1. Governing Texts
1.1. Legislation
The Nigeria Data Protection Act 2023 (the NDPA).
In June 2023, the NDPA was passed into law. It should be noted that a combined reading of Sections 63 and 64 of the NDPA means that the provisions of the Nigeria Data Protection Regulation 2019 (the NDPR) and the NDPA co-exist unless they conflict, in which case the provisions of the NDPA prevail.
Further, Sections 64(1) and 64(2) of the NDPA provide for a change of name from Bureau to Commission, and as such the Nigeria Data Protection Commission (NDPC or the Commission) inherited the officers, employees, members of staff, agreements, records, equipment, properties, legal claims and actions, as well as the regulations and certifications of the Nigeria Data Protection Bureau (NDPB) and the National Information Technology Development Agency (NITDA) that relate to data protection. Hence, the regulator for data privacy and protection in Nigeria is the NDPC.
In addition, the NDPA, under Section 25, introduced 'legitimate interest' as one of the legal bases for processing personal data, in addition to the four other existing legal bases under the NDPR, which are contractual obligation, legal obligation, vital interest, and public interest. There are, however, three provisos to the processing of personal data on the basis of a legitimate interest, which are:
- the fundamental rights and freedom of a data subject override such interest;
- the interest is incompatible with the other lawful bases mentioned above; or
- the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
What amounts to legitimate interest is not defined in the NDPA.
Another key highlight of the NDPA is the introduction of Data Controllers/Processors of Major Importance (DCMIs/DPMIs) as stated under Section 32. DCMIs/DPMIs are to designate a data protection officer who shall be saddled with an advisory role to the data controller, as well as be a contact point between the Commission and the Data Controller. It is mandatory, based on the provisions of Section 44 of the NDPA, for DCMIs/DPMIs to register with NDPC within six months of the coming into effect of the NDPA or of their appointment as DCMIs/DPMIs.
Prior to the enactment of the NDPA, there were regulations issued by various statutory agencies to address data protection, privacy, transfers, and related issues, which are outlined below.
The Nigerian Communications Act, 2003 (the NCA), established the Nigerian Communications Commission (NCC) as the telecommunications industry regulator and empowered the NCC to create and publish regulations and guidelines for the regulation and administration of the telecommunications industry in Nigeria. The NCC has issued the following data transfer-related regulations:
- Consumer Code of Practice Regulations 2024 (the Consumer Code) - this has repealed the Consumer Code of Practice Regulation 2007;
- Registration of Telephone Subscribers Regulations 2011 (the RTSR);
- Guidelines on the Provision of Internet Service, which require compliance by all Internet Service Providers with the provisions of the Consumer Code;
- Internet Code of Practice (November 2019), which also requires compliance with the provisions of the Consumer Code.
The National Information Technology Development Agency Act 2007 established NITDA with the mandate to develop IT in Nigeria through regulatory policies, guidelines, standards, and incentives. The Draft National Cloud Computing Policy 2019 (the Draft Cloud Policy) is aimed at driving greater uptake of cloud services in the public sector. The Draft Cloud Policy was published by NITDA and is intended as a guide to help the public sector and small and medium-sized enterprises (SMEs) manage cloud adoption and ensure they get a fair deal from cloud service providers. The Nigeria Cloud Computing Policy provides an efficient way of acquiring and deploying computing resources for better and improved quality of digital services.
The National Health Act 2014 (NHA) regulates the information that can be disclosed on the health of a sick person and provides that all information concerning a user, including information relating to his or her health status, treatment, or stay in a health establishment, is confidential. However, the NHA provides for an exception where non-disclosure of the information represents a serious threat to public health.
The Constitution of the Federal Republic of Nigeria 1999, as amended (the Constitution), by virtue of Section 37, protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations, and telegraphic communication. Data privacy and protection are thus extensions of a citizen's constitutional right to privacy.
The Central Bank of Nigeria (CBN) Consumer Protection Regulation (CPR) is a subsidiary legislation made pursuant to the Central Bank of Nigeria Act 2007 (as amended) (CBN Act) and the Banks and Other Financial Institutions Act 2007 (BOFIA), and aims at engendering public confidence in the financial system. The provisions of Section 5.4 of the CPR are to the effect that consumer information must be protected from unauthorized access and disclosure. Hence, before disclosure to a third party or use of data for promotional services, financial services institutions are required to obtain written consent from customers.
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (CPPA) is a framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria. It imposes an obligation on mobile networks, computers, and communications service providers to store and retain subscriber information for a period of time, to give priority to an individual's right to privacy as enshrined in the Constitution, and to take steps towards safeguarding the confidentiality of the data processed. The CPPA has, however, been modified by the Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024 (the CPPA Amendment Act). One of the key amendments of the CPPA Amendment Act is the change of the timeframe for reporting cyber breach incidents from seven days to 72 hours after detection. This 72-hour notice is in line with the NDPA data breach notification requirement.
The Freedom of Information Act 2011 (FOIA) is aimed at making public records and information held by Government agencies more freely accessible to the public. However, Section 14 of the FOIA limits Government agencies from disclosing the personal information of citizens unless the individual's consent is obtained or the information is publicly available.
The Credit Reporting Act 2017 (the Credit Reporting Act) is a framework for credit reporting, licensing, and credit bureaus. Section 9 of the Credit Reporting Act provides that data subjects shall be entitled to the privacy, confidentiality, and protection of their credit information, subject to certain exceptions listed under Sections 9(2) to 9(6) of the Credit Reporting Act.