Matters eRising with Olusegun Oruame
To give a peep into its 2024 regulatory activities, the Nigeria Data Protection Commission (NDPC) recently issued a Code of Conduct for Data Protection Compliance Organizations (DPCOs) in Nigeria, signaling it will actively focus on enforcement against breaches.
Instilling a national culture of data protection or privacy in corporate Nigeria, particularly among the big data controllers, is a perpetual struggle that the privacy watchdog appears now keen to address.
Globally, regulating and addressing privacy issues with big tech companies like Meta, Google, Amazon, TikTok, and others has been thorny, tortuous and even controversial for many regulators and policy makers.
While the tech giants continue to debate the limits of regulations, regulators are becoming even more determined to stretch the law and impose sanctions with hefty fines for privacy breaches.
Within the European Union (EU), where the General Data Protection Regulation (GDPR) is applicable, operators are beginning to come to terms with the fact that regulators are no longer shy about imposing fines. The ‘no-shy’ resort to fines is forcing the likes of Facebook (Meta) and TikTok to pay greater attention to privacy issues.
TikTok was fined EUR 345 million (about $367 million) by the Data Protection Commission (DPC), Ireland’s data watchdog, for failing to protect children’s privacy.
2023 witnessed a groundbreaking GDPR fine
Indeed, as Data Privacy Manager noted: “the year 2023 witnessed a groundbreaking GDPR fine surpassing €1.2 billion to Meta (formerly known as Facebook). Of the top 20 GDPR fines recorded, seven were imposed on Meta or Meta-owned companies.
“Astonishingly, this single fine alone comes close to eclipsing the combined total of all GDPR fines issued by January 28, 2022, which was approximately €1.64 billion.
“Collectively, GDPR fines have now reached over €4 billion. These figures demonstrate the ongoing commitment to upholding data protection regulations and highlight the increasing financial consequences of non-compliance.”
It is a similar trend whether in the Americas or Asia. Privacy watchdogs are increasingly using the big stick once there are cases of breaches established against big data controllers.
African regulators applying the stick
Regulators in Africa are equally leaving the carrot to apply the stick as they make progress with fostering a national privacy culture through awareness and legislation.
In Kenya, TikTok has agreed to have its content monitored as it risks not just a fine but a total ban in that country after authorities alleged the Chinese social network giant was promoting “inappropriate or offensive content.”
Just this month, Worldcoin, the multinational cryptocurrency and digital ID firm, announced it would be resuming its operations in Kenya next year having agreed to comply with the conditions set by Kenya’s data privacy regulator.
Earlier in the year, Worldcoin was forced to close shop after the Office of the Data Protection Commissioner announced it was investigating the firm “to ensure compliance with the law.”
When Worldcoin initially launched its service, it was “collecting biometric data, in exchange of free WorldCoin tokens (WLD) worth about 7,700 Kenyan shillings ($55)” from thousands of Kenyans, which authorities determined was in breach of the country’s privacy law.
The bottom line is that data protection and issues of privacy are only beginning to become management issues in corporate Africa. While different jurisdictions push ahead with awareness campaigns and legislation to tackle privacy abuses, many big multinationals and even large-sized local firms that are major data controllers are playing ostrich, forcing regulators to adopt a more aggressive approach.
Time to tweak conciliatory posture and be the assertive regulator
Nigeria has made remarkable progress in its data privacy journey having successfully had the Nigerian Data Protection Bill signed into law this year to become an Act and, perhaps, usher in a more assertive privacy ombudsman in 2024.
Before now, and for a mix of factors, including the need to first create awareness and engage stakeholders, and perhaps because of the lack of a statute, the privacy ombudsman appeared to have adopted a conciliatory approach to dealing with data controllers.
Now, with a statute and an appreciable number of milestones in its data journey, the NDPC cannot but be more assertive. The country has achieved a lot of backend progress, beginning with the institution of the Nigeria Data Privacy Regulation (NDPR) and the setting up of the Nigeria Data Protection Bureau (NDPB), which transitioned to become the Nigeria Data Protection Act (DPA) and the Nigeria Data Protection Commission (NDPC) as the executing agency.
Much has been done in terms of policy formulation and even awareness, but not so much with enforcement, which, understandably, has to do with the conciliatory posture of the NDPB, now NDPC.
Progress by NDPC should mean data controllers must be accountable
Those milestones clearly affirm that 2024 should see some aggressive enforcement while the commission strengthens the other areas in which it has made progress, including engagement and collaboration to establish communication channels with big corporate players and tech giants, allowing the NDPC to continuously engage in dialogue about data protection regulations.
It is time for big corporate players and tech giants to be made more accountable and forced to get serious with issues of data protection and users’ privacy. It appears only the stick will work while the NDPC consolidates all the other areas in which it has made progress.
What are the other areas the NDPC needs to strengthen while it wields the stick? Important on the list is public awareness. Yes! There have been educational campaigns by the NDPC in terms of public awareness to educate users about their rights regarding data privacy, but this is still very limited. There is still a lot to be done to push awareness campaigns, empower users to make informed decisions about their data sharing practices, and avoid the awkward Worldcoin scenario that played out in Kenya. Today, the likes of Facebook (Meta) and TikTok get away with appalling breaches requiring the NDPC to investigate and apply the law. Financial institutions and many other major data controllers still treat customers’ privacy issues with levity.
Then there is user consent. The DPA already lays out the ground rules for user consent and transparency. It is now left for the commission to aggressively enforce the rules that ensure tech and finance companies obtain explicit consent from users before collecting, processing, or sharing their data. As is the case in Kenya, the NDPC must ensure that operators have transparent privacy policies that are easily accessible and understandable to users. For now, the consent policies that most organisations present to users are vague and leave users with no choice but to adhere to policies that negate the law.
Of course, there is the significant progress made in the area of data risk assessments and impact analysis. Right from its days as the manager of the NDPR, the privacy watchdog had laid out the steps for data risk assessments and impact analysis, mandating Data Protection Compliance Organisations (DPCOs) to help data controllers conduct regular risk assessments and impact analyses of how they handle user data, which can identify potential vulnerabilities and areas for improvement. The annual data audit filing by DPCOs has created a unique Nigerian solution in the data protection industry.
The year 2024 should see more robust ‘Complaint Resolution Mechanisms’ that make available an easy-to-access and streamlined window for users to report data privacy violations and that also ensure a swift and effective mechanism for addressing these complaints.
Then there are the data localization requirements, which will require a strong push for implementing regulations that mandate the localization of data within Nigeria to allow for better control and oversight of user information. This is a long haul for the NDPC, requiring wider stakeholder engagement, including with other sister agencies, and a closer look into existing statutes and government policies, as this may entail stipulating that user data must be stored on servers within the country’s borders.
Pressure to impose fines
A very important point to note is that there will be a lot of pressure on the NDPC from the presidency. This government needs money and is driven by a vision to internally generate funds through regulatory agencies considered to be statutorily empowered to make money through payment of annual levies and imposition of fines.
The Nigerian Communications Commission (NCC) is modeled on this premise and in 2023, the Federal Competition and Consumer Protection Commission (FCCPC) demonstrated it could deliver too, like the NCC. The commission generated in excess of N56 billion despite zero budgetary allocation and remitted about N22.4 billion to the federal government. About 90% of its 2023 revenue derived from sanctions and penalties against organisations that breached the law guarding its operation as a regulator.
Since 2022, the FCCPC has been notably aggressive with its regulatory framework targeting digital money lenders (DMLs), also called loan apps. It ceaselessly applied sanctions and penalties; in some cases, delisting DMLs deemed to be operating outside of the law.