The pertinence of data privacy, and protection in Nigeria’s electricity industry: A legal perspective

By Lynda Ugo Ezike

INTRODUCTION

Inflamed by a conflux of factors such as: rapid advancements in globalized digital networks, the ever-heightening dependence on financial platforms, and the expansion of sophisticated information and communication technologies (ICTs), modern societies have become deeply entangled in a complex network of personal data exchanges. As such, an epoch of unprecedented datafication has been ushered in. The complex data-based ecosystem necessitates the storage, processing and transmission of personal information, piercing through every facet of individuals’ lives – from daily transactions, to participation in the political sphere, to engagement with diverse sectors like energy, entertainment, fintech and healthcare etc. There are, however, grave risks such as: fraud, data breach, abuse, manipulation, corruption, compromise, as well as loss and theft of information, associated with the aforementioned use of personal data. It has, therefore, become extremely crucial for there to be the safe keeping of a person(s) or organizations’ information in the possession and control of a Data Controller.

Nigeria considers its electric power industry to be on par with its national security.[1] This means that the power industry is not left out from being in the vanguard of digital and technological advancements, as they strive to continually break the barriers of innovation. The (renewable) electricity industry, for instance, is going through a significant technological revolution, whereby households and organizations are being digitally connected to renewable energy systems. This is aimed at increasing and easing up the way in which natural resources are used by way of technology, as opposed to relying on conventional fossil fuels. The ineludible use of technology in the power industries would, therefore, automatically give rise to the processing of data. Consequently, this leads to the dire need to protect the said personal data/information from the negative ramifications connected to personal data breaches and unauthorized access to personal data within this dynamic technological environment. Thus, data protection and privacy have become fundamental to the safeguarding of energy consumers’ (data subjects’) personal information to such an extent that there is the prevention and protection of the occurrence of the risks attached to the processing and transfer of data. Effective data protection can be attained by developing and putting into practice, solid data security protocols in addition to inviolable data protection regulations – designed to address the risks connected to personal data processing activities.

This article explicates the connection between technology, privacy, and data protection in Nigeria’s electricity industry. It also analyzes the pertinence of sound data privacy practice in the electricity sector, and how the relevant data protection regulatory frameworks, when adhered to judiciously, can attenuate the risks connected to the industry’s inexorable use of technology.

The Concept of Data Protection and Privacy

What is Data Privacy and Protection?

Personal data is considered by section 65 of the Nigeria Data Protection Act 2023 to be any information that directly or indirectly identifies an individual. Privacy rights, in Nigeria, are recognized as constitutional rights – as they guarantee and protect the citizens’ privacy – including their household; phone, email or telegraphic communications[2]. For example, in the case of Bi-Courtney Aviation Services V Kelani (2021)[3], it was held by the Court of Appeal that a person’s image forms an integral part of their ‘right to privacy’ as enshrined within section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as Amended) (the CFRN)[4].

Following on from the above, the protection of data, i.e., ‘Data Protection’ can be defined as the process of safeguarding important data/information from corruption, theft, compromise or loss (data breaches), and supplying the tools or resources necessary to restore the data to a functioning state in the event that something happens that makes it unavailable or unsuitable.[5] The principle of data protection mandates every organization processing and in control of sensitive (personal) information – whether digitally or otherwise, to ensure the information is appropriately protected. This principle is predicated on the rights and proclivity of individuals to decide on the degree to which they disclose their personal information to others.

Laws Governing Data Privacy and Protection in Nigeria

Data protection regulations were created in response to the dangers associated with the processing of personal data and the imperative to safeguard individuals’ or organizations’ critical and confidential information. Furthermore, data protection regulations mandate the deployment of data security techniques that safeguard personal data from unauthorized access, theft or loss. The relevant laws governing data protection and privacy activities in Nigeria are the:

Constitution of the Federal Republic of Nigeria 1999 (as amended)
Nigeria Data Protection Regulation 2019
Nigeria Data Protection Implementation Framework 2020
Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020
The Nigeria Data Protection Act 2023
The Guidance Notice on Registration of Data Controllers and Processors of Major Importance 2024
Industry-specific regulations that contain data protection provisions e.g. Credit Reporting Act 2017; National Identity Management Commission Act 2007; the Consumer Code of Practice Regulations 2007; the Registration of Telephone Subscribers Regulations 2011 etc.

Organizations in the electricity industry are mandated to adhere to the above-listed laws regarding the protection of the (personal and sensitive) data they control and process. Failure to comply with the regulations could lead to the imposition of sanctions, fines, business disruptions brought on by investigations, jail terms for principal officers of organizations, and so on. It is, therefore, beneficial for organizations carrying out operations in the sector to comply with data protection regulations as it would help with the mitigation of risks like security breaches and data losses. Also, organizations that mismanage data and fail to take cognizance of the said laws could expose themselves to: license revocations, damaged reputation, loss of customers, regulatory penalties, associated losses and legal liabilities.

The Nexus Between Privacy and Data Protection, and the Electricity Industry

The Nigerian Data Protection Commission regards the electric power sector as strategically significant to the economy – akin to national security, and organizations or service providers within the sector that process personal data are regarded as Data Controllers and Data processors of Major Importance (DCMIs and DPMIs).[6]

According to the Nigeria Data Protection Commission’s Guidance Notice on the ‘Registration of Data Controllers and Data processors of Major Importance (DCMIs and DPMIs)’ issued on the 14th of February 2024 by the Nigeria Data Protection Commission (NDPC), DCMIs and DPMIs are companies that operate, offer services or handle personal data in the electric power industry.

DCMIs and DPMIs are considered to have “particular value or significance to the economy, society or security of Nigeria”[7]. Thus, companies in the electric/power industry as DPMIs and DCMIs, do not only have a legal duty to comply with data protection regulations, but also a critical responsibility in ensuring that personal data entrusted to their care is conscientiously protected. This would foster trust and confidence in stakeholders of the industry and facilitate the successful implementation of technology-driven electricity initiatives.

Therefore, the robust safeguarding of information is paramount for electricity companies as they transition into data-driven businesses that use both personal and electricity data as tools for energy efficiency mechanisms. One of the primary objectives of the energy industry is to successfully achieve the decarbonization of the industry by way of transitioning from the use of carbon-intensive fossil fuel energy to renewable energy options. This is aimed at curtailing greenhouse gas (GHG) emissions and achieving zero fossil carbon existence. Such energy decarbonization efforts in recent years have been heavily impelled by advances in digital technology. The power sector is primarily herded by technology – which is a tool necessary for the decarbonization, efficacy and productivity of the said industry. As more electricity companies leverage technology, new security and personal data breach risks arise. As such, a proactive viewpoint and understanding of the practice of data protection is needed if the energy sector is to continue its digital transformation. Only when such safeguards of personal data are in place can the advantages of digitalization be fully harvested and enjoyed.

3.1 The Importance of Privacy and Data Protection in the Electricity Industry

As a matter of course, an electricity organization’s sensitive data such as its intellectual assets, employee/management’s information, as well as trade secrets, are at the core of its competitive advantage and success. The exposure of these valuable assets to illicit parties may have severe consequences on the organization, including lost revenue, lower market share, and damaged reputation. Businesses may face regulatory sanctions, damage control costs and legal expenses – in conjunction with direct financial losses. Also, the illegal access of an organization’s data by unauthorized persons leads to criminal activities – e.g., identity fraud, blackmail, illegitimate financial gains, information misappropriation etc.

In view of the fact that a company’s most precious assets in today’s digital environment are the data it manages and processes, cyber threats are becoming more complicated, with potentially devastating outcomes as discussed above. Therefore, (electricity) companies are required to take notice of the pertinence of data security and cyber-attack risks that may negatively affect them. A company’s sensitive and personal data must be protected at all cost, and one of the best ways to achieve this is by having sturdy data privacy and protection structures in place. This includes the strict compliance with all applicable laws pertaining to data protection.

Companies within the electricity industry strive for advancements in technology to spur development, as the sector is the cornerstone of global infrastructure and trade.  This digitalization of the electricity sector calls for responsible data management, collection, sharing, storage and communications – to ensure the protection of data in companies’ possession against the risks connected to data usage. For ease of comprehension of the subject matter, the intersection between data protection and privacy and the energy industry will be discussed in seriatim.

3.2 The Interconnection between Privacy and Data Protection, and the Electricity/Power Industry

Durable data protection practice becomes more critical as organizations and homes adopt digitally connected technologies and information-driven devices, particularly in the electricity sector.  Thus, the bridge between the energy sector and data privacy and protection is largely predicated on the varied and continuous use of personal data-driven technology to adeptly carry out operations relating to the industry. For example, the payment of electricity bills electronically i.e., via online platforms, is the benefit (financial) technology proffers to electricity consumers in a bid to avoid the laborious and hazardous task of making payments with physical cash. However, this produces data protection-related issues – because processing personal data via technology has prompted the escalating frequency of data breaches, privacy violations and cyber-attacks.

Within digitalized electricity distribution networks, smart meters and all other comparable smart applications serve as a medium through which electricity consumers actively monitor their energy consumption rates instantaneously. This is made practicable by the fact that such devices collect and process comprehensive data on patterns of energy consumption at brief intervals. This transparency is further enhanced by interactive online energy retail platforms, serving as a vehicle through which a variety of innovative services are made available. These innovative services foster empowered consumer engagement through data-driven insights, enabling proactive management strategies for cost reduction and environmentally conscious choices. Ultimately, the promotion of energy conservation within communities is the goal of companies operating within the electricity/power sector.

The electricity Distribution Companies (Discos) in Nigeria play the important role of providing electrical power to the end-users – by way of technology. A technology that has profoundly impacted the Nigerian electricity industry is the smart meter. A smart meter is an electrometer that periodically captures data on a customer’s voltage level and power consumption – without the need for physical meter readings.[8] So, in an effort to improve Nigeria’s Discos’ financial viability while reducing their loss of earnings, the emplacement of the prepaid smart meter technology serves as a catalyst to ensure the sustainability of the electricity sector.[9] Smart meter usage is essential to the stability of Nigeria’s electrical system and is necessary for a dependable, reasonably priced, and sustainable energy economy.[10] In comparison to the traditional electromechanical meters – for which an employee from the electricity distribution company would manually take down information on the power user’s consumption matrix at certain intervals by logging the reading on the meter – digital smart meters allow for communication between the consumer and utility company in addition to recording customers’ kilowatt-per-hour usage[11]. They also allow for the breakdown of energy usage into smaller, discrete time intervals. This information aids households with reducing energy expenses and amplifies reliability by availing electricity suppliers with relevant data about the quantity of electricity being used throughout their service areas. This availability of data reduces energy prices for homes and improves dependability by giving electricity end-users and electricity suppliers better insight into the amount of electricity consumed.[12]

However, there are identifiable data protection challenges that spring up regarding the utilization of a smart meter. In using the smart meters, data such as the quantity of power usage of the consumers would be conveyed to the customer such that he/she possesses the requisite information about his/her consumption use. This said data would also be communicated to the electricity supplier as a means to monitor and secure payments for the power afforded to the customers.[13] As such, it can be said that the detailed information collected on energy usage patterns brings to bear data protection issues. The data collected and stored can reveal insights into an electricity consumer’s behavior and routines – thereby requiring strong privacy security measures. For example, such information can be used to detect fraud, support, or refute an alibi etc.[14]

Relevant authorities or personnel, such as law enforcement or electricity distribution companies, would be able to obtain personal information from smart meters, including: a person’s daily schedule, the types of appliances he/she uses in his/her home, and whether or not they are in their place of abode.[15] The disclosure and flow of the personal information or data to the various relevant parties involved, thus, introduces data protection-related concerns.

Another issue of import regarding data protection matters in the electricity sector revolves around the adoption of financial technologies to facilitate the payment of electricity bills by energy consumers. Cashless or online payments are, therefore, great technological innovations by fintech companies that aid the electricity sector with the ease of conducting business and transactions. Such payments are typically made by way of licensed information communication technology platforms e.g., the internet, mobile applications, smartphones etc.[16] Nigerian Distribution Companies, such as the Eko Electricity Distribution Company Plc (EKEDC), in pursuit of eliminating cash-based transactions, have encouraged their customers to consider modern e-payment mediums for payment of electricity bills[17]. There is, thus, an urgent need for there to be accessibility to cashless/online payment options via fintech/mobile payment companies, for Discos in Nigeria – as they are more feasible, convenient and affordable. Following on from the above, it can thus be stated that in this modern financial technology era, energy companies can be deemed to be data processors or controllers of major importance.

Personal or sensitive data, as well as online transactions are typically maintained by a database/ledger known as ‘blockchain’. Payment systems use blockchain technology to collect, process and analyze data.[18] Such online payment systems used in the electricity sector, are consequently and unfortunately vulnerable to cyber-attacks, fraud and unauthorized access to personal/consumer data, as well as sensitive data belonging to organizations. Additionally, when electricity consumers seek to pay their electricity bills via the energy companies’ websites, they are exposed to website/internet Cookies. Internet Cookies permit web servers to save, monitor or track the website visitor’s online/browsing activities, and connect individual web requests into a session – depending on the type of cookie. Unauthorized access to and abuse of the personal data in the possession of the company is a possibility – and the consequent damages attached thereto are dire and could threaten the integrity of a company that acts as a data controller/processor. This, thereby, necessitates: the need for the existence of sturdy data protection frameworks; the investment in robust security measures; the necessary compliance; the safeguarding of energy consumers’ personal data; and the promotion of corporate digital responsibility.[19]

Another point worthy of note is that Discos may use Client Management Systems or Customer Engagement Platforms to help manage energy consumers’ accounts, track the services rendered, maintain a relationship and communication with (potential) customers and proffer possible personalized recommendations. Also, for certain (agreed-upon or not) purposes, the said energy consumers’ personally identifiable information may be shared with third-party vendors or external parties. Third-party service providers play a critical role in supporting the electricity industry through the outsourced service they render. Such third-parties may include: data analytics firms, insurance companies, healthcare and technology vendors, auditors, regulatory bodies, outsourced labor contractors etc. Identifiable privacy issues such as increased personal data breach risks will, therefore, arise during the electricity companies’ course of operations when dealing with third party vendors and adopting the use of Client Management Systems. Electricity firms are advised to have the necessary and appropriate measures in place to mitigate these risks associated with their third-party partners.

In the context of the safeguarding of personal data, it is also important to consider an electricity company’s employees – as almost all organizations have at least one or more employees supporting the organization in achieving its goals and objectives. In a general sense, the employees of companies carrying out operations in the electricity sector would, in the ordinary course of business, have their (and possibly families’) personal data processed, controlled and distributed. Such information may be required for the application of health insurance/coverage, for instance. Furthermore, personal information pertaining to visitors of the company – which may be inputted in the ‘Visitors Registers’ or captured as images on CCTVs – is also in the control of the electricity companies. Such information could be an easy target for personal data security breaches – thereby leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the said personal information processed, transmitted or controlled. This triggers an urgent need for the establishment of the apposite technical and organizational initiatives that guarantee the protection of the personal data the electricity company possesses or handles.

The Obligations of Electricity Players under the Nigerian Data Protection Act and Relevant Regulations: Key Data Protection Considerations

The Nigerian Data Protection Act imposes on electricity companies the legal obligation and duty to ensure the adequate protection of all personal data they process. As earlier noted, if an organization in the electricity power sector processes personal data, it is regarded as having “particular value or significance to the economy, society or security of Nigeria”[20], and is, therefore, adjudged to be a data controller of major importance[21] by the Nigeria Data Protection Commission. Electric power companies are mandated, by virtue of the Nigeria Data Protection: Registration of Data Controllers and Processors of Major Importance Guidance Notice 2024, issued under section 5 (d) of the NDPA, to be registered as data controllers and data processors of major importance[22]. It is, thus, pertinent for companies operating in the electricity sector to comply with all the relevant laws governing the practice of data privacy and protection.

Also, electric power companies must take into consideration and embed in their privacy programs, the following principles when processing (personal) data they control:

Lawfulness, Transparency and Fairness: Companies carrying out activities in the electricity industry should see to it that the personal data of their employees and customers in their control are processed in accordance with all applicable laws. Therefore, the processing of data must be done solely on lawful bases. Section 25 of the NDPA outlines the legal grounds/bases for the processing of data[23], namely:
“The data subject has given consent to the processing of her personal data for one or more specific purposes
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Processing is necessary for compliance with a legal obligation to which the controller is subject
Processing is necessary in order to protect the vital interests of the data subject or of another natural person
Processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller
Processing is done in the electricity company’s legitimate interest”[24]

On the principle of fairness, electricity companies must ensure that their processing activities do not negatively impact data subjects and are done in accordance with the data subjects’ reasonable expectations. Thus, electricity consumers and employees of electricity companies (data subjects) should be notified about the electricity companies’ processing activities, and the companies should display the requisite compliance.

Last, electricity companies must also be completely transparent in their operations by providing to their customers, specific data about their policies and practices relating to the collection, use, processing, retention, destruction and reporting of the personal data they control/process.

Accountability

Essentially, the principle of accountability notes that the data controller has the primary duty to ensure compliance with the relevant data protection laws and is responsible for the personal information within its control. Should any problems arise with regard to the personal data of the data subjects considered, the data controller will be held liable or accountable.

An electricity company, as a DCMI, bears a legal duty to data subjects with regard to protecting their data within its control. They are also held accountable for any actions or inactions regarding the processing of such data[25]. This means that an electricity company is legally obligated to handle the data subjects’ personal information in its possession and control, adequately and appropriately.  This fosters an environment of openness and trust.

Furthermore, electric power companies, when processing the personal data of more than 1000 Data Subjects, must as a matter of obligation, submit annual data protection audit returns to the Nigerian Data Protection Commission by the 15th of March of the subsequent year.[26] Within the electricity sector, a data protection audit consists of a comprehensive assessment of the records, processes and procedures surrounding personal data processing employed by organizations acting as Data Controllers or Processors. This examination, via the audit, ideally strives to ascertain data controllers’ and processors’ adherence to the stipulations outlined in all pertinent regulations, standard industry practices, and the organization’s established data protection policies – during its processing activities.

Processing Limitation/Specification: When processing personal data, section 24 of the NDPA affirms that the personal data in the possession of the Data Controller or Data Processor must be collected for specific, clear-cut and lawful purposes[27]. Such information is not to be further processed in a way that conflicts with the aforementioned primary purposes. To cite an instance, if an energy customer is paying for his/her electricity bill via the electricity company’s payment platform, the information inputted by the said consumer and collected by the data processor, must be used for the sole purpose of payment and any other expressly consented-to terms, and not for perhaps, advertising reasons (unless consented to or justified under another legal basis for processing which must be disclosed to the customer). This means, therefore, that the personal data collected must be:
i) relevant, used and confined to the specified, clearly-defined and legitimate purposes for which it was collected,
ii) shared only with authorized persons and third-parties who have a legitimate need for the information – only to be processed further if it is in accordance with the original purpose,
iii) stored correctly and securely.

Data Minimization: The data collected and processed by the electricity company acting as a data controller/processor, must be solely confined to the processing purpose. The two primary factors to consider for the processing of data are: ‘Necessity and Proportionality’.
Necessity: Personal information collected must strive to be suitable for realizing the aim of the processing activity. This should be done by considering the use of “alternative, less intrusive measures” to collect and process data.[28]
Proportionality: The amount of personal data collected by the electricity company to attain a processing objective must be justifiable, appropriate and moderate or reasonable.
Storage Minimization: The personal data stored by electricity companies must be retained for a period within which the said data will be reasonably needed. This means, therefore, that data cannot be retained for an indefinite period, and once the purpose for which the data subject’s information was collected has been fulfilled, then the data held should be deleted after a reasonable period.
Data Subject Participation: Electricity consumers, employees and companies – as active participants, are upon request, to be notified of the use and communication of their personal information and shall be granted access to their data. They can also challenge an organization’s compliance with the provisions of data protection regulations. Further, they may object to the (in)accuracy and completeness of the information being processed, and have it altered as might be required.
Information Quality/Accuracy: This principle expounds on the need for electricity companies as DCMIs to only obtain and process correct, up-to-date and accurate data about the data subject. Electricity companies as data controllers are, therefore, obligated to ensure that information in their control – e.g., residential/office addresses – is recent and correct. This can be done by permitting data subjects to exercise their right to the amendment of their personal data for the purpose of maintaining the quality of and updating personal information.
Security Safeguards: Electricity companies must ensure that they adopt strong security measures to the extent that the personal data in their control are not at risk of unauthorized intrusion, cyber or viral attacks, theft and manipulation. While no personal data security measure is impenetrable, section 24 (2) of the NDPA mandates a data controller and data processor – in this case, an electricity company, to “use appropriate technical and organizational measures to ensure confidentiality, integrity and availability of personal data.”[29] This is aimed at ensuring that personal data (digitalized or manual/analogue) security and safety meets certain minimum standards under the law, as the negative ramifications connected to data breaches are destructive. Electricity companies must, thus, implement safety measures on their systems such as encryption or pseudonymization of sensitive and personal data of electricity consumers – e.g., on their payment platform etc.

Recommendations on the Good Privacy and Data Protection Practice in Electricity Companies under the Nigerian Data Protection Legal Framework

Considering the above, any policy, tool or recommendation that would be effective in mitigating the risks associated with consumer data use in electricity systems must be grounded in robust data protection legal frameworks. The Nigerian data protection legal regime is structured such that it caters to the rising proportions of processing of personal data in the electricity industry. Electric power companies, which are defined by law as data processors and controllers,[30] are mandated to implement measures that cater to the protection of its data subjects[31]. This is to guarantee the security, availability, integrity and confidentiality of personal data in the possession of electricity companies – for the purpose of protecting against incidents relating to data breaches.[32] Some measures electricity companies should consider for the effective practice of data privacy and protection are:

The Establishment of Security Measures to Protect (Personal) Data: To adequately secure electricity companies’ data, they must employ data security measures laid out in the NDPA, such as: employing pseudonymization and encryption technologies; setting up firewalls; creating avenues to restore the availability of and access to personal data timeously in situations where it is necessary; granting access to specific authorized individuals; maintaining the consistent training of staff on the subject matter, etc.[33]
Conduct Data Protection Audits: Conducting internal data protection audits regularly, and also as directed by the NDPR 2019[34] would greatly aid the electricity company to identify and mitigate the risk of possible data breaches that may occur internally and/or externally. Also, it would bring to the fore, gaps in the data protection and privacy practice of the organization that require closing up.
Third-Party Risk Management: When an electricity company uses the services of third-party vendors in a way that necessitates the processing of personal data, it should ensure that it conducts data protection due diligence, and has a data processing agreement[35] between both parties – i.e., the third party and the electricity company (and the electricity company’s employee’s consent). Furthermore, the companies should routinely conduct data protection impact assessments[36] where sensitive data of electricity consumers are processed. This would ensure that the personal information of the electricity consumers and customers is processed by the third party in accordance with all governing data protection regulations.
Creation of Internal Data Privacy Policies: Electricity companies must also develop clear internal policies[37] for collecting, processing and using smart meter and other personal data in their control. For example, the company may create a data retention schedule/policy that clearly sets out the duration for which personal data might be kept, as well as its deletion. Also, employee data collected by companies for, e.g., health or background checks must be handled diligently by the electricity companies and the third-party vendors (health clinics etc.). In general, such companies should have robust personal data governance frameworks that take global industry standards into consideration, and should update such frameworks as processes increase, and laws and standards change. These frameworks would also dictate access controls, ensure the accuracy of electricity consumers/employees/partners’ (data subjects’) information, and set out how to handle data subject rights requests, amongst others. They would also guarantee that appropriate structures are available to address cross-border personal data transfer – if the need arises.
Notifying Data Subjects of their Information Collected: Electricity companies must be transparent as they owe a duty of care to their data subjects[38] regarding the personal and sensitive information collected from them. The companies must divulge the reason to the data subjects for collecting the said data and the way in which their information will be used. This entails having vigorous privacy notices at every point of personal data collection.
Conclusion

The pertinence of privacy and data protection in Nigeria’s electricity/power industry cannot be overemphasized. The utilization and advancement of technology in the electricity sector – in conjunction with the digitalization of the industry – has occasioned the inadvertent control, processing and transfer of (personal) data. Nigeria’s data protection regulatory framework addresses all issues that may stem from an electricity company’s data processing activities and expounds on the importance of safeguarding the data privacy rights and personal data of its data subjects. Electric power companies are to integrate data protection principles, as outlined in the relevant data protection regulations, into their daily data processing activities. Such data processing activities must be lawful, fair and transparent; necessary and proportional; accurate etc. Furthermore, electricity companies must ensure that they adhere to the relevant data protection laws to avoid sanctions from the relevant regulatory bodies, preserve their business reputation, mitigate the risk of personal data breaches, and protect their stakeholders’ information. The said laws play the role of a guide by offering succinct information on the principles and practice of data protection to which electricity companies can easily make reference. This can be achieved by complying with all applicable data protection regulations, managing third-party risks, conducting annual data compliance audits, and developing and adopting security measures to protect personal data. It is also worth mentioning that the NDPA 2023 General Application and Implementation Directive (GAID) 2024[39] is a highly anticipated regulation that electricity companies should watch out for.

By Lynda Ugo Ezike

B.A Economics (Memorial University of Newfoundland)

LL.B (Hons) (University of Southampton)

LL.M in Oil and Gas Law (Distinction) (University of Aberdeen)

B.L (Hons) (Nigerian Law School)

[1] NDPC Guidance Notice: Registration of Data Controllers and Data Processors of Major Importance 2024, s. 1

[2] Constitution of the Federal Republic of Nigeria 1999 (as amended), s.37

[3] Bi-Courtney Aviation Services V Kelani (2021) LPELR – 56365 (CA)

[4] Constitution of the Federal Republic of Nigeria 1999 (as amended), s.37

[5] Olumide Babalola, Babalola’s Law Dictionary of Judicially Defined Words and Phrases (Noetico Repertum Inc, 2nd edn, 2018)

[6] Nigeria Data Protection Commission: Registration of Data Controllers and Data Processors of Major Importance Guidance Notice 2024, s. 1(c)(x)

[7] Ibid

[8] Ibid

[9] Dr. Ayodele Oni, The Nigerian Electricity Market: Understanding the Transactional, Legal & Policy Issues (Ciplus Limited, 2021) 213

[10] Megan Mclean, ‘How Smart is Too Smart? How Privacy Concerns Threaten Modern Energy Infrastructure’ (2016) Volume 18, Issue 4 Vanderbilt Journal of Entertainment & Technology Law

[11] Sonia k. Mcneil, ‘Privacy and the Modern Grid’, (2011) 25 Harv J.L &Tech

[12] Samuel J. Harvey, ‘Smart Meters, Smarter Regulation: Balancing Privacy and Innovation in the Electric Grid’, (2014) 61 UCLA Rev.2068,

[13] n 3

[14] Cheryl Dancey Belough, ‘Privacy Implications of Smart Meters’ (2011) Chi-Kent Law Review

[15] Kaisa Huhta, ‘Smartening Up While Keeping Safe/Advance in Smart Metering and Data Protection Under EU Law’, ENRL, 38:1

[16] Dian Purnama Anugerah and Masitoh Indriani, ‘Data Protection in Financial Technology Services: Indonesian Legal Perspective’ (2018) IOP Conf. Ser.: Earth Environ, Sci 175 012188

[17] Stanley Opara, ‘Eko Disco to Stop Cash Payments, Seeks Consumers’ Cooperation’ The Guardian (16th August 2018)

[18] Dian Purnama Anugerah and Masitoh Indriani 2018 IOP Conf. Ser.: Earth Environ. Sci 176 012188, ‘Data Protection in Financial Technology Services: Indonesian Legal Perspective’ page 6

[19] Hassan H. H. Aldboush and Marah Ferdous, ‘Building Trust in Fintech: An Analysis of Ethical and Privacy Considerations in the Intersection of Big Data, AI and Customer Trust’ (2023) Int. J. Financial Stud, 2023 11(3), 90 <https://doi.org/10.3390/ijfs11030090> accessed 8th of January, 2024

[20] Section 1 (2) The Nigeria Data Protection Commission Guidance Notice: Registration of Data Controllers and Data Processors of Major Importance 2024, NDPC/HQ/GN/VOL.02/24

[21] Ibid

[22] Nigeria Data Protection Act 2023 s. 5

[23] Ibid, s. 25

[24] Ibid

[25] Articles 2.1 (2) and (3) of the Nigeria Data Protection Regulation 2019

[26] Section 4.1 (6) and (7) Nigeria Data Protection Regulation 2019

[27] Nigeria Data Protection Act 2023 s. 24

[28] Volker und Markus Shecke Case and Anor v Land Hessen [2010] (9C-92/09) and (9C-93/09)

[29]  Nigeria Data Protection Act 2023 S.24

[30] The NDPC Guidance Notice: Registration of Data Controllers and Data Processors of Major Importance

[31] Nigeria Data Protection Regulation 2019 s. 2.6

[32] n 19 (section 39)

[33] NDPR 2019, S. 2.6 and NDPA 2023, S. 39-40

[34] Nigeria Data Protection Regulation 2019, s. 4.1(7)

[35] Ibid s. 2.7

[36] Nigeria Data Protection Act 2023 s. 28

[37] Nigeria Data Protection Regulation 2019, s.2.5

[38] Nigeria Data Protection Act 2023 s. 24(3)

[39] NDPA 2023 General Application and Implementation Directive (GAID) 2024, NDPC/NDP Act – GAID/001/2024
