Data Protection Bill 2017 [HB. 2]
OBJECTIVE OF THE BILL
The objective of the Bill is to provide statutory protection to personal data and regulate the processing, storage, archiving, retrieval and sharing of personal data in Nigeria.
NUMBER OF CLAUSES/PARTS
The Bill has 12 clauses, including the short title.
RELATED EXISTING LEGISLATIONS
GENERAL PROVISIONS OF THE BILL
The Bill has 12 clauses, which cover issues such as the handling of personal data of citizens, access to and sharing of such personal data amongst Federal Government Agencies, as well as penalties/sanctions for unlawful handling/disclosure of such personal data.
1. Handling of Personal Data
Clause 1 provides that all “personal data” must be obtained and processed “fairly and lawfully”. Appropriate technical and organizational measures are expected to be put in place to protect personal data from theft, destruction, damage or unlawful access.
Furthermore, Clause 1(4) prohibits the transfer of personal data from Nigeria to any foreign country unless such country has similar data protection legislations.
2. Right of Access to Personal Data
The Bill gives individuals the right to request from any “data controller” (body/entity/person who keeps personal data) information in relation to their personal data, except where such information would involve disclosing another individual’s information (Clause 2(1)).
Nonetheless, the data controller may still grant such request if it relates to the prevention or detection of crimes, national security or internal security (Clause 2(4)). The grant of this request must be “reasonable in all circumstances”. Clause 2(6) provides the conditions to be fulfilled in determining whether the request is “reasonable in all circumstances”.
3. Disclosure/Sharing of Personal Data
The most noteworthy part of the Bill is Clause 3(1), which provides that a data controller can disclose any personal data to the Nigerian Police or other Security Agencies without the consent of the individual (data owner). This means that organisations such as Banks, Insurance Companies, Religious Organisations, and Educational Institutions etc. must provide all personal data of their clients/customers/members to the Nigerian Police and Security Agencies. This contradicts Section 14(2)(a) of the Freedom of Information (FOI) Act, which provides that a public institution shall not disclose personal data without the consent of the data owner.
Furthermore, the National Identity Management Commission Act, under Section 26(1)(a) & (b) provides that no person shall have access to another’s personal information without the approval of the Commission and the consent of the individual or data subject/owner.
By virtue of the provisions of Clause 3(2), a data controller must comply with a disclosure request once a certificate issued by the Minister responsible for Defense or Interior has been served on the data controller. The Minister shall state that the disclosure is in the interest of internal or national security.
Furthermore, Clause 4 provides that the Ministries, Departments and Agencies (listed under Schedule A of the Bill) may share personal data of individuals amongst themselves without the consent of the individual.
4. Prevention of Misuse of Personal Data
Clauses 5 – 7 provide for the prevention of the misuse of personal data of individuals by data controllers. Personal data should not be used for direct marketing, under an automated decision-making process or any process that may cause damage or distress to the individual.
When an individual suffers distress as a result of any contravention by a data controller, he would be entitled to compensation (Clause 8(1)).
5. Rectification, Blocking, Erasure and Destruction
Where the personal data of a person is inaccurate, such person may apply to the court, requesting the rectification, blocking, erasure or destruction of the inaccurate data. The Bill does not clearly define which “court” is referred to.
Clause 10(1) provides that it is an offence for any person to unlawfully obtain or disclose personal data. However, no penalty/sanction is attached to this offence.
Also, a person who sells personal data that has been unlawfully obtained/disclosed is liable upon conviction to a term of 2 years imprisonment or a fine of N1,000,000.00 (One million Naira), while a person who offers to sell personal data that has been unlawfully obtained/disclosed is liable upon conviction to a term of 1 year imprisonment or a fine of N500,000.00.
PROVISIONS OF THE BILL SIMILAR TO EXISTING LEGISLATIONS
1. Cybercrimes (Prohibition, Prevention Etc.) Act 2015: Under Section 38(2)(b), a service provider in Nigeria shall release any data to the relevant agency/authority on request. Clause 3(1) of the Bill provides that a data controller can disclose personal data to the Nigerian Police or other Security Agencies for the purpose of preserving national security.
2. Nigerian Communications Act 2011: Section 146(2) provides for the furnishing of information on subscribers/users by Telecommunication Service Providers to relevant authorities as far as it is reasonably necessary in preventing the commission or attempted commission of an offence in Nigeria.
ISSUES IN THE BILL
1. The Bill is titled “DATA PROTECTION BILL” but the core issue that the Bill deals with is “Personal Data”, not data in general. It would be good and appropriate if the Bill could be re-named to aptly describe its core objective, e.g. “PERSONAL DATA PROTECTION BILL”.
2. The Bill does not define or specify “the court” which has jurisdiction over the legislation. It may be necessary to state which court is vested with original jurisdiction to determine issues arising from the operation of the Bill.
3. The Constitution of the Federal Republic of Nigeria, 1999 (as amended) ('the Constitution') provides for the fundamental rights of its citizens and holds the right of privacy sacrosanct. Section 37 provides for the guarantee and protection of the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. Clause 3(1) & (2) appears to derogate from this right to privacy, as the Minister in charge of Defense and Interior may issue a certificate to authorized persons to obtain a citizen's personal data without their consent on grounds of protection of internal security.
Vesting such powers in the two Ministers raises serious concern about Constitutional guarantees of human rights. Both ministerial positions would naturally have a mindset of abuse of rights. To protect these rights, therefore, there needs to be judicial application or review of such requests. Accordingly, the said section should be rephrased as follows –
“Subject to subsection (2) of this section, a data controller may, without the consent of the data subject, disclose personal data to the Nigerian Police or other Security Agencies described in the National Security Agencies Act for the purpose of safeguarding internal or national security on presentation of an order of the court and certificate issued by the Minister responsible for Interior or Defense”
“A data controller shall comply with a disclosure request pursuant to subsection (1) of this section only where a certificate in relation to the personal data or data subject issued by the Minister responsible for Interior or Defense and an order obtained from the court are presented, stating that the disclosure is in the interest of internal or national security”
4. The definition of “personal data” in the Interpretation Clause is vague and quite unhelpful in determining the type of personal information that is covered by the Bill.
5. The Bill does not provide for a definite period for the storage of personal data. Clause 1(2) is very ambiguous and may be abused by data controllers. The Cybercrimes (Prohibition, Prevention Etc.) Act under Section 38(1) prescribes 2 years.
6. One of the safeguards for protecting citizens from abuses by government agencies is that the courts approve arrest or search warrants before law enforcement agencies can execute them. The Bill does not provide this important check on the powers of the Minister of Interior/Defence to issue disclosure orders to data controllers.
7. Clause 8(1) provides for compensation to individuals whose personal data have been misused or mishandled by data controllers. However, it would be helpful if the “quantum” of compensation can be properly defined and laid out. Leaving it vague as it is in the Bill may mean that the interpretation should be at the pleasure of the court.
8. Clause 9 of the Bill is exactly similar to Section 14 of the Data Protection Act 1998 of the United Kingdom.
This Bill seeks to provide for personal data protection as well as regulate the processing of information relating to individuals, such as the process of obtaining, holding, use and disclosure of such information. This is an important bill since there is no comprehensive law on data protection in Nigeria and thus, personal data of citizens are vulnerable to mishandling/misuse.
Nevertheless, the Bill should seek to strike a balance between the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business only. It is imperative that the legislation should ensure that personal data/information of Nigerian citizens is kept safe and secure, and not obtained or used unlawfully by government agencies.