INTRODUCTION

On 4th February 2022, President Muhammadu Buhari approved the establishment of a new government agency, the Nigeria Data Protection Bureau (NDPB). According to the official press release announcing its establishment, the NDPB would be responsible for consolidating the gains of the NDPR and supporting the process for the development of a primary legislation for data protection and privacy. The NDPB is expected to enforce compliance with the provisions of the Nigeria Data Protection Regulations 2019 (NDPR). Prior to this time, the National Information Technology Development Agency (NITDA) had been solely responsible for data privacy regulation and compliance in Nigeria. While it is beyond doubt that the regulation of data processing was long overdue and the NDPR was a fairly decent effort by government, the enforcement of data protection compliance has been fraught with several challenges. This article seeks to highlight some of the challenges affecting data privacy compliance in Nigeria, and to proffer practical and useful recommendations to address them.

CHALLENGES OF DATA PRIVACY COMPLIANCE IN NIGERIA

Inadequate Sensitization on Data Protection

Despite the issuance of the NDPR in 2019, there is still a lack of awareness of its existence, much less its provisions. Many data subjects, both educated and uneducated, are ignorant of their rights with respect to the protection and integrity of their personal data. Equally, data controllers who process personal data do so with insufficient or non-existent understanding of the provisions of the NDPR and their respective obligations. It is also common to find data controllers misconstruing their obligations under the NDPR, such as erroneously assuming that they are only subject to the provisions of the NDPR when they process the personal data of up to 2000 data subjects.

Lack of an Independent and Regulatory Authority

There have always been concerns with respect to the degree of independence of NITDA from government control. This is because NITDA is domiciled in, and under the general supervision of, the Federal Ministry of Communications and Digital Economy (Ministry). Presently, there is limited information on the extent of NDPB's subordination to the Ministry or even NITDA. However, there is a high likelihood that NDPB will still be under the residual control and supervision of the Ministry, particularly since the NDPB was not established pursuant to any statute and was only created by executive fiat. Without a doubt, the various levels of government in Nigeria outstrip the private sector when it comes to the volume of personal data collected and processed. In fact, the digital economy policy of the federal government is primarily anchored on data collection and processing. Consequently, the need for an independent data protection agency that can hold government accountable for its use and processing of personal data cannot be overemphasized.

In addition to having an independent regulatory agency, it is also vital to ensure that the agency has sufficient manpower and technical resources to discharge its duties efficiently. For instance, NITDA was severely incapacitated in terms of manpower and technical resources to effectively administer and enforce the provisions of the NDPR throughout the country.

Lack of a robust legal framework

There is no gainsaying that the NDPR is a commendable initiative by the government aimed at plugging the absence of a legal regime on data protection in Nigeria prior to its passage in 2019. However, the NDPR itself was conceived as an interim measure which should prepare the ground for the enactment of a substantive and comprehensive legislation on data protection in Nigeria. This partly explains the several deficiencies and loopholes in the NDPR which have significantly constrained data protection compliance in Nigeria. Some of these lapses in the NDPR include the lack of an extra-territorial scope in the regulations, which could have regulated issues relating to cloud storage of personal data collected from Nigeria on servers located in other countries; the absence of any obligation to appoint a legal representative in Nigeria for data controllers who process personal data obtained from the country; and the absence of any requirement for data controllers to keep a record of processing activities, among others. This partly explains the scanty body of legal jurisprudence on data protection in Nigeria.

Absence of stiff penalties to serve as deterrence

It is a notorious fact that most individuals do not practice voluntary compliance unless there is a real threat of sanction. In fact, some potential defaulters tend to weigh the prescribed penalty/cost for breach against the benefit they may derive therefrom in making a decision on whether to comply or not. As such, for any enactment to achieve high compliance, there must be a stiff penalty regime. Furthermore, the damaging consequences of a breach of data privacy for a data subject justify the imposition of severe penalties for breach. However, the NDPR regime on penalties is inadequate. The maximum penalty for a data breach as prescribed under the NDPR is 1% of the annual gross revenue of the preceding year or payment of the sum of N2,000,000 (whichever is greater) where the data controller processes less than 10,000 data subjects, or 2% of the annual gross revenue of the preceding year or a payment of the sum of N10,000,000 (whichever is greater). In contrast, the GDPR provides for a maximum penalty of €20,000,000 or 4% of annual global turnover, whichever is greater.

Recommendations

Extensive Sensitization Campaigns on Data Privacy

The NDPB should undertake widespread sensitization campaigns on the provisions of the NDPR and the imperatives of respecting data privacy. The sensitization campaigns should be targeted at both data subjects, to educate them on their rights, and data processors, to enlighten them on their respective obligations and penalties for non-compliance under the NDPR. NDPB should also partner with the conventional media as well as utilize social media in ensuring maximum reach and increased visibility.

Increased Funding and Governmental Support for an Independent Regulatory Agency

It is expedient that the Federal Government adequately fund the NDPB in order to improve its capacity and efficiency. The staff strength of the NDPB should also be significantly expanded since their area of responsibility covers the entire country. Necessary tools and technology, including periodic training on the global trends and developments in data privacy practice, should be made available to the NDPB staff by the government. Crucially, the government should grant NDPB the autonomy to conduct its affairs with minimal governmental/ministerial control and influence. This will enhance the efficiency and productivity of the NDPB in the discharge of its assigned regulatory duties.

Enactment of a Substantive and Comprehensive Legislation on Data Privacy

It is long overdue for the country to have a substantive legislation on data privacy to replace the NDPR. Many African countries, including neighboring countries like Ghana, have since passed specific legislations on data privacy in their respective countries. The enactment of substantive legislation rather than a subsidiary regulation also tends to positively portray a country as taking data privacy seriously. In fact, the data privacy profile of a country is now a critical consideration for investment decisions by foreign investors. In this respect, the data privacy regulatory regimes of many countries, including the GDPR, now prohibit their private and corporate citizens from transferring/sharing data collected from within their shores with countries with no or ineffective data privacy laws. However, it is heartwarming that the NDPB has as one of its core mandates supporting the process for the development of a primary legislation for data protection and privacy.

Prescription of Stiffer Penalties and Determined Enforcement

The NDPB should also endeavor to scale up the penalties prescribed in the Data Protection Bill where necessary to further disincentivize breach and promote deterrence. In the meantime, the NDPB can improve on enforcement by applying the penalties prescribed on defaulters without discrimination. The NDPB should also consider pursuing legal actions, including canvassing novel arguments on areas where there are apparent lacunas in the NDPR, with a view to having the courts make pronouncements on such issues and thereby enriching the jurisprudence on data privacy. Doing so will instill deterrence in potential defaulters and enhance the profile and regulatory efficacy of the NDPB.

Conclusion

The establishment of the NDPB is a laudable initiative by the government which signals the government's acknowledgement of some of the challenges of the previous regime under NITDA. With the benefit of hindsight as it relates to NITDA's challenges in the enforcement of the NDPR as outlined in this article, the NDPB can aim to do better and avoid some of the setbacks encountered by NITDA. However, given the lack of clarity on the specific remit of NDPB as well as the lack of a statutory backing to its creation, there are speculations that the NDPB is itself a stopgap intervention. This should nevertheless not deter the NDPB from striving to be efficient and impactful, as the gains and successes recorded by it can be of immense value to any successor agency and will certainly help deepen the practice of data privacy in Nigeria.
