Introduction

In an era where information is the new currency, the evolution of data protection has become a paramount narrative shaping the landscape of our digital world.

Rapid technological advancement and the exponential growth in data dependency among companies in the financial services, healthcare and technology sectors worldwide have prompted stakeholders, notably customers and regulators, to call on data-driven companies to take a more proactive and systematic approach to data governance, cybersecurity and information technology architecture, so as to ensure the adequate protection and security of the data in their possession. The year 2023 also saw significant developments in the data protection space in Africa and Nigeria: the African Union Convention on Cyber Security and Personal Data Protection was ratified and came into force, and the Nigeria Data Protection Act ("NDPA") was passed into law in June 2023.

In commemorating the 2024 International Data Privacy Day, this newsletter offers a summary of recent updates on data protection and privacy in Nigeria and a few chosen jurisdictions.

Part A 

Highlights of Key Data Privacy Updates in Nigeria

1. Enactment of the Nigeria Data Protection Act 2023

On June 12, 2023, President Bola Ahmed Tinubu, GCFR, signed the Nigeria Data Protection Act ("NDPA" or "Act"), 2023 into law. The Act creates a legal framework for safeguarding personal data and establishes the Nigeria Data Protection Commission ("NDPC" or "Commission") to regulate the processing of personal data.

Notably, Section 64 of the NDPA contains a transitional framework under which all regulations, licences or orders issued by the defunct Nigeria Data Protection Bureau (NDPB) and the National Information Technology Development Agency (NITDA) remain in force until they are repealed, replaced, reassembled or altered. As a result, the Nigeria Data Protection Regulation (NDPR), 2019, which until the Act was the principal data protection instrument in Nigeria, remains in effect alongside the NDPA.

Significant changes introduced by the NDPA that impact data controllers and processors include:

  1. Territorial Scope

    The NDPA has removed the NDPR's references to the data subject's nationality and instead applies to:
    • controllers and processors domiciled, resident or operating in Nigeria;
    • processing operations taking place in Nigeria; or
    • processing of the personal data of data subjects located in Nigeria by a controller or processor that is not domiciled or resident in, and does not operate in, Nigeria.

  2. Legal bases for processing

    The NDPA introduces a sixth lawful basis, "legitimate interest", for the processing of personal data in Nigeria. Like its counterparts, the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR), the NDPA introduces a "balancing test": a "data controller or data processor, or ... a third party to whom the data is disclosed" seeking to rely on legitimate interest must ensure that the pursuit of that legitimate interest does not override the fundamental rights and freedoms of the data subject.

    In addition, for reliance on legitimate interest to be lawful, the legitimate interest must not be incompatible with the other lawful bases, and the data subject must have a reasonable expectation that the personal data would be processed in the manner envisaged.

  3. Additional Requirement for Data Protection Impact Assessment

    In addition to the requirement to conduct a DPIA, the Act requires data controllers to consult the NDPC before proceeding where a DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

  4. Reporting Data Breaches

    Where a data controller suffers a personal data breach, its reporting obligations depend on the assessed impact of the breach. Under the NDPR, data controllers were obliged to report all personal data breaches to the data protection authority. The NDPA has moved away from this position.

    The NDPA now requires data controllers to report a breach to the NDPC only where the breach is likely to result in a risk to the rights and freedoms of data subjects, and to do so within 72 hours of becoming aware of the breach.

    Under Section 40 (3) of the NDPA, where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must immediately communicate the breach to the affected data subject(s), including advice on measures the data subject(s) could take to mitigate effectively the possible adverse effects of the breach. Data controllers are therefore expected to carry out a detailed assessment, under the supervision of the Data Protection Officer (DPO) or privacy team, to establish the extent of the breach and the level of risk it poses, and from that to determine the appropriate remedial actions, including whether the breach must be reported to the NDPC within the 72-hour window and whether data subjects must be notified.

  5. Processing of Sensitive Personal Data under the NDPA

    To further safeguard the processing of sensitive personal data such as health, genetic and biometric data, Section 30 of the NDPA codifies specific grounds on which data controllers or data processors (including sub-processors) may process sensitive personal data. These include:

    • where the data subject has given and not withdrawn consent for the processing activity;
    • where the processing is necessary for reasons of substantial public interest on the basis of a law or where the processing is necessary for public health;
    • where the processing is necessary for the performance of the data controller's obligations or the existing rights of the data subject under employment or social security laws or any other similar laws;
    • where the processing is carried out by a non-profit organisation with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes in the course of its legitimate activities;
    • where the processing is necessary to protect the vital interests of the data subject or another person; and 
    • where the processing is carried out for purposes of medical care or community welfare and undertaken by or under the responsibility of a professional owing a duty of confidentiality.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.