Introduction
The Nigerian government officially enacted the Nigeria Data Protection Act, 2023 on June 12, 2023. This Act represents a crucial milestone in Nigeria’s efforts to establish a comprehensive legal framework for safeguarding the personal data of individuals who live or conduct business within the country.
Before the Act took effect, Nigerian government agencies made efforts to protect personal data through subsidiary legislation, including the Nigeria Data Protection Regulation 2019 (referred to as the “Data Protection Regulation”), which was issued by the National Information Technology Development Agency (NITDA). It subsequently became imperative to enact a standard law in line with the “big data” evolution.
Application and Scope of the Act
The Act is applicable to data controllers or data processors who are based, reside, or operate in Nigeria, as well as those who process personal data within Nigeria. It also extends its jurisdiction to data controllers or data processors who are not based, reside, or operate in Nigeria, as long as they process personal data of individuals in Nigeria. This is different from the NDPR, which primarily focuses on individuals residing in Nigeria or Nigerians residing outside Nigeria. It is important to note that the Act does not cover the processing of personal data carried out by individuals solely for personal or household purposes. Additionally, the Act provides exemptions for activities conducted by competent authorities in relation to the specified rights and obligations. These exemptions include investigations and prosecutions of crimes, national public health emergencies, national security, and publication in the public interest for journalism, education, art, and literary purposes. The Act also grants the Commission the authority to establish further exemptions through regulations.
Creation of the Nigeria Data Protection Commission
The Act establishes the Nigeria Data Protection Commission (referred to as “the Commission”) as an independent entity with perpetual succession and a common seal. The Commission is granted transitional provisions that enable it to assume all the powers and responsibilities of the existing NDPB. Its primary responsibilities include raising awareness among data controllers and processors about their obligations under the Act, as well as overseeing the implementation of its provisions. Additionally, the Commission is entrusted with advising the government on policy matters related to data protection and privacy, licensing, accrediting, and registering organizations that offer data protection compliance services. Furthermore, the Commission is authorized to propose legislative changes to the Minister, including amendments to existing laws, among other functions.
Right of Children
Because young users are exposed to the evolving terrain of information technology and social media tools such as YouTube, the Act extends its powers to the rights of children in data protection. The Act states that, where a data subject is a child or another individual lacking the legal capacity to consent, a data controller shall obtain the consent of a parent or other appropriate legal guardian of the child or other individual, as applicable. Data controllers therefore carry a technical commitment, as they are expected to apply appropriate mechanisms to verify the age of users and obtain legal consent.
Data Processing
Section 25 of the Act outlines the key principles that govern the processing of personal data, including lawfulness, fairness, transparency, data minimization, accuracy, purpose limitation, storage limitation, integrity, and confidentiality. The Act places a higher responsibility on data controllers and processors by emphasizing their duty of care in data processing and the need to demonstrate accountability for complying with the principles outlined in the Act.
One notable provision of the Act is the recognition of legitimate interest as a valid basis for processing personal data. Legitimate interest allows organizations to process personal data when it is necessary for fulfilling business-related responsibilities that may not be justified by a legal or contractual obligation. Examples of legitimate interest include data processing for fraud prevention and employee-employer relationships. However, it is important to note that legitimate interest cannot be used as a basis for processing personal data if it infringes upon the fundamental rights and freedoms of the data subject, is incompatible with other lawful bases, or if the data subject would not reasonably expect their personal data to be processed in such a manner.
Cross-Border Data Transfer Arrangement
This segment covers the transfer of personal data to another country or jurisdiction. As a general rule, a data controller or data processor is not allowed to transfer personal data from Nigeria to another country under this law. Under the Act, personal data can only be transferred from Nigeria to another country if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms that afford an adequate level of protection with respect to the personal data. Section 43 of the Act stresses that a level of protection is adequate if it upholds principles that are substantially similar to the conditions for the processing of personal data provided for in the Act. Section 44 sets out other bases for the transfer of personal data outside Nigeria. The Act also empowers the Commission to designate jurisdictions that are restricted from receiving data from Nigeria. Regions that the Commission deems not to provide adequate protection for the international transfer of data will not be approved or allowed to receive personal data from Nigeria.
Rights of a Data Subject and Legal Requirements for Consent
According to Section 27 of the Act, the responsibility lies with the data controller to prove that they have obtained the consent of the data subject. It is important to note that the data subject’s silence or inactivity cannot be considered as consent. Consent can be given in written, oral, or electronic form. The data subject also has the right to withdraw their consent at any time, without affecting the legality of prior data processing. The Act provides more rights for data subjects compared to the NDPR. These rights include the ability to confirm the processing of their personal data, obtain information about its purpose and retention periods, request corrections or deletions, file complaints with the Commission, and receive a copy of their personal data in electronic format promptly. Additionally, data subjects have the right to object to the processing of their personal data and to not be subject to decisions based solely on automated processing.
Data Privacy Impact Assessment
The Act emphasizes the importance of conducting a data protection impact assessment (DPIA) in situations where the processing of personal data could potentially pose a significant risk to the rights and freedoms of individuals. It also requires the data controller to seek consultation with the Commission before proceeding with the processing if the DPIA indicates a high risk to the rights and freedoms of data subjects. The Act provides a definition of DPIA and grants the Commission the authority to issue guidelines and directives regarding DPIA, including specifying the types of processing that require a DPIA.
The Act also establishes a heightened level of protection for sensitive personal data. Sensitive personal data refers to information concerning religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records, or any other sensitive personal information. In general, a data controller or processor is prohibited from processing sensitive personal data unless explicit consent is obtained from the data subject, it is necessary for vital interests, it is based on legitimate interests with appropriate safeguards, it is required for the performance of rights and obligations under employment law, or other lawful bases. The Act also grants the Commission the authority to define additional categories of personal data that may be classified as sensitive personal data, specify additional grounds for processing such data, and establish safeguards. Regarding the rights of children, the Act states that if the data subject is a child or lacks the legal capacity to consent, the data controller must obtain consent from a parent or legal guardian. Data controllers are also responsible for implementing suitable mechanisms to verify age and obtain consent.
Data Controllers and Data Processors of Major Importance
According to the Act, data controllers and data processors of significant importance must register with the Commission within six months of the Act coming into effect. The Act defines these entities as those who are based, reside, or operate in Nigeria and handle or plan to handle personal data of a specified number of data subjects within Nigeria, as determined by the Commission. Additionally, the Commission has the authority to designate certain classes of data that hold particular value or significance to Nigeria’s economy, society, or security. The Commission also has the power to grant exemptions from registration to specific classes of data controllers and processors.
Remarks and Conclusion
The Act is no doubt comprehensive on all the contemporary subjects around data protection in Nigeria. With the incessant abuse of data currently experienced in the country, this piece of legislation will serve as an eye-opener to all stakeholders and data processors. It is further hoped that there will be a successful execution of the Act. It is also expected that the Commission will commence its legally assigned tasks and release frameworks and guidelines for the smooth operation of the Act.
DISCLAIMER: Please note that this article is meant to offer general information on the topic and does not establish a client/attorney relationship between readers and our Firm, nor does it serve as legal advice. Our team of legal experts is available to provide specialized legal advice tailored to the readers’ specific circumstances.