Poor awareness, manpower threaten data privacy in Nigeria, says Olatunji
The National Commissioner for the Nigeria Data Protection Commission, Dr Vincent Olatunji, speaks with ADEYEMI ADEPETUN about the issues of data management, sanctions on erring organizations and contributions to the economy, amidst other germane issues.
The Nigeria Data Protection Commission is new; many people might not know what the commission is capable of doing. Can you speak on some of the roles of NDPC?
Globally, the way we interact with ourselves, either for work, business or social activities is mostly online; there is hardly anybody that can survive daily interactions without digital platforms. When we do this, we exchange our personal information on a regular basis in terms of our names, telephone numbers, house addresses, BVN details and so on. These are referred to as our personally identifiable information. There is some other information that is sensitive, which includes health records, political opinion, labour union activities, among others. These are categories of personal data that can be used to identify you as a natural person. The rate at which this information is exchanged on a regular basis has necessitated concerns because many people use it maliciously, for purposes other than those for which it was collected. It may be identity theft, scam, unauthorised access to accounts.
For example, you go to a business centre, to make a photocopy of your ID card or passport. After photocopying, you discover it was not clear, you ask for another one which is clear. You then walk away, leaving the ‘unclear’ photocopy; criminals can take such, to register a SIM and hand it over to kidnappers or armed robbers. Your identity may now be used to commit the crimes. Another means to use the ID card is gaining access to the money in your account and before you know it, you start getting withdrawal alerts that you never authorized; this means someone has accessed your bank details to steal from your account.
This issue has been taken seriously globally. The standard now is that whosoever has another person’s information must put in place adequate technical and organisational measures to protect the privacy of the information. This is what brought the idea of having laws for data privacy and protection. In fact, it has been declared as a human right issue as far back as 1948 by the United Nations. In Africa, there was the African Union Convention on Cyber Security and Personal Data Protection of 2014. Even at the level of ECOWAS, as far back as 2010, there was a Supplementary Act for all ECOWAS countries to put in place Data Protection Laws and have independent authorities to implement the laws. But the major turning point globally was that of the EU, the GDPR in 2018. All these are targeted at protecting information people are sharing regularly.
In fact, in Nigeria, the issue of protecting personal identifiable information is a constitutional matter. Section 37 of the Federal Constitution of Nigeria, 1999 as amended, speaks to the need to protect our data and maintain privacy, among others.
In Nigeria, the turning point was in 2019, when the Nigerian Data Protection Regulation was issued and with it, the Nigeria Data Protection Bureau was created in February 2022 by the then President, Muhammadu Buhari.
Part of what we were told to do was to have a principal law for data protection in Nigeria and that was why we agreed to work with stakeholders.
The work on having a principal law commenced in earnest but could not be signed into law before the end of his tenure. Gladly, President Bola Ahmed Tinubu identified the importance of this law for lives and livelihoods and on June 12, 2023, barely 10 days into his administration, he signed the Nigeria Data Protection Bill into law. By that singular act, Nigeria joined the international community of countries with adequate data protection laws. In fact, Nigeria is highly esteemed because it learnt from others and came up with arguably the most progressive law in the world as at today.
So, at NDPC, we are mandated to implement that law. We are to ensure that the data privacy rights, freedom and interest of all Nigerians are adequately protected. In effect, we must hold data controllers and processors accountable for any personal data that is with them.
As the regulator, we are to ensure that the data of Nigerians are collected, processed, stored and shared, in a safe and secure manner through appropriate safeguards.
There have been clamours from different quarters for data residency. What is your take on that?
This brings to the fore the issue of data sovereignty, which is the ability to supervise what happens to the data of subjects as a sovereign nation.
But looking at the digital world, is it possible for any country to actually operate in isolation without actually sharing data with other countries? For instance, you sit in Nigeria and visit Amazon to buy things. They ship it to you and you receive it. Another example is, you are here in Nigeria, your doctor attends to you from abroad and you are diagnosed, among others. So, it is very difficult to say that all your data must reside where you are domiciled locally.
What we are trying to do in that regard is to have data classification. That is, what category of data is compulsory to be stored within Nigeria locally and what category of data can be shared with any other country. When doing this, it means that the other country must also have in place adequate safeguards in terms of their own laws, data protection, certifications, standard contractual clauses, among others.
Part 8 of our law addresses this as cross-border transfer of data, where it specifically states the conditions to be met in terms of transfer of data. To be candid, no country can work in isolation because the world is now a global village and there is a need to carry out transactions seamlessly across the globe. Nothing in this value chain must be done in a way that puts our economy or security in peril and as a Commission, we are absolutely conscious of this.
President Tinubu targets one million digital jobs from the IT sector, how can the NDPC help in achieving this?
The statutory requirement for data controllers to engage data protection officers is a big avenue for job creation. The last time we did the analysis, we figured that we would need 500,000 Data Protection Officers. Currently, those that are qualified in the field are not up to 10,000. So, there is a gap of 490,000 jobs that can be created. Through training and equipping the data protection officers, we will create jobs. The model we have adopted so far, and backed by the law, is a Public-Private Partnership model, where we licence Data Protection Compliance Organisations to carry out compliance as a service to data controllers and data processors. With that, we have been able to licence over 150 DPCOs, and there are people employed in these organisations (5–10 people). These people will earn their living through their various data protection compliance jobs.
In fact, at the last count, we identified about 17 different services which the DPCOs offer and they are creating jobs. Also, that segment is now worth over N5 billion in just three years of implementation. This speaks to the type of job and value that can be created.
We are going to expand our tentacles to every part of the country by ensuring that data management becomes a culture in Nigeria. We are very sure that lots of jobs will be birthed from this sector that will bring to fruition the target of Mr. President.
What is Nigeria doing about big tech firms and their usage of personal data?
We are working on how big tech firms use our personal data. One good thing about our law is its ability to adapt to situations. For instance, emerging technologies and how we address issues of privacy that come up with their usage. The law empowers us to issue regulations in order to control what happens with them. Globally, the attention is focused on social media networks and even solution providers. Just recently, Meta was fined by the Ireland’s Data Protection Commission. This demonstrates the level of importance attached to data protection. Also, Microsoft was fined recently in the U.S. If these companies could be fined, it means no one is above the law and whichever country or region they are in, they need to take measures to comply with data privacy laws.
Also, what we are trying to do in Africa is to have a coordinated privacy law to guide the operations of multinationals and service providers in Africa. Gradually, we will get there but for now, Nigeria has a law to properly monitor what they are doing, and we will do a whole lot with the law.
What will you say is the biggest issue with data privacy in Nigeria?
Awareness and manpower are our major challenges in applying the data law in Nigeria. Many Nigerians do not know their data rights. Very soon, we would be coming up with a lot of awareness activities for people to know their rights. Whatever data that is being collected, the data subjects need to know the essence of it.
We will also create awareness activities for data collectors and data processors. They need to understand why they collect people’s data. It is crucial that the organizations they work with provide timely training for them, especially as new data-driven systems keep emerging.
We have been inundated with complaints of the data of Nigerians being siphoned through the PoS terminals. This is the reason I said earlier that awareness and education matter in this line of process. We sensitize organizations, including banks, schools, digital lending companies that we have had cause to investigate and take them through the compliance mechanism.
Can we know outcomes of some of the investigations NDPC has carried out?
We have investigated and interrogated the activities of so many, especially in the banking sector, telecommunications, consulting, and digital lending companies. In the banking sector, we have taken appropriate remedial actions against three banks; we fined Soko Loans N50 million, and they are still sorting out how to pay. If we go all the way, that is the full weight of the law; the fines would effectively cripple businesses and create unemployment.
What we do now is to make them pay a remediation fee and take them through regulatory compliance. We are trying to improve compliance culture, to encourage companies to make it part of their practices. Regarding some of the investigations, they are ongoing, and it takes time.
The Commission has realised over N250 million from this remediation, levies and registration fees within one and a half years. We register firms and individuals that carry out compliance on our behalf.
How far is NDPC engaging the CBN on the recent directive handed to banks that they should get the social media handle of their customers?
They cannot implement the regulation without the consent of the data subjects, who are to give out their social media handles. They need to get their consent. People need to willingly avail you of the right to collect their social media information because these are personal information.
Secondly, if there is going to be anything of such, there are guidelines that must be drawn out. Also, the regulation could be in the public interest, which is another basis for data processing. If they are doing so, they need to put in place guidance to ensure that it remains that way.
These are some of the things we are working on with them to ensure that there are no ambiguities in the implementation of the regulation. In their regulatory role in the financial sector, they have the right to do a lot of things, but at the same time, that right should not override the rights of Nigerians. This is why we have asked that we work together to look at the best way to handle it.
The regulation is likely to still fly but it would be based on the consent of the data subject. For the purpose of investigation, for instance, the likes of Hushpuppy and Woodberry were caught with the help of their social media activities. If this is the case, it will be on a basis of legal obligation, i.e., it forms part of their obligations in carrying out their mandate.
How far has NDPC gone in terms of blacklisting firms that are not adhering to data privacy laws?
When we started that process, there was no law, but this is no longer the case. However, rather than blacklisting firms, we encourage all organisations dealing with data to register with the Commission as soon as the portal comes up.
This is because if we don’t know those we are trying to regulate, we cannot effectively regulate them. So, we are starting with registration, after we would have the yearly data protection compliance audit report, which would hold between January and March 31.
We are also starting a Whitelist based on the transparent metrics for adequate protection. Considering the compliance audit returns process, we would have the Whitelist by March 2024. If one is expected to be on the Whitelist but is not, there is the danger of being blacklisted.
To be on the Whitelist, two things apply: be verifiably transparent and be prepared always to address grievances of data subjects. This doesn’t mean your system must have zero risk; there is no such thing in data processing. However, those who negligently or criminally violate the right of data subjects and fail to carry out remediation as required by law will definitely be blacklisted and will also face appropriate legal penalties.