Countries have fought with multinational and local corporations over the protection of individual personal data, which has become a topic for legislation around the world.
The goal of this article is to examine Nigeria’s data protection framework, including its strengths, weaknesses, and restrictions, and to compare them to the international standard for human rights regarding privacy.
Data protection and Nigeria
The Nigeria Data Protection Regulation 2019, a subsidiary legislation issued by the National Information Technology Development Agency, serves as the primary legal framework for Nigeria’s data protection. The Nigerian Data Protection Regulation (NDPR) was published on January 25, 2019, following Section 35 of the National Information Technology Development Agency Act.
Ensuring the security and privacy of personal data is the primary goal of the NDPR. Regulation 1.2 of the NDPR 2019 states that the NDPR’s provisions apply to any transactions involving the processing of natural persons data in Nigeria. Therefore, it is sufficient to conclude that the NDPR applies to the gathering of personal information about foreign nationals in Nigeria. Additionally, it applies to transactions that call for the processing of personal information relating to Nigerian citizens abroad.
The NDPR’s Regulations 2.2 (a) and 2.3 reaffirm the widely accepted international view that consent is essential when processing the personal data of natural persons. The NDPR states that consent should be obtained voluntarily and shouldn’t be tainted by deceit, coercion, or improper influence. Making sure that consent is given voluntarily is the responsibility of the data controller. Before obtaining the data, the data controller notifies the data subject of his right to revoke consent at any time. Personal information provided to data controllers must be handled with strict confidentiality, kept only for as long as necessary, and collected with due consideration to atrocities, violations of children’s rights, criminal activity, anti-social behaviour, and human dignity.
Strong limitations on the transfer of personal data to third-parties and nations are made available, thereby strengthening and guarding the data of natural persons against unauthorized access. An official contract between the Data Controller and the third-party is required before personal data can be transferred to them, according to Regulation 2.7 of the NDPR 2019. Regarding foreign restrictions, Regulation 2.11 of the NDPR 2019 specifies that the Attorney General of the Federation shall have the authority to regulate and monitor the transfer of data to foreign countries.
Data protection in Nigeria and the international human rights standard on privacy
A definite and universal framework for the protection of the right to privacy is provided by international human rights law. The provisions of the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR) make this clear. Both Article 12 of the UDHR and Article 17 of the ICCPR guarantee that no one’s privacy will be invaded without their consent. The two treaties also concur that a person’s right to privacy should be guaranteed by their nation’s legal system.
In addition to the two treaties, the Human Rights Committee in its general comment No. 16 in the Official Records of the UN General Assembly, 43rd Session Supplement No. 40 (A/43/40), annexe VI, para. 8 agreed that the personal data of individuals should be protected when provided voluntarily to big data collection enterprises for access to goods, services, and information.
A definition provided by the Human Rights Committee for the term “arbitrary” was that it meant “no interference could take place, except in circumstances permitted by the law of the country.” As a result, it is sufficient to state that state intrusions into people’s privacy are governed by national legal regulations. A nation’s laws must permit interference with personal data to occur there.
The NDPR commendably protects individual personal data and establishes precise rules for the gathering, storing, and transfer of information about natural persons. Additionally, it recognizes global best practices with regard to data controllers’ responsibility, liability, and accountability.
An action deserving of praise is the establishment of an Administrative Redress Panel pursuant to Regulation 3.2 of the NDPR 2019. In annexe V, paragraph 48 of the Official Records of the Human Rights Council, Twenty-Seventh session Supplement No. A (HRC/27/37), the Human Rights Council made recommendations regarding the implementation of the global standard for human rights relating to privacy in 2014. The creation of enforcement mechanisms to hold data controllers accountable for violations of data protection breaches was among the recommendations made; Nigeria complies with this recommendation thanks to the Administrative Redress Panel’s existence.
However, one of the shortcomings of the NDPR stated in Regulation 2.2 (b, c, d, and e) of the NDPR 2019 is the release of personal data without consent in the following circumstances:
- the Data Subject is a party to a contract;
- the Data Controller must comply with legal obligations;
- the Data Subject or another natural person’s interests are at risk; and
- the release of personal data is necessary to carry out a task for the public interest.
However, due to the Human Rights Committee’s agreement on the definition of arbitrary, it still maintains a balance with the international human rights standard on privacy.
Conclusion and recommendations
This article compared Nigeria’s data protection laws to the global standard for privacy protection of human rights.
The NDPR’s rules should be strictly followed, especially those that deal with gathering and protecting personal information about individuals. The NDPR provides an opportunity to understand and adopt the culture of data privacy, thereby assenting to global best practices for human rights.
The National Assembly should pass legislation addressing the protection of personal data to give the issue more attention. Also, clauses that, for any reason, obviate the need for consent to process personal data ought to be either deleted or subject to stringent requirements before they can be satisfied.
Frequently Asked Questions (FAQs)
Yes, all institutions and organizations in Nigeria that collect personal data on individuals must abide by the NDPR’s provisions.
Data subjects are people who provide their personal information to data controllers upon request, whether they are foreigners or Nigerians.
It does, indeed. According to the NDPR 2019, Nigerian citizens living abroad whose data has been misused or is at risk of misuse may file a claim for relief under the NDPR.