The implementation of the country’s data protection regulation by the National Information Technology Development Agency is raising dust in the telecoms sector as stakeholders are of the view that what Nigeria needs is data protection law and not regulation, writes Emma Okonji
The National Information Technology Development Agency (NITDA), the government agency responsible for policy implementation within the information technology (IT) sector, had since January this year commenced the implementation of the country’s data protection regulation, which seeks to promote the fundamental right of citizens to their privacy. Although the implementation of NITDA’s data regulation is a replica of the European General Data Protection Regulation (GDPR), which took effect in May 26, 2018, industry stakeholders have, however, vehemently opposed to the implementation of NITDA’s Data Protection Regulation, while calling for Data Protection Law. The stakeholders have equally called on President Muhammadu Buhari to sign the country’s Data Protection Bill into law without further delay.
NITDA’s data protection regulation
NITDA had on 25th January 2019 released the NITDA Data Protection Regulation 2019 document, which replaced the NITDA guidelines on data protection that was issued in 2017. The 2019 Regulation seeks to further promote the fundamental right of citizens to their privacy. The regulation seeks to capture international best practices regarding safeguarding the rights of persons to data privacy; the fostering of safe conduct of transactions involving the exchange of personal data; preventing manipulation of personal data; and ensuring that Nigerian businesses remain competitive in international trade.
According to the document, the regulation applies to all transactions intended for the processing of personal data irrespective of the means by which the data is processed or intended to be processed. It also applies to persons residing in Nigeria or residing outside Nigeria but of Nigerian descent. The regulation requires any medium or organisation through which personal data is being collected or processed to display a simple and conspicuous privacy policy that the class of persons whose personal data is to be collected or processed can understand.
The privacy policy is required to contain provisions relating to what constitutes the data subject’s consent to the collection and processing of his or her personal information; a description of collectable personal information; purpose of collection of personal data; and the technical methods used to collect and store personal information.
The regulation places an obligation on anyone or organisation involved in data processing or the control of data to develop security measures to protect such data. Protective measures include the protection against hackers, setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling personal data, among others.
The regulation empowers NITDA to register and license Data Protection Compliance Organisations (DPCOs) who on behalf of NITDA will monitor, audit, conduct training and data protection compliance consulting to all data controllers under the regulation. The document, however, established penalties for a breach of the regulation, in addition to any other criminal liability that such breach might give rise to.
The opposing factor
The Association of Licensed Telecoms Operators of Nigeria (ALTON), has raised concern over what it described as the impending danger in the implementation of the country’s data protection regulation by NITDA. According to ALTON, the implementation of NITDA’s data protection regulation would cause serious regulatory friction between the Nigerian Communications Commission (NCC), the telecoms industry regulator and the NITDA.
ALTON in a statement signed by its Chairman, Mr. Gbenga Adebayo and its Executive Secretary, Mr. Kazeem Oladepo, said the current issue with NITDA implementing its data protection regulation document, would require urgent intervention by the commission to safeguard the interest of market players and preserve the powers of the commission.
According to the statement, “in a bid to avoid a situation where industry members are caught in the crossfire of multiple regulation, we respectfully request the commission’s guidance on how to proceed with the NITDA on the aforementioned frameworks and regulation. The guidance will provide the much-needed clarity for the industry moving forward.
ALTON members argued that data protection regulation is all about public internet and communication, which is directly under the purview of the NCC, and wonder why NITDA, which supposed to confine itself with IT policy implementation, should delve into data protection regulation that is directly under the control of the NCC.
ALTON members argued that what Nigeria needed was data protection law and not data protection regulation.
ALTON had on July 30th, written to the NCC, calling for its intervention, to save the situation of a possible clash in regulatory roles.
According to the letter, which was attention to the Director, Legal and Regulatory Affairs at NCC, Mrs. Yetunde Akinloye, and the Director, Compliance Monitoring and Enforcement at NCC, Mr. Mr. Efosa Idehen, ALTON said by implication, it would appear that NITDA has assumed the role of a Data Protection Agency in Nigeria and its regulation overrides the commission’s existing provision on data processing in the industry.
ALTON noted that NITDA recently announced in the print media that it has commenced investigation of alleged breach of data security of customers by telecommunications companies and banks.
Part of the letter read: “We bring to the attention of the commission, recent enactment of regulations, frameworks and guidelines by the NITDA, which bother somewhat on communications matters within the regulatory purview of the NCC.
“Specifically, we draw the commission’s attention to the following subsidiary legislation(s) and framework(s) issued by NITDA and concerns thereto: 1. Framework and Guidelines for Public Internet Access (PIA) 2019. The said Framework sets out rules for the provision of Public Internet Access without regard to the powers of the commission and extant competition considerations. We note the framework empowers NITDA to license a Public Internet Access Provider (PIAP) which technically is a provider of data services and prescribes minimum quality of service for such providers. The key concern is that NITDA appears to be assuming the role of a parallel regulator for data services.
- Framework for Data Centre Facilities: NITDA wrote to some of our members in July 2019 stating it has commenced registration of Data Centre facilities in Nigeria and requested that they initiate the registration of their Data Centre facilities with NITDA. According to NITDA, the registration is in furtherance of Presidential Executive Orders 003 and 005 on local content development. However, a careful review of the Orders does not reveal anything specific to the operation of data centres.
- Nigeria Data Protection Regulation 2019: The Nigeria Data Protection Regulation 2019 defines the rules governing the processing of data. It contains far-reaching provisions on personal data which includes communications identifiers such as IP address, IMEI number, IMSI number, SIM and Personal Identifiable Information, etc., as well as the procedure for procuring consent from customers and the transfer of data outside of Nigeria.”
“The foregoing developments bring to light the dreaded multiple regulation which has been a reoccurring challenge for the industry,” ALTON said.
Discordant views
Reacting to ALTON’s concern, NITDA’s lawyer, Barrister Emmanuel Edet said NITDA’s mandate permits it to embark on any regulation that has to do with IT. According to him, NCC was established to regulate telecoms and not content that has to do with data protection. Although Edet agreed that Nigeria needed a Data Protection Law, stressed that in the absence of the law, Nigeria could make do with Data Protection Regulation, which NITDA is currently implementing.
Director, Cybersecurity at NITDA, Dr. Dimie Wariowe, said an executive body could make a regulation that can be enforced as law, in the absence of an existing law.
He, however, said when the National Assembly eventually passed a bill on the same regulation and it is signed into law by the president, then the law supersedes the regulation.
“In the absence of the law, the regulation stands to be legally enforced, and NITDA already has a regulation on data protection that is currently being implemented,” Wariowe said, adding that a section of NITDA law states that anyone that violates the regulation of NITDA, can be punished according to the regulation, through the office of the Attorney General of the Federation.
“Nigerians need to know what is contained in the regulation and be mindful of how best to protect their data. If anyone feels infringed, he or she can rely on the regulation to seek redress and get justice,” Wariowe added.
President, Association of Telecoms Companies of Nigeria (ATCON), Mr. Olusola Teniola, told THISDAY that technology evolution that has brought about global convergence, gives NITDA the authority to regulate data in Nigeria.
“Everything is converging and global technology companies operating in Nigeria like Google, Apple, Microsoft are putting pressure on the regulation of technology content that cuts across all sectors of the economy, since there is global convergence that has drawn a thin line between regulation of data, broadcast and telecommunications,” Teniola said.
Teniola, who disagreed with ALTON’s position that data regulation is within the purview of NCC, said the commission had never regulated data centre operators and cloud computing and that convergence of technology has placed NITDA in a vantage position to regulate data in the country.
Teniola therefore, called for review of the laws setting up NCC, NITDA, and the National Broadcasting Commission (NBC), through a stakeholders’ conference where the roles of each regulatory agency would be well spelt out.
A United Kingdom (UK) based IT expert, Mr. Davies Bamigboye, had raised the alarm over the ease at which data belonging to Nigerians were sold and harvested illegally, and blamed NITDA for the failure in enforcing the NDPR before January 2019, for the brewing security crisis on data management.
Clamour for data regulatory bill
Information and communications technology (ICT) stakeholders have stressed the need for Nigeria to have a data protection law that will address issues of data theft and unathorised use of personal data that have over the years, put the privacy rights of Nigerians at risk.
The stakeholders called on President Muhammadu Buhari to sign the Data Protection Bill into law without further delay.
The bill on data protection was passed by the eight National Assembly and presented to President Muhammadu Buhari to sign it into law. The bill was, however, not signed before the expiration of the tenure of the eight National Assembly in May 2019. Hence, the Nigeria has a Data Protection Regulation (DPR) that is currently being managed by the NITDA).
Stakeholders, however, argued that what NITDA has is not a law but a regulatory document that makes implementation and enforcement less effective.
While some stakeholders are calling for the immediate signing of the Data Protection Bill, others want the ninth National Assembly to review the bill and re-forward it to the president for signing.
The Chief Executive Officer, Paradigm Initiative, an advocacy group, Mr. Gbenga Sesan, wants the bill signed into law without further delay. According to him, “NITDA’s Data Protection Regulation does not contain the full details of data protection law and it is not backed by law, which makes its implementation extremely difficult.
“Nigeria needs secondary legislation on data protection and the ninth National Assembly must rise up to the challenge and revisit the bill and review it for speedy approval by President Buhari,” Sesan said.
He further said government must put a stop to a situation where data is collected by Non-Governmental Organisations (NGOs) and other data collecting bodies, and used for personal gains without authorisation.
The EU’s GDPR
Before the initial NITDA Data Protection Guideline of 2017 and the eventual release of its Data Protection Regulation in January 2019, the European Union had long drafted its General Data Protection Regulation called the (EU GDPR), which seeks to protect data policy within the EU and across all nations of the world, where people transact business that is data specific with organizations or individuals located within Europe. The EU GDPR fixed May 25 2018 as deadline for implementation and compliance.
While analysing the EU GDPR of 2018, the Lead Commercial Attorney, Microsoft Middle East and Africa (MEA) Emerging Markets, John Edokpolor, called on businesses in Nigeria, both small and large corporates, to pay attention to the EU GDPR, given the 25 May 2018 compliance deadline. This, he said, was because failure to adhere to GDPR requirements could prevent trade and other business dealings with EU businesses after May 25 2018.
“The new legislation is a milestone on a journey into a new era, where data is the fuel powering companies of all shapes and sizes, from all sectors,” Edokpolor said.
The EU’s GDPR is a new European law designed to protect the privacy of citizens, by setting new standards in terms of how personal data is handled. As the law affects any organization with ties to Europe, it is relevant to businesses around the world.
“As companies increasingly embrace the cloud, they have an unprecedented ability to capture and store massive amounts of data. In parallel to this, advancements in business intelligence technology have given organizations the ability to pull insights from this data that are so rich they are actually predictive in nature. The result is that businesses can stay a step ahead of customer expectations and needs, versus merely reacting to them.
“This is a significant step forward and truly marks the beginning of a new era, one in which data becomes the electricity powering companies. An updated governance framework for data protection is a logical policy component of this new age. Building on these rules, innovation coupled with trust among businesses and citizens will unlock productivity, help companies keep their customers delighted and fuel a new generation of disruptors. Ultimately, all of this translates into growth,” Edokpolor further said.
The EU GDPR compliance was not meant to be the final destination, but rather a one stepping-stone in an ongoing journey towards realising the full potential of digital transformation across economies and communities. Viewed in this light, establishing a firm approach to data governance represents one of the smartest investments a company can make, a good reason why NITDA decided to draft Nigeria’s Data Protection Regulation that is however raising dust in the telecoms industry.
.
