This is Nigeria; anything you see, take it like that.
Nigeria, Africa’s most populous nation, faces a critical challenge in safeguarding its citizens’ personal data.
In an age where data is currency, recent incidents have exposed alarming vulnerabilities in the country’s data protection infrastructure, raising serious concerns about privacy, identity theft, and fraud.
In this article, I examine the current state of data protection in Nigeria, focusing on recent data breaches, the Nigeria Data Protection Act of 2023, the level of compliance across both public and private sectors, and the steps needed to strengthen data security moving forward.
The XpressVerify.com Incident (March 2024)
In March 2024, the Foundation for Investigative Journalism published a shocking report revealing that the website XpressVerify.com had unrestricted access to the National Identification Numbers (NINs) and personal details of registered Nigerians.
For a mere ₦200 (approximately $0.13), anyone could retrieve sensitive information, including:
- Phone numbers
- Full names
- National Identification Number (NIN)
- Addresses
- Photographs
This data was sourced from the National Identity Database, managed by the National Identity Management Commission (NIMC).
The AnyVerify Breach (June 2024)
Just three months later, in June 2024, TechCabal reported that another website, AnyVerify, was selling Nigerians’ data for as little as ₦190 (approximately $0.12).
This occurred despite the NIMC’s assurances that steps had been taken to address the March incident, further highlighting the persistent vulnerabilities within Nigeria’s data protection systems.
NIMC licenses its database access to banks, fintechs, and other partners for a fee, yet AnyVerify was not a licensed partner, raising questions about how the website accessed the database.
Government Response and Denials
The NIMC swiftly denied any breach to its database following both incidents.
The commission asserted that only licensed partners could offer NIN verification and access the database.
However, these claims were quickly challenged:
- The Cable’s investigative report revealed that NIMC had recently reinstated the NIN Verification Service (NVS), a system with a troubled history. It was originally shut down in 2017 after a World Bank-commissioned investigation found that it had significant vulnerabilities.
- These flaws allowed unlicensed parties to access the personal data of all Nigerians captured in the NIN database.
- Some NIMC staff members were implicated in profiting from these transactions.
- The Nigeria Data Protection Commission (NDPC) investigation found NIMC’s security infrastructure compliant but indicated that the March breach resulted from access abuse by NIMC agents. Arrests were reportedly made in connection with the incident.
Demonstrating the Breach
The gravity of the situation was starkly illustrated by Gbenga Sesan, Executive Director of Paradigm Initiative.
In a shocking demonstration, Sesan and his team were able to purchase the NIN slip of Dr. Bosun Tijani, the Minister for Digital Communication, under whose jurisdiction the NIMC operates.
In a televised interview, Sesan said:
“We got the NIN slip of the minister, Dr Bosun Tijani; we got the NIN slip of the number one data regulator in Nigeria, Dr Vincent Olatunji. We bought them for ₦100 each to demonstrate that this is not a joke. It basically means that your identity is for sale for ₦100.”
The implications of this breach are far-reaching and potentially catastrophic. Sesan elaborated:
“The real implication is that we can do anything with an NIN slip, we can get a SIM card with that.
Who knows if anyone has the President’s SIM card right now? Or the National Security Adviser? A military general leading warfare in a place where they are dealing with terrorists?
What if a terrorist bought the general’s NIN slip, got his SIM card and sent a message to the troops and said, ‘Meet me at 0700. 14 degrees north,’ just to ambush them? The implications are serious. It means that anybody can claim to be you.”
This demonstration not only confirmed the authenticity of the breach but also highlighted its far-reaching implications, showing that even high-ranking government officials are not immune to this massive privacy violation.
Nigeria Data Protection Laws

Nigeria’s journey towards comprehensive data protection legislation has been relatively recent and, some would argue, inadequate.
For many years, data protection was addressed piecemeal through various sectoral regulations and laws, none of which provided a holistic framework for protecting personal information.
The most significant step towards data protection came in 2019 with the introduction of the Nigeria Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA).
In 2022, the Nigeria Data Protection Commission (NDPC) was established to centralise and strengthen the enforcement of data protection regulations.
In 2023, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Act (NDPA), reaffirming the Nigeria Data Protection Regulation (NDPR) of 2019.
The NDPA ensures the continued validity of all regulations, rules, and guidelines established in the NDPR, unless and until they are repealed.
With the enactment of the Data Protection Act in 2023, the NDPC assumed responsibilities for data protection regulation from the National Information Technology Development Agency (NITDA).
Nigeria Data Protection Act (NDPA) – 2023
The NDPA provides a more robust and comprehensive framework for data protection in Nigeria compared to the NDPR.
Key enhancements in the NDPA include:
1. The legitimisation of the Nigeria Data Protection Commission (NDPC): The NDPA legitimised the establishment of the NDPC to oversee the implementation and enforcement of data protection laws. This central regulatory body ensures a more coordinated and effective approach to data protection compliance and enforcement.
2. Expanded Rights for Data Subjects: The NDPA explicitly outlines the rights of data subjects, including the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, and the right to object.
3. Enhanced Data Security Requirements: The NDPA mandates that data controllers and processors implement robust security measures, such as encryption, pseudonymisation, regular risk assessments, and security testing, to protect the integrity and confidentiality of personal data.
4. Stricter Conditions for Cross-Border Data Transfers: The NDPA imposes stringent conditions for transferring personal data outside Nigeria, requiring that the recipient country has adequate data protection laws or that explicit consent is obtained from data subjects.
5. Clearer Obligations for Data Controllers and Processors: The NDPA provides detailed guidelines for data controllers and processors, including the requirement for written contracts with third-party processors, adherence to data protection principles, and implementation of appropriate technical and organisational measures to safeguard personal data.
In addition, the Act introduces a class of “Data Controllers of Major Importance” (DCMIs) and “Data Processors of Major Importance” (DPMIs), which are subject to more stringent requirements.
In February 2024, the Commission issued a Guidance Notice clarifying the definition, which was not explicitly set out in the Act.
A data controller or processor is deemed of major importance if they:
(a) Operate in sectors like financial services, communication, healthcare, education, insurance, or exports.
(b) Process the personal data of more than 200 individuals within six months.
(c) Provide ICT services involving the use of digital devices with storage capacity owned by others.
DCMIs and DPMIs are mandated to register with the Commission.
These entities are also classified into three levels, based on their level of data processing:
- Major Data Processing-Ultra High Level (MDP-UHL)
- Major Data Processing-Extra High Level (MDP-EHL)
- Major Data Processing-Ordinary High Level (MDP-OHL)
6. Increased Penalties for Non-Compliance: The NDPA introduces higher penalties for non-compliance.
Data Controllers and Processors of Major Importance (DCMIs and DPMIs) face even stricter penalties, with fines exceeding ₦10,000,000 or 2% of their annual gross revenue of the preceding financial year, if they are found in violation of the Act or its subsidiary regulations.
Regular data controllers and processors, by contrast, are subject to fines of ₦2,000,000 or 2% of their annual gross revenue.
7. Automated Decision-Making Provisions: The NDPA addresses the issue of automated decision-making, granting data subjects the right to avoid decisions made solely based on automated processing, which could significantly impact their rights and freedoms.
8. Broader Scope of Application: The NDPA applies to data controllers and processors both within Nigeria and those outside Nigeria who process the personal data of Nigerian data subjects.
The State Of Data Protection In Nigeria
In Nigeria, as with many developing nations, the implementation of policies often falls short of their ambitious text.
Data protection is no exception, plagued by the all-too-familiar bureaucratic inefficiencies that have become a hallmark of governance in the country.
The Nigeria Data Protection Commission (NDPC) reports a stark disparity in compliance rates: while the private sector achieves a modest 55%, the public sector lags significantly at a mere 15%.
This discrepancy is particularly alarming, given the sensitive nature of what is at stake.
Perhaps most concerning is the case of the National Identity Management Commission (NIMC), the very institution entrusted with safeguarding the personal information of Nigerian citizens.
Despite its critical role, the NIMC has repeatedly fallen victim to data breaches, seemingly unable to fortify its systems against such incursions.
This vulnerability is symptomatic of a deeper malaise within Nigeria’s public sector.
The pervasive culture of corruption, where almost every service has its price, undermines the integrity of data protection efforts.
The unspoken rule seems to be that there’s always someone willing to be compromised for the right amount.
Compounding this issue is the apparent lack of accountability.
Data breaches, no matter how severe, rarely result in significant consequences for those at the helm.
According to Sesan, evidence of the NIMC database breaches was sent to the NDPC, yet the NIMC only got a slap on the wrist.
The absence of high-profile prosecutions or dismissals suggests that such incidents are not deemed sufficiently scandalous to warrant decisive action from the administration.
Until there’s a fundamental shift in this paradigm – one that prioritises data security, enforces strict accountability, and views data breaches and mishandling as the serious violations they are – the rot will continue to permeate the system.
The gap between well-intentioned policies and their practical implementation remains a critical challenge in securing the data rights of Nigerian citizens.
What Needs to Change
There are concrete steps that can be taken to secure the personal data of Nigerians and restore public trust.
The path forward requires a multi-pronged approach, encompassing stronger enforcement, technological upgrades, comprehensive legislative reforms, and a culture shift towards accountability.
Here are the key solutions that must be prioritised:
Strengthening Enforcement of Data Protection Laws
Current enforcement of the NDPA remains inconsistent. One of the most pressing issues is the lack of accountability for data breaches in the public and private sectors. There needs to be swift and decisive action when laws are violated.
Solution:
- Empower the NDPC: The Nigeria Data Protection Commission (NDPC) must be given the necessary resources and authority to act independently and enforce penalties without interference. This includes more frequent audits, regular compliance checks, and faster response times to reported breaches.
- Zero Tolerance for Corruption: There needs to be zero tolerance for corruption within the public sector, especially in agencies like NIMC, which are entrusted with citizens’ personal information. Efforts must be made to ensure that those responsible for breaches face severe legal consequences, including criminal charges.
- Public and Private Sector Transparency: Both public and private organisations should publish regular transparency reports on data security measures and compliance with NDPA regulations. This would not only boost accountability but also provide citizens with clearer insights into how their data is being protected.
Technological Upgrades and Infrastructure Improvements
The National Identity Management Commission (NIMC) and other data-handling agencies must modernise their technological infrastructure to defend against breaches. The increasing sophistication of cyberattacks and the sheer volume of data being handled demand state-of-the-art security systems that can withstand evolving threats.
Solution:
- Adopt Advanced Cybersecurity Technologies: Government databases, especially those containing sensitive personal information like the NIN database, need to be upgraded with advanced encryption, multi-factor authentication, and real-time monitoring systems to detect and block unauthorised access.
- Regular Security Audits: Independent audits by third-party cybersecurity firms should be conducted regularly to identify weaknesses and vulnerabilities in Nigeria’s data protection infrastructure. These audits must lead to actionable improvements, not just reports that gather dust.
- Collaboration with Global Security Experts: Nigeria should collaborate with international cybersecurity bodies to learn from best practices and adopt cutting-edge technologies that are already being used successfully around the world.
Cultural Shift Towards Data Protection and Privacy
A major barrier to effective data protection in Nigeria is the lack of a privacy-conscious culture—both within organisations and the general public. Many citizens are unaware of their data rights, and organisations often prioritise profit over privacy, which leads to weak security measures and a casual attitude towards breaches.
Solution:
- Public Awareness Campaigns: The government, in partnership with NGOs and educational institutions, should launch nationwide campaigns to educate citizens on their data rights and how to protect themselves. This could include easily digestible guides on how to check if their data has been compromised, how to protect their online identity, and how to report breaches.
- Mandatory Data Protection Training for Companies: Organisations, particularly those handling sensitive data, should be mandated to provide regular training on data protection laws and privacy practices to all employees. Employees should be fully aware of the importance of safeguarding personal data and the legal consequences of mishandling it.
- Incentivise Compliance: Instead of only focusing on penalties for violations, the government should consider incentives for companies that achieve high levels of compliance with data protection laws, such as tax breaks or public recognition.
Comprehensive Legislative Reforms and Implementation
While the NDPA offers a solid foundation for data protection, there are gaps in its implementation. More specific guidelines on how to handle data breaches, alongside greater clarity on the responsibilities of private and public sector organisations, could further strengthen the law.
Solution:
- Introduce Clearer Guidelines on Breach Management: The NDPA should be supplemented with clear guidelines on how organisations should respond to a data breach. This includes timelines for notifying affected individuals, offering compensation or support, and steps to prevent similar breaches in the future.
- Expand the Scope of Data Protection: The law should be extended to cover emerging technologies such as AI, biometrics, and big data analytics, ensuring that these systems adhere to the same rigorous privacy standards.
- Improve Data Retention Policies: New regulations should require that data controllers only retain personal data for as long as necessary. This will prevent the long-term storage of sensitive information, reducing the risk of data breaches.
Encouraging Private Sector Responsibility
The private sector plays a critical role in protecting personal data, yet many companies still operate without full compliance with the NDPA. There is often a lack of accountability, especially in industries where personal data is central to operations.
Solution:
- Mandatory Data Protection Officers (DPOs): Large organisations should be required to appoint a Data Protection Officer (DPO) who oversees compliance with the NDPA, handles data protection issues, and ensures that proper security measures are in place.
- Audit and Reporting: Regular data audits should be mandated for companies handling large volumes of personal data, with these audits being publicly reported. This will make companies more transparent and help build consumer trust.
- Stricter Penalties for Non-Compliance: The government should enforce the penalties outlined in the NDPA, ensuring that companies who violate data protection laws face meaningful consequences, including hefty fines and reputational damage.