August 29, 2017
2017 Trends in Data Privacy & Regulation in Nigeria – Practical Considerations for Investors and Technology Companies
We recently provided legal advice to a strategic technology investor on the liabilities under Nigerian law to which a prospective portfolio technology company will be exposed under the applicable legal framework for data privacy regulation in Nigeria and within the context of possible court action for data privacy breaches. As part of that instruction, we developed an internal data privacy compliance document in line with extant data privacy law in Nigeria which was to be adopted by the Client’s portfolio company. In this update, we reflect and draw on that experience to share, for the benefit of private equity, venture capital and strategic investors and lenders focused on technology or other companies in Nigeria, some useful takeaways, some of the defining trends and some factors to consider when assessing investment risk, when diligencing a portfolio company or when prosecuting or defending class action litigation or other claims for data privacy breaches in Nigeria.
Please note that this update is not intended to and does not constitute legal advice. If you require specific guidance on the content of this update with respect to your particular situation, please feel free to reach out to your Balogun Harold contact or send us an email at firstname.lastname@example.org.
- As is the case with some of the more developed data privacy jurisdictions, the regulatory approach in Nigeria in the area of data privacy regulation has been incremental. As a result, there is no single federal law regulating the collection, sharing and use of personal data in Nigeria. What obtains in Nigeria is a mix of sectoral and multi-regulatory regimes which overlap in key areas.
- The state of data privacy regulation in Nigeria has significantly improved following the passage of the Electronic Transactions Bill 2017 by Nigeria’s Senate. Before 2017, plaintiffs seeking to enforce data privacy breaches were limited either because the applicable law was limited to a particular industry sector or because of some other legal defect with the extant framework. For instance, the 2013 NITDA Guidelines, which set out certain data privacy standards and principles, have remained a draft version to date, thereby raising questions as to their bindingness and legal effect. So also, the Consumer Code of Practice Regulation 2007 (the Code) and the Registration of Telephone Subscriber Regulations 2011 (the Regulations) issued by the Nigeria Communications Commission (the NCC) are of limited use to the universe of plaintiffs because they apply largely to service providers in Nigeria’s telecommunications industry. The Cybercrimes Prohibitions Act 2015 is notable for criminalizing various types of cybercrimes and imposing minimum data protection requirements on service providers.
- The Electronic Transactions Bill, which was passed by the Senate in May 2017 (the Bill), represents a more holistic and wide-ranging repertoire of data protection standards. Amongst others, the broad objectives of the Bill are (a) to create a legal and regulatory framework for the protection of personal data; (b) to create a legal and regulatory framework for protecting the rights of consumers and other parties in electronic transactions; (c) to create a legal and regulatory framework to facilitate electronic commerce in Nigeria; and (d) to create a legal and regulatory framework for the conduct of electronic transactions using electronic or other media.
- The Bill is significant within the context of data privacy regulation for a number of reasons, some of which we discuss as follows. First is the wide scope of its application. In this regard, we note that the Bill applies not only to the processing of personal data wholly or partly by automated means but also to the processing of personal data by manual means via a filing system. In effect, the Bill places data privacy obligations on at least three broad regulated groups, namely (i) technology companies of every kind; (ii) traditional companies, other than technology companies, of every kind involved in the manual processing of personal data through a filing system; and (iii) traditional companies of every kind transitioning or migrating to or deploying a technological platform to enhance internal processes, services and product offerings. Secondly, the Act creates a statutorily enforceable ground for claiming compensation for data privacy breaches. Thirdly, the Act creates certain rights in favour of consumers. These include the consumer’s right to stop the processing of their own personal data, the right to be informed of the purpose for which their own personal data is being processed and of the recipients of such processed data, and the right to mandate the destruction, withdrawal, suspension or blocking of personal data, subject to certain requirements.
- The Bill also places a number of other compliance obligations on Data Holders, agents of Data Holders and service providers. For instance, the Bill provides that personal data may only be processed with the consent of the data owner and when such processing is necessary for the performance of a contract to which the data owner is a party. The Bill further provides that personal data must be processed in accordance with the rights of data owners under Nigerian law and cannot be transferred outside of Nigeria unless the receiving country provides an adequate level of protection for the rights and freedoms of data owners in relation to the processing of data. Data Holders must implement standard technical and security measures having regard to the state of the art, the cost of implementation and the level of security appropriate to the risk represented by the data being processed and the nature of such data. Agents of Data Holders are also required to provide guarantees to provide standard technical and security measures in respect of the data being processed. For a fuller discussion around the scope of the data protection obligations placed on technology or other companies in Nigeria, please write us an email at email@example.com.
- It is useful to note that global technology/internet companies whose services are available in Nigeria, although not incorporated in Nigeria, are also subject to data privacy regulation in Nigeria and can be made liable in appropriate circumstances. Also, we find for the most part that local technology companies operating out of Nigeria have relatively weak – in some cases, non-existent – internal procedures for ensuring data privacy and protection and controlling insider threats. This situation will continue to expose technology companies in Nigeria to significant litigation risk, an event which will further deplete shareholder value. On this basis, it is extremely important for investors to make data privacy issues a focal point of pre-investment due diligence and ongoing corporate governance oversight. It may be useful for investors to extract obligations from founders and directors to put in place standard internal data privacy controls. Overall, founders and business owners must have a clear understanding of the scope and nature of the obligations placed on their businesses under the extant data privacy framework applicable in Nigeria.
- Class actions are a recognised procedure under the civil procedure rules of the Federal High Court and the Lagos State High Court. Although an emerging area of litigation, there exists substantial basis upon which plaintiffs can file a class action suit against technology companies or other regulated companies for breach of data privacy. There are also a number of technical objections which technology companies may deploy successfully in the defence of class actions. Based on our observations in the paragraph immediately above, we envisage that local technology companies and global technology companies whose services are available in Nigeria will be the subject of increasing class action litigation in Nigeria for breaches of data privacy laws.
- One of the most potent weapons for class action plaintiffs remains section 37 of the Constitution of Nigeria. The section guarantees and protects the privacy of citizens, their names, correspondence, telephone conversations and telegraphic communications. This section is critical for a number of reasons. Firstly, the section elevates data privacy to the status of fundamental human rights on equal footing with the basic fundamental human rights of Nigerians to life, fair hearing, dignity of personal liberty, freedom of movement and freedom to associate freely. Nigerian courts have been known to jealously guard fundamental human rights enshrined in the country’s constitution and it is useful to note that in Nigeria, fundamental human rights matters are treated under a special enforcement procedure which is designed to guarantee an expeditious determination of fundamental human rights breaches. Secondly, we note that the section is widely drawn and does not provide analytical blocks that can help the courts to come to an informed decision of what amounts to and the scope of liability for an alleged data privacy breach. The resulting consequence is that the section will continue to be subject to abuse to the detriment of Data Holders as lawyers are wont to ground all sorts of breach actions on this section. Inevitably, court decisions on data privacy breaches based on this section may remain unpredictable for the foreseeable future. Thirdly, it is important to note that a data breach need not have actually occurred in fact to ground an action for breach of a plaintiff’s right to privacy. Under the extant fundamental human rights enforcement procedure rules in Nigeria, plaintiffs can commence an action where there is a likelihood of breach.
- The principle relating to the legal standing to bring a legal action under Nigerian law remains an effective tool for defence lawyers in this area especially because Nigerian courts are fairly rigid with this principle. However, we take the view that there exists significant room for advancing the position of the law in this area. It is critical to note that the case law around data privacy breaches is still largely evolving and some of the standard defences applicable in other jurisdictions may not be available locally without significant effort on the part of defence counsel to impress the equity of a legal defence on the court.
- We endorse the narrative that data may indeed be the most pervasive and valuable renewable resource of the 21st century. At the heart of the disruptive ability of technology-based companies is the ability to creatively mine and manipulate data to create distinctive value for their customers and shareholders. On this basis, technology companies and companies transitioning to technology-based platforms must make an effort to build data privacy considerations into their products and services from the outset, find out where personally identifiable data exists within their systems and put processes in place to protect such data.
 The Bill is now awaiting Presidential Assent and is expected to be assented to by the end of September 2017.
 NITDA means the National Information Technology Development Agency of Nigeria
 Both the Code and the Regulations place a number of obligations on telecommunications service providers with respect to the need to take reasonable steps to protect customer information against improper or accidental disclosures and to observe certain confidentiality obligations as relates to user information.
 A Data Holder is defined to mean a person who either alone or in common with other persons determines the purposes for which any personal data is or is to be processed. A Data Owner is defined as an individual who is the subject of personal data.
 Global tech/internet companies such as Facebook, Apple, Alphabet Inc, Tencent, Instagram, WhatsApp, Truecaller will come under the regulatory purview of local data privacy regulations.