Now Reading:

National Data Protection Regulations – Legal Alert

Business Regulations, Law & Practice	4493 VIEWS
Business Regulations, Law & Practice
4493 VIEWS

Monday, 29 April 2019 / 02:56PM / By Oserogho & Associates / Header Image Credit: TechEconomy.ng

Introduction

The value, benefits, significance and risks associated with Data Information and Privacy, to modern daily activities, is no longer under-rated.

The National Information Technology Development Agency (“NITDA”) is statutorily obligated to develop Regulations which protects all electronic data information.

In compliance with the above-mentioned statutory obligations of NITDA, NITDA has published the Nigeria Data Protection Regulations (“NDPR”) to protect all electronic data Information.

Objectives of Data Protection Regulations

The fundamental objective of the NDPR or the Data Protection Regulations is the safeguard and the protection of the data rights, privileges and privacy of individuals who are of Nigerian descent, irrespective of their country of residence.

All public and private organisations who exercise any form of control over the data of individuals are required to, as from the commencement of the NDPR, circulate publicly their respective Data Protection Policies.

Summaries of all the Data collected and processed are to be delivered to NITDA.

Data User/Subject Consent

The Data Information of a Person can only be collected and or processed in accordance with the specific, legitimate and lawful consent of a Data User or Subject. Such consent must not be obtained by fraud, misrepresentation, coercion or undue influence.

No consent is to be sought, given or accepted in any circumstances that may engender directly or indirectly the propagation of the violation of any children’s rights, hate and other anti-social norms.

Any Data consent given must also be freely and easily withdrawn at any time by the Data User or Subject without any explanation for the withdrawal proffered. Similarly, the Data User has the right to the portability of his data where such portability is technically feasible.

A recognised key exception to the above consent rule is the processing and use of the personal data of an individual for scientific, historical, public interest research or other statistical purposes. Where however such Data is to be transferred to a third party, the prior consent of the Data Subject or User must again be obtained.

Data User Additional Rights

All Data Users or Subjects have a constitutional right to the protection of the privacy to their personal Data. Where the Data User gives his or her consent to the processing and use of the User or Subject’s Personal Data, all the data collected must be protected from all foreseeable breaches or hazards like the theft of such Data, cyber-attacks, viral attacks, hacking or the manipulation of any kind of such Data, etc.

Data Controllers, Processors and Custodians also owe a Duty of Care to all Data Users and Subjects.

Administrative Redress

Without prejudice to the right of the Data User or Subject to seek redress in a Court of Law, NITDA is required by the NDPR to establish a Administrative Redress Panel to among other things investigate and determine allegations of data breaches with appropriate redresses proffered by this Panel for any Data breach.

The Administrative Redress Panel is also empowered to during the course of its investigation, make administrative orders or directives which protects the Data Information which is under the NDPR investigation.

Additional Penalties for Data Breaches

In addition to the above-mentioned Administrative Reliefs, and any Criminal Liabilities arising from any Data Breach, other Reliefs and or Penalties for any Data Breach or for any non-compliance with any of the above Data Regulations is in the case of a Data Controller with more than 10,000 Data Subjects or Users the payment of a fine, the greater of 2% of the Data Controller’s Annual Gross Revenue for its preceding financial year-end or the sum of N10,000,000 (Ten Million Naira); whichever of the latter two that is greater.

For a Data Controller with less than 100,000 Data Subjects, the additional fine is the greater of 1% of the Data Controller’s Annual Gross Revenue for the preceding financial year end or the payment of N2Million as the fine for any Data Breach.

Conclusion

It is of practical concern that the Data Protection Regulations only protects individuals who are of Nigerian descent. Foreigners and corporate bodies Data do not appear to be protected under the NDPR.

It is also of great concern that unlike the more robust European Data Protection Regulations, manpower proficiency on the part of the Data Protection Regulator, Data Processors and Controllers among others may not be in tandem with the spirit of the provisions of the NDPR. A good example is the reality that many government establishments do not have functioning, up to date online presence and information.

The registration and licencing of external Data Protection Compliance Organisations by NITDA is likely to be inimical to the supervisory and manpower building capacities of NITDA itself.

It is of further concern that the office of the Attorney General of the Federation (“AGF”) has some supervisory roles where a person’s data is to be transferred to a foreign country or organisation. Does the AGF have the required information technology surveillance personnel and equipment to monitor any such Data transfers? This is especially as most Data these days are transferred and processed online, in real time, from various countries.

Disclaimer:

This is a free educational material. It does not serve as a source of solicitation, advertisement or the offering of legal services or advice of any kind. No Client/Attorney relationship is therefore created. Readers are strongly advised to always seek from qualified Legal Practitioners, competent legal counseling to their specific factual situation.

Intellectual Property Protected!

This material is protected by International Intellectual Property Laws and Regulations. This material can therefore only be reproduced or re-distributed for non-profit educational purposes under the strict condition that our Authorship of this material is explicitly acknowledged, and our above Disclaimer Notice is prominently displayed. [ contactus@oseroghoassociates.com ]