WHAT ARE THE OBJECTIVES OF THE NIGERIAN DATA PROTECTION ACT 2023 (NDPA)?
The Nigeria Data Protection Act 2023 (the “Act”) was signed into law by President Bola Tinubu in June 2023. The Act institutionalized and streamlined the protection of personal information in Nigeria, by giving statutory backing to the concept of data/privacy protection. The objectives of the Act as stated in the enactment include:
- Giving proper effect to privacy protection, recognized as a fundamental right under the 1999 Constitution;
- Regulating the processing, including the use, collection and transfer of personal data by organizations;
- Recognizing specific Data Subject rights, and providing redress mechanisms for breach scenarios;
- Institutionalizing enforcement process by establishing an independent data protection commission;
- Imposing compliance obligations on business entities engaged in the processing of personal information.
Underlying every regime of data protection is the recognition that information about individuals belongs to them as of right, and they should always exercise control over its use, particularly in an ever-evolving ubiquitous digital landscape.
WHICH AGENCY IS RESPONSIBLE FOR ENFORCING COMPLIANCE WITH THE NDPA?
The Nigerian Data Protection Commission (NDPC) is established as an independent body to enforce compliance with the Act. Enforcement of privacy protection prior to the enactment of the Act was under the supervision of the Nigeria Data Protection Bureau (“NDPB” or the “Bureau”). The operations of the Bureau have now been merged with and subsumed under the NDPC (“the Commission”).
WHAT IS THE EFFECT OF THE NDPA ON THE NDPR 2019?
The Act did not discard the previous regulation issued by the National Information Technology Development Agency (NITDA), the Nigeria Data Protection Regulation (NDPR). It instead recognized a co-existence between the NDPR and the NDPA, with the idea that each instrument will help fill legislative gaps where the other is silent on a particular matter. Hence, the Act, the NDPR, and other regulations and/or circulars issued by NITDA or the NDPB all remain applicable to data protection in Nigeria.
WHAT ARE THE POWERS OF THE NIGERIAN DATA PROTECTION COMMISSION?
The Commission is given wide investigatory and enforcement powers under the Act, in addition to enjoying independent status as a data protection regulatory body. This independent status brings the operations of the Commission in line with international best practice as obtains in jurisdictions with strong data protection legislation such as the UK, the EU, and Canada. The enforcement powers of the Commission under the Act include rule-making powers to make regulations and issue directives that give proper effect to the provisions of the Act. The Commission is equally given statutory power to hear complaints from Data Subjects, investigate the data processing activities of organizations, conduct hearings on data protection issues under the Act, register Data Protection Compliance Organisations, and, in deserving cases, impose sanctions and/or penalties for breach of the Act.
WHAT ARE THE CRITERIA USED IN DEFINING PERSONAL DATA AND DATA PROCESSING UNDER THE ACT?
The Act defines personal data as information relating to an individual which can be used directly or indirectly to identify the person or used in combination with other information to identify a person. This definition represents the standard definition for personal data in many jurisdictions across the world. The definition extends to pseudonymized information (i.e., data that can no longer be attributed to a specific individual without the use of additional information), an identification number, location data, online identifiers such as IP addresses and cookies, as well as physical, physiological, genetic, psychological, cultural, social, or economic information about an individual. The salient factor is that the information/data uniquely identifies a person.
Data Processing, on the other hand, means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction, and does not include the mere transit of data originating outside Nigeria. Carrying out any one of the foregoing activities is enough to trigger the obligations imposed by the Act.
IS THERE PROCESSING OF PERSONAL DATA THAT IS EXEMPTED FROM THE AMBIT OF THE ACT?
The Act exempts the processing of personal data under certain circumstances from its ambit. The exempted processing activities are the following:
- Processing of personal data for personal or household use. E.g. sharing images about another person on social media. The processing must be under circumstances that do not constitute a violation of the privacy rights of others.
- Processing by a government agency for national security or law enforcement purpose.
- Processing for artistic and journalistic purposes, or news reporting.
- Processing to preserve public health. E.g. publication of contact tracing information during the COVID-19 pandemic to contain the spread of the virus.
WHAT ORGANIZATIONS HAVE AN OBLIGATION TO COMPLY WITH THE ACT?
The Act adopts the EU standard of applying its provisions to all processing activities of organizations on the basis of their domicile in Nigeria. Thus, any Nigerian entity engaged in data processing as defined above must comply with the Act regardless of where the Data Subject is located in the world. It is immaterial for the application of the Act whether the information is processed digitally or manually. Thus, the Act applies to all organizations that deal with personal information regardless of their digital or physical presence.
Entities that routinely engage in data processing activities within the scope of the Act include e-commerce platforms, hospitals, hotels, social media platforms, online businesses, financial institutions, insurance businesses, real estate companies, estate agents, law firms, and many government institutions not exempted from the Act.
The Act equally adopts the Accountability Principle, which is common to many data protection laws across the world. The Accountability Principle imposes an active duty on organizations to ensure compliance with the provisions of the Act.
ARE THERE TERRITORIAL LIMITATIONS TO THE OPERATIONS OF THE ACT?
The Act has extra-territorial scope, as it applies to the processing of personal data of persons resident in Nigeria by any commercial entity regardless of where in the world the processing activity takes place. The crucial element for the extra-territorial scope of the Act is that the processing relates to the personal data of a Data Subject resident in Nigeria.
Thus, multi-national digital, social media, and web-based platforms such as Facebook, Amazon, Spotify, Google, and Twitter with their base of operations abroad are under obligation to comply with the Act in processing the personal data of their subscribers or users who are resident in Nigeria.
WHAT IS THE LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION?
The Act adopts the lawful bases for processing common to many data protection laws in developed countries. These are:
- Consent of the data subject which is specific to the particular processing operations, and the consent must not have been withdrawn by the Data Subject;
- Contractual necessity where the processing activity is necessary to the performance of a contract between the Data subject and the Data Controller;
- Compliance with a legal obligation owed by a Data subject or the Data controller;
- Protection of the Vital Interest of the Data Subject especially under circumstances where the data subject is unable to give consent;
- Performance of a Public duty by a statutory body;
- Protection of the legitimate interest of the Data Controller subject to the limitation that the legitimate interest pursued by the data controller must not override the Fundamental rights of the data subject.
It is instructive to point out that any dealing with personal information by a data processor that cannot be accommodated within these six lawful bases is prohibited and unlawful under the Act.
ARE THERE RESTRICTIONS ON THE TRANSFER OF PERSONAL DATA ABROAD FOR PROCESSING?
The Act does not prohibit the transfer of personal data to a foreign country for processing. The primary obligation in respect of the transfer of data abroad is to ensure that the transfer is done under circumstances that provide and guarantee an adequate level of protection commensurate with those under the Act to the Data Subject.
Primarily the Commission has published a Whitelist of countries whose legal systems presumptively provide an adequate level of data protection commensurate with the standards of the Data Protection Act.
Concerning countries not included in the Whitelist published by the Commission, the following safeguard measures can be adopted to protect the rights of the Data subject whose personal data is transferred:
- Contractual clauses which incorporate the protection under the Act;
- Certification mechanisms that grant an adequate level of protection under the Act;
- Binding corporate rules for companies forming part of the same undertaking or group;
- Adherence to a code of conduct/practice which has been approved by the Commission.
An important element for the transfer of personal data abroad for processing purposes is that it must be accommodated within the six (6) lawful bases provided above in all cases, with the most important element being consent of the individual.
ARE THERE DESIGNATED STAKEHOLDERS UNDER THE ACT?
- The Data Subject – This is the most important person for whose benefit the Data Protection Act was enacted. Organizations processing personal information are at all times mandated to protect the rights of data subjects recognized under the Act.
- The Data Controller – This is the entity that decides on the purpose and means of data processing. The data controller could be an individual, a corporate entity, or a government institution. The Data Controller holds the primary duty of accountability under the Act.
- The Data Processor – This is the entity that processes personal data on behalf of or at the direction of the data controller. Credit scoring agencies and organizations providing cloud services are examples of organizations that readily qualify as data processors. The data processor just like the data controller may be an individual, a corporate entity, or a statutory body.
- Data Protection Officers (DPOs) – Prior to the enactment of the Data Protection Act, every organization that processed personal data was obligated to appoint a DPO or engage a separate entity to render DPO services on its behalf. Under the Act, the data controller, the data processor, or a representative acting on their behalf is obligated to appoint a DPO for the purpose of ensuring compliance with the Act.
- Data Protection Compliance Organisations (DPCOs) – DPCOs are independent entities that will now be licensed by the Data Protection Commission to provide data protection compliance, audit, and consulting services to business entities. The operations of DPCOs under the Act have now been brought under the direct control of the Data Protection Commission.
- The Nigerian Data Protection Commission (NDPC) – The Commission is the primary enforcement agency responsible for the implementation and enforcement of the Data Protection Act.
WHAT RIGHTS DO DATA SUBJECTS HAVE UNDER THE ACT?
The Act recognizes data protection rights common to international best practices. These rights include:
- The right to access information about the personal data being processed by a data controller;
- The right to rectification of information found to be inaccurate;
- The right to be forgotten which requires the data controller to delete data no longer required for processing;
- The right to restrict processing;
- The right to data portability which requires the transfer of personal data to a data controller chosen by the Data Subject;
- The right to object to processing in appropriate cases.
WHAT ARE THE PENALTIES FOR BREACH OF THE ACT?
The Act imposes different penalties depending on the nature of the breach. The penalties are determined by the nature of the offense and the status of the offender. Generally, a monetary fine not exceeding N10 million is imposed in the case of an individual offender. The fine is increased to a threshold of N10 million to N50 million in the case of a corporate entity. The amount of the monetary fine is determined by the level of culpability of the offender.
The Act also allows the Data Protection Commission to impose non-monetary penalties, in appropriate cases, such as the suspension of a data processing operation or process.
Finally, the Act allows a Data Subject whose rights have been violated to approach the Federal High Court to seek appropriate legal redress.