A Data Protection Law Is Not Enough
By: ‘Gbenga Sesan

On Wednesday, June 14, Nigeria got its long-awaited comprehensive data privacy and protection legislation when the Data Protection Bill 2023, which the 9th National Assembly passed, was signed into law.

The new law seeks to protect data by “providing for the regulation of the processing of personal data; promoting data processing practices that safeguard the security of personal data and privacy of data subjects; ensuring that personal data is processed in a fair, lawful and accountable manner; protecting data subject’s rights, and providing means of recourse and remedies, in the event of the breach of the data subject’s rights; ensuring that data controllers and data processors fulfil their obligations to data subjects; establishing an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial trusted use of personal data.

In many ways, this is great news for citizens whose data remained unprotected for far too long in a country with too many biometric collection projects and with a history of data abuse. Yes, there was a hurried secondary gap-filling legislation, the Nigeria Data Protection Regulation (NDPR), but it was problematic, and its implementation was overseen by an agency that lacked legitimacy until a Nigeria Data Protection Bureau (NDPB) was established in February 2022. 

With this primary law that provides a much-needed comprehensive legal framework for the protection of personal information and the practice of data protection, Nigeria has now solidified its place on the list of African countries that are serious about data privacy and protection, which are extremely important elements for the promotion of the trust that powers the data economy.

One of the challenges that this new law has immediately addressed is the need for an

independent — read that as INDEPENDENT — data protection regulatory agency because it is the right way to do it and also because all violators must be checked, including government agencies themselves. Unfortunately, the headquarters of data abuse impunity in Nigeria is somewhere between various government agencies, so it is important to have an umpire that will not bark at erring citizens, bite companies that mishandle data but slap the wrist of government entities or representatives that disobey the law.

There are too many examples of violations that have bedevilled Nigeria in terms of data

handling and the list of perpetrators includes airlines, banks, digital loan apps, hospitals,

telecommunications companies and government institutions such as the Nigeria Immigration Service (NIS), Independent National Electoral Commission (INEC), and National Identity Management Commission (NIMC), among others. 

By the way, the digital loan apps are in a class of their own with their famous threatening messages including fake obituaries, sent to anyone unfortunate enough to be on the contact list of their clients.

Examples of breaches that I am always quick to reference include sensitive data such as e-mail addresses and phone numbers that are frequently advertised for sale online, and information of registered voters that appeared online following a data breach in September 2016. Sensitive health data processed by a bank on behalf of a hospital was made available online, and laptops were sold still holding subscriber information that was captured during the SIM card registration process. Recently, sensitive customer data taken from Nigerian banks were made available for sale on the dark web, similar to how subscriber information of 37 million Nigerians was put up for sale in 2020.

There is too much work to be done, but the odd move of establishing a data protection bureau ahead of the proper legal framework required could be a blessing in disguise. The existing Nigeria Data Protection Bureau (NDPB) should set the ball rolling by immediately taking on the work already cut out for the newly established independent data protection regulator, the Nigeria Data Protection Commission (NDPC).

However, the NDPB’s history, including the fact that it was carved out of the power-hungry National Information Technology Development Agency (NITDA) due to the influence of the former Minister of Communications and Digital Economy, will provide a challenge for its new independent status. In addition to this, Section 60 of the new Data Protection Law, which suggests that a Minister can control an independent agency, contradicts Section 7 of the same law, which clearly states that “The Commission shall be independent in the discharge of its functions under this Act.” That is a tough area to navigate, and that will not be helped by the fact that civil society was taken off the list of stakeholders that should be appointed to join the Data Protection Commission’s Governing Council.

This is why having the law is not enough; how we implement it is as important! 

While it readies itself to protect the independence that will determine its ability to deliver on its much-awaited mandate, the NDPB must immediately begin massive education and awareness for citizens and data handlers — including companies and government institutions — so that everyone knows their rights and responsibilities. As my colleague and I told the NDPB team when we visited their office just before the Bill was passed, we will hold their feet to the fire, especially on independence and ensuring justice for citizens. This does not in any way take away from the fact that Nigeria must be congratulated for this

achievement, but at times, the reward for success is the hard work of maintaining — or

improving — the new status quo.

As we get to work on data protection, Paradigm Initiative and partners will continue advocacy for the second half of the work we started many years ago—the Digital Rights and Freedom Bill (DRFB). In 2019, when the DRFB got to then-President Buhari’s table for his signature, he declined assent and asked that we decouple the previous version of the Bill so that Data Protection could be a separate bill while the DRFB focuses on human rights in the digital environment. 

With the 10th National Assembly now in place, work continues on making sure that this complementary digital rights and freedom law happens for Nigeria. Congratulations, Nigeria, but getting a data protection law is not enough. Stakeholder involvement must be the norm, with frequent updates from the NDPC and no opacity in its operations. An immediate rapid-fire implementation process must begin with nationwide awareness of the data rights that the Commission was established to protect and the independence of the Commission must be protected so it can do the work it was established for.