Nigeria has suffered several data breaches recently, and its data protection commissioner wants to change that

The just-appointed commissioner for Nigeria’s new data protection commission, Vincent Olatunji, tells TechCabal how he plans to end data breaches in the country.

Earlier this month, Nigeria’s president, Bola Tinubu, signed the Nigeria Data Protection Bill 2023 into law. The new law, which went into effect immediately, was proposed by the immediate-past government of Muhammadu Buhari, and provides a legal framework for the protection of personal information and the practice of data protection in Nigeria. The law also creates a new national body for the enforcement of the provisions contained in the act.

The new body—the Nigeria Data Protection Commission (NDPC)—will be headed by Vincent Olatunji. A certified public-private partnership specialist (IP3 Specialist) and a PECB-certified data protection officer, Olatunji joined the National Information Technology Development Agency (NITDA) in 2002, rose to the position of director in 2014, and became acting director-general in 2016. In February 2022, he was appointed the NDPB’s first national commissioner, and he has been tasked with protecting Nigerians and their data.

How the Nigeria Data Protection Commission was created

On a call with TechCabal, Olatunji said that the immediate former minister of the digital economy, Isa Pantami, was responsible for the creation of the Nigeria Data Protection Commission (NDPC). The NDPC was initially a body under the National Information Technology Development Agency (NITDA), but for Nigeria to be in line with the ECOWAS Act on Personal Data Protection [pdf], there needed to be an independent supervisory authority for data protection.

“We explained to the minister that it would be difficult to get results if we did not have a body specifically in charge of implementing data protection laws. He then sent a memo to the president, which was approved,” Olatunji said. The creation of the law and commission is also in line with the right to privacy enshrined in Section 37 of the Nigerian Constitution.

According to Olatunji, part of the president’s approval mandates that the NDPC be funded by NITDA and the Nigerian Communications Commission (NCC) for three years. “After that period, the commission should be self-sustaining. We should be able to generate money to fund our activities and even create revenue for the government,” he said.

Image Source: Faith Omoniyi/TechCabal.

The powers of the Nigeria Data Protection Commission

When asked how the commission would be able to enforce fines against international companies, Olatunji referenced Nigeria’s large market. “They know the market is here; they cannot afford not to obey our laws. We have already fined some financial institutions that did not comply with the laws, and they paid. Between the time we started and now, we have generated over ₦200 million for the government. However, we use a balanced approach so businesses can grow in Nigeria.”

In an interview with Arise TV, Olatunji said that the commission has the power to create regulations for emerging technology and impose fines on companies that have committed a breach of data protection. “Going to the legislature to amend our laws before we can regulate emerging technologies would be too cumbersome. That’s why we made our laws flexible. The law empowers the commission to issue regulations, which would be as powerful as the act itself,” he explained to TechCabal.

Data protection in Nigeria is still in a dire state. In the first quarter of this year, Nigeria was ranked as the 32nd most breached country in the world. This coincided with a 64% increase in breaches from the previous quarter. When asked if the commission will investigate breaches even without a public complaint, Olatunji said, “That is one of the principal functions of the commission. We can independently conduct investigations in any sector that has to do with personal data protection. If there is a data breach anywhere, we have the power to investigate, and whatever decision we make is binding. However, companies have the right to appeal, and the Supreme Court has the final say.”

A corollary effect of the dire state of Nigeria’s data protection has been the unethical use of Nigerians personal data by companies. Last month, TechCabal wrote about the unethical debt collection methods employed by some loan apps. Although several loan apps have denied using customer data unethically, it is something that is on Olatunji’s radar. “From my experience with Soko Loan, I know that a lot of Nigerians have been damaged psychologically by the messages they send out to people. We started investigating them [loan apps] under NITDA, and now that we are independent, it’s one of the things we will focus on.”

Olatunji added that because of the complexity of these loan applications, a multi-pronged approach by different regulators, such as the central bank, the Economic and Financial Crimes Commission (EFCC) and NITDA, would be employed to create regulations that would govern them.

The commission can license, accredit, and register bodies to provide data protection compliance services. However, according to Olatunji, because the “expertise in data protection services in Nigeria is low”, the commission has had to employ a public-private partnership model. “For instance, we have over 500,000 data controllers and processors, and each of these organisations should have a data protection officer, but there are not up to 10,000 certified data protection officers in the country.”

To address this deficit, the commission started licensing data protection compliance organisations. “They are companies that have expertise in data privacy and protection, who can go to companies, talk to them, create awareness, and assist with data privacy and protection policies. As of last count, these organisations are now offering about 17 different services that we did not even think about when we started this process. One good thing that has come out of this is that over 9,000 jobs were created within three years. We started by experimenting with about 17 [organisations], and now there are 168 [organisations],” he said. Olatunji also added that the commission regularly conducts “quality checks” on the organisations and that 18 of these organisations have since had their licences revoked.

Although there has been a clamour for data to be hosted locally in Nigerian data centres (Nigeria has only 11), Olatunji believes that a hybrid model would be best suited for Nigeria’s data. “It is not realistic for you to say that all your data must be hosted locally, so what we have done is create standards for cross-border data transfer in the Act [Sections 41, 42, and 43].”

Criticisms of the Data Protection Act

One criticism of the act has been that “legitimate interest” was added as a legal basis for processing personal data, but the act does not clearly define what “legitimate interest” means. Olatunji told TechCabal that “legitimate interest” was added to cater for a scenario where a data processor needs to process data but does not fall under the bases of consent, contractual obligation, legal obligation, vital interest, and public interest. He added that “legitimate interest” would only suffice if it was not in conflict with the other bases.

Another criticism of the National Data Protection Act is that it does not specify the quantum of data processed by a data controller or data processor to qualify as a data controller or processor of major importance. Olatunji clarified that only the commission can specify this and that the exemption is deliberate because the requirement would constantly change as new developments happened.

What does Olatunji want to achieve in office?

When asked what he would like his legacy to be after his tenure, Olatunji told TechCabal that he wants to change how Nigerians think about data. “I want us to get to a level whereby every Nigerian will know their rights in terms of how their personal data is collected, processed, shared, and stored. I also want to leave a legacy where data processors and controllers know their obligations in the area of accountability. I want a place where personal data protection is a culture.”