By Olumide Babalola
In 2021, when it seemed the Federal Government (FG) was not serious about enacting a principal data protection law in Nigeria, I approached the Community Court of Justice (ECOWAS Court) to compel the FG to honour its obligation under the Supplementary Act on Personal Data Protection Within the ECOWAS.
That suit (ECW/CCJ/JUD/02/23) predominantly sought an order compelling Nigeria to enact a comprehensive data protection law to address many areas not currently covered by the existing laws. The FG responded by asserting their compliance with their obligations having enacted the following extant legislation bordering on data protection: 1999 Constitution; National Information Technology Development Agency (NITDA) Act (2007); Nigerian Communications Commission (NCC Consumer Code of Practice Regulation 2007; Nigerian Communications Commission (NCC) Registration of Telephone Subscribers Regulation 2011; Freedom of Information Act 2011; Cybercrimes (Prohibition, Prevention, etc.) Act 2015; The Child Rights Act 2003; Consumer Protection Framework 2016; National Identity Management Commission (NIMC) Act 2007; National Health Act (NHA) 2014; Federal Competition and Consumer Protection Act 2019; and the Nigeria Data Protection Regulation 2019.
In its judgment delivered on the 13th day of March 2023, the Court however agreed with them as follows:
“… some of the obligations under the NDPR, such as the designation of data protection officers under 4.1 (2), are not even provided for under the Supplementary Act. Consequently, it is inaccurate for the Applicant to contend that there is no legal framework for protecting privacy or personal data. The Court finds that, although a substantive Act of Parliament may yet set up such a framework, the NDPR and its implementation framework equally constitute a framework within the meaning of the Supplementary Act.”
On the improvement made in the Nigerian data protection industry since 2021:
“The Court further observes that, since the commencement of the action
in July 2021, two significant efforts have been undertaken. First is establishing the Nigerian Data Protection Bureau (NDPB) in February 2022 to take over the function of NITDA to administer the NDPR and its implementation framework. The second is introducing a Nigerian Data Protection Bill 2022 in October 2022. Both actions are commended as consistent with the normative approach by other countries towards domesticating the Supplementary Act.”
On whether the current framework on data protection meets the requirements under ECOWAS Supplementary Act:
“There is a practical value to a State having a single comprehensive law to regulate personal data processing and related matters; hence States must strive towards achieving such uniformity. However, the test for whether any framework satisfies the terms of the Supplementary Act would be based on something other than it being contained in a single legislation or necessarily enacted by an act of Parliament. The substance of the framework, regarding protection scope, implementation framework, and redress mechanisms, weigh more than the optics of the framework.”…
“Admittedly, the Supplementary Act has not been domesticated through substantive legislation or by creating a new DPA as ordinarily desired; but the current legal regime for the protection of personal data in the Respondent country satisfies the object
of the Supplementary Act unless the contrary is proven.”
The Sweet Part
In spite of the (academic) submissions that our data protection legal framework is weak, incoherent, untested, and irregular, this decision appears to have given the status quo a pass mark. Hence, Nigeria is the first beneficiary of a decision by the ECOWAS Court on compliance with the ECOWAS Supplementary Act and such a decision gives a measure of confidence and bragging rights as far as our legal framework on data protection is concerned.
The Court also observed that:
“The second is introducing a Nigerian Data Protection Bill 2022 in October 2022.” And “Respondent has listed a host of legislation containing provisions geared towards meeting the objectives of the Supplementary Act. Admittedly, several of these legislations predate the Supplementary Act and – Child Right Act, Consumer Protection Framework, Federal Competition and Consumer Protection Framework, and Cybercrimes (Prohibition and Prevention) Act – are sectoral and hence narrow in their application despite containing provisions on protecting privacy and disclosure of personal data/information under these legislations.”
Our strongest legislation on data protection are sectoral laws (primary legislation) which carry a heavier weight than the Nigeria Data Protection Regulation (secondary legislation) in the hierarchy of laws. Secondly, the much-awaited Data Protection Act is still on the floor of the House of Representatives with nine days to the end of their legislative term. This kind of decision may breed complacency and reverse the commendable strides we have made toward enacting a principal law for data protection in Nigeria.
Hopefully, the Nigerian judiciary can as well rise to the occasion by supplementing our exiting legal framework with relevant case law towards developing the field.