President signs the Nigerian Data Protection Bill, 2023 into law

On 12 June 2023, President Bola Ahmed Tinubu, GCFR, signed the Nigerian Data Protection Bill, 2023 into law as Nigerian Data Protection Act, 2023 (“the Act”). The Act provides a legal framework for the regulation of personal data in Nigeria, which was hitherto provided for by the Nigerian Data Protection Regulations (NDPR) 2019 under the National Information Technology Development Agency (NITDA) Act.

The Act establishes the Nigeria Data Protection Commission (NDPC), which will be responsible for enforcement of rules and regulations set out in the Act, regulation of the processing of personal information, and other related matters. The Governing Council of the NDPC has been charged with formulation and provision of overall policy direction of the affairs of the NDPC.

The objectives of the Act, among others, include safeguarding of fundamental rights, freedoms and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, and regulation of processing of personal data to ensure that it is processed in a fair, lawful and accountable manner. Furthermore, the Act seeks to protect data subjects' rights, and provide means of recourse and remedies, in the event of the breach of the data subjects’ rights.

We have provided the highlights of the Act below:

1. Whilst the NDPR applies to every natural person, who is a Nigerian whether residing in Nigeria or not, the provisions of the Act apply mainly to data controllers or data processors domiciled, residing, operating, or processing personal data in Nigeria. It also applies where the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria.

2. The Act provides for the principles of personal data processing that a data controller or processor must follow, and these include ensuring that the data is:

a) processed in a fair, lawful and transparent manner;

b) collected for specified, explicit, and legitimate purposes;

c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;

d) retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;

e) accurate, complete, not misleading, and, where necessary, kept up to date;

f) processed in a manner that ensures appropriate security of personal data.

3. Most of the lawful bases provided in the Act for processing personal data are consistent with the provisions of the NDPR, and include: consent, the performance of a contract to which the data subject is a party, compliance with a legal obligation to which the data controller or data processor is subject, protection of the vital interest of the data subject or another person, performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor.

The Act also introduces a new lawful basis for processing personal data, namely processing for the purposes of the legitimate interests pursued by the data controller or processor, or by a third party to whom the data is disclosed. However, such an interest will not qualify as legitimate where the fundamental rights and freedoms of the data subject override it, where it is incompatible with the other lawful bases stipulated in the Act, or where the data subject would not reasonably expect the personal data to be processed in the manner envisaged.

4. The Act clearly prescribes the rights of data subjects. Among these, each data subject has the right to give or refuse consent, and the right not to be subject to a decision based solely on the automated processing of personal data, including profiling, which produces legal or similarly significant effects concerning the data subject.

5. The Act defines the rules for the transfer of personal data outside Nigeria. Consequently, data controllers or processors can no longer transfer personal data outside Nigeria unless there is a legal basis (laws, binding corporate rules, etc.) in the receiving country that affords an adequate level of protection to the personal data of the data subject.

6. The sanction for breach of any provision of the Act, or of subsidiary regulations made under it, includes a penalty or remedial fee of up to the standard maximum amount or the higher maximum amount, depending on whether the data controller or data processor is one of major importance. The Act defines the standard maximum amount as the greater of ₦2 million and 2% of annual gross revenue in the preceding financial year, and the higher maximum amount as the greater of ₦10 million and 2% of annual gross revenue in the preceding financial year.

The penalty provided in the Act appears stiffer than the penalties stipulated in the NDPR, which provides for a fine of 2% of the annual gross revenue of the preceding year or ₦10 million where the breach involves more than 10,000 data subjects, and 1% of the annual gross revenue of the preceding year or ₦2 million where the breach involves fewer than 10,000 data subjects.

7. The Act introduces the concept of data controllers and data processors of ‘major importance’, who are required to register with the NDPC within six months after the commencement of the Act or after acquiring the status of a data controller or data processor of major importance. These include a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes, or intends to process, the personal data of more than a prescribed number of data subjects within Nigeria. That number is to be determined by the NDPC. Although the Act does not set out the metrics for classifying a controller or processor as one of major importance, it specifies that the NDPC may exempt certain persons from that classification. We therefore expect the NDPC to issue a circular or regulation defining who will be classified as a controller or processor of major importance.

8. Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Act requires the data controller to notify the affected data subjects of the breach without undue delay, including advising them on the measures they could take to mitigate effectively the possible adverse effects of the breach.

Commentaries

The Act provides a promising framework for regulating data protection in the face of today's fast-moving technology. Its transitional provisions state that the NDPR will continue to apply in relation to the compliance requirements it provides for. For example, the NDPR mandates an annual data protection audit, and this requirement is expected to continue unless the NDPC issues regulations to change it. In addition, the NDPC is to license persons with the requisite level of expertise in data protection and the Act to monitor, audit and report on compliance by data controllers and data processors. These licensed persons will therefore co-exist with the Data Protection Compliance Organizations (DPCOs) already licensed under the NDPR.

Nonetheless, we expect the NDPC to issue the relevant Regulations and Guidelines to harmonize the NDPR with the Act and to clarify the other compliance requirements to be undertaken under the Act, including the number of data subjects that will qualify a data controller or data processor as one of major importance, the frequency of filing and the content of compliance returns by such data controllers and data processors, and the steps a data controller must take to adequately inform data subjects of a personal data breach.

It is also important that the NDPC provide in the Regulations stricter requirements for the individual appointed as Data Protection Officer (DPO), to ensure that the DPO has the requisite experience and competence within the organization to drive compliance with the provisions of the Act. This will also help ensure that data protection is treated with the utmost importance in Nigeria.