By Tolulope Idowu [email protected]
The recent call by the Nigeria Data Protection Commission (NDPC) for all data controllers and processors to register has raised questions about its legal basis and potential overreach. While Section Section 5(d) of the Nigeria Data Protection 2023 mandates registration for those of “major importance,” the NDPC’s blanket request seems to deviate from this stipulation.
The NDPC’s demand for universal registration raises concerns about exceeding its legal mandate. Section 5(d) of the NDPA clearly outlines the need for registration only for “data controllers and processors of major importance.” However, the NDPC’s public notice omits this qualifier, creating confusion and potentially exceeding its legal authority.
Learning from Other African Data Protection Laws:
Comparative analysis with other African nations reveals a more refined approach to data controller/processor registration. In Kenya, Section 18 of the Data Protection Act 2019 empowers the Data Commissioner to set specific thresholds based on industry, data volume, sensitivity of data, and other relevant criteria. This allows for a more targeted and justifiable registration process. Similarly, Uganda’s Data Protection and Privacy Act 2019 requires registration of “every person, institution or public body collecting or processing personal data,” offering a clear and comprehensive approach. Article 29 & 30 of the Rwandan Law also offers specific details registration requirements for registration as a data controller or processor.
The Need for Clarity and Guidelines:
The lack of clear guidelines regarding “major importance” in the Nigerian context leaves data controllers and processors uncertain about their registration obligations. This ambiguity can lead to confusion, unnecessary compliance burdens, and potential legal challenges.
Recommendations for a More Justified Approach:
To address these concerns, the NDPC should take the following steps:
Issue Clear Guidelines: The NDPC should define “major importance” through detailed and publicly available guidelines. These guidelines should consider factors like industry type, data volume, data sensitivity, and potential risk of harm to individuals.
Implement Threshold-Based Registration: Similar to Kenya’s approach, the NDPC could establish thresholds for mandatory registration based on pre-defined criteria. This would ensure a more targeted and proportionate approach.
Engage with Stakeholders: The NDPC should actively engage with data controllers, processors, and civil society organizations to discuss the registration process, clarify expectations, and address concerns.
Conclusion:
While the NDPC’s goal of data protection is commendable, its current blanket registration call lacks clear legal justification and creates unnecessary burdens. By adopting a more balanced and transparent approach, informed by best practices and stakeholder engagement, the NDPC can achieve its objectives while ensuring compliance with the law and fostering a more predictable regulatory environment.