On June 12, 2023, President Bola Ahmed Tinubu signed the Nigeria Data Protection Act, 2023 into law. This landmark legislation marks a significant step forward in establishing a comprehensive framework for protecting the personal information of individuals residing or doing business in Nigeria.

Background

Before the Act, efforts to protect personal data in Nigeria were primarily driven by subsidiary legislation, such as the Nigeria Data Protection Regulation 2019 issued by the National Information Technology Development Agency (NITDA). However, as a secondary source of law, it lacked the robustness and legal weight needed to reassure foreign investors and partners increasingly concerned about data security.

Importance of the Data Protection Act

In today’s digital age, where vast amounts of data are generated, stored, and processed online, privacy and data protection have become paramount. Recognizing this, the Nigeria Data Protection Bureau (NDPB), in collaboration with the International Development Association and the Nigeria Digital Identification for Development Project (NID4D), sponsored the bill that resulted in the Data Protection Act.

Key Provisions of the Act

Objectives

The Data Protection Act aims to:

  • Protect data subjects by ensuring fair, lawful, and accountable processing of personal data.
  • Promote secure data processing practices.
  • Provide a legal framework for regulating and safeguarding personal data.
  • Ensure data controllers and processors fulfill their obligations.
  • Safeguard the fundamental rights, freedom, and interests of data subjects.
  • Strengthen Nigeria’s digital economy and its participation in regional and global economies through the trusted use of personal data.

Definitions

  • Data Processor: An entity that processes personal data on behalf of a data controller.
  • Data Controller: An entity that determines the purposes and means of processing personal data.

Scope and Priority

The Act applies to both automated and non-automated data processing, focusing on entities domiciled, resident, or operating in Nigeria, as well as those processing personal data of Nigerian residents. It does not cover personal or household data processing unless it violates a data subject’s privacy rights. The Act takes precedence over other laws related to personal data processing in Nigeria.

Governing Framework

Personal and Sensitive Data

The Act prohibits unlawful processing of personal and sensitive data. Personal data includes information that can identify an individual, while sensitive data encompasses genetic, biometric, racial, religious, health, sexual, political, and trade union information.

Basic Principles

Data controllers and processors must ensure:

  • Fair, lawful, and transparent processing.
  • Data collection for specified, legitimate purposes.
  • Accuracy and relevance of data.
  • Data security and protection against unauthorized processing, loss, or breaches.

Data Security

Data controllers and processors are obligated to implement technical and organizational measures to protect personal data, including pseudonymization, encryption, and regular risk assessments.

Cross-Border Data Transfer

The Act restricts the transfer of personal data outside Nigeria unless the recipient country ensures an adequate level of protection. This includes enforceable data subject rights, effective data protection laws, and the presence of competent supervisory authorities.

Compliance and Penalties

Data controllers and processors must comply with the Act and related regulations. Non-compliance can result in fines up to ten million naira (N10m) or 2% of annual gross revenue, and potentially imprisonment. The Act also allows for civil damages claims by affected data subjects.

Implementation and Transition

Existing data protection regulations and administrative actions will transition to align with the new Act. The Nigeria Data Protection Commission will oversee the implementation and ensure compliance.

Conclusion

The Nigeria Data Protection Act is a crucial development as Nigeria moves towards a digital economy. By providing a clear legal framework, the Act enhances business confidence, attracts foreign investment, and protects the privacy rights of Nigerian citizens and residents.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts