AN OVERVIEW OF THE NIGERIAN DATA PROTECTION ACT 2023

Introduction

The Nigerian Data Protection Act which was recently signed by into law by President Bola Ahmed Tinubu, GCFR on the 12th June 2023 is the Nigeria`s first principal legislation of the National Assembly for data protection. Prior to the establishment of the NDPA, data protection in Nigeria was solely governed by the Nigerian Data Protection Regulations 2019 (NDPR) which was issued by the National Information Technology Development Agency (NITDA). Although the NDPA did not repeal the NDPR, it however supersedes the NDPR and gives the NDPR more force to safeguard the processing of personal data and privacy of data subjects in Nigeria. Unlike the NDPR which focuses on natural persons residing in Nigeria or Nigerians residing outside Nigeria, the NDPA protects the rights of data subjects and imposed obligations on data controllers and data processors of individuals’ personal data.

The Objective of the Act

The objective of the Act is explicitly stated in Section of the Act; the principal objective of the Act amongst others is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the Constitution. The Act defined data subject as personal individual to whom personal data relates.

Notable Highlights of the Nigerian Protection Act

1. Establishment of the Nigeria Data Protection Commission (the Commission):

In February 2022, the Nigerian Data Protection Bureau (NDPB) replaced the National Information Technology Development Agency (NITDA) as the primary regulator for data protection by regulating the NDPR has been replaced by the commission under the Act. The commission is established in Section 4 to oversee the implementation of the provisions of the Act, and issue regulations, rules, directives, and guidelines among other powers. Section 5 of the Act vests on the commission an independent power to oversee the full implementation of the Act. Even though the commission replaced the NDPB, a closer look at the provisions of the Act connotes that it was a change of nomenclature as all officer, employee or member of staff of the NDPB are deemed to have been appointed under the NDPA.

2. Jurisdictional scope of the Act:

There is a major difference in the applicability of the NDPA. Whilst the NDPR is applicable to all storage and processing of personal data conducted in respect of Nigerian citizens and residents, the NDPA focuses on the domicile of the data controller or data processor. The NDPA is applicable to automated and non-automated data processing where; (a) the data controller or data processor is domiciled, resident or operating in Nigeria; (b) the processing of personal data occurs within Nigeria; or (c) where the data controller or data processor is not domiciled, resident or operating in Nigeria, but is processing personal data of a data subject that is in Nigeria. Unlike the NDPR which is applicable to Nigerians living abroad, the NDPA is not applicable to the processing of data in respect of Nigerians living abroad.

It is important to know that the Act is not applicable to the processing of personal data carried out solely for personal or household purposes where such processing does not violate the fundamental right to privacy of a data subject.

3. Lawful Processing of Personal Data:

The NDPR provides five bases in which processing of personal data is lawful. These are; where consent has been given; to fulfil a contractual obligation; for compliance with a legal obligation; to protect vital interests of the data subject or for any public interest. The NDPA notably added legitimate interest as a basis for the processing of personal data. The Act further provides that legitimate interest will be unlawful where;

• they override the fundamental rights, freedoms and the interests of the data subject;

• they are incompatible with other lawful basis of processing

• the data subject would not have a reasonable expectation that the personal data would be processes in the manner envisaged.

4. Data Privacy Impact Assessment:

The NDPA provides that a data controller should carry out a data privacy impact assessment (DPIA) to identify risks and impact prior to the processing of a personal data that may likely result in high risk to the rights and freedoms of the data subject. The Act mandates the data controller to consult the commission before processing data where the DPIA indicates a high risk to the Data subject`s rights and freedoms.

5. Child Rights Protection:

Unlike the NDPR, the NDPA makes clear and precise provisions on consent to process the data of a child or a person lacking the capacity to give consent. The Act provides that data controllers should obtain the consent of a parent or guardian where the data subject is a child or the appropriate individual if the data subject lacks the legal capacity to provide consent. However, this right is limited where the processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent or the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.

Conclusion

The Nigeria Data Protection Act contains extensive provisions which guarantee the protection of the personal data of individuals including their rights to know when, how, and why their data is being processed. In line with global laws and trends regulating the privacy and personal data of individuals, the Act also makes provisions for effective administrative and judicial remedy where the personal data of a data subject is not processed in accordance with the law.

From the foregoing analysis, it is obvious that the importance of this enactment aimed at protecting the personal data of citizens as data subjects in this technological age cannot be overemphasized. The eventual passage of the Act as the specific principal legislation giving force to the NDPR on the important issues of data protection is commendable.