AUTHOR: FORTUNE I. UGWUMBA (Associate, Starlion Legal)

BACKGROUND OF DATA PROTECTION IN NIGERIA
In the ever-evolving landscape of cutting-edge technologies like Artificial Intelligence, Machine Learning, and other ground-breaking innovations worldwide, governments are taking decisive action to safeguard the privacy and sensitive data of their citizens and businesses. By enacting comprehensive Privacy and Data Protection laws, they aim to shield against risks such as data exposure, leaks, and breaches.
Even African nations like Nigeria have been proactive in this regard. In 2019, Nigeria introduced the Nigerian Data Protection Regulation (NDPR) under the administration of the Nigerian Information Technology Development Agency (NITDA). Building upon that foundation, the Nigerian Data Protection Bureau (NDPB) took charge and, most recently, the newly inaugurated President of Nigeria signed the Nigerian Data Protection Act, 2022 into law. This momentous development marks the transition from the Nigerian Data Protection Regulation, 2019, to a new era governed by the law.
Now that you are up to date, let’s delve into the exciting aspects of this new legislation and how it will impact Nigerian citizens, companies, and corporations.
IMPACT ON CITIZENS
The theoretical idea behind privacy and data protection hinges on the concept of control. This means that a citizen (data subject) should have absolute control over the collection, processing, and use of their personally identifiable and non-identifiable information.
However, prior to 2019, the processing of personal data by data controllers (DC) and data processors (DP) was done in an unchecked and unregulated manner. The absolute consent of the data subject was not duly sought and obtained before processing. In fact, there was no detailed lawful basis for processing, except in the instance of government use for national security and public order purposes.
In 2019, the NDPR attempted to address this deficit, but it suffered from inadequacies. The new Act has now reinstated control to the data subject. Section 26 of the Act places great importance on obtaining the consent of a data subject, clarifying that silence cannot be considered as consent to process data.
Moreover, the new Act empowers the data subject to request specific information before giving consent for their data to be processed[1]. This information includes:
- Details on the lawful basis for processing the data subject’s data.
- Who, other than the data controller, will receive the information of the data subject?
- What are the rights of the data subject?
- What is the retention period for the processed data?
- Will there be automated decision-making in the data processing?
- What is the process for lodging complaints, among others?
Another significant point worth mentioning is that the new Act enables data subjects to seek civil remedies through the courts if data controllers or other entities fail to comply with the provisions of the Act.[2]
The Act also provides adequate protection for children by mandating that the consent of parents or legal guardians must be sought and obtained before processing their data. Other rights of citizens (data subjects) are also outlined in Sections 34-38 of the Act.
TAKE HOME FOR COMPANIES – A COMPLIANCE COOK-A-THON
The new data protection Act in Nigeria introduces several important provisions that will significantly impact data processing organizations and their compliance with data protection regulations. Here are some key takeaways for companies:
Appointment of a Data Protection Officer (DPO): Organizations processing personal data of data subjects are required to appoint a compliance officer known as the Data Protection Officer. The DPO will be responsible for ensuring that data protection mechanisms and models are integrated into the organization’s day-to-day activities[3].
Mitigation of Data Breaches: In the event of a data breach, the Act prescribes specific actions that data processors should take to mitigate risks. This includes communicating with both the Nigerian Data Protection Commission and the affected data subjects, following guidelines on the content of such communication.[4]
Cross-Border Data Transfers: The Act establishes criteria for cross-border data transfers. Data transfer activities should be conducted to countries that have adequate data protection laws in place. In some cases, explicit consent from the data subject may be required before executing such transfers.
Registration with the Commission: Data processors or controllers of “major importance” are required to register with the Nigerian Data Protection Commission within six months of the Act’s commencement.
Data Privacy Impact Assessment (DPIA): Organizations must conduct a Data Privacy Impact Assessment before processing personal data that could potentially pose a high risk to the data subject’s freedom. The Act, however, does not explicitly define the categories of data that may result in high risk.[5]
Processing of Sensitive Data: The Act stipulates the legal basis for processing sensitive data. Such processing must adhere to the principles of lawful processing and comply with the legal basis provided in Section 30 of the Act.
For a comprehensive understanding of the obligations imposed on data controllers and processors, it is advisable to refer to Section 29 of the Act.
CONCLUSION
Overall, the new data protection Act in Nigeria aims to enhance compliance in data processing organizations, establish safeguards for data subjects, and provide a framework for protecting personal data in line with international best practices.
[1] See Section 27, Nigerian Data Protection Act, 2023
[2] See Section 52, Nigerian Data Protection Act, 2023
[3] Section 32, Nigerian Data Protection Act, 2023
[4] Section 40.
[5] Section 28.
