In recent times, I have had a number of stimulating on and offline conversations with privacy professionals and enthusiasts on the reasons for the dearth of data protection laws and materials in Nigeria and possible solutions.
There is no gainsaying that our country remains on the list of African Countries without a data protection law (the Nigeria Data Protection Regulation 2019 (NDPR) is not considered a law in this context). It is further sad that, in spite of being a signatory to the ECOWAS Supplemantary Act on Personal Data Protection 2010 and African Union Convention on Cyberscurity and Personal Data, we are yet to have a general data protection law.
It must however be noted that, some commendable attempts have been made by in the past by the National Assembly in the mould of the Data Protection Bill 2010 (HB 276, HB 45) and later the Data Protection Commission Bill 2019 as presented to the Executive in May 2019 but it was not deemed worthy of presidential assent for some right or wrong reasons. I also understand that two (2) Data Protection Bills are currently pending before the 9th National Assembly as sponsored by Hon. Yakubu Dogara (HB: 564) and Hon. Ndudi Elumelu (HB: 504) but not so much has been heard about the progress of these very significant bills.
However, as the Federal Government continues to, with respect, struggle in its tracks to deliver a Data Protection Act to the country, States’ Governments have also appeared uninterested in legislating data protection with the exception of one of the states in the southwest which I hear, has concluded works on a bill on data protection in readiness for sponsorship to their House of Assembly.
As it appears that, the States may come to our nation’s rescue faster than the Federal Government, we may need to interrogate the legislative competence of the various Houses of Assembly to make laws on data protection under our extant Constitution.
Data protection as a component of right to privacy
An interrogation of legislative competence must necessarily start from first ascertaining the nature of ‘data protection’ as a concept within the context of law-making powers of the legislative houses concerned. For localization purposes, I will restrict myself to some Nigerian academics who have written on the subject for clarity on the vexed argument as to the relationship of data protection with right to privacy.
Dr. Kemi Omotubora, lecturer of Information Technology Law, University of Lagos, is perhaps, the fiercest critic of conflation of data protection and privacy. In a recent paper she co-authored with another academic from Leeds University, United Kingdom, the learned data protection lecturer decried the problematic definition of personal data because it has blurred the fine lines between the concepts of privacy and data protection that has been drawn from the inception of the data protection regime”
However, she went ahead to acknowledged that: “Following the same track, the European courts have consistently conflated data protection and privacy and treated the former as an extension of the latter.” She referred to a number of decisions (Breyer, Volker, Rundfunk etc) reported in my Casebook on Data Protection, where the European courts ruled on the fusion of data protection with privacy. See ‘Next Generation Privacy’ Information and Communications Technology Law accessible at https://doi.org/10.1080/13600834.2020.1732055
In another co-authored paper titled “Personal Data Protection in Nigeria: Reflections on opportunities, options and challenges to legal reforms”, Dr. L.A. Abdulrauf of the Department of Public Law, Faculty of Law, University of Ilorin, states that:
“In spite of its commercial purposes, there is no denying that, data protection has its roots in the right to privacy in international human rights instruments…Thus, the normative basis of data protection is in the human rights instruments which arguably makes it human right too. While some jurisdictions do not even distinguish privacy from data protection, others have anchored their data protection laws on right to privacy. The relationship between data protection and other human rights also strengthens the argument in favour of it being a human right.”
In his contribution to a book titled “African Data Privacy Laws”, Iheanyi Samuel Nwankwo, a research associate at Institute for Legal Informatics, Leibniz Universitat, Hannover, Germany states at page 47 that:
“But irrespective of these conceptual differences, this chapter will focus on information privacy in Nigeria, that is, the aspect of the law that regulates how personal information is collected, processed, accessed, shared and stored by others….The words “data protection” and “information privacy” are used interchangeable and they are intended to mean the same thing…”
From the foregoing interventions, it appears that, from whatever perspective one decides to view ‘data protection’, the underpinning presumption, especially in Nigeria where there exists no judicial decision at the moment, favours the concept of data protection as an integral constituent of right to privacy and that is where this writer has, unassertively, chosen to pitch his tent until a defining decision is handed down by our courts.
Can State governments legislate data protection?
Apparently, “data protection” or its semblance does not exist under the exclusive legislative list but some commentators have curiously argued that, only the Federal Government of Nigeria has the legislative competence to make laws relating to data protection. Senator Ihenyen, Esq.- a consistent Information Technology Lawyer, in a data guidance note, stated that:
“Following Nigeria’s federal system, only the National Assembly has the power to legislate on broadcasting, posts, telegraphs, telephones, televisions, wireless communication and any incidental matters. This is in accordance with the provisions of the second schedule of the Constitution. The implication of this is that, if Nigeria’s federal legislature failed to legislate on data and privacy related matters, state legislators do not have the power to legislate on them”
Without necessarily commenting on the aptitude or otherwise of Mr. Ihenyen’s opinion above, it is worth of note that, item 28 of the exclusive list provides for “fingerprints identification and criminal records” which are universally classified as sensitive data covered by data protection laws, but that is not to say that, sensitive data alone forms the whole gamut of data protection to make it an exclusive matter.
Although a direct answer to the poser here cannot be found in the Constitution which does not prohibit states from legislating fundamental rights, I will attempt an answer by drawing inferences from a similar but specific data protection laws passed by States Houses of Assembly in relation to fundamental right to privacy.
Freedom of Information Act 2011 (FOIA)
The FOIA was passed in 2011 by the National Assembly to, among other things, make information freely available and for the protection of personal privacy. This Act has been repeatedly argued in various courts to guarantee freedom of expression which includes “freedom to receive information” under section 39(1) and right to privacy under section 37 of the Constitution.
In that same 2011, the Ekiti State House of Assembly followed suit when it passed its own Freedom of Information Law to make information available and protect personal privacy. Not long after that Imo and Delta States also passed their own Freedom of Information Laws which, in part, protect personal data as well.
Conclusively, although these laws are not comprehensive as far as standard data protection provisions are concerned, they are nevertheless States enactments on data protection and right to privacy.
With the absence of any item under the exclusive legislative list ceding sole powers to legislate data protection to the Federal Government, it is this writer’s respectful opinion that, States’ Houses of Assembly possess requisite legislative competence to make laws on the subject.
Olumide writes from Lagos, Nigeria.