Against a backdrop of regulatory awareness-raising and dissemination, this article explores the early days of the High Authority for the Protection of Personal Data (HAPDP), highlighting the obstacles encountered, which may explain the delay in launching its first monitoring programme. We then examine this programme to assess whether it represents a genuine shift towards effective control or whether it is an extension of the initial preventive strategy. Finally, suggestions will be made for strengthening the work of the HAPDP and promoting compliance with data protection standards in Niger.
The HAPDP, established under Law No. 2017-28 of 03 May 2017 as one of the newest supervisory authorities in French-speaking West Africa, began operations in 2020, facing major challenges related to insufficient resources and constant adjustments to its status. Compared with its counterparts in Burkina Faso, Ivory Coast and Senegal, it remains the authority that has undergone the most reforms .
These obstacles have delayed the implementation of effective controls for several years and have also influenced the understanding of the regulations by the controlled parties, known as data controllers. In its first year of operation, the HAPDP adopted a rather uninviting strategic approach by setting up data processing forms without first consulting the controlled parties . This approach gave rise to difficulties, in particular problems in understanding the texts and the reluctance of some players to pay the costs of issuing compliance certificates . As a result of these initial difficulties, the ideal conditions for effective controls were clearly not in place during these first few years, especially as only four receipts were issued between 2020 and 2021, according to the HAPDP’s official statements . This raises questions about the criteria used by the authority to declare a controller compliant.
Despite these limited figures, at the end of 2021 the HAPDP published on its website a list of data controllers deemed to be compliant with the law. This initiative raises questions about the proactivity of the players monitored in adapting to data protection standards. The publication of this list can be interpreted as a reaction to the need to report on the state of compliance in the country, but it also highlights the need to readapt the Niger authority’s strategy. The strategy, reviewed and adapted in the course of 2021 with the support of partner organisations such as the Organisation internationale de la francophonie (OIF) , the Commission de l’informatique et des libertés (CNIL) and various networks , was a significant step forward in consolidating the authority’s status and strengthening the capacity of its staff . This approach has given rise to the “2021-2025 Strategic Plan”, from which the 2023 control programme under review is directly derived.
A closer look at the HAPDP’s statement regarding the players audited under this programme reveals a selection of key sectors that are likely to process significant volumes of personal data. The sectors mentioned, such as transport companies, healthcare, banking and insurance, are often areas where the processing of personal and sensitive data is frequent. In particular, the transport sector seems to be the one where the transfer of personal data is most apparent.
Nevertheless, it is surprising that the telecommunications sector, as well as certain public structures and bodies, are not among the sectors targeted.
On the first point, it is important to emphasise that the entire data production industry is largely based on telecommunications, managed by operators in the sector. More specifically, mobile telephony stands out in West Africa as a key sector in facilitating connectivity and the massive exchange of data between the various players. The HAPDP should have paid particular attention to the compliance of these operators.
With regard to the second point, with the current emergence of so-called “public administration modernisation” projects and the proliferation of biometric data processing initiatives by public authorities and partners, it would have been wise for the HAPDP to give priority to these activities during its initial monitoring activities.
In conclusion, the checks carried out by the HAPDP teams appear to be more of an educational and awareness-raising exercise for data controllers than a genuine control process with a repressive purpose. In comparison, however, the CDP in Senegal introduced two interesting mechanisms in the early years of its existence. The first, known as the call for declaration, requires data controllers to comply with the legislation. The second, called a request for explanation, usually leads to compliance, and follows a complaint. These approaches have the advantage of preparing the ground for possible inspections, while at the same time incorporating an educational dimension. This experience could inspire the Nigerian authority to readjust its strategy and incorporate similar methods in order to strengthen its influence in an ecosystem that seems relatively less receptive to the issue of personal data protection.
By Mahadi MAIFADA MAGOUDANI, PhD in digital law.