Save for Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as altered), the protection of data and privacy in Nigeria has for many years been addressed only by sectoral (piecemeal) legislation touching on these subjects. However, marking a turning point in the protection of data in Nigeria, the National Information Technology Development Agency (NITDA) published and issued the Nigeria Data Protection Regulation, 2019 (the Regulation) on January 25, 2019. Commending this achievement, this article attempts to critique the concept and structure of data protection in Nigeria using various international human rights standards on privacy as a benchmark.
KEYWORDS: Constitution of the Federal Republic of Nigeria, Data, Privacy, NITDA, Human Rights.
As early as 1976 Paul Sieghart identified the following links between privacy, information flows, and autonomy (freedom) of people when he said:
“In a society where modern information technology is developing fast, many others may be able to find out how we act. And that, in turn, may reduce our freedom to act as we please – because once others discover how we act, they may think that it is in their interest, or in the interest of society, or even in our own interest to dissuade us, discourage us, or even stopping us from doing what we want to do, and seek to manipulate us to do what they want to do.”
The right to privacy is a fundamental human right, recognized in article 12 of the Universal Declaration of Human Rights, article 17 of the International Covenant on Civil and Political Rights and in many other international and regional human rights instruments. Privacy can be considered as the presumption that individuals should have an area of autonomous development, interaction and liberty, a “private sphere” with or without interaction with others, free from State intervention and from excessive unsolicited intervention by other uninvited individuals (see, for example, A/HRC/13/37, para. 11, and A/HRC/23/40, paras. 22 and 42).
“Data” in its general sense means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, and which may be stored in any format or on any device. It includes any single piece of information, or any set of information, that can personally identify an individual or single them out as an individual. Obvious examples are somebody’s name, address, national identification number, date of birth or facial image. Perhaps less obvious examples include a vehicle registration plate number, fingerprints, a computer or smartphone IP address and health records.
The need to address the challenges that the digital world brings to the right to privacy is more acute than ever. Driven mostly by the private sector, digital technologies that continually exploit data linked to people’s lives, are progressively penetrating the social, cultural, economic and political fabric of modern societies. Increasingly powerful data-intensive technologies, such as big data and artificial intelligence, threaten to create an intrusive digital environment in which both States and business enterprises are able to conduct surveillance, analyse, predict and even manipulate people’s behaviour to an unprecedented degree. As a consequence, individuals find themselves in a position of powerlessness, as it seems almost impossible to keep track of who holds what kind of information about them, let alone to control the many ways in which that information can be used.
While there is no denying that data-driven technologies can be put to highly beneficial uses, these technological developments carry very significant risks for human dignity, autonomy and privacy and the exercise of human rights in general if not managed with great care.
Given all this, and growing public concern about data privacy protection, international and regional actors are increasingly aware of the challenges and are beginning to act accordingly. For example, the Human Rights Council mandated a Special Rapporteur on the right to privacy in July 2015. Also, at different regional levels, several measures have strengthened data privacy protections, such as the OECD Guidelines on the Protection of Privacy, the European Union General Data Protection Regulation, and the African Union Commission Personal Data Protection Guidelines for Africa, amongst others, all of which serve as “data privacy protection principle templates” for the Nigerian data protection framework.
- NIGERIA’S DATA PROTECTION FRAMEWORK SCORECARD
There is a growing global consensus on minimum standards that should govern the processing of personal data by States, business enterprises and other private actors. International instruments and guidelines reflecting this development include the 1990 Guidelines for the Regulation of Computerized Personal Data Files; the Council of Europe 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; the 2014 African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention); and the 1980 Organization for Economic Cooperation and Development Privacy Guidelines, updated in 2013 amongst others.
Those standards, particularly the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, have reformed the data privacy frameworks of many States and can direct the design of adequate policy instruments.
On January 25, 2019, the Agency issued the Nigeria Data Protection Regulation (the Regulation). The Regulation took effect on the same date. The Regulation seeks, among other things, to safeguard the rights of natural persons to the privacy of their personal data by, among other measures, regulating transactions involving the collection, use and exchange of personal data.
In this section, we take a detailed look at the international human rights standards for a privacy protection framework, while concurrently appraising the Regulation in light of these standards.
Basically, international human rights standards on privacy protection are structured on five (5) major pillars:
- State Responsibility to put in Place Adequate Safeguards and Effective Oversight:
One cornerstone of a privacy protection framework should be laws setting the standards for the processing of personal information by both States and private actors. Article 17 (2) of the International Covenant on Civil and Political Rights lays down the need to protect individuals by means of law.
States are to put in place a legal, regulatory and institutional framework that provides adequate safeguards, including effective oversight mechanisms that ensure adequate protection and enjoyment of the people's right to privacy.
According to its preamble, the Regulation was issued for three reasons:
- Need to safeguard, regulate and protect online personal information against atrocious breaches from public and private bodies;
- Need to facilitate the contribution of stakeholders and overcome the grave challenges of leaving personal data processing unregulated; and
- Need to follow the international community trend in securing lives and property and fostering the integrity of commerce and industry in the volatile data economy.
The Agency recognizes that protection of right to privacy is broad and not limited to offline – private and secluded places alone, therefore extending the tentacles of the Regulation to touch on online information systems. Recognizing that many public and private bodies have migrated their respective businesses and other information systems online, the Regulation proffers measures that mitigate the impact on human rights from such power and information asymmetries.
The rationale for the enactment of the Regulation is in symphony with the spirit of international human rights standards on protection of people’s privacy, as envisaged in the preamble of the Universal Declaration of Human Rights (UDHR) and in Article 2 (1) of the International Covenant on Civil and Political Rights (ICCPR), which requires States to “respect and ensure” the rights recognized in the Covenant for all individuals within their territory and subject to their jurisdiction, without discrimination.
- Creation of Certain Obligations of the Entities Processing Personal Data
Data privacy protection frameworks should also create certain obligations for the actors processing personal data. Those obligations can cover organizational aspects, such as the establishment of an internal supervisory mechanism, but also include mandatory actions, such as data breach notifications and privacy impact assessments, as well as a duty of care.
The Regulation contains copious provisions on compliance, together with mandatory and other obligations imposed on both private and public entities processing personal data. They include, but are not limited to:
- Duty of care and accountability to the Data Subject.
- Publication of data protection policies by the affected entities, made in consonance with the Regulation and made available to the public.
- Designation by both public and private entities of a Data Protection Officer (or outsourcing of data protection to a competent person/firm) to ensure adherence to the Regulation.
- Annual submission of a summary of the data protection audit to the Agency by companies that process more than 2000 Data Subjects within a period of 12 months; and bi-annual submission of a summary of the data protection audit to the Agency by companies that process more than 1000 Data Subjects within a period of 6 months.
These obligations, and many others not listed, provide an authoritative blueprint for all enterprises, regardless of their size, sector, operational context, ownership and structure, for preventing and addressing all adverse human rights impacts, including impacts on the right to privacy.
Through this framework the Agency is able to keep the activities of data controllers in check, thereby ensuring that the people's right to privacy is adequately protected in the digital age.
- Avoidance of Strict Data Localization Requirements
Strict data localization requirements that oblige all data processing entities to store all personal data within the country at issue should be avoided. Instead, international human rights standards on privacy protection require States to focus on ways to ensure that personal data transferred to another State is protected at least at the level required by international human rights law.
Scoring an A under this standard, the Nigerian data privacy blueprint as envisaged under the Regulation is flexibly designed to allow any transfer of personal data which is undergoing processing, or is intended for processing after transfer to a foreign country or to an international organisation, to take place subject to the supervision of the Honourable Attorney General of the Federation (HAGF) or the consent of the Data Subject (as the case may be).
The Regulation is also framed to ensure development of international cooperation mechanisms that will facilitate the effective enforcement of legislation for the protection of personal data, and to promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
- Procedural Safeguards
Procedural safeguards are an integral part of international human rights privacy protection requirements. They represent guarantees for people (the Data Subjects) to redress and enforce their rights against the data controlling entities.
Dancing in perfect symphony with the spirit of this requirement, the Regulation provides for the Agency to set up a panel to be known as the “Administrative Redress Panel”. The powers of the panel are configured around securing the Data Subjects' right to privacy. They include, but are not limited to:
- Power to invite any party (entities) to respond to allegations made against it within seven days.
- Power to investigate allegations made against any party (entities) for breach of any of the provisions of the Regulation.
It is noteworthy that the administrative redress available to the Data Subjects under the Regulation does not prejudice the right of the Data Subjects to seek redress in any court of competent jurisdiction.
- State Surveillance
The right to privacy is not only impacted by the examination or use of information about a person by a human or an algorithm; even the mere existence of secret surveillance amounts to an interference with the right to privacy (see the European Court of Human Rights, Rotaru v. Romania, application No. 28341/95, judgment of 4 May 2000).
On this note, the Special Rapporteur on the right to privacy has called attention to the need for data protection legislation to ensure that State surveillance-related activities are limited, based on the principles of necessity and proportionality, in order to ensure an adequate level of data privacy in all branches of government. This call comes in view of the widespread absence of such provisions in the data protection legislation of many jurisdictions.
It is regrettable to note that the data protection framework in Nigeria falls short of this standard. The Regulation does not contain any provision that deals with State surveillance-related activities.
- CONCLUSION & RECOMMENDATION
The right to privacy can facilitate the enjoyment of other human rights, while its infringement can constrain the enjoyment of other human rights. It is also a right that applies equally to everyone. Any differences in its protection on the basis of nationality or any other grounds are inconsistent with the right to equality and non-discrimination contained in Article 26 of the International Covenant on Civil and Political Rights.
The international human rights standards on privacy protection serve as templates and guidelines for States to follow in developing data protection legislation that will ensure adequate security of people’s privacy. Kudos must be given to the Agency, which took a commendable step, inter alia, in ensuring that Nigeria’s data protection framework is in tune with international human rights standards on privacy protection (as reflected in the Regulation). Currently, the Regulation is the most comprehensive legislation (subsidiary) that protects personal data rights in Nigeria. Unlike the Guidelines on Data Protection issued by the Agency in 2013, the 2019 Regulation is more robust and comprehensive, applies assertive language, imposes sanctions on Data Administrators for non-compliance with its provisions and grants enforceable rights to Data Subjects.
Notwithstanding the foregoing, in light of the shortcoming of the Regulation in the area of “State surveillance”, this writer seizes this medium to appeal to the Agency for a review of the Regulation. I recommend that, in terms of its scope, the legal framework for surveillance under the Regulation should cover State requests to business enterprises. It should also cover access to information held extraterritorially or information-sharing with other States. A structure to ensure accountability and transparency within governmental organizations carrying out surveillance should also be clearly established in the Regulation.
Emmanuel Omotayo Johnson
* A 500L Law undergraduate of the prestigious Lagos State University, can be contacted through; firstname.lastname@example.org and +2348164878916
 To be hereinafter referred as the Agency.
 Sieghart P., Privacy and Computers, Latimer, London, 1976 p.24
The right to privacy in the digital age; Report of the United Nations High Commissioner for Human Rights, pg.2
See, for example, article 16 of the Convention on the Rights of the Child; article 14 of the International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families; and article 22 of the Convention on the Rights of Persons with Disabilities.
 Definition of “Data” according to Part Two, Section 4(d) of the Nigeria Data Protection Regulation, 2019
 The right to privacy in the digital age; Report of the United Nations High Commissioner for Human Rights, pg.4-5
 See, for example, article 10 of the African Charter on the Rights and Welfare of the Child; article 11 of the American Convention on Human Rights; and article 8 of the European Convention on Human Rights.
 For detailed guidance, see https://privacyinternational.org/advocacy-briefing/2165/guide-policy-engagement-data-protection and Access Now, “Creating a data protection framework: a do’s and don’ts guide for lawmakers. Lessons from the EU general data protection regulation” (2018).
 To be hereinafter referred as the Regulation
 Preamble of the Nigeria Data Protection Regulation, 2019
 Entities as used here implies all public and private organizations in Nigeria that deal with or control data of natural persons
 See Part Two, Section 9 of the Nigeria Data Protection Regulation, 2019
 Supra at Part Two, Section 5
 Supra at Part Three, Section 32-38
 See A/HRC/32/38, para. 61
 See A/HRC/32/38, para. 61
 Ibid Section 15
 Ibid Part 3, Section 41
 See Article 3(a-c) of the International Covenant on Civil and Political rights (ICCPR) 1966
 See Part Three, Section 39 of the Nigeria Data Protection Regulation, 2019
 See Paul Bernal, “Data gathering, surveillance and human rights: recasting the debate”, Journal of Cyber Policy, vol. 1, No. 2 (2016).
 See also, Kopp v. Switzerland, application No. 23224/94, judgment of 25 March 1998
 State surveillance-related activities must be conducted on the basis of a law (see A/HRC/27/37, para. 28). The Article 8 of the European Convention of Human Rights (ECHR) is explicit as to the nature of the qualification: “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
 In many jurisdictions, intelligence and law enforcement agencies are excluded from the provisions of data privacy legislation, according to the Report of the United Nations High Commissioner for Human Rights on “The right to privacy in the digital age”, A/HRC/39/29, pg.10
 See Part One, Section 2-3 of the Nigerian Data Protection Regulation, 2019.
 This is one of the surveillance specific regulations minimum standards as reported in supra at pg.11