a cue. In addition, we expect regulatory proposals focused on the use of healthcare data and surveillance issues in the year.  Similarly, the Cybercrimes Act is undergoing a proposed amendment, and we expect it to make some progress during the year.

Uptake in AI regulation

Nigeria is actively pursuing governance strategies for using artificial intelligence (AI). This is visible in the effort to draft a National AI Policy by the National Information Technology Development Agency (NITDA) in 2022 that is yet to be published. In addition, the Federal Ministry of Communications, Innovation and Digital Economy recently published a Strategic Blueprint reiterating the commitment of the Minister to developing a  National AI Strategy. Also, there are two bills before the National Assembly seeking to regulate the use of AI: the AI and Robotics Sciences Bill and the Control of Usage of Artificial Intelligence Technology in Nigeria Bill. We anticipate significant progress with the strategy, policy and bills in the coming year.

Registration of data controllers and processors

The commencement of registration of data controllers and processors is of major importance and is expected to go live. The National Commissioner mentioned on different occasions that the NDPC is working on the launch of the registration portal and has also directed controllers and processors to register before the end of the year (2023). This was restated in the recent meeting of DPCOs, where the Commission declared readiness to publish the implementation directive and registration portal in January 2024. It is expected that before that, the commission will define the metrics for qualification to be a controller or processor of major importance. Precision is necessary for regulatory clarity and is expected to be part of the ongoing implementation directive for the Act.    

Increase in enforcement efforts

As the work of the NDP Act GAID drafting committee progresses, we expect to see the introduction of a complaint resolution and enforcement framework. The introduction will provide a mechanism for enforcement and clarity on the procedure. We expect the NDPC to issue its first enforcement action and notice before the second quarter of 2024. 

Surveillance landscape

The surveillance landscape in Nigeria has grown with increased national budget allocation and the deployment of surveillance technologies, raising concerns about privacy rights. The fear is exasperated by the government's plan to introduce facial recognition technologies at airports in the country. This growth is coupled with potential legislative changes or introductions like the Mandatory CCTV Installation Bill, which recently scaled the first reading, and the Telecommunications Facilities (Lawful Interception of Communication) Bill by the past legislature. These bills, if passed, could enable extensive surveillance without adequate safeguards. Consequently, this situation is anticipated to fuel public resistance and bolster advocacy for digital rights. Civil society organisations are expected to ramp up their efforts against privacy infringements, leading to more strategic litigation and a surge in public engagement in online and offline data protection and surveillance discussions.

Increase in privacy-related litigations

We expect to see more individuals filing complaints and cases for privacy-related violations. We expect increased strategic litigation for privacy rights violations and non-adherence to the law. In addition, we anticipate progress with some existing cases. For example, the progress or a decision in the appeal against the use of tracking technologies by the EFCC filed by the Ikigai Foundation. Additionally, an injunction pending the appeal of the judgement that nullified the Whitelist is anticipated. This may stabilise the international data transfer regime and alleviate uncertainty and concern.

Conclusion

As 2024 unfolds, it is expected to be another transformative year for data protection, building on the enactment of the Data Protection Act. As we anticipate some of the predictions coming to life, we expect the regulator to promptly introduce easy-to-read guidelines, guidance notes, and self-assessment toolkits to streamline compliance. Also, efficiently implementing a complaint-handling mechanism that allows data subjects to track the status of complaints will promote much-needed trust in the ecosystem. These interventions can lay a solid foundation for Nigeria's ongoing commitment to fostering a secure, privacy-respecting digital environment.

A slight variation of the article will be published by the IAPP early next year as part of its global legislative prediction.

You can read our legislative predictions for the previous years and last year’s prediction scorecard.