Data protection has never been at the forefront of political discourse in Nigeria, it has always been a topic of discourse among selected groups with keen interest and understanding in the space. It is not far-fetched to see why this has been the situation for so long. Nigerians are a very communal people, one Nigeria has been plagued with a non-international armed conflict, inflation and recession, lack of electricity and moreover the past decade. There are about 200 million Nigerians today and the number continues to grow. Within this number in 2017, the Minister of education noted that 60 million Nigerians(Premium times,2017) were unable to read or write. Another worrisome statistic highlights that only 104.4 million people had internet access in January 2021(data reportal,2021).
These figures directly impact interest in data protection and understanding of it for an informed public is the basis of civic engagement.
There is no primary Data Protection Legislation in Nigeria. However, there is a subsidiary legislation; the Data Protection regulation.
The National Information Technology Development Agency (NITDA), is the government agency with the mandate to create frameworks for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria. And in line with this mandate, issued the Nigeria Data Protection Regulation (NDPR/The Regulation) in January 2019. NITDA can be said to be the “self-appointed” data protection regulator in Nigeria. The NDPR was issued on 25th January 2019 pursuant to Section 6(a,c) of the NITDA Act, 2007.
This followed the year the European Union General Data Protection Regulations (GDPR) took effect, influencing other countries, including Nigeria.
The regulation’s goals upon implementation were to protect people’s rights to data privacy, foster safe-conduct for transactions involving the exchange of Personal Data, prevent Personal Data manipulation, and ensure that Nigerian businesses remain competitive in international trade thanks to the safeguards to be provided.
The regulation applies to all Nigerians and all transactions where personal data is processed regardless of how it is conducted.
There are sector-specific laws when it comes to data protection covering the area of data these sectors potentially collect. Some of which are:
- The 1999 Constitution Of The Federal Republic Of Nigeria
- NITDA Regulation
- The National Identity Management Commission (Nimc) Act 2007
- The Child Rights Act
- Freedom Of Information Act 2011(Foia)
- Cybercrimes (Prohibition, Prevention etc) Act 2015 (Cppa)
- Central Bank Of Nigeria Consumer Protection Framework 2016 (Cpf)
- The Nigeria Communications Commission (Registration Of Telephone Subscribers) Regulations 2011 (Ncc Regulations)
- The Credit Reporting Act 2017 (Crpa)
Developing issues around data Protection
Data protection is a relatively new concept in Nigeria that is gaining more traction. With various government initiatives that have collected biometric data, new private actors and tech companies on the scene, data protection advocacy has become a necessity.
There have also been concerning policies in recent times such as the famous nin-sim linkage, the device management system and the updated sim policy of the ministry of communications.
Pursuant to this, there have been several attempts at passing data protection bills in Nigeria. In 2019 there were two data protection bills (HB504, HB564). Both went through the first reading and have not moved since. Another draft bill was proposed in September 2020 by an agency of the Federal Government where they brought together several stakeholders to make input. This bill is yet to be presented to the National Assembly.
A Digital Rights and Freedom Bill was proposed and passed in 2016, asserting the rights of internet users in the digital world, but it never received presidential assent and is now back in the National Assembly. At the same time, several data privacy laws were cited as potentially harmful to the development of an open and inclusive internet, including the Cybercrime Act 2015, the Lawful Interception of Communication Regulation (which has been used to target journalists), the Hate Speech Bill, and the Social Media Bill.
Advocacy Efforts in Nigeria
Paradigm Initiative has tried to increase awareness of citizens to the need for data protection in Nigeria for an informed public is the basis of civic engagement. We hope that in arming more people with knowledge the more concern the topic will see. In a bid to create awareness we had capacity building programs and media engagements. We also undertook policymaker engagements and consultations. One of such engagements was with the National Identity Management Commission (NIMC), which is the agency in charge of collecting the biometric data of Nigerians to roll out inclusive digital identity systems and therefore one of the primary data processors in Nigeria. We started in Uyo Nigeria, in 2020 where we put together citizens, independents, civil society actors and journalists in a room with the commission to speak to the issues they have encountered using registering and enrolling for the identity systems. A lot of those questions in 2020 were centered around the capacity of the commission and how they intend to capture 200 million Nigerians. Paradigm Initiative found out that the questions were intelligent but not all-encompassing.
In June of 2021, we scheduled such engagements with the commission in another set of states; Kano and Lagos states. In these engagements, we took a different approach. The engagements were to be two-day events with the first day being a Data protection workshop and the second day a digital identity stakeholder engagement.
The results were tremendously different, we found that by the second day the engagements were the most robust we had ever had. Participants were curious about who had access to the data collected, how often they gain this access, the systems used to store them and more. At these events, we learnt about the NIMC governance board that has representatives from major government data processors in a bid to regulate them as well. These are;
- A representative of the Nigeria Immigration Service
- A representative of the Office of the National Security Adviser
- A representative of the National Population Commission
- A representative of the Central Bank of Nigeria
- Chief of the Defence Staff
- A representative of the Department of State Security Service
- A representative of the Corporate Affairs Commission
- Three Persons who are knowledgeable in Information Communication Technology or Identity Management to represent the public
The commission also went ahead to let us know that a new data protection bill is in the works where the input has been made by various stakeholders and it is at the brink of going to the National Assembly.
While we wait for this legislation to reach the National Assembly in Nigeria we will continue in the push toward data protection legislation.