REINTERROGATING DATA LOCALISATION LAWS IN NIGERIA By Data

RE-INTERROGATING DATA LOCALISATION LAWS IN NIGERIA By Data Privacy and Protection Group

TABLE OF CONTENT 1. Contributors. . . . 4 2. Introduction. . . . 6 3. Nature of Data Localisation. . . . . 7 4. The Nigeria Data Protection Bill 2020. . . . . 10

TABLE OF CONTENT 5. Operation of Data Localisation Laws in Some Foreign Jurisdictions. . . . 13 6. Recommendations. . . 18 7. Conclusion. . . . 20

CONTRIBUTORS 1. EWAOLUWA VICTORIA OLASOJI (OBAFEMI AWOLOWO UNIVERSITY) 2. DAVID ADEMOLA OLAJIDE (OLABISI ONABANJO UNIVERSITY) 3. GLORY IDOWU BOLUWATIFE (UNIVERSITY OF LAGOS) 4. EMIOLA OLALEKAN YUSUF (BAYERO UNIVERSITY KANO) 5. FAITH B. ADERIBIGBE (AJAYI CROWTHER UNIVERSITY) 6. SOLOMON VENDAGA ATER (UNIVERSITY OF ABUJA)

CONTRIBUTORS 7. RACHAEL IBRAHIM DAWHA (AHMADU BELLO UNIVERSITY) 8. ENIOLA OLUWASEUN ASHADE (UNIVERSITY OF LAGOS) 9. HALIMA UMMI ISMAIL (BAYERO UNIVERSITY KANO) 10. CHIBUIKE EWENIKE (UNIVERSITY OF LAGOS) 11. MARYAM ABDULGANIYU YUSUF (BAYERO UNIVERSITY KANO) 12. MONDAY UNIVERSITY) KAYODE FOLARANMI (OBAFEMI AWOLOWO

INTRODUCTION The flow of data across borders is a contentious issue countries encounter when developing data protection laws and regulations. In the Internet era, data naturally flows across national boundaries and gains value due to the flow. It has become a basic consensus that data flow can lead to technology flow, capital flow and talent flow. In this sense, the requirement of data localization seems to run counter to it. Proponents for data localization argue that it is essential for information security, data privacy, national data sovereignty, law enforcement, potential support for businesses, among others. Opponents of data localization, however, regard it not only as a trade barrier, but even as a way to undermine the global interconnectedness of the Internet and thus overturn the existing world order.

NATURE OF DATA LOCALISATION Primarily, data localization is a compulsory legal mechanism and permission to use, process and store data within its territory of origin. It is a way of storing data within the physical boundaries of the country from which the data originates. Thus, data governed by a country’s localization law cannot be transferred to another country for storage and processing (except in cases where certain conditions have to be met). In other words, data subject’s data cannot be moved, transferred or exported outside the country of its origin unless certain terms are fulfilled.

NATURE OF DATA LOCALISATION Data localization laws are sometimes referred to as “data sovereignty laws” because they reflect a country’s assertion of sovereignty over data originating from that country. It can be said that there are three types of Data Localization measures commonly employed, which are: (i) Requirements to store all data in facilities located inside of the state; (ii) Requirements to store specific sets of data in facilities located inside of the state; and (iii) Requirements to transfer data only to states with adequate legislative and security measures in place with particular purposes and for a limited time. Data localization measures may be seen as an information barrier, as they can limit information and data flow across borders.

NATURE OF DATA LOCALISATION The requirements for data localization is rapidly evolving and has been recently enforced in many countries including: Vietnam, Indonesia, Brunei, Iran, China, Brazil, India, Australia, Korea, Nigeria and, most recently, Russia. Nigeria has required all subscriber and consumer data of ICT service providers as well as all government data to be stored locally within the country since December 2013 through its Guidelines on Nigerian Content in ICT.

THE NIGERIA DATA PROTECTION BILL 2020 The draft of the Data Protection Bill 2020 was recently introduced by the Federal Government through the Legal and Regulatory Reform Working Group which was constituted in March, 2020, in furtherance of the Federal Government’s implementation of the Nigeria Digital Identification for Development Project. The Bill goes seeks to protect personal information such as banking records, academic transcripts, health records, and personal subscription data. Under the Bill, what constitutes personal data is not exhaustive as it makes a provision for definitions to be included in guidelines to be made by the Data Protection Commission. The Bill sets out six categories of persons covered by the proposed Act which include Nigerian citizens, Nigerian residents, organizations incorporated in Nigeria, unincorporated joint ventures or associations (businesses) operating partly or wholly in Nigeria; persons who maintain an office, branch or agency through which business activities are carried out in Nigeria; and foreign entities targeting Nigerian residents.

THE NIGERIA DATA PROTECTION BILL 2020 On its face, the Bill seems to repeat the provisions already in the NDPR, however, it sheds more light on protections provided in the NDPR. It also appears to be in line with global best practices and may position the country as a more formidable presence in the world markets, if passed into law. The incoming Bill has critically addressed the void created by the absence of data Protection laws in Nigeria. However it is expected that answers would be provided on the questions that arise from the review of the Bill before it's passed into law. However, Nigeria Data Protection Bill of 2020 doesn’t holistically address data localization, nor poses as a tool which should aid effectual data localization within the country.

THE NIGERIA DATA PROTECTION BILL 2020 According to the Bill, the trans-boundary transfer of personal data may only take place where an adequate level of protection based on the bill is secured in the recipient State or international organization. The trans-boundary transfer of personal data may also take place where the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; the specific interests of the data subject require it; and prevailing legitimate interests, especially public interests are provided for by law. These provisions are synonymous with those contained in the NDPR except that the requirement for the supervision of the Attorney General required under the existing regulation has been avoided. To a considerable extent, this part of the bill eliminates the bottlenecks that may arise in fulfilling the conditions of international transfer of data.

OPERATION OF DATA LOCALISATION LAWS IN SOME FOREIGN JURISDICTIONS Tll date, at least thirty-four countries have adopted data localization laws, including Germany, Russia, Greece, Taiwan, China, Vietnam, Malaysia, Brazil, and Australia. In Russia, Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and the Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006, provides that data collected by cooperation if their nature of business has to do with collecting, recording, systematization, accumulating, storing, clarifying (updating and modifying) and extracting personal data must be localized in Russia. This law also applies if an international company uses the domain names “. ru, . рф”, has a Russian-language website, receives payment in Russian rubles or delivers goods to the Russian Federation. In essence, any company doing business in Russia or with Russians may be affected by the law, even if it is not registered in Russian data localization law does not prohibit further processing of Russians’ personal data abroad, if this data was previously included in a Russian database and is updated there as necessary

OPERATION OF DATA LOCALISATION LAWS IN SOME FOREIGN JURISDICTIONS In Indonesia, the Government Directive 82 of 2012 mandated that all electronic system operators who provide public services” must establish a data center in Indonesia. However, 7 years later through Regulation 71 of 2019, Indonesia repealed the former law and has now restricted data localization requirement to “public electronic system operators” only. conditions as provided by the Article. In the United Arab Emirate (U. A. E), data localization legislation exists in the finance sector. ‘The Regulatory Framework For Stored Values and Electronic Payment Systems’ by the Central Bank of The UAE (2017) is of the provision that all Payment System Operators (PSPs) to store and retain all User and transaction data exclusively within the borders of the UAE.

OPERATION OF DATA LOCALISATION LAWS IN SOME FOREIGN JURISDICTIONS In Australia, Data localization is required when it comes to the health Sector. All personal health records are to be stored in Australia only. However, it is important to note that Some countries are against the Data Localization policies as trans-boundary data flows generate higher productivity, greater innovation, and improved sustainable development.

OPERATION OF DATA LOCALISATION LAWS IN SOME FOREIGN JURISDICTIONS However, it is important to note that Some countries are against the Data Localization policies as trans-boundary data flows generate higher productivity, greater innovation, and improved sustainable development. Article 19. 12 of the Agreement between the United States of America, the United Mexican States, and Canada(USMCA 2020) which was signed Provides that “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory. ” Consequently, UK-Japan Comprehensive Economic Partnership Agreement which was signed in September, 2020 has put a ban to data localization. Under the deal, British businesses will not have to bear the extra cost of setting up servers in Japan.

OPERATION OF DATA LOCALISATION LAWS IN SOME FOREIGN JURISDICTIONS The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a trade agreement between Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam which entered into force a majority of signatories in January 2019, contains specific provisions prohibiting data localization. While recognizing that each country may regulate data, Article 14. 13 of the CPTPP includes a prohibition on data localization as a condition for conducting business in that territory. The CPTPP includes a broad exception to the localization rule, To fall within the exception any such law must (i) serve a legitimate public policy objective, (ii) must not be applied in an manner that does not constitutes arbitrary or unjustifiable discrimination or disguised restriction on trade, and (iii) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the law's objective. The specific policy objective of any law may be set by each country, and is not subject to contestation.

RECOMMENDATIONS It is important to note that the free flow of data is essential to the growth of the digital economy, which makes the enforcement of data localization in some countries a major bottleneck for some Internet-enabled services and industries. The role here is not only that of the governments or the regulators of these countries to propose solutions, but it is rather a global responsibility where governments and industry players should make a concerted effort to guarantee information flow and security. Such moves have recently been witnessed with Verizon Media launching its One. Search privacy-focused search engine which is designed to “forget” users’ data and not share it with advertisers. This feature was designed with consumer privacy in mind and it is the same reason that Google cited when it launched its plan to phase out its support for third-party cookies in Chrome by 2022.

RECOMMENDATIONS Essentially, moderate requirements such as the right to be forgotten, the ability to provide consent to use personal data, among others, can be pushed through precise, clear and easy to understand terms of use. A survey conducted in the US in 2017 found that over 90% of people agree to terms of use of a given service without reading them. Again, the Nigerian Data Protection Bill 2020 should target to enhance the privacy of citizen’s data much more within its territory of origin. Having also aiming to maintain the safety of data in Nigeria, the leakage of such outside the base country should be strictly secured unless otherwise—where particular terms and conditions have been met. Additionally, parameters and structures should be set up to accentuate the implementation of the intention of the NDP bill. Finally, bilateral relationships between countries are expected to aid data localization. Breach of it should be reported and given the expedient attention it deserves.

CONCLUSION The continuous increase in the number of internet users evidently confirms the statistical record that more than half of the world’s population is online. This has consequently influenced the lives of these users as there is an uptick in the flow of data nationally and across borders, data captured includes those used for financial services, healthcare, telecommunications, media, politics education, legal services etc. However, as this flow of data is faced by the illicit activities of cyber criminals, the concern is now driven to the protection of these users privacy. This is why Data Localization requires companies and institutions that use, store or process data online to do so in the country where data originates from.