The year 2023, was significant in the Nigeria data privacy and protection landscape. In this bulletin, we have summarized the most notable events for 2023 and highlighted important data privacy and protection activities expected to dominate the headlines in Nigeria in 2024.
YEAR 2023
1. ENACTMENT OF THE NIGERIA DATA PROTECTION ACT 2023
The Nigeria Data Protection Act (NDPA) 2023, was enacted into law on June 12, 2023. Prior to the enactment of the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation (NDPR) 2019, a subsidiary law that established the basic structure for data privacy and protection, governed the regulatory environment.
2. ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSION
The Nigeria Data Protection Commission (NDPC) was established by the NDPA 2023 and is authorized to carry out general regulatory and supervisory activities. The NDPA transitioned the Nigeria Data Protection Bureau (NDPB) established in 2022, into the Nigeria Data Protection Commission. The NDPA preserved all licensing activities, fines issued, operations, etc. of the Nigerian Data Protection Bureau.
3. ISSUANCE OF FINES AND INVESTIGATION OF DEFAULTING ORGANIZATIONS
The Nigeria Data Protection Commission investigated and issued fines to several organizations for violating various data privacy and protection laws in 2023. The commission fined several banks and institutions and investigated over nine (9) major institutions, as well as over one hundred (100) other private sector institutions for various degrees of data privacy breaches. The fines paid by defaulting organizations totaled over two hundred million (200,000,000) naira.
4. FEDERAL HIGH COURT ORDERS REVIEW OF THE WHITELIST OF COUNTRIES WITH ADEQUATE DATA PROTECTION LAWS
The Federal High Court sitting at Abuja on 28th November 2023 delivered a judgment in Suit No: FHC/ABJ/CS/1246/2022 which was instituted by the Incorporated Trustees of Ikigai Innovation Initiative against the National Information Technology Development Agency (NITDA). The suit challenged among others, the Binding Corporate Rules (BCRs) and Standard Corporate Clauses (SCCs) introduced by the Nigeria Data Protection Implementation Framework (NDPIF) 2020; and also the validity of the Whitelist annexed to the NDPIF for non-compliance with the provisions of the NDPR 2019.
The NDPIF was issued by NITDA (the former regulatory authority of the NDPR 2019) in November 2020 to aid compliance with the NDPR 2019. Ikigai argued that several countries listed in the Whitelist did not have an adequate level of personal data protection in contravention of the requirements of the NDPR 2019.
The Court upheld all the claims of the Plaintiff and set aside the Binding Corporate Rules (BCRs) and Standard Corporate Clauses (SCCs) introduced by the NDPIF. The Court also set aside the whitelist annexed to the NDPIF, and ordered NITDA to comply with the requirements of the NDPR 2019 to ensure that only countries that have an adequate level of personal data protection are included in the Whitelist. However, the NDPC and no longer NITDA, is now the data protection regulatory authority, and BCR's and SCC's have now been introduced by the NDPA 2023.
5. NIGERIA DATA PROTECTION COMMISSION COMPLIANCE AUDIT RETURNS ( CARs) GUIDANCE NOTICE
In November 2023, the Nigeria Data Protection Commission published a Guidance Notice ("Notice") providing clarifications to data controllers and data processors regarding the filing of data protection COMPLIANCE AUDIT RETURNS ("CARs") for the 2022 and 2023 cycle.
6. EXTENSION OF TIME TO FILE DATA PROTECTION COMPLIANCE AUDIT RETURNS
The Nigeria Data Protection Commission (NDPC) initially extended the deadline for data controllers and processors to file their annual data protection compliance audit returns for the 2022 period from March 15, 2023 to June 30, 2023, and further to September 30, 2023. The NDPC finally extended this deadline to December 31, 2023, through the CARs Guidance Notice. By the above, data controllers and processors who are yet to file the annual returns for the 2022 cycle can still do so upon payment of a penalty in the sum of 50% of the filing fees.
7. INTRODUCTION OF COMPLIANCE MEMORANDUMS
By virtue of the CARs Guidance Notice, a data controller or data processor via a Memorandum may outline a time bound intention to regularize its data processing activities in line with the NDPA. This memorandum is to be signed by the DPO and sent to the NDPC as part of its CARs no later than 31st March 2024. It is important to note however that the statutory deadline for filing of CARs for the 2023 cycle is 15th March 2024, and the deadline for filing of the Memorandum is not an automatic extension of the CARS filing deadline.
8. NDPC PUBLISHES THE NIGERIA DATA PROTECTION STRATEGIC ROADMAP AND ACTION PLAN (NDP-SRAP) 2023-2027
In a post made on its official X (former Twitter) handle, the Nigeria Data Protection Commission announced it had published its Nigeria Data Protection Strategic Roadmap and Action Plan (NDP-SRAP) 2023–2027 following more than 18 months of discussions and debates led by the Strategic Roadmap and Action Plan (SRAP) Committee, which was established on March 30, 2022. The SRAP Committee engaged with experts within and outside Nigeria.
The NDP-SRAP is a set of measures designed by the NDPC to promote the growth and consolidation of a sustainable and trustworthy Data Protection and Privacy (DPP) ecosystem in Nigeria. The NDP-SRAP is anchored on 5 pillars: Governance, Ecosystem and Technology, Human Capital Development, Cooperation and Collaboration, and Funding and Sustainability.
The roadmap, if successfully implemented, is expected to create a favorable environment that enables the secure, dependable, trustworthy and effective use of personal data for developing reliable systems and procedures to drive innovation. Such environment would empower individuals and businesses to support data protection compliance across industries, facilitating the trustworthy usage of personal data through robust security policies, dependable data handling protocols, and effective safeguards anchored on thoughtful education and ethical data practices.
YEAR 2024
1. COMMENCEMENT OF FILING OF COMPLIANCE AUDIT RETURNS FOR THE 2023 CYCLE
From January 1, 2024, the filing of annual data protection compliance audit returns (CARs) for the 2023 cycle shall commence. Filing of CARs is a legal requirement provided by the NDPR 2019 and the NDPIF 2020, and is preserved by the NDPA, 2023. All data controllers and processors that have processed a) the personal data of 1000 data subjects within the last 6 months, or b) the personal data of 2000 data subjects within the last 12 months, are mandated to prepare and file their annual CARs with the Nigeria Data Protection Commission before March 15, 2024. CARs are prepared and filed through licensed Data Protection Compliance Organizations (DPCOs).
2. ISSUANCE OF THE NIGERIA DATA PROTECTION ACT GENERAL APPLICATION AND IMPLEMENTATION DIRECTIVE (NDPA GAID)
The Nigeria Data Protection Commission is expected to issue the Nigeria Data Protection Act General Application and Implementation Directive (NDPA GAID) within the 1st Quarter of 2024. This information was made available in the NDPC CARs Guidance Notice highlighted above. The NDPA GAID is expected to provide guidance on the obligations of data controllers and processors amongst others, for the proper implementation of the NDPA 2023.
3. ARTIFICIAL INTELLIGENCE (AI) AND EMERGING TECHNOLOGIES REGULATION
With the increased deployment of artificial intelligence systems and emerging technologies that process personal data in Nigeria, it is expected that the Nigeria Data Protection Commission will place business entities and organizations that deploy these technologies under increased scrutiny and searchlight, to monitor and ensure compliance with applicable data privacy and protection laws and regulations while processing personal data.
4. ENFORCEMENT OF THE NIGERIA DATA PROTECTION ACT 2023.
The Nigeria Data Protection Commission is expected to intensify its oversight and enforcement activities. As such, it is predicted that there will be a greater scrutiny of the data privacy practices of individuals and organizations that function as data controllers and processors by the NDPC, which may see an increase in enforcement orders, sanctions and fines handed out to defaulting entities. This is especially in view of the expected NDPA GAID and the recent NDPCSRAP publication.
5. NDPC INDUCTION TRAINING FOR DESIGNATED DPO'S
The Nigeria Data Protection Commission is expected to organize an induction training in January 2024. All designated Data Protection Officers (DPO's) are required by the earlier highlighted Guidance Notice to participate in the training. The training will focus on data subjects' rights and compliance obligations of data controllers and data processors under the NDPA 2023 and its General Application and Implementation Directive.
CONCLUSION
The year 2023 represents a watershed moment for data privacy and protection in Nigeria. With the impending release of the Nigeria Data Protection Act General Application and Implementation Directive (NDPA GAID). The year 2024 is projected to be a beehive of activities as the Nigeria Data Protection Commission seeks to ramp up enforcement activities concerning data privacy and protection compliance. This will likely be in the form of nationwide awareness campaigns, as well as investigations, sanctions, enforcement orders, and fines against defaulting individuals, and organizations.
As data privacy and protection evolves as an obligation for individuals and business entities in Nigeria and beyond, ALF will remain at the forefront of industry developments, providing updates, insightful analysis, and the legal expertise to aid the navigation of the complexities of the industry and ensure adequate compliance in its dynamic environment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
