By Etisang Solomon
Organizations and individuals depend on processing personal data to carry out their activities. As a result, numerous countries and international institutions have implemented data privacy and protection regulations to establish guidelines for processing personal data while considering the rights, freedoms, and interests of data subjects, that is, identifiable individuals whose personal data is collected, stored, transferred, retained, destroyed, etc.
On 12 June 2023, the President of Nigeria signed the Nigeria Data Protection Bill into law, establishing the Nigeria Data Protection Act, 2023. The Act provides a legal framework for safeguarding personal information and implementing data protection in Nigeria.
Previously, the primary regulation governing the processing of personal data in Nigeria was the Nigeria Data Protection Regulation 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA). However, the NDPR was subsidiary legislation rather than a primary law.
This article centers on the Nigeria Data Protection Act, 2023 (the Act) while highlighting its innovative contributions to data protection practices in Nigeria.
HIGHLIGHTS OF THE NIGERIA DATA PROTECTION ACT 2023
Section 2 of the Act provides that data controllers or data processors resident in, operating in, or processing personal data in Nigeria are bound by the provisions of the Act. The Act also applies to data controllers or data processors who do not fulfil those conditions but are processing the personal data of data subjects in Nigeria.
The Act does not apply to processing carried out solely for personal or household purposes, provided the processing does not violate the data subject's right to privacy.
Processing carried out by competent authorities for the purposes of the prevention or detection of crime, the control of a national public health emergency, national security, or the establishment or exercise of legal claims, as well as publication in the public interest for journalistic, educational, artistic and literary purposes, is also exempt from the Act. In effect, the government and its agencies are excluded when carrying out those functions.
- THE ESTABLISHMENT OF A DATA PROTECTION COMMISSION
The Act establishes the Nigeria Data Protection Commission and provides for the appointment of a Governing Council. The Commission replaces the Nigeria Data Protection Bureau (NDPB), the body established in 2022 to achieve the objectives of the NDPR.
The Commission, headed by a National Commissioner, is responsible for overseeing data protection practice in Nigeria. Its functions include fostering the development of data protection technologies, promoting public awareness of data protection, accrediting data protection compliance services, registering data controllers and data processors of major importance, receiving complaints of violations, and generally attaining the objectives of the Act.
The Governing Council is headed by a part-time Chairman, who shall be a retired judge. The Council formulates the policy direction of the Commission, approves the strategic plans, budgets and support programmes submitted by the National Commissioner, and assists the National Commissioner in matters relating to compliance by ministries and agencies of government, among other matters.
- PROCESSING OF PERSONAL DATA
a) Principles of data protection: Section 24 of the Act sets out the principles to be applied in data processing in Nigeria. Below are the principles and what each means:
(i) Lawfulness, fairness, and transparency: Personal data should be processed on a lawful basis, fairly and transparently, so that the data subject knows and understands the purpose of the processing.
(ii) Purpose limitation: When personal data is collected purely for identification purposes, it should not then be used for commercial purposes such as marketing.
(iii) Data minimization: If personal data is processed for the purpose of deliveries, there is no need to request the data subject's medical history.
(iv) Storage limitation: Time limits should be established for the erasure or periodic review of the personal data.
(v) Accuracy: Personal data processed should be accurate and not factually incorrect; this extends even to the details of the data subject's name.
(vi) Integrity and confidentiality: Personal data must be processed in a manner that ensures an appropriate level of security for that data, through appropriate technical and organisational measures.
(vii) Accountability: This principle makes data controllers and data processors responsible for, and requires them to be able to demonstrate, compliance with the other principles of data protection.
b) Lawful basis: Section 25 of the Act gives data subjects a level of control over their personal data by requiring their informed and specific consent before the processing of their personal data. Silence or inactivity on the part of a data subject does not constitute consent. The Act also provides other lawful bases for processing personal data, such as the performance of a contract, the legal obligations of the data controller or data processor, the vital interests of the data subject, the public interest, and legitimate interests.
c) Sensitive Personal Data: The Act restricts the processing of sensitive personal data and sets out the exceptions in Section 30. Sensitive personal data refers to personal data revealing genetic data, biometric data, racial or ethnic origin, religious or philosophical beliefs, health status, sex life, etc.
The Commission is empowered to designate further categories of personal data as sensitive personal data.
- RIGHTS OF A DATA SUBJECT
Data subjects are guaranteed their rights under Part VI of the Act. These include the right to be informed before any processing and the rights to access, correct, erase, restrict and object to the processing of their personal data. Data subjects can also request that their data be transferred to another organization in a commonly used, machine-readable format (data portability), and have the right not to be subject to a decision based solely on automated processing, including profiling.
Consent can be withdrawn at any time, and the data subject has the right to lodge a complaint with the Commission. The Act, however, allows these rights to be derogated from where the processing falls under the exceptions to its applicability in Section 3 of the Act.
- DATA CONTROLLERS AND PROCESSORS
The Act gives a new classification of data controllers and processors called “data controllers and data processors of major importance”.
Data controllers and data processors of major importance are those that process the personal data of more data subjects than the number prescribed by the Commission, and/or process personal data of particular value or significance to the economy, society or security of Nigeria. Banks are clear examples of data controllers and data processors of major importance.
Data controllers and data processors of major importance are required to register with the Commission within six months of the commencement of the Act and to appoint Data Protection Officers (DPOs) with expert knowledge of data protection law and practice.
- DATA BREACHES
In the event of a personal data breach, Section 40 of the Act directs the data controller to notify the Commission within seventy-two hours of becoming aware of the breach and to adequately inform the affected data subjects. The Act sets out a detailed breach management procedure, and data controllers and data processors are also required to keep a record of all personal data breaches.
- TRANS-BORDER DATA TRANSFERS
Part VIII of the Act protects personal data transferred outside Nigeria by setting conditions that must be fulfilled before such transfers. It requires that the recipient be subject to a law, binding corporate rules, contractual clauses, or a code of conduct that affords an adequate level of data protection.
In assessing whether protection is adequate, the Act looks to matters such as the existence of an instrument between the Commission and a competent authority in the recipient country that ensures adequate data protection, the existence of a supervisory authority in the recipient country with adequate enforcement powers, and the recipient country's international commitments and membership of international organisations.
The Commission also reserves the right to designate categories of personal data that are subject to additional restrictions on transfer to another country, based on the nature of the data and the risks to data subjects. The Act nonetheless makes provision for the transfer of personal data outside Nigeria in the absence of adequate protection.
- PENALTY FOR VIOLATIONS
The Act prescribes a fine of not less than N10,000,000 (ten million Naira), imprisonment for a term not exceeding three years, or both, for any member of the Council who makes a secret profit in the course of discharging official duties.
A member of the Council with a personal interest connected with the business of the Commission is prohibited from participating in any Council deliberation or vote on the matter. A contravention attracts a fine of not less than N5,000,000 (five million Naira), imprisonment for a term not exceeding two years, or both.
A data controller or data processor who violates any provision of the Act is subject to sanctions, which may include an order to pay compensation to a data subject who has suffered injury as a result of the violation.
The sanction may also include a penalty of up to N10,000,000 (ten million Naira) or two percent of annual gross revenue in the preceding financial year, whichever is greater, in the case of a data controller or data processor of major importance, and up to N2,000,000 (two million Naira) or two percent of annual gross revenue in the preceding financial year, whichever is greater, in the case of any other data controller or data processor.
Anyone dissatisfied with an order of the Commission may apply to the court for judicial review within 30 days of the order being made.
In conclusion, the Nigeria Data Protection Act, 2023 represents a significant step in the right direction towards safeguarding personal data in Nigeria. Its implementation solidifies the rights of data subjects, reducing the need to rely on Section 37 of the constitution of the Federal Republic of Nigeria, 1999 to establish data protection in legal proceedings.
The Act’s establishment of an independent Commission is poised to enhance data protection practices, despite concerns regarding the Commission’s independence due to the Minister of Communications and Digital Economy’s substantial influence over the governing council’s affairs and leadership.
While the Act undoubtedly makes a remarkable contribution to the growth of the sector, it is not without its limitations. One notable shortcoming is the exemption of "competent authorities" from the Act's applicability, which potentially opens avenues for abuse. Furthermore, the Act lacks specified time-frames for responding to data subjects' rights requests and for informing affected individuals in the event of a data breach.
Overall, despite these shortcomings, the Nigeria Data Protection Act, 2023 remains an outstanding contribution to the advancement of the sector, as it sets the stage for enhanced personal data protection in the country.
Etisang Solomon is a Senior Associate with Olumide Babalola LP. He provides bespoke advisory to local and international clients on data protection, risk and compliance issues.