CRIITICAL REVIEW OF NDPC’S CATEGORISATION OF DATA CONTROLLERS AND PROCESSORS OF MAJOR IMPORTANCE

By Eliz’beth Layeni and Nonso Anyasi

Introduction

President Bola Ahmed Tinubu recently signed the Nigeria Data Protection Act, 2023 (“NDPA” or the “Act”) into law, thus making it the primary legislation on data protection in Nigeria. Data protection was previously regulated under the Nigerian Data Protection Regulation (NDPR) 2019 and the Data Protection Implementation Framework (DPIF) 2020.

Before the enactment of the Act, the handling and processing of data in Nigeria were regulated under the NDPR and the DPIF. The National Information Technology and Development Agency (NITDA) and the National Data Protection Bureau (NDPB) were the regulators saddled with the responsibility of implementing the NDPR and other data privacy matters in Nigeria.

With the implementation of the Act, Nigeria joins the list of countries with substantive legislation on data protection and privacy. The Act has been received with enthusiasm by data protection experts who predict that it will clarify the grey areas that the NDPR could not address, increase protection for data subject rights, make Nigerian businesses more attractive to foreign investors/participation, and strengthen the country’s position in the digital economy.

Following its enactment, the Act made significant changes to the extant regulation on data protection in Nigeria through the introduction of several concepts. Amongst other things, the Act establishes the Nigeria Data Protection Commission (the “Commission”), which replaces the NDPB and takes on its functions. The Act also introduces the concept of the registration of data controllers/processors of major importance, legitimate interest as one of the lawful basis for processing data, the conditions that must be satisfied when processing the data of children and special persons, robust penalties for non-compliance, and the principle of vicarious liability for data processors and data controllers.

This Article addresses the concept of data controllers/processors of major importance as introduced by the Act (in line with the Guidance Notice issued by the Commission) and analyses its efficiency in safeguarding the security of personal data and the privacy of data subjects during processing activities.

Data Controllers/Processors of Major Importance
The Act introduces the concept of “data controllers/processors of major importance” and places more stringent compliance requirements for data controllers/processors in this category including requirements on registration, compulsory appointment of data protection officers (DPOs), and the maximum penalties for infringement of the Act.

The Act defines data controllers and processors of major importance as those who are resident, domiciled, or operating in Nigeria and who process the data of a certain number of subjects exceeding an amount to be determined by the Commission or who process a class of personal data that the Commission may regard as being of ‘particular value’ or ‘significance’ to the economy, society, and security of Nigeria. We submit that this provision of the Act which leaves the delineation/classification of controllers/processors of major importance to the discretion of the Commission is too vague.

Under the Act, potential data processors and controllers are also required to register with the Commission within 6 (six) months of the commencement of business operations as a data controller or data processor of major importance.

As part of the registration requirements, data controllers and processors are required to disclose to the Commission the nature, purpose, and number of personal data being processed, etc. Additionally, data processors or controllers of major importance shall also notify the Commission of any subsequent changes to the information submitted during registration within 60 (sixty) days of the change.

Subsequently, the Commission has, under a Guidance Notice (the “Notice”) issued on 14 February 2024, attempted to define and outline the compliance requirements for data controllers and processors of major importance. The Notice provides that data controllers and processors will be deemed to have “particular value or significance to the economy, society or security of Nigeria, and shall be designated to be of major importance if they:
process the personal data of more than 200 (two hundred) data subjects in 6 (six) months; or carry out cloud computing services for commercial purposes; or
process data as an organisation or service provider in the financial, commercial, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power sectors.”

A data controller or processor will also be deemed to be of major importance where they have/owe a fiduciary duty to a data subject, including where the data controller or processor is expected to keep confidential information on behalf of the data subject.

Additionally, the Notice also classified data controllers and processors of major importance into 3 (three) levels of data processing, namely: Major Data Processing – Ultra High Level (MDP – UHL); Major Data Processing – Extra High Level (MDP -EHL); and Major Data Processing – Ordinary High Level (MDP – OHL).

The omission of a specific threshold of data in the Act is also a prominent departure from the NDPR, which had varying compliance obligations for data controllers that handled the personal data of more than 1,000 (one thousand) data subjects and for data controllers that processed the personal data of less than 2,000 (two thousand) data subjects.

The NDPR also based its sanctions on the amount of personal data processed by the data controller. Data controllers who handled the personal data of more than 10,000 (ten thousand) data subjects were, in the event of default, liable to stiffer penalties than data controllers who handled the personal data of fewer than 10,000 (ten thousand) data subjects.

The Notice has now provided a further threshold for the different levels of data processing, in addition to the processing threshold to qualify as a data controller of major importance. Data controllers under the MDP – UHL category process data of over 5,000 (five thousand) data subjects in 6 (six) months, MDP – EHL category processes data of over 1,000 (one thousand) data subjects in 6 (six) months, while MDP – OHL processes data of over 200 (two hundred) data subjects in 6 (six) months.

Under the Act, the financial remedial sanctions for infringement or non-compliance are also divided based on the classification of data controllers/processors of major importance and data/controllers not of major importance. For the former category, the penalty is a “higher maximum amount” which is defined as the greater of ₦10,000,000 (ten million Naira) or 2% (two percent) of the controller’s annual gross revenue in the preceding financial year. On the other hand, controllers/processors not of major importance are subject to fines of “standard maximum amount” which is the greater of ₦2,000,000 (two million Naira) or 2% (two percent) of its annual gross revenue in the previous financial year.

The imposition of maximum penalties on data controllers/processors of major importance under the Act is based on the threshold categorisation alone and not on other important factors such as the nature and impact of the infringement on data subjects. This may result in the Commission focusing only on the market’s big players due to the quest for bigger fines, thus leaving data subjects vulnerable at the hands of the smaller controllers. It is expedient that the Act does not make the mistake of focusing on the large market players alone while ignoring smaller players who can cause even greater risks and damage to personal data and data subjects, merely based on the principle of categorisation.

Our Criticism of NDPC’s Classification
We submit that the criteria for qualification as a data controller or processor of major importance under the Notice (processing of personal data of at least 200 data subjects within a 6 (six) month period) is too broad and ineffective. Although this minimal threshold for designation of controllers or processors of major importance may be spurred by the Commission’s noble intention of introducing stronger safeguards for the personal data of Nigerians, we submit that the approach employed by the Commission is counter-productive for the following reasons.

First, most organisations that process data of Nigerian subjects will fall under the threshold of a controller of major importance and qualify at least under the category of MDP-OHL because all that is required to be classified as a controller or processor of major importance is the processing of personal data of at least 200 persons within 6 (six) months. Nigeria has a very large population of at least 220,000,000 (two hundred and twenty million) persons, the majority of whom are actual and potential data subjects. Hence, many small businesses will fall under the categorisation of MDP-OHL using this threshold, and outside the protection of the “de-minimis rule” which essentially aims to exclude regulators from enforcing “minor” infringements of the law. This defeats the fundamental purpose of delineating crucial data controllers and processors of major importance as entities that should be subject to stricter compliance requirements to ensure the security of personal data and the privacy of data subjects.

Second, the minimal threshold for the classification of controllers of major importance under the Notice renders the provision of section 48 (5) of the Act moot to the extent that it would be difficult to impose the standard maximum amount as a penalty or remedial fee on any data controller or processor, not of major importance. This is because most organisations that process the data of Nigerian subjects will qualify as data controllers and processors of major importance and thus, be subjected to the higher maximum amount as a penalty or remedial fee. Although this may ultimately enhance the deterrent effect of the Act, it would also ultimately water down the punitive and revenue-generating efficiency of the Act as most small and medium-sized businesses which qualify as controllers or processors of major importance would be unable to meet the higher maximum amount and will hence struggle to satisfy the fines for infringement in addition to their other operational expenses.

Consequently, we recommend that other factors should be taken into consideration in imposing penalties for a breach of the Act. The Act imposes penalties on data controllers and processors based on categorisation alone. Other factors that can inform the imposition of maximum penalties could include the risk accompanying such infringement, the nature, gravity, and duration of the infringement, safety measures implemented by the defaulting data controller or processor, and the purpose of data processing.

Conclusion
It is without doubt that Nigeria tried to copy the European Union’s General Data Protection Regulation 2018 (EU GDPR), with minor modifications to fit the Nigerian context. However, the EU GDPR does not use a classification of controllers/processors of personal data based on the number of personal data processed within a given period, as is the case with the Act. The EU GDPR also mandates the supervisory authorities to impose fines and sanctions for non-compliance with the provisions of the GDPR based on the gravity of the infringement. The supervisory authorities within the EU are specifically bound to impose administrative fines on a “case-by-case basis”. In addition, the supervisory authorities are under a legal obligation to consider several factors in the assessment of the fine to be imposed in the case of an infringement. More importantly, the supervisory authorities must ensure that the final amount of the fine resulting from this assessment must be effective, proportionate, and dissuasive in each individual case.

One of the commendable initiatives of the Notice is that it requires data controllers and processors of major importance to abide by global and the highest attainable standards of data processing. Hence, these data controllers and processors may be required to also comply with the EU GDPR standards as a matter of best standards, and also when they engage in processing activity that falls under the scope of the GDPR. Global data processing standards require data controllers and processors to implement safeguards and measures that protect data against hazards.

ABOUT THE AUTHORS
Eliz’beth Layeni

Eliz’beth is a Venture and Technology Attorney. She can be reached via [email protected].

Nonsi Anyasi

Nonso is a Privacy Consultant. He can be reached via [email protected].