Nigeria: Data Protection Laws Put to Test As Privacy Breaches Rise

10 March 2024

Data privacy breaches are a growing concern for Nigerians as more people fall victim to scammers and other criminals, who mostly harvest their victims' data through the careless or deliberate acts of some data-collecting agencies and companies in the country.

As connectivity becomes more affordable and ubiquitous, and more businesses and financial transactions are conducted online, demand for personal data of customers increases by the day.

Though Nigerians have become increasingly tech-savvy and some are now conscious of how much data they share, many still share their data without caring to know what is done with it.

According to a survey by McAfee, more than 40 per cent of people worldwide are of the view that they lack control over their personal data, and one-third of parents do not know how to explain online security risks to their children. In 2008, there was widespread information regarding how top brands such as Facebook, Panera Bread and Sacramento Bee experienced data breaches that exposed several millions of personal records to abuse by criminals. There appears to be a lucrative market for data, and hackers tend to sell data they steal to professional scammers.

Data protection is a contentious issue in Nigeria where personal data is collected with no assurance of protection. The problem is compounded by the surge in incidents of data breaches. In January 2022, for instance, a hacker claimed to have accessed the NIN database, but the National Identity Management Commission (NIMC) denied the breach. There have been many other reported breaches like this, with the organisations involved often denying them.

Some banks and other financial institutions have also been found guilty of breaching their customers' data, which is why the federal government is now taking the issue of data protection seriously.

Now, amid these rising privacy concerns, experts said companies in the country must prioritise customer trust by complying with data protection laws and implementing proactive privacy measures.

With regulations like Nigeria's Data Protection Act of 2023 in place, businesses need to secure customer consent for data processing and invest in robust security measures.

The Country Manager of Zoho Nigeria, Kehinde Ogundare, said that in the face of growing concerns, companies operating in the country need to be mindful of the increasing privacy mindset of their customers. Aside from regulatory compliance, Ogundare said companies should actively demonstrate that they care about their customers' privacy concerns in order to build and sustain trust and to show they're taking a proactive approach to protecting their personal information.

The importance of regulatory compliance

The Zoho Country Manager said: "The first step any company should take to safeguard their customers' privacy is ensuring they're compliant with all of the relevant laws and regulations. In countries like Kenya and Nigeria, data protection regulations are relatively new.

"The Data Protection Act of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), regulates data protection in Kenya. The act expressly prohibits organisations from processing personal data if their consent has not been provided first. Each organisation must have a data controller and/or a data processor whose responsibility is to prove they've obtained consent before processing a person's data.

"Nigeria's Data Protection Act, meanwhile, was signed into law in 2023. The act governs both manual and automatic data processing. The act also established the Nigeria Data Protection Commission (NDPC), which is an independent body that governs data protection and regulation in the country. In addition to defining sensitive personal data as including an individual's genetic and biometric data as well as their race, ethnicity and health status, among other things, the act also provides specific grounds for the processing of this sensitive personal data. According to the act, such data can be processed where consent is provided or where processing is necessary for social security or employment laws."

Ogundare said both of these laws are in line with similar laws and regulations around the world, such as Europe's GDPR. That means they're not only a good place for Nigerian and Kenyan businesses to start for compliance, but they also help businesses gain good footing when it comes to protecting customer data should they start operating internationally.

However, he said companies should view regulatory compliance as the bare minimum when it comes to meeting their customers' privacy needs. Given the parlous state of privacy protection across many African countries, going above and beyond with customer privacy can be a positive differentiator for companies that get it right.

He added that the initiatives they can undertake in this direction include investing in data centre security to minimise the collection of data, requesting permission from customers while collecting sensitive information, and ultimately reducing their reliance on selling user data for revenue gains. Another initiative organisations can adopt is multi-factor authentication if they require customers to log in to an account to access their products and services.

Another aspect that businesses should pay close attention to is which technology vendors they work with to run their internal operations. Businesses should ensure that the third-party tech tools they deploy within their IT infrastructure come with strong data privacy and protection controls, and that the corresponding vendors follow transparent data collection practices. Should one of these vendors fall victim to a cybersecurity breach, the customer data of the organisations using it could easily fall into nefarious hands.

While there are many negatives associated with data protection failures, including reputational damage and legal punishments, Ogundare said it's also important that organisations understand the positives associated with proactive data protection.

High up on the list of those positives is building trust, he said. "Customers who trust the companies they buy from are more likely to be loyal in the long term, make repeat purchases in the future, and act as evangelists to others."

FG vows to enforce data protection laws

The federal government has said that the Nigeria Data Protection Commission (NDPC) has been empowered to enforce data compliance, to prevent violation of people's data rights. The Minister of Communications, Innovation and Digital Economy, Dr Bosun Tijani, said this in Abuja.

"President Bola Tinubu has given us the mandate to transform public service with technology, it means that a whole lot of things we do will be digitalised, and a lot of the services citizens consume over the next coming months and years will also be digitalised.

"And as agencies collect and share data, it will be needed for us as a government to be able to protect data, and NDPC will be ensuring compliance," Tijani said.

Also speaking on the issue, the National Commissioner/CEO of NDPC, Dr Vincent Olatunji, said that the commission's efforts at ensuring efficient security in the data protection ecosystem have earned it recognition globally.

According to him, Nigeria has been admitted into the Global Privacy Assembly, where it shares knowledge and experience with 130 other member countries.

He noted that the commission's enforcement activities across the country have resulted in generating over N400 million in revenue for the government.

"Nigeria's data protection ecosystem has also continued to expand opportunities for new jobs, up to the tune of over 10,000. Through remedial actions for completed cases, we have generated over N400m revenue for the government.

"In addition, to foster compliance, we have increased the number of Data Protection Compliance Organizations from 103 to 163. As a result of this, annual audit filing has increased to over 2000 per annum while the cumulative revenue in the sector is estimated at N6.2bn and approximately 10,100 jobs have been created so far," he said.

Safeguarding Nigerians' personal data our top priority - FG

The federal government has also said that safeguarding Nigerians' personal data is its top priority, and it will not compromise this under any guise.

Dr Olatunji emphasised the increasing digitisation and its impact on various aspects of human life, particularly the sharing of personal data such as names, phone numbers, email addresses, NIN, and BVN; all of which are crucial in identifying individuals.

He said, "There are some personal data that are sensitive, which require additional safeguards, such as our health records, labour union affiliation, sexual orientation, and information that can be used for discriminatory purposes."

He stressed the significance of compliance with the Nigeria Data Protection Act, especially for the Ministry of Interior, which serves as a major data controller due to its oversight of agencies such as the Nigeria Immigration Service, Civil Defense, Nigerian Correctional Service, Federal Fire Service, Nigeria Security and Civil Defence Corps, and the National Identity Management Commission.

Dr Olatunji stated, "Something as fundamental as our international passport, which now carries our NIN, serves as our primary identity, equivalent to a social security number... we have come to collaborate on strategies to enhance the integrity of the data of Nigerians."

What you should know about Nigeria Data Protection Act

A new data protection body

The key provision of the law is the establishment of the Nigeria Data Protection Commission, which replaces the Nigeria Data Protection Bureau (NDPB) established by immediate past President Muhammadu Buhari in February 2022. The new body will be headed by a National Commissioner appointed by the President for a term of four years which is renewable once.

According to Section 6 of the Act, the powers of the Commission include issuing regulations, rules, directives and guidance under the Act; engaging consultants for assistance in the discharge of its functions; imposing penalties; prescribing fees payable by data controllers and data processors in accordance with data processing activities, and prescribing the manner and frequency of filing, and content, of compliance returns by data controllers and data processors of major importance to the Commission.

The Act also provides for creating a Governing Council to be chaired by a retired judge of a superior court of record. The members of the Council, whom the President will appoint, will be part-time members other than the National Commissioner.

Framework for processing data

Section 24 of the Act outlines the principles of the processing of personal data, stating that the data controller or data processor must ensure that data is collected legitimately and "processed in a manner that ensures appropriate security," while Section 25 provides the lawful basis for personal data processing, anchored on the consent of the data subject for the specific purpose or purposes for which the data will be processed. Similarly, Sections 34-37 establish the rights of a data subject, that is, a person whose information is being collected.

The law also prohibits the cross-border transfer of personal data, except if there is legal backing. Also, it states that all data controllers and processors of significant importance must be registered with the Commission within six months of the commencement of the Act.

Banks, telecoms, oil firms to lose 2% revenue for data breach - FG

Commercial banks, telecommunications companies, and other organisations will lose two per cent of their annual revenue to the Federal Government for any breach of their customers' data, the Nigeria Data Protection Commission (NDPC) has said.

Olatunji said depending on the impact on the victim and other factors, the sanctions could be more or less severe.

He said: "At the core of the NDPR is the essence of respect - respect for the personal data of our citizens, respect for privacy, and respect for digital rights. This respect is now solidly etched in the NDPA."
