Scope and applicability of the NDPR
Every law creates rights and/or duties1in relation to one or more classes of persons. As we mentioned in the preceding issue, the NDPR was developed in recognisance of the need to protect the right to privacy guaranteed pursuant to Section 37 of the 1999 Constitution. Thus, the NDPR created additional rights, and imposed correlative duties and responsibilities, on different classes of persons, to ensure the optimal enjoyment of the existing constitutional right.
Who can enjoy the data rights created under the NDPR?
The concept of legal personality supposes the existence of two categories of persons under the law – natural persons and non-natural persons. A natural person is a living human being, Conversely, a non-natural person (also known as a juristic person or a juridical person) is a non-human entity established by or pursuant to a law, and includes corporations, trade unions, incorporated trustees, government agencies, NGOs, etc. While certain rights automatically accrue to natural persons by virtue of being human, the rights enjoyed by non-natural entities are directly traceable to specific enabling laws.
The data rights created by the NDPR can only be enjoyed by natural persons. In other words, to enjoy the data rights created by the NDPR, one must be a human being. It is not in doubt that non-natural persons also have unique identifiers – in the case of a corporation, those identifiers would include company name, RC number, registered address, tax identification numbers, and other similar identifiers. However, the well-established principle of law – that corporations and other non-natural persons do not have personal privacy rights2 – would have informed the decision of NITDA to limit the enjoyment of data rights under the NDPR to only natural persons.
The rights afforded by the NDPR are enjoyable by Nigerian citizens and residents only. For Nigerian citizens, the country of residence of such a citizen is immaterial. Aliens must be physically living in Nigeria to enjoy the data rights under the NDPR. What happens where an alien is illegally residing in Nigeria? It may be argued that the legal status of such an alien is not material, for the purposes of enjoying the rights afforded by the NDPR. This position is further supported by the fact that the NDPR was silent on the legal status of ‘residents’ covered under the regulation. Alternatively, it can also be argued that only a lawful resident should enjoy the legal protections afforded under the Nigerian body of laws.
Who has obligations under the NDPR?
The duties and obligations imposed under the NDPR are largely targeted at data controllers and data administrators.
A data controller was defined by the NDPR as “a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed.” A data controller controls what personal data is collected, why such data is collected, how such data is collected, where the collected data is stored, and when the data is disposed of. The use of the word “person” in that definition is noteworthy, as it applies to all categories of persons recognised under Nigerian law. All businesses and entities in Nigeria qualify as data controllers.
A data administrator (also known as a data processor) is a person or an entity that processes data at the instruction of, and for purposes specified by, a data controller. Financial institutions, recruitment firms,
1 The words rights and duties are used loosely to refer to all categories of jural relationships, including privileges, powers, immunities, liabilities, and disabilities.
2 This was most recently restated by the US Supreme Court in FCC v. AT&T Inc., 562 U.S. 397 (2011)
outsourcing agencies, tax auditors, etc. may act as data administrators for entities in Nigeria (although they may be classified as data controllers in other contexts).
What transactions are covered by the NDPR?
The NDPR applies to all transactions in which the personal data of Nigerian citizens and residents are, or are intended to be, processed. That covers every transaction that involves collecting, using, and/or storing information relating to an individual.
However, the NDPR does not generally apply in the following circumstances:
- Use of personal data by government agencies saddled with the responsibility of ensuring national security, public safety and order, or by their agents;
- Use of personal data for purposes of criminal and tax investigations; and
- Domestic (family) matters.
Lastly, it must be noted that the non-applicability of the NDPR in these circumstances does not inhibit the right of an affected data subject to enforce a perceived privacy breach by way of fundamental rights enforcement under Chapter IV of the 1999 Constitution.
NICCOM LLP is a licensed Data Protection Compliance Organisation (DPCO), and can provide data protection compliance audit services, as well as other related services required by businesses. As a law firm, we are positioned to proffer legal advice on the impact of the NDPR to your organisation, and suggest recommendations on process improvement, where necessary
