GDPR has become a buzzword lately. It came into effect on 25th May 2018 and has led to an abundance of updated privacy policies and data protection agreements. It seems to have taken on the stature of the monster in the closet. Comply or the GDPR will get you! With fines of up to €20m (twenty million Euros) or 4% of annual global turnover, whichever is higher, this monster has huge teeth. So what is this monster, and is it hiding in your closet ready to pounce?
The European Parliament and the Council of the European Union passed Regulation (EU) 2016/679, better known as the General Data Protection Regulation (GDPR), on 27th April 2016. The purpose of the regulation is to protect the personal data of natural persons in the EU, formally called data subjects, whatever their nationality. In today's digital world, the use and processing of personal data is more or less a necessity, with even mundane tasks being carried out online and requiring at least some form of identification. The EU recognizes this, and also the fact that the protection of the personal data that is necessarily processed is a fundamental right. Both of these realities led to the GDPR, which regulates the activities of data controllers and processors, with hefty sanctions for non-compliance.
A data controller is simply the fancy term for the person or company that decides why and how personal data is processed, while a data processor is the company that processes the data on the controller's behalf; the two may or may not be the same entity. Some of the key provisions of the GDPR include the right to be forgotten (the right to erasure), under which a data subject can require a data controller to permanently delete their personal data in defined circumstances, for instance when the data is no longer needed for the purpose it was collected for or when consent is withdrawn. The data subject also has the right to obtain a copy of all of their personal data held by a data controller, generally at no fee, and to withdraw consent to the processing of their data at any time. On their part, where consent is the basis for processing, data controllers and processors are required to obtain the data subject's consent in a simple and intelligible form and to make it just as easy to withdraw that consent as it was to give it. Data controllers and processors are also required to implement appropriate security measures and, where a breach is likely to result in a high risk to the data subject, to inform the data subject of the breach without undue delay; the supervisory authority must in any case be notified within 72 hours of the controller becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals.
Who does the GDPR apply to?
This monster seems formidable indeed, but its most terrifying aspect is its ability to reach across oceans. The scope of the GDPR is remarkably wide: it covers not only the activities of data controllers and processors established in the EU but also the processing of personal data of individuals in the EU by controllers and processors outside the EU, where that processing relates to offering them goods or services or to monitoring their behaviour. The definitions of the terms "personal data" and "processing" are also markedly broad. Personal data is defined as any information relating to an identified or identifiable natural person, including a name and an address (both physical and IP). Processing is likewise defined as any operation performed on personal data, including collection. In practical terms, therefore, the GDPR applies to almost all modern information technology companies offering services to individuals in the EU. Every website through which goods are sold requiring a name and delivery address, or offering services or information that require registration with an email address or telephone number, could come within the scope of the GDPR. At least in theory. But are Nigerian companies required to comply with the GDPR, and what if they don't? Could Nigerian companies feel the monster's huge teeth, or would it be left outside huffing and puffing?
How can the GDPR be enforced?
Generally, the GDPR can be enforced in two ways: fines from a supervisory authority (the regulator) and a civil claim for compensation by a data subject. The easiest and most straightforward situation is that of Nigerian companies with branches or operations in the EU, for instance some of the banks. The GDPR applies to processing carried out in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU. Thus, depending on how the data is processed, the EU subsidiary of a Nigerian company could be held responsible for non-compliance with the GDPR in the group's processing of data in Nigeria and fined by the regulator in the EU. In the same way, a data subject could sue the EU subsidiary for damage suffered as a result of the Nigerian company's failure to comply with the GDPR. Things get a little tricky where the Nigerian company has no presence in the EU.
Enforcement of the GDPR in Nigeria
In principle, the laws of the EU cannot be enforced outside the EU, nor can sanctions imposed by EU regulators, without the active cooperation of local authorities. But that does not mean Nigerian companies get a pass. Bilateral and multilateral treaties and the registration of foreign judgments could serve to bring the monster inside. Nigerian data processors could also invite the monster in by executing a data protection agreement with data controllers in the EU containing an indemnity clause, effectively binding themselves to reimburse the controller for any damages or sanction imposed on it due to the processor's non-compliance with the GDPR. Such agreements are not optional for the EU controller: the GDPR obliges controllers to use only processors that give sufficient guarantees of compliance and to bind them by contract. In addition, an EU regulator could employ a number of indirect means of securing compliance, including sanctioning EU companies that engage non-compliant Nigerian processors, since those companies remain responsible for their choice of processor, or making it difficult for non-compliant Nigerian information technology companies to operate in the EU.
Even in the absence of sanctions, Nigerian companies would be remiss to ignore the GDPR completely. In the first place, in order to do business with any company in the EU where that business involves data processing, the Nigerian company would most likely be required to sign the data protection agreement described above, effectively making itself subject to the GDPR. Furthermore, foreign investors and entities with an EU presence are not likely to invest in, or pursue affiliation with, a company that could at some point expose them to sanctions or any sort of regulatory action. Beyond possible liability, the foreign investor or business partner would also consider its reputation. With the current prevalence of ethical and moral considerations in business, an investment in a company that refuses to comply with laws aimed at protecting the privacy of its clients is not likely to be attractive to foreign companies. Therefore, while it may not be strictly mandatory for Nigerian companies to comply with the GDPR, doing so could be necessary from a commercial standpoint.
By Martina Aguocha