SHIELDING PRIVACY: AN OVERVIEW OF NIGERIA’S DATA PROTECTION ACT, 2023

INTRODUCTION

In the ever-evolving digital landscape, where corporations and businesses rely on processing personal data to conduct their activities, protecting personal information has become a paramount concern. On 12th June 2023, a significant step was taken to address this concern in Nigeria when President Bola Ahmed Tinubu signed the Nigeria Data Protection Act 2023 (“the Act”) into law. This landmark legislation provides a comprehensive legal structure to safeguard the fundamental rights and freedoms of data subjects (individuals) while ensuring the secure and lawful processing of personal data. Previously, the primary instrument governing data processing in Nigeria was the Nigeria Data Protection Regulation 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA), which had been criticized for lacking the authority of a primary law of the federation.

In this article, we will explore the substantive provisions of the Act, shedding light on its expected impact on data protection practices in Nigeria.

OBJECTIVES OF THE ACT

In line with the rights and protections offered by the 1999 Constitution of the Federal Republic of Nigeria, the Act’s primary objective is to protect the rights and interests of data subjects. The objectives are as follows:

  • Safeguarding the fundamental rights and freedoms, and the interests of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria;
  • Providing for the regulation of processing of personal data;
  • Promoting data processing practices that safeguard the security of personal data and privacy of data subjects;
  • Ensuring that personal data is processed in a fair, lawful and accountable manner;
  • Protecting data subjects’ rights and providing means of recourse and remedies, in the event of the breach of the data subjects’ rights;
  • Ensuring that data controllers and data processors fulfill their obligations to data subjects;
  • Establishing an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and
  • Strengthening the legal foundations of the national digital economy and guaranteeing the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.[1]

APPLICABILITY OF THE ACT

The Act applies to data controllers or data processors that are domiciled in, resident in, or operating in Nigeria and process personal data within Nigeria, and also to data controllers or data processors that, though not domiciled, resident or operating in Nigeria, process the personal data of data subjects in Nigeria. Nigerian citizens living abroad, however, fall outside its scope.[2]

The Act also does not apply to data processing carried out for personal or household purposes, provided it does not violate the data subject’s fundamental right to privacy.[3] It further does not apply where competent authorities process personal data to prevent crime, address national public health emergencies or ensure national security, nor where personal data is processed to establish or defend legal claims, or for publication in the public interest for journalism, educational, artistic or literary purposes.[4]

ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSION, ITS GOVERNING COUNCIL AND TRANSITIONAL PROVISIONS

The Act creates the Nigeria Data Protection Commission (NDPC) and a governing council to replace the Nigeria Data Protection Bureau (NDPB), and includes a transitional provision that allows for the seamless transfer of all powers and duties of the Bureau to the Commission.[5] By virtue of the transitional provisions, all previously existing contracts, permits, regulations and similar instruments issued by the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Bureau (NDPB) continue in effect, read in line with the Act’s provisions. The NDPC is an impartial, independent and effective regulatory body tasked with controlling, overseeing and enforcing the proper processing and handling of personal information.[6] Its main objective is to safeguard privacy, provide for the security of personal information and uphold data protection practices in accordance with the law.

PRINCIPLES AND LAWFUL BASIS FOR PROCESSING PERSONAL DATA

At its core, the Act aims to promote data processing practices that prioritize the security and privacy of data subjects. This involves setting clear principles to ensure that personal data is processed fairly, lawfully and transparently.[7] Section 25 of the Act lists the bases on which data processing is considered lawful. These include processing to meet a legal obligation of the data controller or processor, to protect the vital interests of the data subject, to perform a contract, in the public interest, and for the legitimate interests of a data controller or a third party.[8] However, the term “legitimate interests” is not explicitly defined in the Act. To address this, the Act incorporates safeguards to ensure that legitimate interests cannot be used as a catch-all basis for processing personal data: processing on this basis is not permitted where it would infringe the data subject’s fundamental rights and freedoms, where it is incompatible with the other lawful bases, or where the data subject would not reasonably expect their data to be processed in that manner.[9] The Act also empowers data subjects by requiring their informed and specific consent before their personal data is processed on the basis of consent.[10]

Regarding sensitive personal data, the Act places restrictions on its processing. While the Act does not provide an exhaustive list of what sensitive personal data entails, it allows the Commission to prescribe additional categories of sensitive personal data as needed.[11] Overall, the Act aims to strike a balance between data processing for legitimate purposes and the protection of data subjects’ rights.

The Act further includes provisions on consent in respect of children and persons lacking the capacity to consent. However, there is some ambiguity regarding the age of consent. Section 31(5) suggests that a child above the age of 13 can consent to the processing of their personal data. On the other hand, section 65 adopts the definition of a child in the Child Rights Act, under which a child is a person below 18 years of age. Despite this uncertainty, section 31(6) provides that the Act does not contradict the provisions of the Child Rights Act, which suggests that section 31(5) should be read consistently with the Child Rights Act rather than in conflict with it.

RIGHTS OF A DATA SUBJECT

The Act provides data subjects with essential rights, including the right to be informed; the right to rectification or erasure; the right to lodge a complaint with the Commission; the right to object to data processing (subject to exceptions for public interest or other legitimate grounds); the right to withdraw consent; and the right not to be subject to automated decision-making, with three exceptions: where the decision is necessary for the performance of a contract, where it is authorized by law, and where the data subject has given consent.[12]

PERSONAL DATA BREACHES PROCEDURE

The Act provides a comprehensive data breach management process, offering data subjects recourse and remedies and reinforcing their rights in the digital age. In the event of a breach, the data processor must inform the data controller. The data controller then assesses the breach to determine whether it poses a “risk or high risk” to the rights and freedoms of the affected data subjects.

If the breach is likely to result in a risk to the rights and freedoms of data subjects, the data controller must notify the Commission within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to data subjects’ rights and freedoms, the data controller must, in addition, immediately inform the affected data subjects.[13] In practice, the 72-hour clock runs from the moment the controller becomes aware of the breach, so the risk assessment cannot be deferred; notifying data subjects of a high-risk breach does not replace notifying the Commission. This process is intended to ensure timely action in the event of a data breach.

CROSS-BORDER DATA TRANSFERS

Under the Act, data controllers and processors are prohibited from transferring personal data to another jurisdiction unless the recipient of the data is subject to a law or framework that offers an adequate level of protection for personal data, consistent with the Act’s provisions. The Commission is empowered to issue guidelines on assessing adequacy and on the bases for transferring personal data outside Nigeria where no adequate level of protection is in place.

Those bases may include the data subject’s consent, the performance of a contract, the public interest, and other circumstances as determined by the Commission. This is intended to ensure that data transferred outside Nigeria receives an appropriate level of protection, safeguarding data subjects’ privacy and rights even when data moves across international borders.[14]

DATA CONTROLLERS AND DATA PROCESSORS OF MAJOR IMPORTANCE

Under the Act, data controllers and data processors of major importance are legally obliged to register with the Commission within six months of the Act’s commencement or of becoming a data controller or data processor of major importance. Additionally, they must appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practice. The Commission has the authority to prescribe fees or levies for data controllers and processors of major importance. Registration involves notifying the Commission and supplying all information the Commission requires; if there are significant changes to that information, the Commission must be notified within 60 days of the change.

The Act also grants the Commission the power to license individuals with the required expertise to monitor, audit and report on data controllers’ and processors’ compliance. However, specific guidance on who qualifies as a data controller or processor of major importance has not yet been issued.[15] These provisions are intended to ensure that entities handling significant volumes of personal data are accountable and have appropriate governance structures in place.

COMPLAINT, INVESTIGATION AND ENFORCEMENT UNDER THE ACT

The Act establishes a process for investigating complaints filed by aggrieved data subjects. The Commission will create a dedicated investigations unit to handle and follow up on these complaints. If the Commission finds that a data controller or processor is likely to violate the Act, it can issue a “compliance order”, which may take the form of a warning, a requirement to comply, or a cease-and-desist order. Failure to comply with the order can result in a fine, imprisonment for up to one year, or both.[16]

Once the Commission completes its investigation and confirms a violation, it can issue an enforcement order or impose sanctions on the data controller or processor. These measures may include remedies for the affected data subject, compensation, an accounting for profits gained from the violation, or payment of penalties or remedial fees as prescribed by the Act.[17]

Any person dissatisfied with the Commission’s order may seek judicial review within 30 days.[18] Data subjects may also claim damages in civil proceedings. Convicted data controllers, processors or individuals may face forfeiture of assets under the Proceeds of Crime (Recovery and Management) Act. Moreover, where a corporate entity or firm commits an offence, both the entity and its principal officers may be personally liable unless the officers prove that the offence was committed without their knowledge and that they took reasonable steps to prevent it. Data controllers and processors may also be held responsible for the acts or omissions of their agents or employees.[19] These provisions are intended to ensure that data subjects obtain redress and that data controllers, processors, corporations and individuals are accountable for their handling of personal data in Nigeria. They also contribute to strengthening the legal foundations of Nigeria’s digital economy and to the country’s participation in regional and global economies through the trusted and responsible use of personal data.

CONCLUSION

The Act represents a pivotal shift towards prioritizing data privacy and protection. Its aim is to empower data subjects and create a reliable digital environment that nurtures innovation, growth and progress. By emphasizing personal data security and upholding privacy rights, the Act sets a new standard for data handling in Nigeria’s digital landscape. With its implementation, all individuals and entities involved in processing personal information will be held to higher standards of security, accountability and protection, strengthening the privacy of data subjects. This landmark legislation is a significant stride towards fostering a culture of data privacy and reinforcing trust in Nigeria’s digital ecosystem.

-WRITTEN BY ONYINYE IGBOANUZUE FROM A&E LAW PARTNERSHIP, ABUJA.


[1] Section 1(a)-(h)

[2] Section 2

[3] Section 3(1)

[4] Section 3(2)

[5] Sections 4 and 64

[6] Sections 5 and 8

[7] Section 24(1)(a)

[8] Section 25(1)(b)

[9] Section 25(2)

[10] Section 26

[11] Section 30(1)-(3)

[12] Sections 34-38

[13] Section 40

[14] Sections 41-43

[15] Sections 32, 33, 44 and 45

[16] Sections 46, 47 and 49

[17] Section 48

[18] Section 50

[19] Sections 51-53
