On the 12th of June 2023, the President of the Federal Republic of Nigeria, Bola Ahmed Tinubu, GCFR, signed the "Nigeria Data Protection Act" (NDPA), into law. The Act is Nigeria's maiden legislation on Data Protection and was heralded by the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Regulation Implementation Framework 2020. The new act provides a legal framework for the protection of personal information, and the regulation of the processing of personal information. The Act applies to both automated and manual processing of personal data. To aid the understanding of the act, we have explained key provisions and also highlighted some changes introduced by the Act below.

Establishment of the Nigeria Data Protection Commission and a Governing Council.

Section 4 of the NDPA establishes a Nigeria Data Protection Commission (NDPC) which shall be an independent body in the performance of its functions1. The Commission which shall be a body corporate, shall have its headquarters in the Federal Capital Territory2. The functions of the commission as stipulated by the Act extend to all activities geared towards the effective protection of personal data, essentially, the commission will regulate both the activities of data subjects, data processors and data controllers as empowered by the Act. The Governing Council of the NDPC shall be headed by a Chairman and the Council is charged with the responsibility of piloting the affairs of the Commission, policy formulation for the commission, and delivering the objectives for which the commission has been established.3

Principles of Personal Data Processing.

The Act encapsulates the basic principles of data processing and charges data processors to process data in ways that ensure fairness, lawfulness, and transparency. Data processors are also charged to collect data for a specific explicit and legitimate purpose and only process the data for such purpose. The Act also specifies the basis for the retention, storage, and protection of personal data as follows. 4

  1. Lawful Basis of personal data processing.

Section 25 of NDPA outlines the metrics by which the lawfulness of data processing can be measured. They include; the performance of a contract, compliance with a legal obligation, protection of the interest of a data subject or another person, performance of a task in the public interest, or exercise of official authority vested in the data controller or processor. In the same vein, the act outlaws all forms of data processing that override the fundamental rights and freedoms of data subjects. The act also declares as unlawful, the processing of data in a manner that the data subject did not envisage at the time of collection of data. Perhaps most importantly, the essence of consent is provided for, and the burden of proof is vested on the data controller who asserts that a data subject consented to the processing of his personal data.

  1. Obligations of Data Controllers and Data Processors.

Data Controllers are vested with the duty to provide data subjects with information regarding the identity of the data controller, place of business, and means of communication with the data controller and its representatives (where necessary), the recipients or categories of recipients of the personal data, the rights that accrue to the data subjects, period of retention of the data collected, right to lodge a complaint with the NDPC, and the existence of automated decisions making (and other consequences related)5

  1. Registration of Data Controllers and Data Processors of Major Importance.

The Act distinguishes between "ordinary" Data controllers or data processors, and Data controllers or data processors "of major importance". Data Controllers and Data Processors of major importance are required to register with the NDPC within six months of the commencement of the Act, or six months after becoming a data processor or controller of major importance.6

By the Act, a "data controller" is an individual, a private entity, a public Commission, an agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data. While a "data processor" is also defined as an individual, private entity, public authority, or any other body, that processes personal data on behalf of or at the direction of a data controller or another data processor.

The NDPC has the power to remove from the register the names of any data processor or data controller who notifies it that it has ceased to operate as a data processor or controller. The NDPC shall also prescribe the fees and levies to be paid by the data processors and controllers.

  1. Requirement of Data Privacy Impact Assessment.

The Act makes it mandatory for data controllers to carry out a Data Privacy Impact Assessment where the nature, scope, context, or purpose of processing personal data, is likely to result in high risk for the data subjects. The Act also stipulates the items to be contained in such Data Privacy Impact Assessments. The NDPC is empowered to make such guidelines or directives regarding the Data Privacy Impact Assessments. 7

  1. Processing of Data of Children and Persons Legally Unable to give Consent.

The Act enjoins the data controllers to obtain the consent of the parent or legal guardian of a child or person lacking the legal capacity to consent to data processing. To this end, data controllers must apply appropriate mechanisms to verify age and consent. The NDPA identifies the presentation of a government-approved identification as appropriate means of identification. However, the requirement of consent shall not apply in instances of processing for the protection of the vital interests of the child or such legally incapacitated person. Also, processing for medical, scientific or social care is exempted.8

  1. Appointment of Data Protection Officers for Data controllers of major importance.

All data controllers of major importance are mandated to designate a person as a Data Protection Officer. Such Data Protection Officer (DPO) must be knowledgeable in the field of data privacy and data protection. However, such a person must not be a member of the organization. The data controller may appoint a DPO engaged under a service contract. 9

  1. Requirement of Licensing for Data Protection Compliance Organizations.

Persons may be licensed to monitor, audit and report on compliance by data controllers and data processors with not only the NDPA but also rules and regulations made by the NDPC.10

  1. Security of Data

Data Processors are required to establish and implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of data, including protection against all forms of loss and misuse.11 Section 40 further requires the data processors to report personal data breaches to NDPC.

  1. Cross-Border Transfer of Data

Cross-border transfer of data is subject to two requirements.

  1. The data controller or processor must be subject to codes or rules that afford an adequate level of protection;
  2. Other bases12 which include; the data subject's unwithdrawn and informed consent, a necessity for the performance of a contract, the sole benefit of the data subject, public interest, establishment or execution of legal Defence, and the protection of vital interests of a data subject who is physically or legally incapable of giving consent.

For enforcement, the NDPC may receive a complaint from any aggrieved data subject, investigate such complaint, make representations to the data processor or controller on behalf of a data subject who is a complainant, issue appropriate compliance orders against a data processor or controller who has violated any requirement under this Act, make appropriate enforcement orders or impose appropriate sanctions.

The penalty fees prescribed by the Act are divided into two categories; a standard maximum amount (N2, 000, 000 or 2% of gross revenue in the preceding financial year) for data processors and controllers who are not of major importance.

The second category for the data processors and controllers of major importance imposes a penalty of the higher maximum amount (N10, 000, 000 or 2% of its annual gross revenue in the preceding year). The Commission may also issue appropriate compliance and enforcement orders. The orders of the Commission are subject to judicial review within 30 days after they are made. This does not preclude the right of data subjects to recover damages from data processors and controllers, by instituting civil proceedings. Data Controllers and Processors will also be held vicariously liable for the acts or omissions of its agents or employees about its business. 13

CONCLUSION.

The NDPA is a long-anticipated step in the right direction as far as data privacy and protection in Nigeria is concerned. The spirit and intendment of the legislation are to be realized in the various sections for which the Commission is empowered to make regulations, for instance, the prescription of types of personal data and processing exempt from the application of this act14. Thankfully, the recent regulations enacted and published by the Commission, have come to enable the smooth operation of the welcome developments in the Act.

Footnotes

1. Section 7 NDPA

2. Section 4(3) NDPA

3. Section 12(1) NDPA

4. Section 24 NDPA

5. Section 29 NDPA

6. Section 44 NDPA

7. Section 28 NDPA

8. Section 31 NDPA

9. Section 32 NDPA

10. Section 33 NDPA

11. Section 39 NDPA

12. Section 43 NDPA

13. Sections 46-53 NDPA

14. Section 3(3)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.