A new Data Protection Act (the Act) was signed into law on June 14, 2023, by Nigerian President Bola Ahmed Tinubu[1]. This legislation establishes a legal framework to protect individuals’ personal information, regulate data practices in Nigeria, and address concerns regarding data security, consent, and individual rights[2]. The Act repeals the Nigerian Data Protection Regulation and establishes the Nigeria Data Protection Commission[3] (the Commission) which replaces the previously established Nigeria Data Protection Bureau. The Act also provides for a Commissioner who shall head the Commission and be responsible for the execution of the policies and administration of its daily affairs[4].
Under the new Act, the processing of personal data must adhere to certain principles, which emphasize that it should be conducted in a fair, lawful, and transparent manner[5] both in the private and public sectors. Prior to the usage or processing of data, individuals whose data are collected, known as data subjects, are required to provide their consent[6], which they can also withdraw at any time[7].
The scope of the Act applies to the processing of personal data, whether automated or not, by data controllers or data processors domiciled, resident, or operating in Nigeria, as well as to the processing of personal data that occurs within Nigeria. It also applies to data controllers or data processors not domiciled, resident, or operating in Nigeria but who process data of subjects in Nigeria[8]. The Act in its application, exempts the processing of personal data conducted solely for personal or household purposes provided that, such activities do not violate the right to privacy of the data subject[9]. It goes further to exclude data controllers or data processors from its scope when the processing of personal data is carried out by a competent authority for purposes such as, the prevention, investigation, detection, prosecution, or adjudication of a criminal offence, execution of a criminal penalty, prevention or control of a national public health emergency, national security in the public interest, and the administration of legal claims in or out of court procedure[10]. The Act additionally grants the Commission the authority to create further exemptions[11]. Non-compliance with the Commission’s orders is subject to criminal penalties, and sanctions can be imposed on companies or individuals found to be in violation of the law[12].
The Act also safeguards Individuals’ rights as data subjects by granting them the authority to request information regarding the type of data being collected, its storage location, and the entities authorized to access and utilize this data[13]. It acknowledges the requirement for obtaining consent from a parent or legal guardian on behalf of children (persons under the age of 18 years as described under the Child Rights Act)[14] or persons lacking the legal capacity to disseminate their data[15]. A noteworthy addition in the new Act is the inclusion of a cause of action for non-compliance. In the event of a violation of the law, a data subject who is aggrieved by a decision, action or inaction of a data controller may lodge a complaint with the Commission.[16] If dissatisfied with the Commission’s order on the matter, they may seek redress through civil proceedings.[17] It is important to note that, the burden of proof lies with the data controller, who must demonstrate that they obtained the consent of the data subject[18].
The Nigeria Data Protection Regulation 2019 which served as the initial framework for data protection rights in the country, was a step in the right direction and it paved the way for the enactment of the new Act which represents a highly anticipated and comprehensive legislation designed to effectively regulate and tackle complexities of emerging data protection and privacy issues. The new Act imposes greater responsibility on data controllers and processors to safeguard privacy rights. It introduces the requirement for conducting data privacy impact assessments in cases where data processing could potentially pose significant risks to the rights and freedoms of a data subjects.[19] Additionally, it specifically addresses the rights of children when assessing their personal data which is a positive step compared to the previous regulation. This approach ensures that adequate measures are taken to safeguard the privacy of individuals especially vulnerable groups such as children.
However, there are still some ambiguities that may need to be addressed. For instance, the Act provides that data processing is considered lawful if it is necessary for the legitimate interests pursued by the data controller, data processor or a third party to whom the data is disclosed[20]. It goes further to provide instances where interests in processing personal data are not considered legitimate[21]. The inclusion of legitimate interests may potentially be exploited by some data controllers and processors as a means to evade their obligations under the Act. Another limitation of the Act is the absence of a defined timeline for data controllers to respond to rights requests from data subjects regarding their personal data[22]. It is essential to address this issue and establish a specific timeframe in order to enhance transparency and accountability. Also, there is concern about the Commission’s true independence[23] due to the President’s authority to appoint and dismiss both the chairman and members of the governing council.[24] The power dynamic has the potential to influence the Commission’s decisions.
The introduction of this Data Protection Act is a highly positive step, considering the numerous incidents of hacks and data breaches that have adversely impacted both Nigerian citizens and individuals worldwide. This Act will promote the adoption of cutting-edge personal data protection technologies, aligned with internationally recognized best practices, thereby contributing significantly to Nigeria’s digital economy. These advancements are anticipated to have far-reaching implications for businesses, government agencies, and individuals and are expected to generate numerous job opportunities, marking a significant leap for the advancement of the sector.
Our insightful investment guide for Nigeria as a destination of choice for investment and doing business can be consulted here
Reach out to our team of lawyers and business advisors at Centurion Law Group. We seamlessly guide our clients through Africa’s abundant investment opportunities.
Leon Van Merwe – leon.vdmerwe@centurionlg.com
Keseena Chengadu- keseena.chengadu@centurionlg.com
Author: Ariteshoma Etete, Junior Associate, Centurion Law Group, Nigeria.
