INNOVATION IN THE NIGERIA DATA PROTECTION REGIME: OVERVIEW OF THE NIGERIA DATA PROTECTION ACT, 2023

July 7, 2024

1. INTRODUCTION

1.1. In today's digital world, safeguarding personal data is no longer simply a necessity; it has become a subject of legislation and regulation in jurisdictions all over the world. This is a result of the vital role that data processing (which includes collection, transfer, storage, alteration, retrieval, restriction, etc.) plays in many aspects of individual and business life. More companies are fully aware of the value of holding, keeping, and protecting data of various kinds, whether user data for marketing purposes or proprietary data for business development. One thing is common to all of them: data is immeasurably valuable.

1.2. Moreover, the growing number of startups and technology platforms that store and process the data of individuals has created a new risk factor. All over the world, malicious actors seek to exploit weaknesses in these systems, and attempts to breach personal data held in databases have greatly increased. Nigeria has seen reported cases of actual breaches of the sensitive personal data of individuals and companies.

1.3. The foregoing has created a new sphere of operations for government agencies such as the National Information Technology Development Agency (NITDA), the Federal Competition and Consumer Protection Commission (FCCPC), and the Nigeria Police Force. These agencies have since commenced a crackdown on organizations under their supervision that have been reported to repeatedly breach the basic principles of data management and protection through unfair practices. Notable examples include digital money lenders such as Okash, EasyCredit, Easy Moni, Sokoloan, and a host of others. In 2019, the Lagos State Internal Revenue Service (LIRS) inadvertently exposed taxpayers' identities on a web portal. Although the error was quickly fixed, NITDA imposed a ₦1 million fine on the LIRS for breaching the provisions of the Nigeria Data Protection Regulation.

In 2021, NITDA received over 40 petitions from members of the public alleging abuse of personal data by some lending companies. The Agency teamed up with the FCCPC to investigate, which led to the imposition of a ₦10 million fine and other administrative sanctions on Sokoloan Lending Company.

The lending companies were later shut down by the federal government for violating the data privacy of their customers. More recently, in July 2023, Microsoft revealed that threat actors had successfully breached the Outlook email accounts of approximately 25 organizations, including the U.S. State and Commerce Departments. Safekeeping and overseeing the use of data have therefore become essential global issues. In commitment to international best practice in data protection, Nigeria's President Bola Ahmed Tinubu signed the Nigeria Data Protection Act ("NDPA" or "the Act") into law on June 12, 2023.

1.4. Against this background, this article highlights the objectives of the Act, its scope of application, and the critical innovations it introduces.

2. STATUS OF THE NIGERIA DATA PROTECTION BUREAU AND NIGERIA DATA PROTECTION REGULATION

2.1. The Nigeria Data Protection Regulation ("NDPR") was issued in 2019 by the National Information Technology Development Agency (NITDA) to safeguard the right of natural persons to data privacy. Because there was no designated authority to oversee data protection in Nigeria, the Nigerian government established the Nigeria Data Protection Bureau ("NDPB" or "Bureau") in 2022 to collaborate with stakeholders in achieving the objectives of the NDPR. The Bureau, however, lacked legislative backing.

2.2. Consequently, the Act created a new regulatory body, the Nigeria Data Protection Commission (the "Commission"). The Act provides for all organs of the NDPB to be subsumed into the Commission, while the NDPR remains in effect until it is expressly repealed.

3. THE NIGERIA DATA PROTECTION ACT 2023

3.1. The Nigeria Data Protection Act 2023 has been acknowledged by stakeholders in the Nigerian data privacy industry as a novel and welcome development, as it seeks to change the landscape of data privacy practice in the country. The basic principles governing data processing under the Act are lawfulness, fairness and transparency; purpose limitation; data minimization; integrity and confidentiality; storage limitation; and accuracy.

3.2. More importantly, the Act provides a legal framework for the protection of personal information and establishes the Nigeria Data Protection Commission as the apex regulatory body charged with regulating the methods and procedures by which data controllers process personal data. The Commission also exercises oversight functions under the Act.

4. OBJECTIVE OF THE ACT

4.1. The Nigeria Data Protection Act 2023 has the following objectives:

1. Safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria;

2. Providing for the regulation of the processing of personal data;

3. Promoting data processing practices that safeguard the security of personal data and the privacy of data subjects;

4. Ensuring that personal data is processed in a fair, lawful, and accountable manner;

5. Protecting data subjects' rights and providing means of recourse and remedies in the event of a breach of those rights;

6. Ensuring that data controllers and data processors fulfil their obligations to data subjects;

7. Establishing an impartial, independent and effective regulatory Commission to superintend data protection and privacy issues and to supervise data controllers and data processors; and

8. Strengthening the legal foundations of the national digital economy and guaranteeing the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.

5. SCOPE AND APPLICATION OF THE ACT

5.1. The Nigeria Data Protection Act 2023 applies to the processing of personal data in Nigeria, whether the processing is carried out wholly or partly by automated means or by non-automated means.

5.2. The Act also applies to data controllers and data processors domiciled, resident, or operating in Nigeria. Its application further extends to entities incorporated under Nigerian law, as well as to those not domiciled in, resident in, or operating in Nigeria but which process the personal data of data subjects in Nigeria.

5.3. The Act does not apply to data processing carried out solely for personal or household purposes, provided that the processing does not infringe the data subject's fundamental right to privacy.

6. KEY INNOVATIVE PROVISIONS

The Act brings about the following innovations to the Nigerian Data Protection regime:

6.1. Establishment of the Nigerian Data Protection Commission

The Act establishes the Nigeria Data Protection Commission, an independent body responsible for promoting awareness among data controllers and data processors of their obligations under the Act and for supervising the implementation of its provisions.

6.2. New Categories for Data Controllers

The Act introduces the category of Data Controllers and Data Processors of Major Importance (DCPMI) and mandates their registration with the Nigeria Data Protection Commission within six months of the commencement of the Act or of becoming a DCPMI, whichever is later. A DCPMI may only be exempted from this requirement where the Commission considers registration unnecessary or disproportionate.

Under the Act, a Data Controller or Data Processor of Major Importance is an entity domiciled, resident, or operating in Nigeria that processes, or intends to process, the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe. The category also covers any data controller or processor that processes personal data of particular value or significance to the economy, society, or security of Nigeria, as designated by the Commission.

The specific thresholds for qualification as a DCPMI are yet to be defined by the Commission. They will hinge on the number of data subjects whose data is processed and on the importance or sensitivity of the data processed. One would naturally expect that government agencies which process the personal data of members of the public, such as the National Identity Management Commission (NIMC), security and intelligence agencies such as the National Intelligence Agency (NIA), and banks and other financial institutions, would fall into the DCPMI category. It is worth noting that the pre-existing Nigeria Data Protection Regulation already set yardsticks for data controllers, including those processing the data of over 10,000 data subjects per annum; those processing sensitive personal data in the regular course of business; and those that operate critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015), as the basis for certain compliance obligations.

These benchmarks are likely to influence the data-subject thresholds adopted for DCPMIs under the Act, and can reasonably be treated as the minimum benchmark until a regulation is issued on the point. The Act requires qualifying entities to satisfy specific registration obligations. These include designating a data protection officer ("DPO"), who may be an employee of the data controller or processor or an external consultant, and exposure to the higher tier of penalties prescribed for breaches by entities of major importance (see section 8 below).

6.3. Introduction of Legitimate Interests as a Basis for Processing Personal Data

The Act introduces the legitimate interests of a data controller as a lawful basis for processing personal data. Legitimate interest will not, however, be a lawful basis where those interests are overridden by the fundamental rights and freedoms of the data subject; where the processing is incompatible with the other lawful bases under the Act; or where the data subject could not reasonably expect the personal data to be processed in the manner envisaged. The litmus test for reliance on legitimate interest is therefore that the rights and freedoms of the data subject remain protected. This balancing approach mirrors the test recommended by the United Kingdom's Information Commissioner's Office (ICO).

6.4. Data Privacy Impact Assessment

Data controllers are required to carry out a data privacy impact assessment (DPIA) before processing personal data that is likely to pose a high risk to the rights and freedoms of data subjects. Where the DPIA indicates that the processing would result in a high risk to the fundamental rights and freedoms of data subjects, the data controller must consult the Commission before commencing the processing.

6.5. Definition of Sensitive Personal Data

The Act defines sensitive personal data and expressly sets out the conditions for processing it, which improves the administration of personal data in Nigeria.

Although the term was already defined in the erstwhile Regulation, the Act goes further by allowing the Commission to add categories of sensitive personal data as it deems fit. Section 30 of the Act governs the processing of sensitive personal data, which the Act defines as personal data relating to genetic or biometric data, race or ethnic origin, religious or philosophical beliefs, health status, sex life, political opinions, trade union membership, and any other information prescribed by the Commission as sensitive personal data.

6.6. Legal Capacity to Consent to Data Processing

The Act provides that where the data subject is a child as defined under the Child's Rights Act, or a person lacking the legal capacity to consent, the data controller must obtain the consent of the data subject's parent or legal guardian and apply appropriate mechanisms to verify age and consent. Consent will not, however, be required where the processing is:

1. Necessary to protect the vital interest of the child or person lacking the legal capacity to consent.

2. Carried out for purposes of education, medical or social care undertaken by or under the responsibility of a professional with a duty of confidentiality.

3. Necessary for proceedings before a court relating to the individuals.

Furthermore, the Commission is empowered to make regulations governing the processing of the personal data of a child aged 13 years and above by electronic means at the specific request of the child.

7. OBLIGATION TO FILE ANNUAL AUDIT REPORT

7.1. Data controllers and processors that process the personal data of more than 2,000 data subjects within a 12-month period are required to carry out a yearly data protection audit through a data protection compliance organization (DPCO) licensed by the Commission. The DPCO reviews the organization's documentation, assesses its practices and staff awareness, and provides recommendations. The audit report is then filed with the Commission not later than 15 March of the following year. The Act creates no new criteria for conducting these audits, so the provisions of the NDPR and its Implementation Framework remain in force on the point.

8. OFFENCES AND SANCTIONS FOR NON-COMPLIANCE

8.1. Where, after concluding an investigation, the Commission is satisfied that there has been non-compliance, it may make any appropriate enforcement order or impose a sanction on the relevant data controller or processor. The applicable penalty depends on whether the offending data controller or processor is one of major importance. Those of major importance are subject to a "higher maximum amount", which is the greater of ₦10 million and 2% of annual gross revenue in the preceding financial year. Those not of major importance are subject to a "standard maximum amount", which is the greater of ₦2 million and 2% of annual gross revenue in the preceding financial year. Criminal proceedings may also be brought against a defaulter.

9. SHORTCOMINGS OF THE ACT AND RECOMMENDATIONS

9.1. While the Act brings several notable innovations and benefits to the Nigerian digital economy, it also has some lacunae that need to be filled. One example is the gap between the Act and certain provisions of the NDPR. The Commission needs to harmonize the NDPR with the Act by issuing the relevant guidelines and clarifying the compliance requirements under the Act, especially those applying to data controllers and processors. There should also be more stringent prerequisites for the appointment of DPOs, to ensure their competence for the role and to promote the organization's compliance with the Act. With the aid of expert opinion, companies and businesses should evaluate their level of compliance with the emerging data protection requirements to avoid breaches and the resulting penalties. Furthermore, the Act does not permit the cross-border transfer of personal data unless the recipient country has adequate data protection laws, or the transfer is covered by binding corporate rules, contractual clauses, a code of conduct, or a certification mechanism affording a sufficient level of protection. The Commission should define "cross-border transfer" to clarify whether it extends beyond the storage of data abroad to the mere routing of data through foreign infrastructure. The Act also fails to provide sufficient detail on the terms to be included in agreements between data controllers and processors.

10. CONCLUSION

10.1. The enactment of the new Act is indeed a welcome development in Nigeria. It is a step in the right direction and will go a long way towards improving data protection regulation in the country.

10.2. The NDPA is intended to protect the personal data of Nigerians from breaches arising from covert data collection carried out without the relevant consent.

10.3. The Act, although novel and the first of its kind in Nigeria, is a vast improvement on the previous regime; nonetheless, there remains room for improvement in its provisions to reflect best practice in data protection law.

10.4. Data controllers and data processors are advised to consult their lawyers, particularly those with expertise in data protection compliance, to ensure full compliance and to avoid liability for non-compliance. As a licensed DPCO, SHQ Legal is keen to assist organizations and individuals in safely navigating the data protection and privacy space.
