ArticlesTechnology

Analysis of Nigeria’s Data Protection Framework in the Light of International Human Rights Standards on Privacy by Ndubueze, Ebere L.

Introduction

The word “data” is defined [1] to mean characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals and is stored in any format or any device. Simply put, data is information regarding anything from any sphere of life.
In Nigeria, there are legal and administrative frameworks for the protection of data. These frameworks are general and sector specific respectively. It is the aim of this paper to examine and critically analyse the regulatory framework for data protection in Nigeria through the eye of International Human Rights standards on privacy.

International Human Rights Standards on Privacy

International human rights law provides a clear and universal framework for the promotion and protection of the right to privacy. [2] The Universal Declaration on Human Right encapsulates this standard thus “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.

Everyone has the right to the protection of the law against such interference or attacks.” [3] Article 17 of the International Covenant on Civil and Political Rights 1966, contains similar provision. While Article 16 of the Convention on the Rights of the Child 1989 provides same in respect of children, Article 14 of the International Convention on the Protection of All Migrant Workers and Members of Their Families 1990 provides same regarding migrant workers and their family members.

Legal Framework for Data Protection in Nigeria

Preliminarily, Nigeria does not have a principal data protection legislation. However and remarkably so, the recent ‘Nigeria Data Protection Regulations 2019’ hereinafter referred to as ‘NDPR’, [4] is a subsidiary data protection legislation that meets international human rights standards on privacy, in that it criminalises arbitrary interference with a person’s data privacy.

Regarding data security, it is provided that [5] anyone involved in data processing or them control of data, shall develop security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, amongst others.

Under section 5(2)(3) NDPR, a duty of care is owed to a data subject, by any person entrusted with or in possession of the data subject’s personal data: This person shall also be accountable for his acts and omissions in respect of data processing.

Another data privacy protection measure commensurate with Article 12 UDHR 1948, is Section 9 NDPR where it is recognized that, any medium through which personal data is being collected or processed, shall display a simple and conspicuous privacy policy that the class of Data Subjects being targeted can understand.

Other legislations that concern data protection In Nigeria include:
i. The 1999 Constitution of Federal Republic of Nigeria (as amended): Section 37 of which guarantees and protects privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. However, this constitutional right to privacy is also constitutionally restricted under Section 45(1)(a)(b), where any law that is reasonably justifiable in a democratic society in the interest of defense, public safety, public order, public morality or public health, allows: or for the purpose of protecting the rights and freedom of other persons.

ii. Cybercrimes (Prohibition, Prevention, etc) Act 2015: It criminalises abuse and misuse of data for fraudulent purposes under Section 36, and imposes a duty of record retention and data protection on service providers by Section 38.

iii. National Identity Management Commission Act 2007: It established the National Identity Management Commission (NIMC) whose function pursuant to Section 5(a), is to amongst others, create, manage, maintain and operate the National Identity Database. By Section 6(a), the Commission has powers to request for any data from
any person on matters relating to its functions. This presupposes an implied duty on the Commission to ensure adequate protection of all data collected therefrom.

iv. Nigerian Communication Commission Act 2003: It regulates the communication industry in Nigeria, and established the Nigerian Communication Commission (NCC) under Section 3(1) for that purpose. Remarkably, the Commission has made a number of regulations with data protection flavour in the telecommunications industry,
pursuant to its powers under Section 4 of the NCC Act. These regulations include: the Consumer Code of Practice Regulation 2007, [6] the Registration of Telephone Subscribers Regulation 2011, and the Nigerian Communications (Enforcement Process, etc) Regulation 2005.

Administrative Framework for Data Protection in Nigeria

Notably, there is no single data protection authority in Nigeria. Under data related legislations, there are different authorities responsible for data protection. Some of these include:

i. National Information Technology Development Agency (NITDA): This Agency is the data protection authority under the Nigerian Data Protection Regulation 2019.

ii. Nigerian Communication Commission (NCC): This is the data protection authority under the Consumer Code of Practice Regulation 2007, the Registration of Telephone Subscribers Regulation 2011, and the Nigerian Communications,(Enforcement Process, etc) Regulation 2005 and Guidelines for the Provision of Internet Service.

iii. National Identity Management Commission (NIMC): This is the data protection authority under the NIMC Act 2007 and the mandatory use of National
Identification Number (NIN) Regulations 2015 and 2017.

Summary and Conclusion

The foregoing aptly reveals not only the international human rights standards on privacy, but also the regulatory framework for data protection Nigeria. It is also evident therefrom that, Nigeria is not lagging behind in her data protection framework, in the light of international standards on privacy.

The yesterday’s ‘Nigeria Data Protection Regulations 2019’ speaks great volume in this regard. It is therefore hoped that adequate measures will be employed to attain effective enforcement of Nigeria’s laws in data protection.


Endnotes

1 Section 4 Nigeria Data Protection Regulation 2019.
2 UNHR – International Standards. Available at
https://www.ohchr.org/EN/Issues/Privacy/SR/Pages/Internationalstandards.aspx accessed on 23 September 2019. 3 Article 12 UDHR 1948.
4 NDPR was issued by the National Information Technology Development Agency (NITDA) under the NITDA Act on
25 January 2019.
5 Section 10 NDPR 2019. 6 This is made pursuant to Section 4(b)(p) and 106 of the NCC Act.


Ndubueze is a law graduate of University of Calabar, Nigeria and a prospective student of the Nigerian Law School. She has a penchant for legal research and writing with particular interest in Environmental Law, Intellectual Property Law, Information Technology Law and Alternative Dispute Resolution. She can be reached via ndubuezeeberelene@gmail.com, 08169008219 and Ebere Ndubueze on LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked *