The National Commissioner for the Nigeria Data Protection Bureau, Dr Vincent Olatunji, speaks with TEMITAYO JAIYEOLA about the new Nigeria Data Protection Act 2023, protecting the data rights of Nigerians, regulating AI, and more
Nigeria now has a data law after many years of collaborative efforts. Please could you break down how this law would impact the average Nigerian?
The major focus of the law is to implement measures that will protect the data rights of Nigerians. That whatever data is being collected, processed, stored, or shared in any manner is done properly.
We didn’t have this before. In addition to that, there are a lot of provisions in the law that put in place measures for data controllers to create adequate safeguards to ensure that the data collected is treated properly.
In terms of safeguarding the rights of Nigerians, if there are any issues, a lot can be done now. They have a commission they can report to.
You have been investigating firms for data breaches. Could you enlighten us on this?
We have investigated so many, especially in the banking sector, telecommunications, consulting, and digital lending companies. We have interrogated their activities.
In the banking sector, we have fined about three banks, and Soko Loans in the digital lending sector. We fined Soko Loans N50m, and they are still sorting out how to pay through compliance. There are other banks that we have fined, but the approach we have been using is for them to pay remediation. If we go all the way, that is the full weight of the law, the fines would be a lot.
What we do now is to make them pay a remediation fee and take them through regulation and compliance. We are trying to improve compliance culture. To encourage companies to make it part of their practices, to make it part of their culture, we take them through compliance. Regarding some of the investigations, they are ongoing, and it takes time.
You announced an investigation into MoMo last year. Has that been concluded?
The investigation into MoMo is still ongoing and we are working with them. Ideally, we don’t make our findings public except when the company is not willing to cooperate with us.
The most important thing for us is to ensure that they do what is right to protect users, and to put in place appropriate safeguards for users. Once they are willing to cooperate with us, we do not engage in unnecessary publicity that would attract negative feedback to their businesses. We are talking about the ease of doing business here.
There was an organisation that we launched an investigation into and once that got out, shareholders started withdrawing their shares and customers started withdrawing their money. They were panicking that the bank was in distress, and that was not our intention. We just wanted to correct them and make them do the right thing. So, we are working with all those we are investigating to do the right thing.
When any organisation is not willing to do the right thing, we launch full publicity into what we are doing. We are careful because of what can happen because there is an impact when issues around data breaches get to the public.
Also, how has your conversation with Flutterwave been?
The investigation is still ongoing. We are still doing our due diligence to ensure that our decision is right. We do not want to come to a decision in a hurry and realise we did not do our due diligence. When that is done and depending on the impact and extent of the breach, we will fine them or tell them to pay a remediation fee, to ensure that they take more decisive measures. The Flutterwave investigation is still ongoing and would be finished soon.
You recently said the commission would be blacklisting firms that are not adhering to data privacy laws. How is that process going and when is it likely to be implemented?
When we started that process, there was no law, but now we have a law. What we are doing is to encourage all organisations dealing with data to register with the commission between now and December, to ensure that we capture them.
If we don’t know those we are trying to regulate, how can we effectively regulate them? So, we are starting with registration, after which we would have the annual data protection compliance audit report, which would hold between January and March 31.
The blacklist is likely to be out by March 2024. The blacklist is for organisations, companies, and data processors who do not comply with the provisions of the law. We are saying we do not want people to treat data anyhow again.
What would you say is the biggest issue with data privacy in Nigeria?
It is ignorance and capacity. How many data subjects know their rights and ask for it? How many data controllers and data processors know their jurisdictions and how many of them are doing what they are supposed to be doing? That is one, and we need awareness.
Two is the area of capacity. What is the capability and competence of your data protection staff? Do they understand the point of putting in safeguards and ensuring that there is no unauthorised access and malicious use or damage to the data? All these are major issues that we need to address.
Awareness and capacity are our major challenges in applying the data law in Nigeria. Many Nigerians do not know their data rights. Very soon, we would be coming up with a lot of awareness activities for people to know their rights.
The CBN recently asked banks to get the social media handle of their customers. This is something you and everyone have kicked against. You wrote to the CBN, and they have responded. What are you doing about the regulation now?
They cannot implement the regulation without the consent of the data subjects, who are to give out their social media handles. They need to get their consent. People need to willingly avail you of the right to collect their social media information because these are personal information.
Two, if there is going to be anything of such, there are guidelines they must draw out. Also, the regulation could be in the public interest, which is another basis for data processing. If they are doing so, they need to put in place guidelines to ensure that it remains that way.
These are some of the things we are working on to ensure that there are no ambiguities in the implementation of the regulation. In their regulatory role in the financial sector, they have the right to do a lot of things, but at the same time, that right should not override the rights of Nigerians. This is why we have asked that we work together to look at the best way to handle it.
The regulation is likely to still fly. But it would be based on the consent of the data subject. And if for the purpose of investigation, for instance, the likes of Hushpuppy and Woodberry were caught with the help of their social media activities. If this is the case, it will be on an obligatory basis, i.e., it forms part of their obligations in carrying out their mandate.
This means while carrying out their mandates, and if for the purpose of investigation they need to know A, B, C, D about a person, there is so much information on social media. We are still working on these details.
There are many conversations about big tech firms and how they use personal data. For instance, the EU’s strong law usage against personal data impacted the launch of Threads in the region. What is Nigeria doing about big tech firms and their usage of personal data?
We are working on how big tech firms use our personal data. One good thing about our law is its ability to adapt to situations. For instance, you talked about emerging technologies, and how we address issues of privacy that come up with their usage. The law has given us the power to issue regulations to be able to control what happens with them. Same thing with social media handles, we have the power in the law to issue regulations to control what they are doing.
Globally, the attention is focused on social media networks and even solution providers. Just recently, Meta was served a fine by the European Data Protection Commission. That demonstrates the level of importance attached to data protection. Also, Microsoft was fined recently in the US. If these companies can be fined, it means no one is above the law. And whichever country or region they are in, they need to take measures to comply with data privacy laws.
Also, what we are trying to do in Africa is to have a coordinated privacy law to guide the operations of multinationals and service providers in Africa. Gradually, we will get there. In Nigeria, we now have a law to properly monitor what they are doing, I am sure we will do a whole lot with it.
AI is gaining traction and many people are using its tools. There are conversations around data privacy and the US recently had to extract a commitment from major AI players. Is Nigeria doing anything about this?
AI is part of the emerging technologies that we are talking about. Virtual Reality, the Internet of Things, robotics, and more. For growing technologies, there may be some regulations. In fact, in some countries, ChatGPT has been banned, you can’t use it there. For instance, there are some apps that allow people to know what a child will look like in the future. What if that is used against the child later? This is why regulations will be in place to address the use of emerging technologies in Nigeria.
Many things have been said about the job opportunities and potential for wealth in the data protection sector. Could you expand on that?
The provision for data controllers to engage data protection officers is a big avenue for job creation. The last time we did the analysis, we figured that we would need 500,000 data controllers and processors. Currently, those that are qualified in both fields are not up to 10,000. So, there is a gap of 490,000 jobs that can be created.
Through training and equipping the data protection officers, we will create jobs. The model we have adopted so far, and backed up by the law, is a Public-Private Partnership model, where we licence Data Protection Compliance Organisations to carry out compliance as a service to data controllers and data processors. With that, we have been able to licence over 150 DPCOs, and there are people employed in these organisations (5–10 people). These people will earn their living through their various data compliance jobs.
In fact, at the last count, we identified about 17 different services which the DPCOs offer and they are creating jobs. Also, that segment is now worth over N5bn–N10bn in just three years of implementation. This speaks to the type of job and value that can be created.