On Monday, June 12, 2023, President Bola Ahmed Tinubu signed the Nigeria Data Protection Act (NDPA) 2023 into law, making it the first Data Protection Act in Nigeria. Prior to the enactment of the Act, the Nigeria Data Protection Regulation (NDPR) 2019 was the only piece of legislation dedicated to data privacy and protection in Nigeria.[i] At a time when stakeholders have been calling for proper legislation, as opposed to the NDPR, which is mostly viewed as a mere regulation, the enactment of the NDPA appears to be a step in the right direction.
The objective of the Act is to safeguard the fundamental rights and freedoms, and the interests, of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,[ii] an objective wider than what obtains under the NDPR.
It is against this background that this piece examines the salient provisions of the NDPA vis-à-vis their implications for individuals (data subjects) and businesses alike.
The NDPA contains some commendable provisions, some of which are examined in detail below:
1. Application of the Act: The provisions of the Act apply to the processing of personal data, whether by automated means or not.[iii] The Act also governs the processing of personal data where the data controller or data processor is domiciled in, resident in, or operating in Nigeria; where the processing of personal data occurs within Nigeria; or where the data controller or data processor is not domiciled in, resident in, or operating in Nigeria but is processing personal data of a data subject in Nigeria.[iv]
The scope of application of the Act is more comprehensive than what obtains under the NDPR, which limits its application to natural persons residing in Nigeria, or residing outside Nigeria who are citizens of Nigeria.[v]
However, where the processing of personal data is solely for personal or household purposes, the provisions of the Act do not apply.[vi] Other exemptions from and limitations on the scope of application of the Act, bordering on public interest grounds, are also contained in the Act.[vii]
2. Establishment of the Nigeria Data Protection Commission (NDPC) and its Governing Council: The Act establishes the NDPC, thereby replacing the Nigeria Data Protection Bureau, which formerly regulated the processing of personal data in Nigeria. The NDPC is a body corporate with perpetual succession and a common seal, capable of suing and being sued in its own name as well as holding, acquiring, and disposing of its property.[viii] The functions of the Commission are listed in section 5 of the Act.[ix]
While one may question the need to set up the Commission created under the Act, section 64 of the Act provides that the Commission shall continue from what obtained under the Bureau, and that its subsequent formation shall not affect the same.
3. Processing of Personal Data: In line with international standards, section 24 of the Act lists the core principles that guide the processing of personal data by data controllers and data processors. These are similar to the principles contained in Regulation 2.1 of the Nigeria Data Protection Regulation 2019; however, the principles listed under the Act are more extensive and include lawfulness, fairness and transparency; purpose limitation; data minimisation; storage limitation; accuracy; integrity and confidentiality; and accountability.[x]
Similarly, a duty of care is imposed on data controllers and data processors in their processing activities,[xi] and they must ensure that adequate technical and organisational measures are put in place to safeguard personal data.[xii]
4. Rights of Data Subjects: The Act equally guarantees certain rights to data subjects, which include the right not to be subject to automated decision-making, the right to data portability, the right to object to processing, the right to withdraw consent, the right to erasure, the right to rectification, the right to restriction of processing, the right to complain, etc.[xiii]
5. Data Protection Compliance Services: The Commission may license a person or body to monitor, audit, and report on compliance by data controllers and data processors with the provisions of the Act, as well as with the regulations, guidelines, directives, and codes of conduct issued by the Commission pursuant to the Act.[xiv]
Unlike what obtains under the NDPR and the NDPR Implementation Framework, 2020, which limit the qualification for a Data Protection Compliance Organisation (DPCO) to professional service consultancy firms, information technology service providers, audit firms, and law firms, an individual can now be licensed to carry out data protection compliance services under the Act.
6. Lawful Basis for Processing Data: The Act sets out the lawful bases for processing personal data. These are consent, the performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, and legitimate interest.[xv]
As opposed to what obtains under the NDPR, the inclusion of legitimate interest as a lawful basis for processing personal data is highly commendable.
7. Data Protection Impact Assessment: Where the processing of personal data may result in high risks to the rights and freedoms of data subjects, a data controller shall carry out a Data Protection Impact Assessment (DPIA), which shall contain a systematic description of the envisaged processing, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to curtail those risks.[xvi]
A DPIA is a process designed to identify the risks and impact of the envisaged processing of personal data before that processing begins.
8. Data Protection Officers: The Act requires data controllers of major importance to appoint a Data Protection Officer (DPO), who shall advise the data controller, monitor compliance with the Act, and act as the point of contact with the NDPC on issues bordering on the provisions of the Act.[xvii]
Under the Act, a data controller of major importance is a data controller that is domiciled in, resident in, or operating in Nigeria and processes or intends to process the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.[xviii]
9. Restriction on Cross-Border Transfer of Data: Where personal data is to be transferred outside Nigeria, the recipient must be subject to a law, binding corporate rules, contractual clauses, a code of conduct, or a certification mechanism that affords an adequate level of protection with respect to the personal data, in accordance with the NDPA.[xix]
However, where the recipient country does not afford adequate protection, a cross-border transfer of personal data can only be validly made where it accords with the conditions stated in section 43 of the Act.
10. Data Security and Reporting of Personal Data Breaches: The Act enjoins data controllers and data processors to implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data in their possession or under their control, including protection against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access.[xx]
Also, where a personal data breach has occurred with respect to personal data being stored or processed, and that breach is likely to result in a high risk to the rights and freedoms of affected data subjects, the data controller shall notify the Commission within seventy-two hours of becoming aware of the breach.[xxi]
11. Registration of Data Controllers and Data Processors of Major Importance: The Act provides that data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Act, or upon becoming a data controller or data processor of major importance.[xxii] The particulars required to be submitted to the Commission on registration are stated in section 44(2).
The enactment of the Data Protection Act 2023 is laudable: it is the first of its kind in Nigeria and a step forward in protecting the rights of data subjects. It also contains provisions which, if implemented effectively, will protect the rights of data subjects in conformity with the constitutional right to privacy and in line with international standards.
Despite its laudable provisions, the Act nevertheless suffers from some shortcomings, such as the non-repeal of the NDPR, the apparent lack of independence of the NDPC, the absence of clarity on its application to artificial persons, and the absence of a timeline for data controllers to respond to data subject access requests. It is recommended that these shortcomings be addressed in future legislation to ensure that the Nigerian data privacy regime is in tandem with standard global practice.
The Act remains a step in the right direction and, with proper implementation and enforcement, will have a significant impact on the data privacy and protection regime in Nigeria.
[i] The Nigeria Data Protection Regulation 2019: Implementation Framework, 2020 was also released in 2020 to amplify the NDPR.
[ii] Section 1 of the Act
[iii] Section 2(1) of the Act
[iv] Section 2(2) of the Act
[vi] Section 3(1) of the Act
[vii] See section 3(2) of the Act
[viii] Section 4(2) of the Act
[ix] The powers of the Commission are listed under section 6 of the Act.
[x] See generally section 24 of the Act
[xi] Section 24(2) of the Act
[xii] Section 24(2) of the Act
[xiii] See Part VI of the Act
[xiv] See section 33 of the Act
[xv] See section 25 of the Act
[xvi] See section 28 of the Act
[xvii] See section 32 of the Act
[xviii] See section 65 of the Act
[xix] See section 41 of the Act
[xx] See section 39 of the Act
[xxi] See section 40(2) of the Act
[xxii] See section 44 of the Act