Data protection: Between NCC and data protection commission
On Monday, June 2023, the Nigeria Data Protection Bill was signed into law by the President of the Federal Republic of Nigeria, His Excellency, Bola Ahmed Tinubu. The Nigeria Data Protection Act, 2023 (the Act), is the very first principal legislation on data protection in Nigeria.
The signing of the Act was a positive response to the various campaigns by stakeholders in the Data Protection ecosystem for a unified primary legislation on data protection. It was believed that a unified primary legislation would help to position Nigeria as one of the progressive countries championing the Data Protection movement globally.
It would be recalled, that despite several stakeholders’ engagements and lobbying, the President Mohammadu Buhari’s administration failed to pass the bill into law. Therefore, the passage of the Act by President Bola Ahmed Tinubu few weeks after his inauguration was seen by practitioners as a glimmer of hope and a sign of more positive developments in data protection and privacy in Nigeria.
One of the significant features of the Act was the creation of the Nigeria Data Protection Commission (the NDPC) tasked with the responsibility of ensuring compliance with the provisions of the Act.
Prior to the passage of the Act and the establishment of the NDPC, the Nigeria Data Protection Regulation (the NDPR), a subsidiary legislation of the National Information Technology Development Act (NITDA), was the only law on data protection in Nigeria. NITDA was directly in charge of enforcing data protection compliance in Nigeria. Two years ago, the Nigeria Data Protection Bureau (the NDPB) was set up to take over the data protection regulatory compliance task from NITDA and remained the regulator until the passage of the bill when it transitioned into the NDPC.
Few days ago, a regulation styled as the “Data Protection (Communications Services) Regulations, 2023 (the draft Regulations),” found its way into the public domain. It is assumed that the draft Regulations is a proposed subsidiary legislation being introduced by the Nigeria Communications Commission (NCC) for data protection in Nigeria’s telecommunication sector.
Although there has not been any official communication regarding the draft Regulations, a cursory look at same shows that it is a replication of the content of the major provisions in the NDPA. Although the essence of the draft Regulations is still unknown, a wild guess would suggest that NCC plans to initiate a regulation that would enable it take charge of regulating data protection and privacy within the telecommunication sector.
While the introduction of the draft Regulations may appear a laudable idea, data protection practitioners who have been involved in the campaigns leading to the birth of the NDPA and NDPC would not have difficulties in identifying the negative impact the draft Regulations will have on the advancement of data protection in Nigeria.
Compliance would become a burden and enforcement would occasion avoidable hardship on industry practitioners, particularly the telecommunication (telecom) industry who are the target of the draft Regulations. Some may in fact see the move by NCC as a clear attempt, to undermine, stifle and render redundant the recently created NDPC, particularly in the telecom industry. What is more? The draft Regulations is silent on the provisions of the NDPA and failed to recognize the existence of the NDPC.
In order to drive home the point being made on the danger of the draft Regulations, let us examine some of the similarities and conflicts between the draft Regulations and the NDPA.
The Similarities and Conflicts between the Draft Regulations and NDPA
Reporting Breach of Personal Data
Section 40 of the NDPA and Regulation 9 of the NCC draft Regulations outline steps that data controllers/processors should take in the event of a data breach. However, the differences in the specific reporting requirements and timelines mentioned in the two laws are potential recipe for contradiction and confusion.
Under the NDPA, in the event of a breach, the initial step is for data processor to notify the data controller. If the breach is likely to result in a risk to the rights and freedoms of individuals, the data processor must also notify the NDPC within seventy-two hours. Additionally, if the breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must immediately communicate the breach to the affected data subject.
In contrast, the draft Regulations mandates licensee (data controller/ processor), to immediately notify the data subject of any leak of their personal information. Furthermore, it requires the data controller to rectify the breach within seventy-two hours of becoming aware of it. The provision also stipulates that the licensee must report the breach to the NCC.
The differences between the two laws regarding reporting obligations and timelines indeed create a contradiction in the steps that data controllers/processors should take in the event of a breach. The NDPA emphasizes the notification to the NDPC, while the draft Regulations focuses on immediate notification to the data subject and reporting to the NCC.
Sanctions for Violations
Both Section 48 of the NDPA and Section 40 of the draft Regulations address the enforcement measures and sanctions that can be imposed on data controllers/processors for violating the provisions of their respective laws. Both laws provide for the imposition of fines as a form of sanction.
Section 48 of the NDPA mentions penalties or remedial fees, while Section 40 of the draft Regulations specifically outlines an administrative fine of N10,000,000.00. Both laws emphasize the importance of remedying the violation. Section 48 of the NDPA includes a provision requiring data controllers or data processors to remedy the violation, while Section 40 of the draft Regulations mentions that the infraction should be remedied or discontinued.
The duplication of provisions between the draft Regulations and the NDPA would create challenges and potential hardships for data controllers/processors. When two sets of regulations overlap and impose similar but potentially conflicting requirements and sanctions, it can lead to confusion, increased compliance burdens, and potential contradictions.
In the scenario where both the draft Regulations and the NDPA have overlapping provisions and sanctions, it is crucial for clarity and harmonization to be established. Data controllers may face difficulties in determining which set of regulations to follow and how to comply with both simultaneously.
Ideally, efforts should be made to avoid duplicating provisions and ensure consistency and coherence in data protection legal framework. Instead of introducing sector-specific regulations that replicate the provisions of the NDPA, the NCC ought to collaborate with the NDPC and work towards a unified approach that recognizes the authority and expertise of the NDPC in data protection matters.
To be continued tommorow.
Get the latest news delivered straight to your inbox every day of the week. Stay informed with the Guardian’s leading coverage of Nigerian and world news, business, technology and sports.