The status of data protection reform in Nigeria

The need for a comprehensive data protection law in Nigeria has once again resurfaced with the recent publication of the 2015 U.S. Chamber of Commerce’s International IP Index. Nigeria’s overall score remained at 9.81 out of 30 points (same as in the 2014 report), placing the country 25th out of the 30 countries assessed.  Among other things, the fact that there is no regulatory terms for data protection of clinical data submitted for market registration application to agencies such as the National Agency for Food and Drug Administration and Control (NAFDAC) contributed to this low rating.

It has to be stressed however that a good number of public institutions in Nigeria collect, process and store personal data in the course of executing their functions. Unfortunately, legislation establishing these institutions did not make adequate provisions for personal data protection. For instance, the National Population Act  1989 tasks the National Population Commission to “establish and maintain a machinery for continuous and universal registration of births and deaths, throughout the Federation”, but no provision is made on how to protect this database. Similarly, the National Identity Management Commission Act 2007 which created a national database for identification purposes provides in its 2nd schedule that:  full name; other names by which the person is or has been known; date of birth; place of birth; gender; the address of the individual’s principal place of residence in Nigeria; and the address of every other place in Nigeria where the individual has a place of residence may be recorded in a registered individual’s entry in the database.  Again, data protection principles were not enshrined in the legislation and no concrete provision is made for informational privacy and data security, except to make it an offence to unlawfully disclose or access personal information in the national database.

Other legislation dealing with processing of personal data such as the Immigration Act, the Federal Road Safety Commission Act, the Independent National Electoral Commission Act, the Insurance Act, etc, also lack framework for information privacy and data security. The financial sector is also worthy of mention here, where personal data is constantly processed without any concrete information privacy law to protect the bank customers. The Central Bank of Nigeria Act 2007 and the Banking and Other Financial Institutions Act 2004 (BOFIA) do not have provisions in this regard. And with the introduction of cashless transactions and online services including e-commerce, e-banking, etc, more personal data is likely to be processed and stored by financial institutions, which heightens the risk of such institutions being constant target for hackers.

Apart from the federal laws, a number of state laws also require citizens to provide personal data such as in land registration or for tax purposes without concrete data protection provisions. In the absence of a comprehensive data protection law both at the federal and state level, little or no informational privacy  is guaranteed to the data subjects irrespective of their constitutional right to privacy as set out in s. 37 of the 1999 Nigerian Constitution. This is premised on the fact that there has been little or no robust judicial activism in respect of constitutional or common law protection of privacy in Nigeria as seen in South Africa for example.

The above notwithstanding, it has to be pointed out that there have been some remarkable efforts at reforming informational privacy law in Nigeria such as the publication of the National IT Policy in 2001 and submission of various bills to the parliament that consider data protection or information security wholly or partly. Of all these legislative instruments, two bills are outstanding with respect to data protection – the Data Protection Bill 2010 (HB 276, HB 45) and the Electronic Transaction (Establishment) Bill 2013 (SB 248). The Data Protection Bill 2010 is the first federal bill in Nigeria that wholly focuses on data protection, and is now before the House of Representatives Committee on Interior having passed the second reading in 2012. The Electronic Transaction (Establishment) Bill 2013 on the other hand, which only partially considers data protection, has passed through the first reading in February 2013. There are other bills such as the Cybercrime Bill 2014 (SB 438) passed by the Senate in October 2014 that will assist in data protection. If these bills are passed into law, they will have a combined effect of establishing a regulatory framework for data protection and information security in Nigeria.

There are also regional and sub-regional treaties on the subject of data protection that Nigeria has participated in drafting. Within the West African sub-region for instance, Nigeria participated in the adoption of the ECOWAS Supplementary Act A/SA. 1/01/10 on Personal Data Protection in 2010 and has indeed signed it, which by virtue of its Article 48 is an integral part of the ECOWAS Treaty. Although there is no evidence that Nigeria has published the Supplementary Act in its official gazette for it to be locally enforceable, it has to be pointed out that because the Supplementary Act is an integral part of the ECOWAS Treaty it creates an obligation on ECOWAS member states, and sanctions could be meted out against any state who fails to implement it. Nigeria also participated in the adoption of the African Union Convention on Cyber-security and Personal Data Protection in 2014. The inclusion of personal data protection in chapter II of the Convention means that state parties who accede to and ratify the convention are committed to establishing a legal framework for data protection, including the establishment of an independent data protection authority. But the convention will require accession by fifteen states before coming into force.  So far, no AU country has ratified it. The above notwithstanding, it has to be stressed that Nigeria operates a dualist system where international treaties do not have local effects until they are domesticated by the Nigerian parliament as prescribed by s. 12 of the 1999 Constitution.

The above efforts are commendable and in the right direction, although some argue that they come too slowly, and in some instances uncoordinated or inadequate. However, there are prospects now that the rapid increase in online transactions and agitations by consumers about misuse of their personal data in marketing and e-commerce context will catalyze these legal reforms. This is for example seen as one of the objectives of the proposed Electronic Transaction (Establishment) Bill 2013.Similar clamour from local businesses with online presence in Nigeria for a legal framework that would boost their global competitiveness in the area of data processing may bring about change in the attitude of the government. As new cloud data centres are springing up in Nigeria, one may also expect pressure to mount on the government to introduce serious data protection reform.

 

Iheanyi Samuel Nwankwo

Institute for Legal Informatics, Hannover

You might also like