A Legal Practitioner in a Lagos-based law firm, Gbenga Odugbemi, has written an open letter to the National Information Technology Development Agency (NITDA), calling on the Agency to make further clarifications regarding the need for a licensing fee for the purpose of designating organisations as Data Protection Compliance Organizations (DPCO).
DPCOs are companies licensed by NITDA to offer services related to the Nigeria Data Protection Regulation 2019 (NDPR).
Odugbemi, in the letter sighted by TechEconomy.ng, expressed dissatisfaction with the recent explanation by NITDA on ‘why law firms are ‘licensed’ as Data Protection Compliance Organisations’.
NITDA’s stand is that its “…licensed law firms understand that they represent the Agency in the drive to entrench compliance and help data holding entities to bridge the historical and systemic gap in data protection compliance in Nigeria. Unlike the requirements legal practitioners must fulfil before appearing in the courts of law, the criteria for licensing as a DPCO, requires knowledge of data protection compliance and enforcement, which is not part of the residual knowledge of every lawyer.”
But, Odugbemi stressed that NITDA “must expect that lawyers have to be able to deliberate and provide services in this regard without obtaining a license from it. This is the practice everywhere in the world. There is nothing to be innovative about here than causing problem, and potential lawsuits.”
HERE is the Letter in Full (as sighted by TechEconomy.ng):
An Open Letter to the National Information Technology Development Agency: a Response to the Agency’s Press Release in respect of my LinkedIn post
I write the letter in response to the Agency’s Press Statement made through her Head of Corporate Affairs and External Relations, Mrs. Umar in its Abuja office on the 28th May, 2020. Having made a post regarding the negative impact that licensing a DPCO (Data Protection Compliance Organizations) could have, I believe I am the legal practitioner referred to in the Press Statement, and I want to use this medium to respond to the issues raised in the said Press Statement, seriatim.
Before doing so, I would like the Agency to understand that my post, irrespective of how challenging it might seem, was written from a place of concern for a fledgling system that is trying to catch up on privacy issues, and a system which sought to impose [necessary] compliance requirements on those who hold our data. I also write from the lens of a professional in this field who has been exposed to data privacy and protection issues and practices, internationally.
Having said that, I am saddened that the Agency’s response refused to address the issues highlighted in my original post. For clarity, the germane issues highlighted in my post are:
- The need for a license to provide data privacy-related services [this includes both privacy and data protection services]
- The need for a fee of N50,000 annually from those licensed.
- The need for lawyers/law firms to get a secondary license from the Agency before providing certain data privacy-related services [this includes both privacy and data protection services], especially auditing.
- The fact that your Agency confirmed on your page that one of the services a DPCO is allowed to discharge is “contract drafting”—what notoriously constitutes “law practice”.
- The fact that the license requirement is a compliance obstruction as data controllers would be unable to comply with the submission of their Data Audit report for example by the end of June, 2020 per Regulation 3.1.5, and as determined by the Agency.
Out of these 5 issues, the Agency has only responded to issue 3.
First, in your response, the Agency stated that “…it is factual and legal inaccuracy to equate the right of data privacy or indeed the provision of data privacy-related services, to the right to data protection. Data protection goes beyond protecting personal data privacy; it also involves the processes, systems and rules to ensure the confidentiality, integrity and availability of data.”
This has never been contested, data protection is technical, while data privacy is a legal question bordering on data privacy rights. However, both privacy and data protection at least in the Nigerian context [in the present case] are provided for in the law. There are lawyers [like myself] who have the knowledge or who are striving towards getting the knowledge in the privacy and data protection field. What we are saying is, as lawyers [who possess or are striving to possess knowledge in this field of law], we should not need a secondary license from the Agency before we interpret a law or Regulation or engage in services created by law or Regulation.
It would have been different if the Regulation does not have the effect of law per NITDA Act, 2007. But since the Regulation is a function of law, it falls within the purview of what lawyers can deliberate on upon obtaining a law practice license only, not a license from your office. What power does the Agency have to regulate lawyers/law firms? The Agency has no power whatsoever to regulate lawyers or law firms, and cannot prescribe what area of law lawyers can dabble into and what practice they cannot no matter how specialized the Agency tries to cloak this field of law.
If the Agency believes “data protection” is so technical, and that a license is needed before providing that service, then it should license organizations in that regard strictly and alone. But the license the Agency is issuing is for a collective service that combines both “data privacy” issues and “data protection” issues, not just data protection/technical issues. Indeed, the technical services expected of DPCOs as detailed by the Agency is roughly 40% of the services overall. I reproduce the services here for your review.
DPCOs are licensed to provide one or more of these services;
- Data protection regulations compliance and breach services for Data Controllers and Data Administrators
- Data protection and privacy advisory services
- Data protection training and awareness services
- Data Regulations contracts drafting and advisory
- Data protection and privacy breach remediation planning and support services
- Information privacy audit
- Data privacy breach impact assessment
- Data Protection and Privacy Due Diligence Investigation
- Outsourced Data Protection Officer etc.
Core technical data protection issues are partially present in only services 1, 2, 3, 5, and 8. If the Agency had required proof of knowledge for strictly technical issues from lawyers, and then issued a license subsequently, this would have been ideal. But as it stands, muddling legal interpretation and technical issues together, and asking that lawyers get a license is an affront to the law practice license.
Importantly, I want to draw the attention of the Agency to the issue of Data Audit Report that has often been argued [including in your response] to be a service that a lawyer cannot provide because it contains technical/data protection issues. Reg. 3.1.5 provides for what the exercise of conducting an Audit entails. Looking at the exercise, it is my contention that there is nothing “technical” or relating to “data protection” about the exercise that a lawyer could possibly need a license for. I reproduce the exercise below:
- a) the personally identifiable information the organization collects on employees of the organization and members of the public;
- b) any purpose for which the personally identifiable information is collected;
- c) any notice given to individuals regarding the collection and use of personal information relating to that individual;
- d) any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
- e) whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
- f) the policies and practices of the organization for the security of personally identifiable information;
- g) the policies and practices of the organization for the proper use of personally identifiable information;
- h) organization policies and procedures for privacy and data protection;
- i) the policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and
- j) the policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.
The fact that there is no technical requirement from a Data Audit exercise as conceptualized by the Regulation corroborates the reasoning that there is no need for a license [whatsoever] to be obtained by lawyers or law firms before discharging that service. It also negates a part of your response that reads: “However, not every lawyer has the competence to conduct and file Annual Data Audit Report…” Of course, a lawyer can interpret the sections of the Regulation providing for Data Audit Report, and perform the exercise described there.
Your response also contends that the need to procure a license from your office even though lacking precedent, is a testimony to the innovation NITDA is bringing to its regulatory mandate while relying on Lord Denning’s dicta in Parker v. Parker, “If we never do anything which has not been done before, we shall never get anywhere.”
The inaccuracy of this dicta stems from its inapplicability to the context in which it is being used. The fact that something novel is introduced does not in any way mean that it is progressive or appropriate. It is obvious that this “innovation” is a recipe for disaster because a 2019 report shows Nigeria has 3.1 million registered companies. Let’s assume only 1 million of them need to comply with the submission of a Data Audit Report. Since only DPCOs can conduct an audit and submit same on behalf of the companies, how does the Agency expect only 70 DPCOs licensed by it till date to help conduct and submit a Data Audit Report on behalf of these companies, before June 2020? The “innovations” introduced by the Agency are not well thought out, not only in regards to the unprecedented creation of fee-paying-licensed DPCOs, but including the demand that companies pay an incremental fee to it depending on the number of data subjects’ data they process. In a country like Nigeria, where compliance is being sought and hoped for, imposing a fee as part of the compliance process would only make companies reluctant. It makes one ask whether the Agency is trying to use the compliance process as an avenue to make money from companies or the real interest of the Agency is to supervise and help companies comply with requirements imposed on them?
In your response, you also said: “…it is encouraging to note that Nigeria’s model has become subject of intense studies for adoption within and outside Africa.”
This is definitely an attempt to validate an unfounded and unsubstantiated process. The statement is vague. What exact jurisdiction in the world is reviewing and looking to adopt this type of practice—where lawyers are to be licensed to provide a service that has its root in law? The least the Agency could have done in all righteousness is mention such jurisdiction[s].
Lastly, you also contended that due to the DPCO licensing scheme that “…training and awareness on data privacy protection has been widely entrenched, jobs are being created, bureaucratic bottlenecks have been eliminated in the bid to comply and the country is fast-tracking its progress towards digital economy maturity”.
These assertions are entirely false. How can training and awareness be “widely” entrenched when only 70 DPCOs are to date licensed? How are jobs being created, when more of them can be created with a system where the market is left alone to regulate itself as done in other jurisdictions? Also, the creation of DPCOs and the need for them to procure a license directly creates bottlenecks for compliance in contrast to your assertion.
The Agency has refused to answer pertinent questions put to it. The answers it provided to the only question it tried to answer are embedded with flaws, misconceptions, and false ideologies.
In as much as the Agency fuses data privacy—a legal question—with data protection—a technical issue—and plants them in law/Regulations, then, the Agency must expect that lawyers have to be able to deliberate and provide services in this regard without obtaining a license from it. This is the practice everywhere in the world. There is nothing to be innovative about here than causing problem, and potential lawsuits.
The Agency has no power whatsoever to regulate the legal profession in as much as it mixes legal questions with technical ones. Thus, demanding that lawyers get a license from it under the guise of specialty or technicality is an argument that can be made [similarly] by other areas of law including intellectual property law, energy, oil and gas law, telecommunications law, real estate, insurance, etc. If lawyers are to get a [special] secondary license before delving into all of these areas of law, what then is the point of the primary license to practice law?
Applying the Agency’s faulty logic to another area of law as “oil and gas law”. This area of law, for example, entails drilling of the earth, the Agency’s reasoning [if it were to be received] is that oil and gas lawyers must prove their knowledge of earth-drilling and obtain a license before they can provide oil and gas law services. This would be absurd, and there is no such requirement. However, it is possible to separate the earth-drilling technical services and issue license on this specific service alone, and not all the services that subsist in “oil and gas” law. Data protection must be seen as a means to an end, the “end” being “legal compliance” because failure to comply with data protection requirements by an organization would trigger civil and criminal actions—all of which are legal actions which are lawyers’ business.
Ideally, the Agency has to let the privacy and data protection market regulate itself. Organizations have to be given the chance to choose who they feel possess the right qualities, qualifications, and ability to help them comply with data privacy and data protection requirements as prescribed by law and the Agency’s Regulation—this is a constitutional right.
The proactiveness of the Agency is welcomed, but the Agency has no business putting a filter on who can provide services and who cannot, it can apply its filter at the point of compliance [at its office] by rejecting compliance efforts that are not up to standard. This approach would alleviate the Agency’s self-imposed unnecessary task so that it can focus on its compliance supervisory functions in contrast to those who provide the compliance services. An instance where the Agency descends into the market and chooses who can perform what and what not while demanding a fee to do so paints the Agency as a money-grabbing organization that has refused to focus on the most important things expected from a supervisory authority. It ultimately also suggests that the Agency is not ready for the growth of the data privacy/data protection practice in the country, and has failed the most important duty it has been trusted with.
Gbenga is a lawyer in the Lagos-based law firm, Feral Law LP, and can be reached at [email protected]