Understanding Data Protection Laws in Nigeria

Understanding Data Protection Laws in Nigeria

NIGERIA DATA PROTECTION ACT, 2023

Due to the increased importance placed on the customer, and general users' information, data protection and privacy should be every organisation's credo and one of its guiding principles. Every data subject has a right to know how their information is processed, used, and protected because it is closely related to their right to privacy within lawful boundaries. It emphasises the need for companies, as well as individual data processors, to hold all data sacred and ensure that all practical measures are implemented in order to secure all data that is collected.

Corporate Data protection strategies have three key focuses:

  • Data availability – Quickly restoring data in the event of theft, loss, or any damage.

  • Control of access – ensuring that data is accessible to those who actually require access, and not to anyone else.

  • Data security – protecting data from malicious use or accidental breaches.

The Nigerian Information Technology Development Agency (NITDA) previously established the Nigeria Data Protection Regulation (2019), which governed the country's data protection regime. This law was regarded as subsidiary legislation rather than principal legislation. The Nigeria Data Protection Act 2023, which is the primary and first regulatory framework for Nigerian data processing and usage, was signed into law in June, 2023. Under the law, businesses are required to implement a data protection internal policy, a data processing Officer, and a privacy policy that guarantees platform users that their data rights are respected, detailing how the business obtains user data, what they do with the data, how and why they share their data with subsidiaries or other third parties, as the case may be.

Scope of Application

Part I of the Nigeria Data Protection Act clearly states the scope of the application of the Act and it includes;

  1. Data processors or data controllers domiciled or operating in Nigeria;

  2. Personal data processing that occurs within Nigeria; and

  3. Data controllers or data processors not domiciled in Nigeria, but process personal data of a data subject in Nigeria.

However, it also provided exceptions to the application of this Act, which includes personal data processed solely for personal or household purposes, provided that the said processing does not violate the fundamental human rights of a data subject. Personal data processed by a competent authority in accordance with any applicable law, for the purposes of prevention, investigation, prosecution, execution of criminal penalty, etc., for the prevention of national public health emergencies, national security, with regard to publication, for journalism and literary purposes, for court procedures, and other legal claims are exempted from the application of the Act.

The Commission may also prescribe the types of personal data exempted by this Act, they can also issue guidance notice to a data controller or processor in regards to data processing exempted if such processing will likely violate the provisions in Sections 24 and 25.

ESTABLISHMENT OF A DATA PROTECTION COMMISSION

The Data Protection Act provides for the establishment of a Commission; Nigeria Data Protection Commission, with its head office in the Federal Capital Territory and empowered to implement data protection policies in its independent corporate capacity. Section 5 of the Act lists the functions of the Commission, and Sections 6 and 7 list the powers, boundaries, and independence of the Commission.

The Act establishes the Governing Council of the Commission and provides the prerequisite qualifications to be appointed as a member of the Council, the remuneration method of allowances for appointed members determined in collaboration with the Revenue Mobilisation Allocation and Fiscal Commission, including the Schedule and the extent of its application in the proceedings of the Council are clearly enumerated in sections 7, 8, 9 and other applicable subsections. The President appoints the Chairman of the Council and the non-ex officio members who under the superintendence of the National Commissioner formulate the overall policy of the undertakings of the Commission, such as ensuring due compliance with ministries and other agencies operating with this Act.

PROCESSING OF PERSONAL DATA

The principles of Data Protection Law are transparency, processing, and secure storage of personal data for the intended purposes within the prescribed laws. In exceptional situations where collated personal data is further processed for the public interest, scientific, historical research, and statistical purposes, or for the legitimate interest pursued by the data controller or processor or a third party the data is disclosed to, provided the fundamental rights and interests of the data subject are not trampled upon, their consent procured and the manner of such procurement is in line with section 26-31 of the Data Protection Act.

Key considerations for processing personal data

  1. Consent: Obtaining data subject consent validly is essential and such consent must be freely given, intentional, and clear. The data processing must be necessary for the data controller to perform its obligation or contract with the data subject. Silence or inactivity of the data subject does not constitute consent and consent through pre-affirmed confirmation does not constitute valid consent.

  2. Data Protection Impact Assessment (DPIA): In circumstances where the processing of personal data will likely result in potential risk to the data subject's rights, a data protection impact assessment shall be conducted by the data controller. If the DPIA indicates a risk to the data subject rights, the data controller is obligated to consult the Commission for directives prior to the processing.

  3. Data Protection Officers (DPO): A data controller of major importance shall designate a data protection officer with expert knowledge of data protection laws and practices as an employee or under a service contract. The DPO shall advise the data processor/controller and their employees about data protection practices, monitor compliance, and act as a point of contact for the Commission on data processing-related issues.

RIGHTS OF A DATA SUBJECT

Data subjects reserve the right to inquire about the processing, protection, storage, and erasure of their personal data and also to lodge a complaint to the Commission if their interest is not protected by the data processor. The data subject has the right to give, withdraw consent, or object to processing their personal data where their interests and freedom are not represented or their initial agreement of the purposes of their data processing has changed. The data processor owes a duty of care to the data subject to safeguard the information and personal data they have access to, as provided in sections 34 to 37 of the Act.

DATA CONTROLLERS AND PROCESSORS

The Act introduces a new categorization for data controllers and processors called "data controllers and data processors of major importance" due to the crucial role they play in the data ecosystem.

The quantity of personal records of data subjects that are processed by data controllers and processors of major significance is higher than the Commission's recommended level, and/or the processing of those records is exceptionally significant to Nigeria's economy, society, or security. Instances of both data controllers and data processors that are banks and enterprises are an excellent fit.

Important data controllers and processors are required to register with the Commission within six months of the Act's implementation and employ Data Protection Officers (DPOs) who have a thorough understanding of data protection law and procedures.

DATA BREACHES

Data controllers are required by Section 40 of the Act to notify the Commission of any data breach within 72 hours of becoming aware of the breach and to provide the affected data subjects with proper notice. A thorough handling process for data breaches to mitigate the risks is provided by the Act. All personal data breaches must be documented by the data controller and data processor. The Commission when notified, may step in to assess if the data processor is inadequate in handling the data breach, and make enforcement orders on the steps to be taken to mitigate likely harm from the breach or sanctions in some cases.

A record of the personal data breached, the effects, and the remedial action shall be documented by the data controller, to enable the Commission to verify that the methods were in compliance with this Act.

CROSS-BORDER DATA TRANSFERS

By establishing prerequisites that must be met before such transfers, Part VIII of the Act assures the protection of personal data moved outside of Nigeria. The Act restricts the transfer of personal data out of Nigeria to another country by a data controller or processor unless the recipient jurisdiction provides similar data protection laws and standards with a sufficient level of data protection.

Adequacy of protection avails the data subject the ability to enforce their rights and seek judicial redress in cases where a data breach occurs, through the existence of an appropriate implement between the Commission and a competent authority in the recipient country that ensures data protection. Although there is a provision for the transfer of personal data outside of Nigeria in the absence of adequate protection if the data subject consents, upon being informed of associated risks. The Commission reserves the right to designate categories of personal data that may be subject to additional specified restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.

SANCTIONS FOR VIOLATIONS

Any violation by a data controller or data processor may result in consequences, which may include paying compensation to the data subject who experienced harm as a result of the infringement. The Commission may direct:

I. Issuance of an enforcement order or sanction upon determining a violation

II. In the case of a data controller or data processor of major importance, this compensation may be up to N10,000,000 (Ten Million Naira)

III. 2% of its annual gross revenue in the prior financial year, and in the case of a data controller or data processor of minor importance, it may be up to N2,000,000 (Two Million Naira) and 2% of its annual gross revenue in the prior financial year.

IV. Imprisonment up to a term of One year.

However, within 30 days of the order, a party dissatisfied with the Commission's decision may appeal to the court for judicial review.

CONCLUSION

Due to the importance attached to data protection by individuals and businesses to exert greater care and effort in managing and controlling their data, these recent provisions are crucial in that they relate to the collection, use, and protection of customers'/clients' sensitive personal information. Compliance officers and attorneys must ensure that their clients and businesses are compliant with this law because every data transfer entails the disclosure of personal information and individual rights apply.

The existing Nigeria Data Protection Regulation 2019, which was created by the Nigeria Information Development Agency to be used in conjunction with the applicable laws applicable to it, had some gaps that the Data Protection Act filled in by covering a wide range of topics and adding new provisions to the structure of data protection in Nigeria, which is constantly evolving.

Reach out to us via for a free consultation about your data protection practice and setting up a compliant structure.