THE NIGERIA’S DATA PROTECTION ACT 2023: A LOOK AT KEY PROVISIONS

With the recent spate of personal data breaches occurring globally, the need for comprehensive data protection measures has never been more critical. In 2019, National Information Technology Development Agency (NITDA) a body created in April 2001 to implement the Nigerian Information Technology Policy and co-ordinate the IT development in the country, issued the Nigeria Data Protection Regulation which was a timely and welcome piece of subsidiary legislation. The NDPR includes provisions for the manner in which personal data may be processed lawfully in Nigeria and provides the governing principles of data processing, the lawful basis for processing, rights of data subjects, the obligations of data controllers and data processors and the transfer of data to a foreign territory amongst others. Later in 2022, the Federal Government established the Nigeria Data Protection Bureau (NDPB) to oversee the implementation of the NDPR. Stakeholders within the ecosystem have however, consistently called for more principal legislation directly from the country’s National Assembly, to regulate and address the emerging challenges of data protection and privacy in Nigeria.

In response to this clamour, the Data Protection Act 2023 was signed into law on the 14^th of June 2023, by President Bola Ahmed Tinubu. The objectives of the Act amongst others, is to safeguard the fundamental rights, freedoms and interests of data subjects as guaranteed under the 1999 Constitution of Nigeria.

Below are key highlights of the Act and its potential impact on Data Controllers, Data Processors and Data Subjects.

Establishment Of The Nigeria Data Protection Commission and Its Governing Council

The Act establishes the Nigeria Data Protection Commission (“the Commission”) as an independent body being a body corporate with perpetual succession and a common seal. This Commission replaced the Nigeria Data Protection Bureau (NDPB) established by the immediate past President Muhammed Buhari. The Act makes transitional provisions to empower the Commission to take over all the powers and duties of the existing NDPB. According to Section 5 of the Act, the Commission is tasked with the functions of promoting awareness to Data Controllers and Data Processors of their obligations under the Act and supervising the implementation of the provisions of the Act. Some other functions of the Commission include advising the government on policy issues relating to data protection and privacy, licencing, accrediting, and registering bodies to provide data protection compliance services and submitting legislative proposals to the Minister, including amending existing laws amongst others. It also sets up a Governing Council and the members of the council are to serve parttime, except for the National Commissioner.

Principles Governing the Processing of Personal Data

Section 24 of the Act provides for the principles governing the processing of personal data and these include lawfulness, fairness, and transparency, data minimisation, accuracy, purpose limitation, storage limitation, integrity, and confidentiality. The section further places a duty of care on the Data Controller or Data Processor in processing of data. To this end, these stakeholders are to demonstrate accountability with respect to the principles contained in the Act. One notable provision of the Act is the inclusion of the ‘legitimate interest’ concept as a basis for the processing of personal data (This was hitherto excluded in the NDPR). This implies that Data Controllers and processors can justify the processing on grounds of legitimate interest. Instances of this may include data processing for the prevention of fraud and matters regarding employee-employer relationships.

Data Privacy Impact Assessment

Section 28 of the Act specifies the need for a data protection impact assessment (DPIA) where the processing of personal data appears likely to result in a high risk to the rights and freedoms of Data Subjects by virtue of its nature. The section further mandates the Data Controller to consult the Commission prior to the processing, if the DPIA indicates that the processing of the data would result in a high risk to the rights and freedoms of Data Subjects. The Act defines a DPIA and empowers the Commission to issue guidelines and directives on DPIAs, including the categories of processing subject to the requirement for a DPIA.

Sensitive Personal Data and Child Rights

This provision bridges the gap the NDPR failed to address in the sense that Section 30 of the Act provides for a higher standard of care for protection of sensitive personal data. Sensitive Personal Data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation. This section states that a Data Controller or Processor cannot process sensitive personal data except where the data subject has given explicit consent, necessary for vital interests, legitimate interest but with safeguards, the performance of rights and obligations under employment law amongst other lawful basis.

The Act further makes provision for the rights of a child, providing that where a Data Subject is a child or another individual lacking the legal capacity to consent, a Data Controller shall obtain the consent of a parent or other appropriate legal guardian of the child or other individual, as applicable. Data Controllers are also expected to apply appropriate mechanisms to verify age and consent.

Conditions For Consent and Rights of A Data Subject

Section 26 of the Act provides what constitutes the giving of consent by a Data Subject and that the burden of proof for establishing a Data Subject’s consent is on the Data Controller. It states that silence or inactivity by the data subject shall not constitute consent and consent may be granted in writing, orally or through electronic means. The Data Subject can also withdraw his/her consent at any time. It is important to note that the withdrawal will not affect the lawfulness of prior data processing.

The Act further provides for more rights of Data Subjects with emphasis on the data subject rights, access rights like obtaining confirmation of the personal data being processed and details regarding its purpose and retention periods, the right to request rectification or erasure, lodge complaints with the Commission and request a copy of the personal data in electronic format without undue delay. It also grants Data Subjects the right to object to the processing of personal data and to not be subjected to a decision based solely on the automated processing of personal data.

Data Security and Data Breach Management

Section 39 of the Act mandates Data Controllers and Data Processors to implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data in its care. The Act also further provides detailed steps to be taken by a Data Processor in the event of a breach. In the event of a breach, the data processor is mandated to notify the Data Controller or Data Processor that engaged it of the nature of the breach and respond to all information requests from the Data Controller or Data Processor without delay. Where the breach is likely to result in a risk to the rights of individuals, the Data Controller is to notify the Commission within 72 hours of becoming aware. The timeline may be extended where it is reasonably necessary to implement measures required to determine the scope of the breach. The Data Controller and Data Processor are also mandated to keep a record of all personal data breaches.

Data Controllers and Data Processors of Major Importance

Section 44 of the Act requires “Data Controllers and Data Processors of major importance” to register with the Commission within six months of the commencement of the Act. In section 65- the Interpretation Section of the Act- Data Controllers or Data Processors of major importance are defined  as those domiciled, ordinarily resident, or ordinarily operating in Nigeria who process or intend to process personal data of more than such number of data subjects who are within Nigeria as the Commission may prescribe, or such other class of data of value or significance to the economy, society or security of Nigeria as the Commission may designate. The Commission is also empowered to exempt a class of Data Controllers and Processors from registration where it considers such unnecessary and disproportionate.

Cross-Border Data Transfers

This Act further makes provision for the transfer of personal data to another country or jurisdiction. Under the Act, personal data can only be transferred from Nigeria to another country if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms that afford an adequate level of protection with respect to the personal data. Section 42 of the Act provides that a level of protection is adequate if it upholds principles that are substantially similar to the conditions of processing of the Personal Data provided for in the Act.

Furthermore, the Act empowers the Commission to create a ‘blacklist’ from time to time showing non-compliant jurisdiction or actors.

CONCLUSION

The enactment of the Nigeria Data Protection Act 2023 is indeed a welcome development. Despite the good intentions of the Act however, there are some provisions that need clarification.

Firstly, the interpretation section of the Act defines the term “Data Processors or Data Controllers of major importance” but fails to prescribe the volume of data that will be processed by such Data Controller or Data Processor before they qualify for this category.

Secondly, the Act does not stipulate a clear timeline for responding to Data Subject requests by a Data Controller or Data Processor and as such, it may be difficult to determine what amounts to an unreasonable delay in responding to such requests.

It is certain that over time and as the Act is implemented, adequate clarification on these and other deserving issues will be given by the regulator.

Author : Mary Ajibola – Associate, Lexworth Legal Partners

DISCLAIMER: LEXWORTH LEGAL PARTNERS

This document is intended only as a general discussion on the subject of this article. Please do not regard it as legal advice. We would be delighted to provide additional details or advice about specific queries, if required.

For further enquiries, kindly send an email to m.ajibola@lexworthlegal.com or info@lexworthlegal.com.