Legal Frameworks for Data Protection in South Africa and Nigeria

Protection of personal and corporate data is increasingly important for African businesses and individuals. Our Knowledge Series article examines the legal frameworks for data protection in Nigeria and South Africa.

By Cynthia Yav, Associate Attorney at Centurion Law Group’s Johannesburg headquarters

Information and communication technology (ICT) is increasingly at the heart of the development of our societies. With advancements in ICT we have seen different types of data presented in electronic formats and users expect ever more rapid, open and global access to information. Technology today has entirely transformed the way we interact with each other and has had a profound impact on the way in which businesses operate.

Digital information is rapidly becoming one of the most valuable assets of the 21st Century. With the emergence of new technologies and digital corporate development strategies, the need to protect personal information or personally identifiable data has increased considerably and has attracted significant awareness in Africa.

Data Protection

Data protection provides for the legal protection of a person in instances where his or her personal information is being collected, stored, used, disseminated or communicated by another person or institution. It affords individuals the right to know what information about them is being held; it provides a framework to ensure that personal information is handled properly; and it safeguards a person’s right to privacy.

In essence, data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.

As is customary with any development, modern ICT developments also entail risks. Stored data can fall into the hands of unauthorised persons and be put to improper use. Persons or entities that have access to sufficient quantities of data are able to invade the privacy of any citizen. To pre-empt any such abuse of privacy, laws must be enacted as a vital part of the protection of an individual’s privacy and personal rights.

A person has the right to determine whether his/her personal data may be disclosed and how it may be used. The right to privacy is widely considered a fundamental human right, and the protection of rights and freedoms, especially with regard to personal data and privacy, is a major concern for many democratic states.

Moreover, data protection is a crucial issue in international trade and the lack of adequate data protection may prove to be a barrier to trade. The Internet knows no borders and as such, effective international co-operation is an essential prerequisite for data privacy and protection laws to function adequately in an international context. Promoting free-flow of information across borders while at the same time ensuring that individuals enjoy the protection of their fundamental rights and freedoms is of utmost importance.

South Africa Legal Framework

South Africa’s Constitution of 1996 guarantees the right to privacy, which may be enforced by the Constitutional Court. The right to privacy is also protected under common law, with restrictions on the interception and monitoring of communications. Section 14(d) of the Constitution states that “Everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed.” The constitutional right to privacy, like its common law counterpart, is not an absolute right as it may be limited in terms of law of general application, and it has to be balanced with other rights entrenched in the Constitution. The recognition and protection of the right to privacy as a fundamental human right in the Constitution provides an indication of its importance.

After eight years of deliberations and numerous reviews, South Africa’s first data protection law, the Protection of Personal Information Act (POPI), was promulgated into law in November 2013. It is heavily based on foreign legislation, in particular the United Kingdom’s Data Protection Act of 1998.

The purpose of POPI is to give full effect to the constitutional right to privacy by safeguarding personal information when it is processed by another party, and to regulate the manner in which personal information may be processed by establishing a threshold of minimum conditions. Further, POPI provides persons with rights and remedies to protect their personal information from processing that is not in accordance with the Act.

POPI applies to every person that processes the personal information of another, where such person is domiciled in South Africa. If the person is not domiciled in South Africa, but makes use of automated or non-automated methods for the processing of personal information in South Africa, then they must also comply with the provisions of POPI. It also applies to all processing of information in the private and public sectors, and cross-border transfers, and recognises a limited number of exceptions.

POPI covers a range of issues including exclusions, the national data protection authority, the regulator, data protection officers, collection and processing of information, consent, transfers, security, electronic marketing, online privacy and enforcement. It also renders non-compliant processing of personal information unlawful and subject to a fine, criminal prosecution and/or imprisonment.

In simple terms, POPI ensures that all South African citizens and institutions conduct themselves in a responsible manner when collecting, processing, storing, sharing and disseminating another person’s or entity’s private information by holding them accountable should they abuse or compromise this data in any way.

In addition to POPI, the Regulation of Interception of Communications and Provision of Communication Related Act of 2002 (RICA) prohibits the interception and monitoring of communications without the consent of a party to the communication unless specified grounds to do so exist.

Nigeria Legal Framework

There is presently no specific or comprehensive legislative framework on privacy or protection of personal data in Nigeria. Several bills have been drafted that should address areas bordering on data protection and ICT, but none of them has yet been passed into law. Nonetheless, there are various industry-specific laws and regulations which provide a certain degree of privacy-related protection.

In this context, the main piece of legislation is the Constitution of the Federal Republic of Nigeria Act of 1999, Chapter C23, as amended, which provides in section 37 that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.

The Freedom of Information Act of 2011 in section 14 provides that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Section 16 provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, or health worker-client privilege).

Other laws that provide privacy-related protections include the Child Right Act of 2003, which limits access to information relating to children; the Consumer Code of Practice Regulations of 2007 issued by the Regulator of the Telecommunications industry, which provides for the protection of customer information against improper or accidental disclosure; and the Cybercrimes Act of 2015, which provides for the prohibition, prevention, prosecution, detection and punishment of cybercrimes and criminalises the interception of electronic communications in certain circumstances.

The National Information Technology Development Agency (NITDA), the national authority responsible for planning, developing and promoting the use of information technology in Nigeria, issued guidelines on data protection pursuant to the NITDA Act of 2007 for organisations that obtain and process Nigeria residents’ and citizens’ personal data within and outside of Nigeria.

Conclusion

There is general consensus that a greater amount of private information is being amassed in databases, and that an increasing number of people now have access to computers and telecommunications resources that may enable them to access and manipulate data.

The need to establish and/or enforce effective data protection systems in both South Africa and Nigeria (more so for Nigeria) has also become a trade and development issue. By way of example, the 1995 European Union Data Protection Directive imposes a standard of protection on any country in which the personal data of European citizens is processed, and such data can only be processed in countries that can guarantee adequate levels of protection. It is therefore imperative for South Africa and Nigeria to tighten enforcement, and/or review the content of their data protection legislation, and/or promulgate data protection requirements into law to ensure that their legislation is brought in line with the legislation of their major trading partners, which have had data protection laws in place for many years.

A number of countries have taken proactive measures to protect the fundamental human right of privacy. These include Zimbabwe, with its comprehensive Access to Information and Protection of Privacy Act; Singapore, with its Personal Data Protection Act; the UK, where the UK Data Protection Act of 1998 is coupled with other UK and EU laws protecting data and privacy; and Ireland, with its Data Protection (Amendment) Act.

While specific legislation is welcomed because it enables South Africa and Nigeria to keep up with international practice in protecting privacy rights, organisations need to carefully consider the impact that such legislation may have on their activities and business. For individuals, these laws carry the obligation for each person to take responsibility for protecting their own information.

In the case of South Africa, POPI has made it necessary for all companies to reconsider how they treat the personal information of their personnel, customers and suppliers. This can be an unnerving exercise as POPI creates new rules for every aspect of the information lifecycle – from collection of information through to dissemination and destruction.

Centurion’s multidisciplinary team of specialists has considerable experience advising and acting for clients with respect to data protection issues in various sectors in Africa, including in cross-border, multijurisdictional transactions. We review clients’ policies, procedures, processes, reporting formalities and transfers to ensure compliance with all relevant and applicable and/or pending data protection requirements in the context of particular transactions, and engage extensively with our clients to find flexible solutions in implementing the requirements imposed by various jurisdictions and laws.