
Nigeria Data Protection Act

Updated: Feb 15



Photo Source: Loyal Nigerian Lawyer


The Nigeria Data Protection Act is the legal framework that gives every Nigerian citizen and resident binding judicial precedents on data privacy according to the standard prescribed under the NDP Act. The Data Protection Act was ratified by the President (Bola Ahmed Tinubu) on June 13, 2023 and is Nigeria’s first Act that establishes a comprehensive framework to safeguard personal data. The Act establishes the Nigeria Data Protection Commission (NDPC), also referred to as the “Commission”, to replace the Nigeria Data Protection Bureau (NDPB) established by former President Muhammadu Buhari. The objective of the Act, amongst others, is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the 1999 Constitution of Nigeria.


Objective of the Act

Data plays a crucial role in influencing decisions and motivating actions in today’s interconnected world. Because of the high probability that information contains personal data and the need to prevent its misuse, many nations have passed legislation guaranteeing data protection as a fundamental human right, and Nigeria is no exception.


The nation’s commitment to individual privacy and security is evident in Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (“the 1999 Constitution”), which explicitly guarantees citizens’ right to privacy. This provides the foundation for Nigeria’s legal framework on data privacy and protection. In light of this, the Act’s primary goals are to:

  1. Safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999;

  2. Provide for the regulation of processing of personal data;

  3. Promote data processing practices that safeguard the security of personal data and privacy of data subjects;

  4. Ensure that personal data is processed in a fair, lawful and accountable manner;

  5. Protect data subjects’ rights, and provide means of recourse and remedies, in the event of the breach of the data subject’s rights;

  6. Ensure that data controllers and data processors fulfil their obligations to data subjects;

  7. Establish an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and

  8. Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.


Unveiling the Act

The Act comprises twelve (12) parts, labeled Part I through Part XII. The first four (4) parts focus on the Commission’s specifics and organizational structure. Parts V through VIII outline the Data Protection Principles and key implementation requirements. Part IX emphasizes the registration of data controllers and processors, which is of significant importance. Parts X and XI address enforcement and legal proceedings, while Part XII highlights the Act’s various additional provisions. For more details, see a copy of the Act here.

 

Scope and Application of the Act

The Act covers data controllers and processors who have their headquarters in Nigeria, normally reside in Nigeria, or conduct business there, or where the processing of personal data takes place there. As long as they are processing the personal data of data subjects in Nigeria, the Act also applies to data controllers and processors who are not domiciled in, do not normally reside in, and do not normally operate in Nigeria. This contrasts with the NDPR, which focuses on Nigerians living abroad or natural persons living in Nigeria.


In addition, the Act provides the boundaries of applicability by exempting activities carried out solely for personal or household purposes and various activities carried out by competent authorities. The Act also empowers the Commission to create further exemptions by regulation.


Authority of the Act



Photo Source: NDPC


The Nigeria Data Protection Commission (“NDPC”) is the primary data protection authority and is responsible for enforcing the NDPA in Nigeria. It was officially created by the Nigeria Data Protection Act (NDPA) to handle all matters related to protecting people's personal information. Importantly, even though the NDPA is a new law, it did not get rid of the older rules known as the Nigeria Data Protection Regulation (NDPR). Instead, those older rules are still in place and continue to work alongside the new law.



The Framework: NDPR

The Nigerian Data Protection Regulation, 2019 (‘NDPR’) issued by the National Information Technology Development Agency (‘NITDA’) is the main data protection regulation in Nigeria. Through precisely defined duties for data controllers and processors as well as explicit guidelines for data transfers to foreign countries, the NDPR safeguards the rights of data subjects.


Status of the NDPR—The DPA is Sovereign

The status of the NDPR has come under scrutiny since Nigeria passed the DPA. The NDPR does not automatically disappear with the passage of the DPA, despite what some may have thought or anticipated. The DPA preserves any regulations enacted by the National Information Technology Development Agency (“NITDA”) or the Nigeria Data Protection Bureau (NDPB) on the subject of data protection prior to the enactment of the DPA. This implies that unless the NDPR is repealed, replaced, amended, or changed, it and all rules enacted under it will stay in effect.


The DPA also stipulates that in cases where any law conflicts or is inconsistent with its provisions, the DPA takes precedence. This effectively makes the DPA the primary data protection law in Nigeria, and as a result, other frameworks and guidelines created in accordance with the NDPR, such as the Public Institution Guidelines 2020 and the NDPR Implementation Framework 2020, are subject to the DPA's provisions. This helps to balance out any potential areas of conflict or contradiction between the DPA and the existing framework.

 

Impact of the Act

The Nigerian Data Protection Act of 2023 has had several significant effects on various stakeholders and the overall data protection landscape in Nigeria. Here are some of the key effects of the NDPA:

●  Strengthened Data Protection Framework: By establishing important terms, principles, and responsibilities for data controllers and processors, the NDPA has given Nigeria a comprehensive legal framework for data protection and established explicit rules for the appropriate management of personal data.

●  Improved Data Security: As a result of the NDPA's emphasis on data security measures, businesses have been forced to implement more robust security procedures and protections to shield private information from hackers, illegal access, and breaches.

●  Improved Individual Privacy Rights: Under the NDPA, data subjects now have a number of rights regarding their personal data, such as the ability to access it, ask for changes, and refuse to have their information processed.

●  Consent-Based Data Processing: The Act highlights how crucial it is to get data subjects' legitimate consent before processing their personal information. As a result, data processing procedures have become more open, and people are now better aware of how their data is being utilised.

●  Cross-Border Data Transfers: The NDPA establishes rules for the transmission of personal information outside of Nigeria, guaranteeing that the necessary data security safeguards are in place.

●  Appointment of a Data Protection Officer (DPO): In order to manage data protection issues, the NDPA mandates that specific organisations choose a Data Protection Officer (DPO). As a result, organisations' data protection positions have become more professional, and data management accountability has increased.


Implication of the Act

One of the key features of the DPA 2023 is that it applies to both public and private entities that process personal data, including incorporated trustees. Incorporated trustees are legal entities that are formed by a group of persons who share a common goal or interest, such as religious bodies, charities, clubs, associations, foundations, etc. Incorporated trustees are required to register with the Corporate Affairs Commission (CAC) and comply with the provisions of the Companies and Allied Matters Act 2020.


Implication for Individuals

●  Enhanced Privacy Rights: People have more control over their personal information thanks to the NDPA. They are entitled to view their data and have it corrected when needed, as well as to know how and why their data is being processed;

●  Consent and Choice: Prior to the processing of an individual's data, that person must give specific, informed consent. They are thus empowered to decide how their personal data is used;

●  Protection Against Data Breach: The NDPA mandates that companies tell people as soon as possible about a data breach so that they can take the appropriate safety measures;

●  Improved Data Security: By guaranteeing that their data is sufficiently shielded from unwanted access, individuals gain from organisations' improved data security procedures.


Implication for Businesses

●  Compliance Requirements: Companies must follow the NDPA's rules and principles to make sure that data processing operations are done in a fair, transparent, and legal manner;

●  Accountability and Responsibility: Companies must designate a Data Protection Officer (DPO) to oversee compliance and be held accountable for safeguarding the personal data they handle;

●  Organisations must carry out Data Protection Impact Assessments (DPIAs) for high-risk data processing operations to make sure privacy concerns are sufficiently recognised and reduced;

●  Cross-Border Data Transfers: Companies that work with foreign partners must adhere to the NDPA's regulations when sending personal information outside of Nigeria, making sure that sufficient security measures are in place;

●  Data Breach Notification: To increase transparency in data management, organisations must notify the Nigerian Data Protection Commission (NDPC) and impacted persons of data breaches.


Implication for Data Handlers (Service Providers, Processors)

●  Contractual Obligations: Written contracts specifying the roles and responsibilities of data handlers and controllers in data processing must be signed by both parties;

●  Compliance with the NDPA: Data handlers are required to abide by the NDPA's rules and do as data controllers advise while processing data;

●  Implementing suitable security measures is necessary for data handlers to safeguard any personal information they may have.

●  Data handlers must adhere to best practices in data handling since they may be held accountable for violations or non-compliance with the NDPA.




Challenges in Executing the Act

  1. Lack of Awareness: A large number of Nigerian people and companies are still either ignorant of the NDPA's existence or do not completely comprehend its obligations. Widespread Act compliance is hampered by this ignorance.

  2. Lack of Resources: Some businesses, particularly smaller ones, do not have the funds or know-how to set up strong data security procedures and designate Data Protection Officers (DPOs) as required by the NDPA.

  3. Insufficient Capacity of the Nigerian Data Protection Commission (NDPC): The regulatory agency in charge of implementing the NDPA, the NDPC, may find it difficult to adequately monitor and supervise the large number of data controllers and processors in the nation because of its limited resources and capacity.

  4. Data Breaches: These incidents continue to be a major worry, and some companies might not have strong systems in place to identify and notify data breaches in a timely manner.

  5. Limited Legal Precedents: Because the NDPA is still in its infancy, there might not be many case laws or legal precedents that offer precise instructions on how to interpret and implement the Act in particular circumstances.

  6. Data Protection Officer (DPO) Experience: Since there is a greater need for DPOs than there are available, it might be difficult to find and train certified DPOs with adequate data protection experience.

 

Enforcement of the Nigeria Data Protection Act

According to section 46(3), if the Commission has cause to suspect that a Data Controller or Data Processor has broken the Act, it may launch an independent investigation. Additionally, the Act fully highlights a data subject’s rights. For example, under section 51, a data subject who experiences harm, loss, or injury as a result of a data controller or processor violating this Act may sue the data controller or processor for damages.

Similarly, a data controller or data processor may be required by an enforcement order to compensate a data subject who has suffered harm, loss, or injury as a result of a violation.


Furthermore, the following is a breakdown of the penalties for violating the Act for data controllers of considerable importance and those who are not:

●  Whichever is greater between ₦10,000,000 and 2% of the Revenue of the Preceding Year, for Data Controllers or Data Processors of major importance.

●  Whichever is greater between ₦2,000,000 and 2% of the Revenue of the Preceding Year, for Data Controllers or Data Processors not of major importance.

In addition to the fine above, the data controller or processor may face imprisonment for a term not more than one year or both.

 

Conclusion

The creation of the Nigeria Data Protection Act 2023 exhibits the Federal Government’s new stance to step up efforts to guarantee that all organisations covered by the Act collect and handle personal data in accordance with industry best practices.


 
 
 


© 2024 by Cyphamz
