Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 1 year ago
On 12 June 2023, the Nigeria Data Protection Act, 2023 (“the Act”) was signed into law by President Bola Ahmed Tinubu. The Act provides a legal framework for the protection of personal information, processing and transfer of personal information and regulatory obligations of data controllers and data processors among others in Nigeria. Prior to this, Nigeria did not have a single unified data protection law, despite there being calls for one.
This article provides an overview of the new law and considers the objectives, application and principles guiding the processing of personal data, cross-border transfer of personal data and other key provisions.
Application of the Nigeria Data Protection Act
The Act applies to data controllers or data processors domiciled, resident or operating in Nigeria and the processing of personal data that occurs within Nigeria. It also applies to situations where the data controllers or data processors are not domiciled, resident or operating in Nigeria, but are processing the personal data of data subjects in Nigeria.
The Act does not apply to the processing of personal data, which is done solely for personal or household purposes by one or two more persons. The Act also does not apply to the processing of personal data necessary for the investigation, detection or prosecution of crimes or the prevention or control of a public health emergency, etc.
Objectives of the Act
The Act seeks to achieve the following objectives:
a. Safeguard the fundamental rights, freedoms and interest of data subjects as guaranteed under the Constitution.
b. Regulate the processing of personal data and ensure that personal data is processed in a fair, lawful and accountable manner.
c. Protect data subjects’ rights and provide means of recourse and remedies in the event of breach.
d. Ensure that data controllers and data processors fulfill their obligations to data subjects.
e. Establish an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues and supervise data controllers and data processors.
Establishment and Functions of the Nigeria Data Protection Commission
The Act established the Nigeria Data Protection Commission (“the Commission”) for the purposes of achieving the objectives of the Act. Thus, the Commission has the core functions of regulating the deployment of technological and organizational measures to enhance personal data protection, accredit, licence and register suitable persons to provide data protection compliance services, register data controllers and data processors, receiving complaints relating to violations of the Act or any subsidiary legislations.
Principles of Processing Personal Data
Data controllers and data processors process personal data on the basis of care and accountability to data subjects. Accordingly, data controllers and data processors must act in a fair, lawful and transparent manner, collect data only for specified and legitimate purpose, hold and retain the data accurately, not longer than necessary, and generally ensure appropriate security measures are taken to secure the personal data.
Consent and Lawful Basis for the Processing of Personal Data
Consent of a data subject is very important for processing personal data. A data subject is a person whose information or data is being processed or sought to be processed. A data controller or data processor must obtain the consent of a data subject before processing his/her data, and it lies on the data controller or processor to prove that the data subject has given consent. The request for consent must be in a clear, simple language and format with information that the data subject reserves the right to withdraw the consent at any time. The consent must be freely and intentionally given either in writing, orally or through electronic means. Silence or inactivity does not amount to consent. In the case of a child (or person lacking legal capacity), the consent of a parent or guardian will suffice. The need to obtain consent of parent or guardian may, however, not apply where the processing of personal data is necessary to protect the vital interests, or for the purpose of the education, medical or social care of such child or person lacking legal capacity, or where it is necessary for proceedings before a court.
The consent must be given for the specific purpose(s) for which personal data is processed, or where the processing is necessary for the following purposes:
a. For the performance of a contract to which the data subject is a party.
b. For compliance with a legal obligation to which the data controller or data processor is subject.
c. To protect the vital interest of the data subject or another person.
d. For the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor.
e. For the purposes of the legitimate interest pursued by the data controller or data processor, or by a third party to whom the data is disclosed.
Obligations of a Data Controller
a. Identity, residence or place of business and means of communication with the data controller and its representative.
b. Recipients or categories of recipients of the personal data.
c. Existence of the rights of the data subject.
d. Retention period for the personal data, etc.
The data controller shall make this information available by means of a privacy policy, which should be expressed in a clear, concise, transparent, intelligible and easily accessible format.
Obligations of a Data Processor
Data controllers are engaged by data processors to process personal data. These data processors are also mandated to comply with the principles for the processing of personal data, assist the data controller to fulfill its obligation, implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data. Where a data processor engaged by a data controller further engages another data processor, the data processor directly engaged by the data controller is obliged to notify the data controller of its engagement with another data processor.
Data Protection Officers
Data controllers that process significant personal data are required to designate a person as a Data Protection Officer (DPO). The DPO may be an employee of the data controller or a person engaged by a service contract and must possess expert knowledge on data protection laws and practices. A DPO advises data controller, and monitors compliance with the Act and related data protection policies of the data controller. The DPO also act as the contact point for the Commission on data processing issues.
Rights of Data Subjects
A data subject has the following rights with respect to the processing of his personal data by a data controller.
Data Security
Data controllers and data processors are required to implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in the possession. They must ensure that personal data are protected against accidental or unlawful destruction, loss, misuse, alteration, unauthorized disclosure or access.
The security measures that may be implemented to ensure personal data security include encryption, periodic assessments of risks to processing systems and services, regular testing, assessing and evaluation of the effectiveness of the measures, regular updating of the measures and introducing new measures to address shortcomings, etc.
Personal Data Breaches
Personal data breach is the breach of the security of a data controller or data processor, which leads to or may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or processed.
Data processors are required to notify data controllers or engaging data processors of personal data breaches, which the data processors store or process upon becoming aware of it by describing the nature of the personal data breach and the number of data subjects and personal data records concerned and also respond to all information requests from the data controllers or the engaging data processors.
Data controllers should also notify the Commission of personal data breaches that are likely to result in a risk to the rights and freedoms of individuals within 72 hours of becoming aware of such breach. Data controllers are also to communicate the personal data breach to the data subjects in a plain and clear language, including measures that could be taken by the data subjects to mitigate any possible adverse effects.
Data controllers and data processors are also required to keep a record of all personal data breaches, facts relating to the breaches, as well as their effects and remedial actions taken.
Cross-border Transfers of Personal Data
Data controllers and data processors are not allowed to transfer or permit the transfer of personal data from Nigeria to another country unless:
a. The recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection.
b. It meets one of the lawful bases for transfer of personal data outside Nigeria.
The level of protection considered adequate must uphold the principles that are substantially similar to the conditions for processing personal data provided by the Act. An adequate level of protection is assessed by taking into account the existence of an effective data protection law, access of public authority to personal data, existence of an independent supervisory authority, etc.
Registration of Data Controllers and Data Processors
Data controllers and data processors of major importance are mandated to register with the Commission within six months after the commencement of the Act or upon becoming a data controller or data processor of major importance. Data controllers or data processors of major importance are data controllers or data processors that process personal data of particular value or significance to the economy, society or security and are resident or operating in Nigeria.
The Commission is required to maintain and publish a register of duly registered data controllers and data processors of major importance on its website. A data controller or data processor of major importance shall be removed from the register where it ceases operation.
Enforcement and Penalties
A data subject who is aggrieved by the action, inaction or decision of a data controller or processor may lodge a complaint with the Commission, and it may investigate the complaint where it is not vexatious or frivolous.
The Commission may also issue a compliance order once it is satisfied that any requirement of the Act or subsidiary legislation has been violated or likely to be violated by a data controller or data processor. The order may be a warning, order to comply with the request of a data subject or a cease-and-desist order. The Commission may also issue an enforcement order or impose a sanction for violation of the Act or a subsidiary legislation.
The penalty or remedial fee for violation of the Act or subsidiary legislation is:
a. Higher maximum amount, which is the greater of N10,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor of major importance.
b. Standard maximum amount, which is the greater of N2,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor not of major importance.
Conclusion and Remarks
The Nigeria Data Protection Act, 2023, is an important piece of legislation and has been long in coming. It provides for the basic principles and the lawful bases for the processing and transfer of personal data in Nigeria and applies to both resident and non-resident data processors. It provides for the responsibilities of data controllers and data processors while also providing for the rights of data subjects. The processing of sensitive personal data and the personal data of children and persons lacking legal capacity to consent must follow the applicable principles as provided by the Act. Data security measures that are robust are expected to be put in place by data controllers and data processors to protect against the risk of personal data breaches. The Act creates the Nigerian Data Protection Commission, which has the overall responsibility to ensure compliance and impose penalties where necessary. Both resident and non-resident data processors are advised to pay particular attention to this new legislation, as they are now required to take specific steps to ensure compliance with the Act.
Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.
For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact:
Colin Egemonye Shola Adekunle Ada Izuchukwu
Partner Associate Associate
+234-1-291-7913 +234-1-291-7913 +234-1-291-7913
Author
No results available
Resetposted 3 days ago
posted 3 days ago
posted 4 days ago
posted 7 days ago
posted 1 week ago
posted 1 week ago
posted 1 week ago
posted 1 week ago
posted 2 weeks ago
posted 2 weeks ago
No results available
ResetFind the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.