Data protection under NDPR: Obligations of companies and rights of customers

Introduction

In today’s fast-growing digitalized marketplace, there is a significant shift away from the traditional practice of visiting a store to purchase a product or obtain a service: it has become convenient for consumers to click a few buttons, input personal information and receive the product or service within a specified time frame. While this information is being divulged, data is collected, and companies may store it for various reasons, such as making effective business decisions, forecasting consumer behaviour towards products or services, improving the consumer experience and understanding competitors, among others.

It is safe to state that data sharing is based on trust founded upon the customer-company relationship, and that the company has a corresponding responsibility to protect such data. This means that where customers share their data with any organization, the law guarantees their right to data privacy.

Threat to Data Privacy

In recent times, companies bear the herculean responsibility of ensuring that their customers’ personal data are protected and safe against cyberbullying, hacking and other threats. However, breaches of data privacy by several organizations have been making headlines across the world. For example, Twitter allegedly suffered a data breach in which hackers accessed over 200 million email addresses of its users. With the rising threat to data privacy, countries are enacting laws that protect and regulate data, such as the United Kingdom’s Data Protection Act 2018, Rwanda’s Data Protection Law 2021 and the African Union Convention on Cybersecurity and Personal Data (2014), ratified by 55 member states of the African Union. In the same way, Nigeria made a giant leap by passing the Nigeria Data Protection Regulation (NDPR) 2019 under the National Information Technology Development Agency (NITDA).

Legislation

In Nigeria, the privacy of customers is a fundamental right, first guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria. The NDPR, however, is the primary legislation for data protection in Nigeria. Under this regulation, companies have diverse responsibilities in collecting, storing, using, processing and sharing their customers’ personal data[1]. They are required to specify the purpose for requesting data from their customers, ensure that data protection policies are in place and obtain the clear consent of data subjects (customers[2]) before processing any data relating to them.

Rights of Customers (Data Subjects) under the NDPR

The NDPR seeks to advance the privacy of data subjects through certain rights, such as:

  1. Right to access data: A customer has the right to request and access any information collected by the company. Such a request will only be granted where the customer provides proof of identification[3].
  2. Right to correct data: Where data held about a customer is inaccurate, the customer has the right to notify the company and instruct it to correct the data without unnecessary delay. If additional information is needed to ensure data accuracy, the customer has the right to provide it.[4]
  3. Right to deletion of personal information: A customer has the right to request that his/her personal data be forgotten/deleted in circumstances such as[5]: where consent is withdrawn, where the data is no longer required, where the customer objects to the data processing, or where there is a legal mandate to remove such information, among others.
  4. Right to withdraw consent: A customer has the right to withdraw consent at any time, and the company shall inform him/her of the method for such withdrawal. However, the withdrawal shall not affect the lawfulness of data processing based on consent given before the withdrawal.[6]
  5. Right to data mobility or portability: Customers have the right to receive their personal data from companies in a structured, commonly used and machine-readable format. The customer may also choose to transfer such data to another company or individual without hindrance from the initial company where the data processing is based on consent, carried out by automated means or based on a contract.[7]
  6. Right to lodge complaints with relevant authorities: Just as there are laws to protect data, there are agencies established to implement these laws. A customer has a right to lodge a complaint about, or object to, a company’s data privacy measures by reporting to the relevant authority through his/her legal practitioner.

Obligations of Companies

Where a customer shares his/her personal data with a company, the NDPR places certain legal obligations on the company, such as:

  1. Companies owe a duty of care to their customers and must be accountable for their acts and omissions with respect to data processing.
  2. Where a company intends to obtain data from its customers, it is required to be transparent by stating in its data privacy policy the specific data collected and the method of data processing.[8]
  3. Companies are required to develop data security measures to protect data, such as firewalls and data encryption, among others[9].
  4. Customers’ personal data shall not be transferred except with the explicit consent of the customer.
  5. Customers’ personal data shall be protected against hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain or fire, or exposure to other natural elements.
  6. Companies are required to store customers’ data only for the period it is reasonably needed. Where the parties do not agree on a specific timeframe for storage, the NDPR Implementation Framework 2020[10] makes further provision for the lawful duration of data storage, as follows:
  • three years after the last active use of a digital platform;
  • six years after the last transaction in a contractual agreement; or
  • upon the presentation of evidence of death by a deceased’s relative; the Data Controller and/or Processor must immediately delete the Personal Data of the deceased Data Subject unless there is a legal obligation imposed on the Data Controller to continue to store the Personal Data; and
  • immediately upon a request by the Data Subject or his/her legal guardian where:
    1. no statutory provision provides otherwise; and
    2. the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted.

From the above, it is safe to state that companies are required to follow through not only on data security measures but also on data governance practices. Publishing a privacy policy has become a global data governance practice for companies with websites and online stores. A typical privacy policy will address the customers’ privacy rights, customers’ consent, confidentiality rights, the use of customers’ personal information, and the protection and sharing of customers’ data, among others.

Lawful Justification for Data Processing

Personal data of customers must be lawfully processed, and the circumstances in which processing is lawful are highlighted under Regulation 2.2 of the NDPR:

  1. Where the data subject consents to the processing of his/her personal data;
  2. Where processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
  3. Where processing is necessary for compliance with a legal obligation to which the Controller is subject;
  4. Where processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; and
  5. Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the Controller.

Consequences for Breach of Data Privacy

The NITDA imposes the following penalties[11], in addition to any other criminal liability, on companies found to be in breach of the data privacy rights of their customers (data subjects):

  1. Companies holding the personal data of more than 10,000 customers: a fine of 2% of the annual gross revenue of the preceding year or 10 million Naira, whichever is greater;
  2. Companies holding the personal data of fewer than 10,000 customers: a fine of 1% of the annual gross revenue of the preceding year or 2 million Naira, whichever is greater.

The Implementation Framework[12] further suggests that the NITDA may impose certain administrative orders including: suspending an organisation’s service pending further investigations; issuing a notice warning the public to desist from patronising the organisation; or referring the matter to the appropriate regulatory agencies for sanction and to prosecute the organisation.

Application of Laws on Data Privacy Breaches

In 2021, it was reported that NITDA officials conducted an investigation into the company’s websites, applications and technical documents and concluded that there had been a data protection breach. The company was fined N5,000,000 and placed under a six-month oversight by NITDA on the implementation of prescribed security controls and the preparation of data security documents between the company and its Information Technology providers, among others.

However, the NITDA has ceased to act as the agency for the implementation of data protection and has been replaced by the Nigeria Data Protection Bureau (NDPB), which was established in February 2022. The Bureau is saddled with the responsibility to protect the rights of natural persons to data privacy; foster the safe conduct of transactions involving the exchange of personal data; prevent the manipulation of personal data; and implement the provisions of the NDPR. Recently, the NDPB began investigations into an alleged breach of data privacy by some Nigerian banks and has said it would ensure strict adherence to data governance practice.

While this article focuses on the NDPR, there are other sector-specific laws, regulations and agencies that may also apply to some companies or individuals. For example, the Patient’s Bill of Rights[13] and the National Health Act[14] guarantee the privacy and confidentiality of patients’ medical records and information, and the Federal Competition and Consumer Protection Act[15] guarantees the confidentiality of business secrets of parties where the Commission has become privy to such information in the course of its investigation.

Conclusion

We are in an age where both domestic and international trade are carried out with ease through the use of the internet. Cross-border transfer of personal data may pose yet another data protection challenge for Nigerian companies, especially because of differences in global data privacy laws and their enforceability. However, where such a company is dealing with customers who are Nigerians, the NDPR will apply[16], and it is irrelevant that the customer is not resident in Nigeria.

It is important that companies with an online presence display well-drafted privacy policies, and they must ensure that customers understand and sign these policies before a company-customer relationship is formed.

REFERENCES

[1] The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (‘Data Subject’); it could be a name, an address, a photo, an email address, bank details, posts on social networking websites, medical information, or another unique identifier such as, but not limited to, a MAC address, IP address, IMEI number, IMSI number, SIM, Personally Identifiable Information (PII) and others.

[2] Data subjects are natural persons under the NDPR; for the purpose of this article, data subjects include customers.

[3] Regulation 3.1(1) NDPR

[4] Regulation 3.1(8) NDPR

[5] Regulation 3.1(8) NDPR

[6] Regulation 2.3(1)(c) NDPR

[7] Regulation 3.1(12) NDPR

[8] Section 5.2 NITDA

[9] Section 5.2(a) NITDA

[10] Section 8.2 NDPR Implementation Framework 2020

[11] Regulation 2.10 NDPR

[12] Section 10.1.4 of the Implementation Framework, 2020

[13] Launched by Vice President Yemi Osinbajo in July 2018

[14] National Health Act 2014

[15] Federal Competition and Consumer Protection Act 2019

[16] Regulation 1.2 NDPR