Thursday, 29th February 2024
To guardian.ng
Search

Data protection: Between NCC and data protection commission

By Ifeoma Peters
26 July 2023   |   3:57 am
Section 31(5) of the NDPA states that the NDPC shall create regulations in line with the objectives of the Act when processing personal data of a child aged 13 and above. This specifically applies to the provision of information and services...

NCCE building, Abuja

Section 31(5) of the NDPA states that the NDPC shall create regulations in line with the objectives of the Act when processing personal data of a child aged 13 and above. This specifically applies to the provision of information and services through electronic means at the child’s explicit request. On the other hand, Regulation 11(5) of the draft Regulations allows for reliance on the consent given by a child aged 13 or older. This consent is applicable for the provision of information and services through electronic means when individually requested by the recipient.

These two provisions indeed present a contradiction. Data controllers/processors faced with these conflicting laws may find themselves unsure about the appropriate course of action.

Sections 41, 42, and 43 of the NDPA establish the basis for transferring personal data to another country, particularly focusing on the adequacy of protection and steps to be taken when adequate protection is lacking. Notably, the Act grants the authority to determine the adequacy of the recipient country’s protection regime. However, Regulation 34 of the draft NCC Regulation seems to introduce a potential conflict of power. It empowers the NCC to determine the adequacy of the recipient country’s protection regime. According to Section 34(2) of the Regulation, licensees are required to obtain approval from the NCC, which will consider whether the location provides a sufficient level of data protection before issuing such approval.

This raises questions regarding the compliance obligations for data controllers and processors who obtain consent from the NCC. Does obtaining consent from the NCC eliminate the need to comply with the requirements listed in Section 41 of the NDPA? Additionally, a data controller (licensee) will become confused whether he can proceed with data transfers solely based on obtaining consent from the NCC without adhering to the requirements outlined in Section 42 of the Act.

The NDPA in Section 38 provides for the data subject’s right to data potability. There is no mandate to a data controller and processor to refuse the data subject the right to data portability, it only provides for the conditions upon which data subject may exercise such right. It also provides the obligations it would impose on a data controller or data processor, in relation to costs and timing. However, Regulation 31 of the draft Regulations, empowers the licensee to refuse data portability in certain cases. This section again directs data subject to refer written complain to the NCC.

As final thoughts on the challenges the coexistence of the draft Regulations and NDPA portends for data protection in Nigeria, below are few of the immediate concerns: 

The existence of overlapping and conflicting regulations will create a burdensome compliance process for data controllers and processors. They would need to navigate and adhere to multiple sets of requirements, leading to additional costs and administrative complexities. This duplication of compliance obligations hampers efficiency and would be particularly challenging for organizations operating within the telecommunication sector.

The presence of conflicting provisions between the NDPA and the draft Regulations introduces ambiguity and confusion regarding the interpretation and application of data protection principles. Different standards and requirements set forth in the two laws can make it difficult for data controllers and processors to understand their legal obligations clearly, potentially resulting in inadvertent non-compliance.

Inconsistent Enforcement Mechanism 
When two separate regulatory bodies, the NDPC and the NCC, become responsible for enforcing compliance with data protection laws, inconsistencies in enforcement are likely to arise. Different interpretations and enforcement approaches by these entities may lead to unequal treatment and arbitrary outcomes, eroding public trust in the regulatory framework.

Duplicity in laws often leads to prolonged legal disputes and litigation as conflicting provisions require clarification and resolution by courts or other legal bodies. This results in delays in legal proceedings, increased legal costs, and a diversion of resources that could have been utilized more effectively.

Addressing these challenges requires coordinated efforts and a streamlined approach to data protection regulation in Nigeria.  It is important to note that allowing the NCC to proceed with establishing a sector-specific regulation that disregards the NDPA entirely would set a precedent for other sectors to create their own separate data protection regulations. This would lead to fragmentation and setbacks within the Nigerian data protection landscape. Looking at the European context, the General Data Protection Regulation (GDPR) is a uniform legislation recognized across all European countries. Similar harmonization of data protection laws is crucial for the development of a robust data protection ecosystem in Nigeria.

In conclusion, it is essential to recognize that the NDPA, as an act of the National Assembly, takes precedence over any proposed subsidiary legislation such as the draft Regulations. The NCC should focus on collaborating with the NDPC to ensure that the telecom industry is adequately addressed and regulated under the NDPA. If the NCC intends to introduce industry-specific regulations, those regulations must emanate from the NDPC as Regulations made pursuant to the NDPA. This position will also apply to any other sector that believes that its operations have some unique features which needs to be specifically addressed. A situation where every sector decides to introduce a regulation seeking to data protection within its sector is not appropriate and it is antithetical to the spirit of the NDPA and the creation of the NDPC. 
Concluded
Ifeoma is the Managing Partner, DNL Partners DNL Partners is a licensed Data Protection Compliance Organization (DPCO) ifeoma.peters@dnlpartners.com

In this article

0 Comments