Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Nigeria: The Nigeria Data Protection Bureau and some questions requiring urgent answers

In February 2022, the Nigerian President approved the establishment of an entity described as the 'Nigeria Data Protection Bureau' ('the Bureau'), as communicated in a statement widely reported by many news outlets and agencies in Nigeria by Uwa Suleiman – spokesman for the Minister of digital communications and economy, who made the request from the President. Olumide Babalola, Managing Partner at Olumide Babalola LP, discusses the character of the Bureau and raises questions which have come to light following the news of the Bureau's establishment.

mujibwaziri / istockphoto / Essentials collection

Like every stakeholder in the privacy and data protection industry, I received the news at face value with joy and high hopes that our enforcement mechanism has gained another boost, especially since the official statement expressly declared that the Bureau 'has been established in line with global best practice and will focus on data protection and privacy for the country.' However, without necessarily analysing whether or not the Bureau has been ‘established’ in line with ‘global best practices,’ a number of more pressing and practical questions have been thrown open by the official declaration of the Bureau’s establishment as follows:

What would be the identity or form of the Bureau?

The statement is silent on what form the Bureau would take. Currently, it reportedly shares an office with National Information Technology Development Agency ('NITDA'). Hence, as things stand, the Bureau is no more than a department under NITDA as it currently has no separate identity, not even a website where information on its operations can be accessed.

Does the Bureau possess juristic personality?

Admittedly, the Bureau is yet to visibly take off. Unconfirmed reports put its starting date in September 2022. Regardless, without an enabling piece of legislation, does the Bureau, in its present state, possess the capacity to sue and be sued? Is it yet a creation of law? Does the official statement announcing its establishment qualify as 'law' under our legal system to clothe the Bureau with juristic personality?

Will the Bureau replace NITDA as Nigeria's data protection authority?

NITDA issued the Nigeria Data Protection Regulation ('NDPR') in 2019 and donated some oversight functions to itself as the country's data protection authority. While it is conceded that the somewhat confusing interpretation provisions, specifically Articles 1(3)(xxiv) and 1(3)(xxvi) of the NDPR, contemplate the role of other data protection authorities in addition to NITDA, it must be clarified whether the new Bureau would operate as Nigeria's data protection authority to the exclusion of NITDA and others.

Does the presidential approval constitute the establishment of the Bureau?

Many news agencies reported that they had the benefit of reading the official statement announcing the presidential approval, but does this constitute the establishment of the Bureau, or do still await a proper establishment legislation which will comprehensively enable the Bureau to function as an independent body?

It is worth noting that Articles 16 to 18 of the Supplementary Act A/SA. 1/01/10 on Personal Data Protection within ECOWAS ('ECOWAS Supplementary Act') mandate every member state to establish a data protection authority and comprehensively provide for its composition and independence. There is no such information on the Bureau accessible anywhere yet, hence we are left in the dark as to the composition of the team to be headed by the experienced Dr Vincent Olatunji, already appointed as the CEO.

What are the powers, duties, and responsibilities of the Bureau?

Article 19 of the ECOWAS Supplementary Act provides a comprehensive list of the expectations of a data protection authority. Will the Bureau's enforcement powers be the same as those accorded to NITDA under the existing NDPR and its implementation framework, or will its activities be specified in forthcoming principal legislation?

What will become of the Bureau upon enactment of a principal legislation?

Historically, NITDA itself started out as a department under the Ministry of Science and Technology before it became a fully-fledged government agency with an enabling Act. From the news reports, the Bureau will support the process for the enactment of a principal piece of legislation. The follow up question to this is – what happens to the existing Bureau upon the passing of a principal piece of legislation? Will it automatically become a new body under the new legislation? Will the new legislation ratify the earlier activities of the Bureau? Will the Bureau also adopt NITDA's transformation style from a department to a full-fledged independent agency?

Conclusion

In this article, I deliberately refrained from giving my opinionated answers to the questions raised here because the objective of my intervention is not to conclude on the perceived gaps of the establishment process but to provide talking points for the authorities to address.

The industry is a budding one in Nigeria, and it requires the collaboration of all stakeholders to enable it to align with global standards in terms of regulations and enforcement. Hence, the questions raised here are some of my thoughts on the issues that may arise, or have already arisen, from the commendable, proposed 'establishment' of the Bureau. Ultimately, these questions and more need to be answered and addressed for the industry to be properly positioned towards global standards.

Olumide Babalola Managing Partner
[email protected]
Olumide Babalola LP, Lagos