In February 2022, the Nigerian government announced that President Muhammadu Buhari had approved a new agency, the Nigeria Data Protection Bureau (NDPB)
The statement was signed by Uwa Suleiman, Media Aide to the Minister of Communications and Digital Economy, Isa Pantami.
According to Suleiman, the NDPB was established in line with global best practices and would focus on data protection and privacy for the country.
Among other things, the statement credits the introduction of the Nigeria Data Protection Regulation (NDPR) and the National Digital Economy Policy and Strategy (NDEPS) with creating more awareness about data protection and resulting in the “datafication” of the Nigerian economy.
Although we are not sure of the specifics of the agency’s duties, Suleiman says the NDPB will consolidate the gains of the NDPR and support the process for the development of a primary legislation for data protection and privacy.
For now, we can say with certainty that Vincent Olatunji will head the NDPB as National Commissioner/CEO.
Olatunji served as the Acting DG of the National Information Technology Development Agency (NITDA) until October 2016 before handing over to Pantami, nine months after his appointment.
Does Nigeria have a new Data Protection Authority?
The short answer to this is no.
The long answer, which requires some explaining, is maybe.
When NITDA introduced the NDPR, the agency handed itself some oversight functions, effectively becoming Nigeria’s default Data Protection Authority (DPA).
But what are DPAs? According to the European Commission, “DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws.”
So think of a DPA as a bodyguard to ensure your data rights are protected, and companies don’t get away with anything.
In Nigeria’s case, this would apply to the NDPR
However, unlike Europe and other countries — including some countries in Africa — NITDA did not create a separate entity to act as a DPA. A scenario that some have argued goes beyond the powers assigned in the NITDA Act.
Essentially, one could argue that NITDA appointing itself DPA is unlawful or, in legal terms, void.
The NITDA Act empowers the Agency to “develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information.”
In other words, the NITDA Act does not appear to give the Agency the power to issue the NDPR in itself. But that’s a discussion for another day.
Going by this new development, though, it appears that four years into the NDPR’s regime, we might be getting a DPA in the true sense of the word. Let's not get too far ahead of ourselves, though, because there’s still the pesky problem of an establishing law.
In most countries, DPAs are created through a governing law or regulation. A presidential approval does not a DPA make, but this is undoubtedly a step in the right direction, for which we are cautiously optimistic.
For now, however, our earlier answers are still valid. Until NITDA or the Ministry of Communications and Digital Economy confirms whether the NDPB is a DPA, we can only speculate.
Olumide Babalola, Managing Partner at Olumide Babalola LP, believes that “The statement is silent on what form the Bureau would take. It reportedly currently shares an office with the National Information Technology Development Agency ('NITDA').
“Hence, as things stand, the Bureau is no more than a department under NITDA as it currently has no separate identity, not even a website where information on its operations can be accessed.”
What happens to the Data Protection Bill?
According to Suleiman’s statement, the NDPB would “support the process for the development of a primary legislation for data protection and privacy.”
The race to a dedicated data protection and privacy law has taken several turns. Filled with false starts, the closest Nigeria has come to a law passed by the National Assembly was in 2018 with the Nigeria Data Protection Bill 2018. Although both houses passed it in 2019, President Buhari withheld his assent.
The most successful attempt remains the NDPR, a guideline at best.
The Data Protection Bill 2020 (PDF) is currently before the National Assembly, but nothing much has been heard since a stakeholder session held in September 2020.
The Bill provides a much more robust approach to data protection, providing for more categories of data than the NDPR, which appears to deal more with electronic data. It also creates a Data Protection Commission, which should act as Nigeria’s DPA.
Interestingly, there are rumours that the Bill has been abandoned, and the federal government is seeking a consultant to draft a new one.
What this means
Business as usual for now.
Although the uncertainty surrounding the NDPR and NITDA’s power to appoint itself DPA are still dark areas, it’s the best we’ve got for now.
The introduction of the NDPB raises a little wave of dust over Nigeria’s data protection and privacy crate. It raises questions that cannot be adequately answered until we see appropriate legislation or more guidelines and perhaps a “dedicated website.”
What follows should make for interesting times.