By Olumide Babalola

On the 14th day of February 2024, the Nigeria Data Protection Commission issued a Guidance Notice on the registration of controllers and processors of major importance (Notice) – a commendable regulatory step with embedded questions begging for clarifications. Here are my brief opinionated thoughts on some of the factors listed by the NDPC or the implications of the Notice.

Fiduciary relationship (para 1(2))
First, we must make it clear that the NDPC’s power under the Nigeria Data Protection Act 2023 (NDPA) is to ‘prescribe’ or ‘designate’ but not to define outside the provision of section 65 thus:

“‘data controller or data processor of major importance’ means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate”

Hence, in my respectful opinion, prescription can be as to the number of data subjects, and designation as to value or significance to the economy. From this, designating controllers or processors based on fiduciary relationship (without more) not only negates the express wording of the section, but also ridiculously widens the net and thereby makes a mockery of the essence of designation.

For example, the legal definition of fiduciary relationships transcends the business world into social and personal relationships, leading to two implications. First, this conflicts with the provision of the NDPA which exempts personal or household processing from its application. Secondly, this means all private individuals with fiduciary relationships (including social and personal ones) are bound to register as controllers or processors of major importance. This could not have been the intendment of the draftsmen.

Legal competence to generate revenue on a commercial scale (paras 2.2(f), 2.3(g))
According to the NDPC, every controller and processor with legal competence to generate revenue on a commercial scale qualifies as a controller or processor of major importance. This factor is as confusing as it is unrealistic. Since the NDPC has not defined the term, one wonders whether there are business entities that lack the ‘legal competence’ to ‘generate revenue’ on a ‘commercial scale’. I suspect this is targeted at entities that have fundraising as their business objectives. They, however, need to clarify; otherwise, stakeholders will continue to ascribe multiple interpretations.

Need for accountability (paras 2.2(h), 2.3(i))
This factor cuts across all the categories of controllers and processors designated by the NDPC in the Notice. The question is – are there businesses without the need for accountability? It simply confirms the NDPC’s intention to include everybody in their categorisation and simultaneously boost their revenue-generation drive.

SMEs (para 3.1(e)(i))
SMEs that have “access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their individual businesses” are categorised as controllers of major importance. Before the NDPA was passed into law, one of the concerns of stakeholders was the implication on small businesses’ financial ability to meet the requirements of registration, audit, designation of DPO etc. This clause has now confirmed the fears of many.

No exemptions
Section 48(3)(b) of the NDPA recognises ‘data controller or data processor not of major importance’, meaning this category should be clearly identifiable. In the Notice, the NDPC expects controllers to “Abide by global and highest attainable standards”, but the Notice itself refuses to take certain lessons from international standards, such as expressly listing the exempted entities. For example, the UK ICO exempts the following controllers and processors from paying registration fees: staff administration; advertising, marketing and public relations; accounts and records; not-for-profit purposes; personal, family or household affairs; maintaining a public register; and judicial functions (see https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee/exemptions/).

Conclusion
While I sympathise with the NDPC on their necessary revenue drive, they need to avoid all forms of desperation and unjustifiable means towards achieving their imposed target. The categories of controllers or processors covered are so ridiculously wide as to cover everyone processing data in Nigeria, unless such persons do not need accountability. As things stand, the Guidance Notice requires further clarification or explanatory notes from the NDPC to resolve the uncertainty surrounding who is covered and who is not.