National Commissioner for the Nigeria Data Protection Bureau (NDPB), Dr. Vincent Olatunji, has recently discussed the new Data Protection Act 2023 in the country, which aims to protect the data rights of the citizens and regulate the use of Technology such as AI. Now that Nigeria has a data law (similar to the EU’s data laws) after many collaborative efforts, the major focus of the bureau is to implement measures that will protect the data rights of Nigerians. He said that there are a lot of provisions in the law that enact measures for data controllers to create safeguards that ensure that data is treated properly.
One of the work of NDPB is investigating firms for data breaches. The commissioner stated that the bureau has invested many in the banking, telecoms, consulting and digital lending sectors. For instance, Soko Loan was fined N50 million in the digital lending sector and along with approximately three banks in the banking industry. The agency makes these fined firms pay a remediation and take them through Regulation and compliance. The aim is to improve the compliance Culture of these firms.
Some firms would be blacklisted for not adhering.
Now that the country has a data law, the bureau has encouraged all organizations dealing with data to register with them between the present and December. Olatunji said that it is to ensure that the commission has their information captured as they cannot be effectively regulated if the organizations that they are trying to regulate are not known. After the registration, the agency would have the annual data protection compliance audit report, which would be held between January and March.
As for firms that would be blacklisted for not adhering to Data Privacy laws, the process is ongoing and being implemented. The blacklist is likely to be released by March 2024. The list is for organizations, companies, and data processors who do not comply with the provisions of the law. The bureau is essentially saying it does not want people or organizations to treat data in a careless manner. Apart from the digital lending company (Soko Loan) and three banks, the agency announced an investigation into MoMo last year and he said that the investigation into Flutterwave is also still ongoing.
Biggest issues with data privacy in Nigeria are ignorance and capacity.
Speaking on the root of the issues with data privacy, the commissioner said that ignorance and lack of capacity play significant roles. Many data subjects neither know their rights nor ask for it. Even many data controllers and data processors do not know their jurisdictions. To solve this problem, he said that awareness is needed. On the area of capacity, he questions the capacity and competence of data protection staff in firms. “Do they understand the point of putting in safeguards and ensuring that there is no unauthorized access and malicious use or damage to the data?” he inquired rhetorically.
Awareness and capacity are major challenges in applying the data law in Nigeria, he said. But that the government would devise awareness activities for people to be enlightened. Recently, the Central Bank of Nigeria (CBN) had asked banks to require that customers submit their Social Media handles. Olatunji said that the CBN cannot implement such without the consent of data subjects – Nigerians. “People need to willingly avail you of the right to collect their social media information because this is their personal information,” he said.
Law to properly monitor big firms now exists.
Olatunji revealed that the agency is working on how big firms use citizens’ Personal Data. This includes firms such as Google, Meta, Twitter, etc. He said that the ability of the new law to adapt to situations is one of its advantages. For instance, the law has given the bureau the power to issue regulations to be able to control how emerging technologies operate and to be able to address issues of privacy in usage. Globally, the attention is focused on social media networks and even solution providers because of the importance of data protection. He said that now that the country has a law to properly monitor what these big firms are doing, Nigeria and the rest of Africa will gradually get to a point where they can achieve effective regulation.
