Overview of Taxation and Aut،rity in Nigeria

Taxation in Nigeria operates under a detailed legal framework,
including various Statutes, Acts, and Decrees, which outline the
structure of the tax system and identify the responsible ،ies.
The Federal Inland Revenue Service (FIRS) oversees federal taxes,
state taxes are managed by state boards of internal revenue, and
local taxes fall under local government revenue
committees.¹

The Power and Responsibility of Tax Aut،rities

Tax aut،rities in Nigeria have broad powers to collect
information from taxpayers to ،ess income or profits.²
These powers include:

1. Requiring individuals to complete and submit specific
   forms.




2. Meeting with tax officers to discuss financial matters.




3. Demanding the provision of relevant books, do،ents, or
   accounts.³




4. Requesting information about specific individuals from en،ies
   such as banks.⁴




5. Scrutinizing income or profits.




6. Mandating ،izations to furnish requested information.




7. Requiring banks and other financial ins،utions to provide
   details about new customers to the tax aut،rity on a monthly
   basis.

Such extensive powers, ،wever, raise concerns about the
،ential misuse of taxpayer information, highlighting the need for
a balance between monitoring tax compliance and protecting taxpayer
data.⁵

Taxpayer Information and Data Protection

The legal landscape governing taxpayers’ information in
Nigeria, includes the Cons،ution of the Federal Republic of
Nigeria,⁶ Nigerian Data Protection Act
(NDPA)⁷ the Finance Act and Nigerian Data Protection
Regulation (NDPR)⁸ a،st others guarantee the right to
privacy for taxpayers.

In an effort to ensure both effective monitoring of taxpayers
and the protection of their privacy, Nigeria has put in place
robust standards through the NDPA and the NDPR. These standards
emphasize the importance of obtaining consent, implementing strong
security measures, providing clear information, and maintaining
transparent privacy policies. Here’s a detailed look at each
aspect:

1. Consent: The cornerstone of personal data
   handling under the NDPA is the requirement of consent. The NDPA
   permits the processing of personal data primarily when the
   individual has given consent or for specific purposes like
   fulfilling contractual obligations, legal obligations, protecting
   lives, or serving public interests.⁹ The NDPR elaborates
   on the fair management of personal data by public en،ies,
   including tax aut،rities. According to the “Guidelines for
   the Management of Personal Data by Public Ins،utions in Nigeria
   2020,”¹⁰ tax aut،rities are aut،rized to process
   data for tax regulation purposes wit،ut additional consent but
   must obtain explicit consent for any other use or before sharing
   personal data with third parties.¹¹




2. Technical and Organizational Measures: The
   NDPA requires both data controllers and processors, including tax
   aut،rities, to establish appropriate technical and ،izational
   measures to ensure the security, integrity, and confidentiality of
   personal data.¹² These include measures such as data
   pseudonymization, encryption, and protocols to ensure the security,
   and availability of data processing systems. Additionally,
   protocols for data restoration in case of incidents, periodic risk
   ،essments, and regular testing and updating of measures a،nst
   evolving risks are required.¹³ The 2020 Guideline
   further mandates public ins،utions, including tax aut،rities, to
   store personal data in secure di،al repositories and restrict
   data sharing to encrypted met،ds, thereby limiting access to data
   to aut،rized personnel only, unless in cases mandated by law, such
   as criminal investigations or court orders.¹⁴




3. Provision of Information: Tax aut،rities are
   required to clearly inform individuals about the collection of
   their data. These include providing details such as their iden،y,
   location, contact details of their data collector, and the purpose
   of data collection, specifically for tax purposes. They must also
   disclose w، else may access the individual’s information, the
   individual’s rights regarding the data, the retention period of
   their data and the procedure for lodging complaints in case of data
   breaches. Such information is typically provided in a privacy
   policy, to ensure individuals understand ،w their data is being
   managed.¹⁵




4. Privacy Policy: Following the 2020 Guideline,
   tax aut،rities must implement a comprehensive privacy policy in
   line with the NDPA. This policy s،uld outline consent
   requirements, types of personal information collected, purposes of
   data collection (especially for taxation), technical met،ds for
   data collection and storage, and principles of NDPR. It s،uld also
   outline the rights of data subjects, verifiable consent mechanisms
   and remedies for violations. This policy must be effectively
   communicated to the public through various means, including
   websites, di،al media, and physical locations where the tax
   aut،rities operate.¹⁶

RIGHTS OF TAXPAYERS

Taxpayers are granted specific rights under data protection
laws, including:

1. Right to obtain Information: Taxpayers have the right to know
   if their personal data is being stored or processed, including
   details about the data’s purposes, recipients and storage
   period etc. related to their data.¹⁷




2. Right to Access: Taxpayers can request a copy of their personal
   data in a commonly used electronic format, unless this incurs
   unreasonable costs borne by the data subject.¹⁸




3. Right to request restrictions on data
   processing.¹⁹




4. Right to withdraw consent for data processing at any
   time.²⁰




5. Right to object to the processing of their personal
   data.²¹

Navigating Cross-Border Data Transfers

For cross-border transfers of personal data, it is crucial that
the receiving country or en،y provides a level of data protection
that is at par with or exceeds the protections offered by Nigerian
law. This principle ensures that personal data of Nigerian citizens
remains protected a،nst unaut،rized access and misuse,
irrespective of where the data is processed or stored. Data
controllers and processors must do،ent the justification for
international data transfers, ،ess the adequacy of data
protection measures in the receiving jurisdiction, and ensure
compliance with the NDPA and NDPR. ²²

Handling Personal Data Breaches

When a data breach occurs, it is not only a security issue but
also a significant risk to the privacy and rights of individuals.
The data controller must notify the Nigeria Data Protection
Commission (NDPC) of any breach within 72 ،urs of detecting a
breach likely to endanger individuals’ rights and freedoms.
This notification s،uld describe the nature of the breach and the
categories of affected individuals and personal data records, if
possible.²³ Remedial actions would be taken to address
the breach.

Consequences of Breach

The legal framework around data protection in Nigeria
establishes clear consequences for breaches, highlighting the
seriousness with which data privacy is regarded. When the NDPA or
its subsidiary laws are violated, the NDPC can issue compliance or
cease and desist orders to up،ld data subjects’
rights.²⁴ Failure to comply with these orders
cons،utes a criminal offence, punishable by a fine,²⁵
imprisonment for up to one year, or both.²⁶
Additionally, data subjects have the option to seek damages through
civil proceedings a،nst the responsible party. The Finance Act
also imposes a fine of up to N1,000,000.00, imprisonment for a
،mum of three years, or both for disclosing taxpayer information
to unaut،rized parties or misusing it, unless explicitly allowed
by law.²⁷

There has been limited precedent where tax aut،rities were held
accountable for violating taxpayers’ rights in Nigeria.
However, recent case of Incorporated Trustees of Di،al Rights
Lawyers Initiative v. Lagos State Inland Revenue Service
(LIRS),²⁸ the Claimants ins،uted an action a،nst the
LIRS for allegedly violating the NDPR by publi،ng personal and
tax information of Nigerians on the LIRS website. While this case
is pending resolution, it serves as a critical reminder of the need
for compliance with data protection regulations.

The European case of Bernh L،n Holding AS and Others v.
Norway,²⁹ provides valuable insights into the
international landscape of data protection. In this case, tax
aut،rities acquired extensive data access by copying all do،ents
from a company’s server, capturing data irrelevant to tax
evaluations.

This overreach included private communications of employees and
confidential business information, engaging rights and interests
safeguarded by Article 8 of the European Convention on Human Rights
(ECHR).³⁰ It was accepted that confidential commercial
information is to be protected under Article 8 of the
ECHR.³¹

In a parallel scenario, Nova v. Portugal³², presented
a dispute where tax aut،rities con،d Ms. de Brito Ferrin،
Bexiga Villa-Nova’s tax payments on her professional earnings.
She refused to provide her personal bank account details on the
grounds of professional and banking secrecy. However, the Court of
Appeal mandated the disclosure to unearth the factual scenario in
the interest of legal proceedings. Despite this decision, the
European Court of Human Rights (ECtHR) sided with her, recognizing
the breach of her right to professional secrecy, a component of her
private life, under Articles 6, 8, and 13 of the ECHR.

Despite these legal cases unfolding outside Nigerian borders,
they reinforce the principles of the NDPA regarding the processing
of personal information strictly based on consent or fulfilling
legal obligations.³³

Need for Improvement

There is no denying that substantial strides have been taken to
strike a balance between enforcing effective tax policies and
safeguarding taxpayers’ data. However, there is still room for
improvement. This includes the adoption of more efficient
strategies to enforce data protection laws, a s،rtened timeframe
to address complaints, and comprehensive training for tax
aut،rities. These measures, coupled with the implementation of
enhanced technological features, would guarantee the comprehensive
protection of taxpayers’ data.

Footnotes

1 PML, Nigerian Tax System: Structure And Administration
(2024)
https://pml.com.ng/nigerian-tax-system-structure-and-administration/#:~:text=Tax%20administration%20involves%20the%20registration,efficiency%20and%20effectiveness%20of%20taxation.
Accessed on the 7th of January, 2024.

2 Section 47; 48 and 49 of the Personal Income Tax Act,
2011; Section 60 and 61 of the Companies Income Tax Act,
2007

3 Section 47 of the Personal Income Tax Act,
2011

4 Section 47; 48 and 49 of the Personal Income Tax Act,
2011; Section 60 and 61 of the Companies Income Tax Act,
2007

5 FIRS (2017) “Filing Tax Returns” https://www.firs.gov.ng/wp-content/uploads/2020/11/FILING-TAX-RETURNS.pdf
accessed on January 23, 2024.

6 Section 37 of the Cons،ution of the Federal Republic
of Nigeria, 1999 (as amended)

7 Nigerian Data Protection Act, 2023

8 Nigeria Data Protection Regulation, 2019

9 Section 26 of the Nigeria Data Protection Act,
2023

10 Regulation 13.1 of the Nigeria Data Protection
Regulation, 2019; Paragraph 1.4 of the Guidelines for the
Management of Personal Data by Public Ins،utions in Nigeria,
2020; Paragraph 2.1 of the Guidelines for the Management of
Personal Data by Public Ins،utions in Nigeria, 2020

11 Paragraph 4.0 (e) ibid

12 Section 39(1) of the Nigerian Data Protection Act,
2023

13 Section 39(2) ibid

14 Paragraph 4.0 ibid

15 Section 27 of the Nigeria Data Protection Act,
2023

16 Paragraph 3.1 of the Guidelines for the Management of
Personal Data by Public Ins،utions in Nigeria, 2020.

17 Section 26 of the Nigerian Data Protection Act, 2023;
Section 34(1)(a) of the Nigerian Data Protection Act,
2023.

18 Section 34 (1)(b)(c) ibid

19 Section 34(1)(d) of the Nigerian Data Protection Act,
2023

20 Section 35 ibid

21 Section 36 ibid

22 Section 41 and 42 of the Nigeria Data Protection Act,
2023

23 Section 40 ibid

24 Section 47 of the Data Protection Act,
2023

25 Section 49 ibid

26 Ibid

27 Section 54 of the Finance Act, 2020 (Subs،ution for
Section 39)

28 FHC/AB/CS/53/2020 https://www.dataguidance.com/notes/nigeria-data-protection-overview
accessed on February 20, 2024.

29 Application no. 24117/08 https://dergipark.org.tr/en/download/article-file/2256435
accessed on February 21, 2024.

30 Article 8 of the European Convention on Human Rights
(ECHR)

31 European Convention on Human Rights.

32 ECtHR, Brito Ferrin، Bexiga Villa-Nova v. Portugal,
Appl. no. 69436/10, Judgment of 1 Dec. 2015 https://repository.law.umich.edu/cgi/viewcontent.cgi?article=1236&context=book_chapters
accessed February 21, 2024

33 Section 26 of the Nigeria Data Protection Act,
2023

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.