By Bibitayo Emmanuel Ojo
Introduction
The Nigeria Data Protection Act 2023 is a crucial legislation that has significant implications on data controllers/processors and businesses operating in Nigeria. It is designed to ensure that the data of data subjects are processed in a fair, lawful and accountable manner. Here are some of the major highlights of the Act.
Scope
The Act applies to the processing of personal data, whether by automated means or not. The Act applies where the data controller or data processor is domiciled in, resident in, or operating in Nigeria; the processing of personal data occurs within Nigeria; or the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria.
The Act provides for instances in which the Act will not apply. This includes instances where processing is carried out by competent authorities for the purposes of preventing, investigating, detecting, prosecuting, or adjudicating criminal offences or the execution of criminal penalties in accordance with any applicable law; carrying out by competent authorities for the purposes of preventing or controlling a national public health emergency; carrying out by competent authorities as necessary for national security, and so on.
It is vital to stress that the Act does not apply to personal data processing performed by a data subject exclusively for personal, recreational, or home purposes. While personal or home activity is a reproduction of the exceptions, the Act’s definition and extent of “recreational activity” remain ambiguous.”
Lawful Basis for Processing Data
The basis for the lawful processing of data is spelt out to include: Consent, Performance of a Contract, Vital Interest, Legal Requirement, and Public Interest.
A significant improvement in the Act is the provision for legitimate interest as a basis for data processing. (Section 20(1)(v).) Any interest that benefits one or more parties engaged in the processing of data is referred to as having a legitimate interest. Personal, business or even social interests are all examples of legitimate interests. A data controller must disclose to the data subject what those interests are in order to rely on legitimate interest for data processing. This could be contained in the data controller’s privacy notice.
Data Protection Impact Assessment
The Act requires that a DPIA be conducted where the processing of personal data may likely result in a high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes, Similarly, a data controller who has identified high risk embedded in data processing is to consult with the Commission, who will then issue a guideline and directives to be adopted. (Section 23)
Cross-Border Data Transfer.
Part VIII of the Act requires that data be transferred via a legal data transfer agreement accepted by the Commission in accordance with the binding corporate rule, contractual clauses, codes of conduct, or certification mechanisms that provide an adequate level of protection with respect to personal data are in place. The adequacy of protection in this context is secured if it upholds principles that are substantially similar to the conditions for processing the personal data provided for in this Act. Furthermore, the existence of any appropriate instrument between the Commission and a competent authority in the recipient jurisdiction that ensures adequate data protection may also satisfy the impulse of the Commission on the matter of adequate protection.
Appointment Of Data Protection Officer (DPO)
The Act requires the data controller to appoint a DPO with expert knowledge of data protection law and practices, as well as the ability to advise the data controller or data processor and the employees who carry out the processing on their obligations under this Act, as well as to monitor compliance with this Act and related policies of the data controller or data processor
The profound improvement in this Act is that a DPO may be either the employee of the data controller or engaged by a service contract
Independence of Supervisory Authority
One of the key changes brought about by the Act is the establishment of the National Data Protection Commission (NDPC), which is charged with the enforcement of the Act. The Commission has the jurisdiction to investigate, sanction, and prosecute people who violate the law. For the independent discharge of her duty, a governing council shall be appointed for the commission comprised of (a) a Part-time Chairman, who shall be a retired judge of Nigeria; (b) the National Commissioner; (c) a representative, not below the rank of a Director or its equivalent, from (i) the Federal Ministry of Justice, (ii) the ministry responsible for communications and digital economy, (iii) the Central Bank of Nigeria, (iv) a law enforcement agency; and one representative from the private sector and Members of the Council other than the National Commissioner.
Penalty for Non-compliance
Data controllers must ensure that the compliance requirements are met. Failure to comply can result in a fine of a “higher maximum amount” of (a) 10,000,000 and (b) 2% of its annual gross revenue derived from Nigeria in the preceding fiscal year, or a “standard maximum amount” of (a) 2,000,000 and (b) 2% of its annual gross revenue derived from Nigeria in the preceding fiscal year as the case may be.
The improvement in the prescribed penalties for breach of data privacy now encapsulates an imprisonment term of one year where the data controller or data processor is not of significant importance. Notwithstanding the deterrent nature of this penalty, the question that comes to mind is “Who would serve the imprisonment term?” Hence, the word “significant importance “ is not well defined. Could it be that a data controller with less than a thousand data subject fall into this confine? If the answer is in the affirmative, who should then serve the jail term where the data processor is a company limited by liability? All these questions might need to be determined when the law is put to test through live cases and or issuance of implementation guidelines in that regard.
Rights Of Data Subject
Having the following rights as a data subject is a relevant development among other rights enshrined in the Act.
- The Act guarantees the right not to be subjected to automated data processing, such as profiling. The exception to this includes but is not limited to, instances where such is required for the execution or performance of a contract between the data subject and a data controller or authorisation by a written law that also establishes appropriate measures to safeguard the data subject’s fundamental rights and freedoms and interests.
- When a data subject is a child or another individual who lacks the legal capacity to consent, a data controller must get the consent of the child’s or other individual’s parent or other appropriate legal guardian. In the case of a child, the data controller must use appropriate procedures to verify the child’s age. This is possible with the right technology to outsmart the prowess of unauthorised users.
Conclusion
In conclusion, the Nigeria Data Protection Act has introduced some changes, expanding the scope of the law and imposing stricter fines and penalties for violations. Both laws aim to protect the privacy of individuals and regulate the processing of personal data. However, it appears that the Act focuses more on the establishment of the Commission while it pays little attention to emerging issues of data privacy in the society of astronomical development of technology. It was an anticipated development which does not take into consideration most of the opinions of the stakeholders. We have already had the bill assented to, we can always improve on it. Albeit, the herculean procedure for amendment could have been avoided if a robust bill was passed into law.
Bibitayo Emmanuel Ojo bibitayoemmanuel@gmail.com
Bibitayo Ojo is a seasoned lawyer with expertise in Regulatory Compliance, and Policy Making; committed to research on Data Privacy and Protection and continual interest in guiding startups through legal frameworks.