Nigeria: Your Rights And Obligations Under The Nigeria Data Protection Act, 2023

INTRODUCTION

On 12^th June 2023, the President of the Federal Republic of Nigeria signed the Nigeria Data Protection Act, 2023 ("the Act" or the "NDPA") (previously the Nigeria Data Protection Bill, 2023) into law. The Act provides the much-awaited legal framework for the protection of personal information. One of the principal objectives of the Act is to safeguard the fundamental rights and freedoms of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999. The overall legislative intendment and goal of the Act are to ensure that personal data is processed in a fair, lawful and accountable manner that protects data subjects' rights, and provides means of recourse and remedies, in the event of the breach of the data subject's rights. Also, the Act seeks to strengthen the legal foundations of the nation's digital economy through the beneficial and trusted use of personal data.

The provisions of the Act are superior to the provisions of any other law or enactment, in so far as they relate directly or indirectly to the processing of personal data.

The Act provides detailed transitioning and saving provisions for the previous "data protection regime" under the Nigeria Data Protection Regulation (NDPR) 2019 and NDPR Implementation Framework 2020. The Nigeria Data Protection Bureau ("the Bureau") will essentially be transitioned into the Nigeria Data Protection Commission (the "Commission") which is established under the Act. All documents issued in the name of the Bureau are deemed under the Act to have been issued by the Commission. Officers and employees of the Bureau are deemed to be officers of the Commission. Also, all orders, rules, regulations, decisions, directions, licences, authorisations, certificates, consents, approvals, declarations, permits, registrations, rates or other documents issued by the Bureau and the National Information Technology Development Agency will remain valid and effective as if they were made or issued by the Commission.

Furthermore, the Act draws a distinction between "ordinary" Data controllers or data processors, and Data controllers or data processors "of major importance". The latter are subjected to a stricter regulatory regime under the Act and are required to register with the Commission within six months after the commencement of the Act or on attaining the status of a data controller or data processor "of major importance" (unless they are within the class or organizations exempted from registration by the Commission). The Act empowers the Commission to specify the category of data controller or data processor that may be regarded as data controller or data processor "of major importance". Such organisations are now required to pay fees as may be prescribed by the Commission.

In this article, we have identified the key provisions of the NDPA and discussed some of the changes introduced under the Act, as well as the impact of such changes on businesses and other relevant organisations.

NOTABLE PROVISIONS:

Establishment of the Nigeria Data Protection Commission

The Act establishes the Nigeria Data Protection Commission ("the Commission"). The Commission is  responsible for the regulation of the processing of personal information. The mandate of the Commission  includes fostering the development of personal data protection technologies in accordance with recognised  international best practices, promoting awareness on the obligation of data controllers and data processors, in addition to safeguarding the rights of data subjects.

Under the Act, the Commission has the powers to perform general oversight and regulatory functions  including prescribing fees payable by data controllers and data processors, issuing regulations1 , rules,  directives and guidelines, prescribing the manner and frequency of periodic filings, conducting investigations and imposing penalties in respect of any violation of the provisions of the Act. The  Commission holds the delegated authority to make regulations for carrying out its objectives and  responsibilities under this Act. The authority of the Commission in this regard is extensive and includes  powers to make regulations creating an offence or imposing a penalty that is not more than the penalty  stipulated in the Act.

The Act also provides for the setting up of a Governing Council for the Commission ("the Council"), which  will comprise of a retired judge of Nigeria, the National Commissioner (as defined in the Act), a  representative of the Federal Ministry responsible for Justice, the Federal Ministry responsible for  communications and digital economy, the Central Bank of Nigeria, law enforcement agency and the private  sector. For the purpose of funding the administration and activities of the Commission, a Fund will be  established. The Commission and its principal officers are accorded the protection provided under the  Public Officers Protection Cap. P41, LFN, 2004.

To access the complete article, please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.