In December 2019, the personal data of numerous taxpayers in Lagos State was leaked on the payment portal of the Lagos Internal Revenue Service (LIRS), violating not only their right to privacy under the Constitution but also the provisions of the Nigeria Data Protection Regulation (NDPR) 2019 issued by National Information Technology Development Agency (NITDA) – the regulator.
It should be noted that we had expressed reservations over the ability and suitability of NITDA to play the role of a data protection agency in Nigeria. One would have thought the agency would work to prove doubters wrong by ensuring that violations against its regulations are duly punished.
We are mindful that the Digital Rights Lawyers Initiative (DRLI) has filed suit No. FHC/L/CS/56/2020 against both LIRS and NITDA on the data breach seeking orders mandating NITDA to fine LIRS as provided under the NDPR to the tune of 2% of their annual gross revenue. We are monitoring this process and we will work with the litigant to ensure it is seen to a reasonable conclusion
In addition to the specified fine, the NDPR provides for compensation for victims of a data breach, but the Lagos State government has said nothing about this, in spite (or despite?) of their admission of guilt.
We hereby call upon NITDA to stop paying lip service to data protection In Nigeria and to fulfill its role as a regulator on one hand and Lagos State government to compensate victims of the data breach as admitted. NITDA must give an update on all data breaches reported to it since the inception of the NDPR.
Finally, Nigeria should enact a data protection law duly passed by the National Assembly and signed by the president. The law should set up an independent Data Protection Authority with core mandate for data protection in Nigeria.