by Oluwagbeminiyi Ojedokun (CIPP/E) and Ridwan Oloyede (FIP, CIPP/E, CIPM)
The revised National Cybersecurity Strategy was released. In August 2021, the Nigeria Communication Commission (NCC) released the draft Registration of Telephone Subscriber Regulation for public comment. In addition, the Lagos State legislature held a public hearing for its Data Protection Bill. There were also significant court decisions impacting data protection. Finally, the government announced plans to draft a new data protection bill.
2022 is going to be another momentous year, and these are some of the things to expect:
Proposed Bills and Legislations
The most significant proposed legislation is the Nigeria Data Protection Bill 2020, establishing a supervisory authority. The bill was expected to be presented as an executive bill to the legislature. However, the bill’s progress had stalled since 2020, when it was first released for public contribution. In November 2021, the government announced a request for a proposal to draft another data protection bill. Consequently, ditching the previous effort. That will be the third attempt at enacting a data protection law since 2018.
We expect to see progress with the Digital Rights and Freedom Bill. The President declined assent to the previous version of the bill in 2019, which has now been revised, re-introduced in the House of Representatives, and expecting the House committee report. In addition, the Electronic Transaction Bill is expected to see some progress. The bill is currently expecting the Senate Committee on Banking Insurance and Other Financial Institutions report. NITDA is also expected to make progress with the amendment of its establishing Act, granting it additional powers over the regulation of digital services and data.
While some of the proposed laws advance privacy protection, some pose risks to privacy, like the Integration of Private Closed Circuit Television Infrastructure into the National Security Network in Nigeria Bill and the Internet Child Pornography Prevention Bill, 2019, pending before the House of Representatives. Both proposed laws failed to include sufficient safeguards. In addition, the proposed amendment to the draft NCC Registration of Telephone Subscriber Regulation retained the provision of the 2011 regulation that allowed the NCC to disclose subscribers information to security agents. However, only a court of law should grant such authorisation.
There is a likelihood of more sector-specific frameworks from other regulators, which will increase the compliance landscape for organisations besides the existing body of laws. For example, the Central Bank of Nigeria may finally release its Data Protection Regulation, mooted since 2018. There could also be the creation of a government department specifically concerning data protection within a ministry.
Progress is expected on the National Electronic Health Record Bill, awaiting the Healthcare Services Committee report. In addition, we expect to see a revised version of the National Health ICT Strategic Framework, whose mandate expired in 2020.
State to legislate on data protection
With the effort by the Lagos State government to enact a data protection law, we may see the trend where other state governments will either release their data protection law or pass a law with privacy or data protection implication. Another state in the South-West of the country reportedly has a draft law to be presented to its legislature.
State governments’ attempt to legislate on data protection may force organisations processing personal data of data subjects in such states, even when not based in the state, to register with the respective state governments’ data protection commission.
There has been much conversation on pervasive practices of some digital lending companies, and regulators are starting to pay attention. There is a pending bill before the House of Representatives to regulate the activities of the lenders. There are also pending litigations filed against some lenders for violation of privacy. Significantly, we expect increased coordinated action from the Federal Competition and Consumer Protection Commission, Central Bank of Nigeria, and NITDA (the substantive data protection regulator) to reign in the lenders. In addition, there could be potential secondary legislation to specifically address the growing concern in that ecosystem.
There are growing examples of violations of the law by private and public institutions. While there could also be rising effort to comply with the existing law, it is minuscule compared to ongoing violations that pervade. Nevertheless, there is still so much that needs to be done to make data protection part of how people live, do their job, build products and provide services. Organisations and public authorities need to understand their obligations and make a genuine effort to build an effective privacy program. “There is more work to be done in raising awareness of data subjects – aware enough to invoke their rights and make informed decisions”. The regulator also needs to do its job by enforcing the law and not passing over clear violations, even if committed by a government agency. Finally, the country should enact a federal data protection law.
A slightly different version was submitted in December 2021 for the IAPP 2022 legislative tracking whitepaper.