Data Privacy Rules deals mainly with legislations and authorities regulating the use of personal data of individuals or organisations by persons who are entrusted to do so (for e.g Telecommunications Company like MTN) and also administers penalties for defaulters of these rules.
In the beginning, the Federal Republic of Nigeria through section 37 of the 1999 constitution as amended in 2011 made provisions for the protection of the rights of her citizens to their privacy. As time progressed, other subsequent legislations came up to support the above and in a way, extend the above proviso. These legislations include;
A) Child Rights Act which protects privacy as it relates to children.
B) Freedom of Information Act– This legislation aids the public to access public records and information as well as preventing a public institution from disclosing a private information to the public unless the individual so concerned, consents to it.
C) Cybercrimes Act 2011– This Act prevents the interception of electronic communication and imposes data retention requirement on financial institutions.
D) Consumer Code of Practice Regulations 2007- This Regulations enjoins telecommunication operators to take reasonable steps in ensuring that customers’ private data are not accidentally disclosed.
E) Consumer Protection Framework (Issued by the CBN in 2016)– This framework restrains financial institution from disclosing the personal information of their customers.
But the most outstanding legislation that is centred majorly on the protection of data is the Nigeria Data Protection Regulation 2019 issued by Nigeria’s National Information Technology Development Agency (NITDA) and in compliance with the European Union (EU)’s General Data Protection Regulation (GDPR). These rules were made pursuant to section 6(c) of the NITDA Act of 2007 which empowers the Act to make regulations for electronic governance and to monitor the use of data interchange and other forms of electronic communication transactions. The Nigeria Data Protection Regulation 2019 (hereinafter referred to as NDPR) is applicable to all Nigerians both residing in and outside Nigeria and preaches the vital need of obtaining consent, prevention of the unauthorized use of personal data of individuals and most importantly seeks to ensure the protection of data by persons entrusted with the protection of personal data of individuals.
In the author’s humble opinion, these regulations is an elaborate and practical extension of section 37 of the 1999 constitution as amended.
Accordingly and by virtue of the NDPR, a data subject (defined under NITDA Guidelines to an identifiable person who can be identified directly or indirectly in reference to an identification number or to one or more factors specific to his physical, physiological, mental economic, cultural or social identity) possesses the right to the processing of his data without due consent, restrict processing of their data, request deletion of their personal data and receive data in a structured form.
The NITDA seeks to input life into the NDPR by enforcing compliance and penalizing persons and organisation who by commission or omission flout these rules. One of such penalties include the payment of a 2% yearly gross revenue of the preceding year or 10 million naira. To enhance its implementation, there exists an administrative panel created by the NDPR to seek redress in cases of a breach of these regulations.
Interestingly, it is on record that the House of Representatives in Nigeria presided over by Speaker Yakubu Dogara on the 8th of May 2019 voted and passed the Bill which is currently before the Senate and is expected to be passed before the year elapses.
As much as this is a positive step, it is highly recommended that that members of the public (young and old, educated and uneducated) be enlightened one way or the other about this salient innovation in the technological realm of Nigeria.
For a detailed exposition on this, visit AfricaLegal.com/Data Protection Laws, ICLG.com/Data Protection 2018 and Mondaq.com/Nigeria has a Data Protection Regime.