Nigeria Data Protection Act, 2023 (NDPA) Restrictions On Automated Data Processing And Artificial Intelligence

Data Protection

The principal Act that regulates and protects the processing of personal data is the Nigeria Data Protection Act 2023. This Act was enacted as a response to the global shift towards data protection and has moved Nigeria's tech industry a step further.

The Act applies to all sectors in Nigeria including the tech sector and its provision encompasses establishment of the Nigeria Data Protection Commission (NDPC), categories of personal data, rights of data subject, principles of processing personal data, breach of personal data, enforcement of data subject rights, cross-border data transfer and others.

Strict adherence with the provisions of the Act is important to avoid committing breach of personal and with provisions emphasizing the strict adherence to the principles of processing personal data which are:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy

Artificial Intelligence

Artificial Intelligence (AI) has witnessed a widespread global adoption, and Nigeria has shown increased interest in AI initiative. In Nigeria, there is currently no specific AI legislation in force, however, there are existing laws that apply to the adoption and use of AI in Nigeria.

They include:

• Data Protection Act, 2023 – which regulates the collection, processing, use and storage of personal data of individuals in Nigeria. Amongst others, the Act restricts the exclusive use of automated decision-making processes for processing personal data except with the consent of the data subject, or for the fulfilment of legal requirements or obligation, or where it is necessary for the performance of a contract involving the data subject.
• Copyright Act 2022 – this Act plays a crucial role in governing the use of AI, particularly in relation to intellectual property rights protection. While the Act protects original works, including literary, musical, and artistic works, audio visual, sound recordings, and broadcasts and attributes authorship and ownership to human creators, the Act does not explicitly address AI authorship, potentially leading to legal uncertainties. However, despite the limitation of the Act on AI authorship, the Act empowers the Nigerian Copyright Commission (NCC) to demand information and access any database relating to copyright, without warrant. In other words, the NCC can potentially demand that an AI deployer provides access to the underlying data used in training its model, to ascertain if it was developed using copyrighted information
• Cybercrime Act 2015 (as amended 2024) – criminalized the unlawful access to a computer system or network for fraudulent purposes and obtains classified information, industrial secret or data that are vital to National Security (section 6)

Nigeria Data Protection Act, 2023 – Section 37 Vs. Artificial Intelligence

Section 37 of the NDP Act restricts the exclusive use of automated decision-making processes for processing personal data that will have legal or similar impact on the data subject except with the consent of the data subject, or for the fulfilment of legal requirements or obligation, or where it is necessary for the performance of a contract involving the data subject

Considering the NDPA's restrictions on automated data processing, AI developers should ensure strict compliance to avoid data breach.

To achieve this, there is need to:

1. Understand the provision of the Act on automated processing

• Protection of data subject fundamental rights, freedoms and interests
• Except regarding the exceptions above, the data subject must have right to obtain human intervention or oversight, express data subject point of view and contest the decision. This must be ensured by the data controller

1. Set up organizational and technical measures for data processing

• Set up organizational or technical measures to implement the rights stated above
• Process data in accordance with the principles of data processing –
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Incorporate human intervention or oversight for final decisions. Decisions affecting legal rights, interests or obligation, such as, employment, should not be based solely on algorithms
• Implement tools to allow challenge or review of automated decisions
• Obtain valid consent for high impact AI
• Identify legal basis for processing, as in section 25 of NDPA, e.g. performance of contract, compliance with legal obligation, protection of data subject right etc.
• Implement Data Protection Impact Assessment for high-risk data processing such as surveillance, sensitive data – health information, religious belief, ethnic or racial origin, political affiliation, criminal history, genetic info (genotype, blood group).
• Anonymization of data

1. Documentation and Transparency
2. Maintain records for processing activities

Conclusion

The Nigerian economy and system of government are dynamic and evolving at a rapid rate. The government is also working extremely hard towards striking a balance between innovation and strict adherence to regulatory compliance.

Thus, it is sacrosanct that companies seeking to operate legally and successfully in Nigeria identify and stay compliant with the regulations applicable to their business to prevent avoidable violations.