A Review of the Nigerian Data Protection Act



Introduction

On the 12th of June 2023, Nigeria passed another milestone in its data protection evolution, with the enactment of the Data Protection Act (the “Act”). The Act emerged in the wake of a regime fastened by the Nigeria Data Protection Regulation 2019 (“NDPR”) and the NDPR: Implementation Framework 2020, which hitherto were the primary corpus of Nigeria’s data protection legal framework.


With the passing of the Act, Nigeria now has a primary legislation which has pre-eminence over all other data protection centric rules or regulations. The provisions of the Act are expansive, holistic, and heavily influenced by the European Union’s General Data Protection Regulation (“GDPR”).


Scope of the Act

With regards to its material and territorial scope, the Act applies to Data Controllers and Data Processors domiciled, resident or operating in Nigeria. Additionally, the Act also applies to the processing of personal data of data subjects in Nigeria. A major point to note here is that the Act defines a “Data Controller” to include individuals, private entities, public commissions, and agencies. Therefore, unlike what is obtainable with many other data protection laws around the world, the Act applies to the processing of data carried out by individuals.

It is important to note that the main difference between a Data Controller and a Data Processor, as defined under the Act, lies in their roles and obligations. The Data Controller determines the purposes and means of processing of personal data. Meanwhile, a Data Processor processes personal data on behalf of or at the direction of a data controller or another data processor.

If you wonder what constitutes “processing” of data, the Act defines it to include the: “collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction of data”.


Technically, a class captain taking names of noise makers in a secondary school needs to be wary of the provisions of the Act, as they apply.

Undoubtedly, all corporate entities carrying out business in Nigeria are subject to the Act.

One more point to note is the fact that there is nothing within the reading of the Act that indicates whether the Act extends to deceased persons. It would flow within reason that in the absence of an outright proscription, the Act indeed applies to data relating to deceased persons as well.

Whilst the Act is a detailed document (66 sections over 47 pages), some of the key provisions its audience should look to are the basic principles, lawful bases, and the rights of data subjects.


Basic Principles

There are basic principles under the Act that govern the processing of data. These 6 principles closely mirror those reflected under the GDPR, which can be summarized as follows:

- Lawfulness, fairness, and transparency

- Purpose limitation

- Data minimisation

- Storage limitation

- Accuracy

- Integrity and confidentiality


In addition to the above, the Act emphasizes that appropriate technical and organisational measures are to be implemented to ensure the confidentiality, integrity, and availability of personal data. The Act also suggests various measures that may be explored to attain this directive, including: pseudonymisation/de-identification, encryption, periodic assessments of risks etc.


Furthermore, whilst implementing any of these measures, the Data Controller/Data Processor shall consider:

- The amount and sensitivity of the personal data

- Nature, degree, and likelihood of harm to a data subject that could result from a loss, disclosure, or misuse of the personal data

- The extent of the processing

- The period of data retention; and

- Availability and cost of any technologies, tools, or other measures to be implemented relative to the size of the data controller/processor


Lawful Bases

To legally carry out processing of personal data under the Act, such processing must have a lawful basis which underpins the processing activity. Any of the following may apply:

- Consent of the data subject (or legal guardian).

- Necessary for performance of a contract to which the data subject is a party.

- Necessary for compliance with a legal obligation.

- Necessary to protect the vital interest of the data subject or another person.

- Necessary to perform a task carried out in the public interest; or

- Legitimate interests pursued by the data controller/processor or a third party to whom the data is disclosed.


The Act gives some clarification to aid the assessment of what may constitute legitimate interests, by stipulating the conditions which prevent a claim of legitimacy. A Data Controller or Processor’s interest in the processing of data shall not be legitimate where such processing activity:

- Overrides the fundamental rights, freedoms, and interests of the data subject;

- Is incompatible with other lawful bases of processing under the Act; or

- Has no reasonable expectation on the part of the data subject that the personal data would be processed in the manner envisaged.


Data Subject Rights

The key rights of a data subject under the Act can be summarised as:

- Right to confirmation of facts surrounding the storage or processing of their personal data.

- Right to lodge a complaint with the NDPC.

- Right to obtain a copy of the data subject’s personal data.

- Right to the correction/deletion of data that is inaccurate, out of date, incomplete or misleading.

- Right to the erasure of data concerning the data subject.

- Right to restrict data processing pending: (i) resolution of a request; (ii) objection by a data subject; (iii) establishment, exercise, or defence of a legal claim.

- Right to object to processing of personal data.

- Right not to be subjected to automated decision making.

- Right to withdraw consent to processing of personal data.


Further Regulations

As expected, the Act established the Nigeria Data Protection Commission (“NDPC”), which is empowered to make further regulations pursuant to the Act. Undoubtedly, there is a myriad of issues under the Act that the NDPC immediately needs to provide clarification on. Some of these include:

a. Detailing what/who constitutes a data controller/processor of “major importance”. The Act provides that all Data Controllers/Data Processors of “major importance” must register with the NDPC within six (6) months after the commencement of the Act or on becoming a Data Controller/Data Processor of major importance.

However, the Act’s definition of a data controller/processor of major importance is rather vague, as it is defined as a company domiciled in Nigeria, to whom the Act applies and who “processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or that processes personal data of particular value or significance to the economy, society or security of Nigeria”.

I would argue that if not appropriately attenuated, this definition is wide enough to capture an unnecessarily wide spectrum of companies in Nigeria. This would unwittingly impose the burdensome conditions that the Act imposes on data controller/processors of major importance.


b. Cross-Border Transfer of Personal Data – The Act does not permit data to be transferred from Nigeria to another country unless the recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection. The NDPC needs to make regulations as to what countries have an adequate level of protection (albeit the Whitelist under the NDPR still subsists).

The NDPC will also need to define what constitutes a cross-border transfer and distinguish it from mere data collection or data routing. Further guidance is also required for adequacy provisions, data that may have additional cross-border restrictions, and specifics on certification mechanisms.


c. Definition of terms within the Act – In addition to some of the terms above, many others such as pseudonymisation, anonymisation, data portability, etc., all need to be properly defined, so that the corpus of our data protection legislative framework is richer and less equivocal.


d. Exemption of personal data – Section 3(3) of the Act provides that the NDPC may prescribe types of personal data and processing that may be exempted from the application of the Act. Presumably this may involve categories concerning investigations or prosecution by law enforcement, or data relating to national security.


e. Standards and Templates for Data Privacy Impact Assessment (DPIA) – The NDPC needs to provide standards, procedures, and templates for DPIAs and Risk Assessments, lest privacy practitioners resort to a sustained use of foreign resources.


f. “License” of Data Protection Compliance Officers – The Act empowers the NDPC to license persons with the requisite level of data protection expertise to carry out audit, monitoring and compliance of Data Controllers and Data Processors with the Act. It would be intriguing to see the extent to which the application/certification processes are byzantine, if they will involve recurrent financial or intellectual maintenance, and the standards that are deemed minimum to suffice as being “expertise”.


g. Child capacity to consent – The Act provides that the NDPC shall make regulations where processing of data relates to a child below the age of 13 years old, in relation to the provision of information and services by electronic means. However, the Act also provides that a “child” shall be defined in line with the Child Rights Act (which defines a child as a person under the age of 18). Clarity in this regard is ultimately required.


Status of the NDPR

S.64(2)(f) of the Act provides that all pre-existing rules, orders, regulations etc. that have been issued by the National Information Technology Development Agency (NITDA) or the Nigeria Data Protection Bureau (“NDPB”). This in effect means that the NDPR is still applicable to all data processing in Nigeria, alongside yet subject to the Act. Thus, many matters not included in the Act, but covered in the NDPR, will still form a part of the compliance corpus for data controllers/processors.

For example, the NDPR requires organisations who process personal data of over 10,000 (ten thousand) data subjects per annum, process sensitive personal data in the regular course of business, or if they possess critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015). Also, the yearly requirement to conduct audits before March 25th will still subsist.


Further Comments

Like every man-made venture, the Act is not perfect. Whilst a few of these have been addressed above, there are a few others that could do with a mention.

a. The Act provides for a maximum fine of N10,000,000 (ten million naira) and 2% of annual gross revenue for data controllers/processors of major importance, and a maximum fine of N2,000,000 and 2% of its annual gross revenue for others. I am of the view that this is an insufficient deterrent to poor data protection practices (which are currently endemic in Nigeria). Whilst 2% of annual gross revenue may be sufficient in most cases, most companies would gladly pay N2,000,000 (which at the time of writing this article is a mere $2,000) in exchange for wrongly exploiting the data of data subjects or refusing to address their negligence or recklessness in the handling of personal data. The Act also doesn’t address situations where the ultimate beneficiary of the infringement may be far removed from the processing, thus allowing SPVs or dead rubber entities (with little to no revenue) to be set up to benefit their far-removed associates.


b. Whilst section 29 of the Act provides that data controllers enter into agreements with processors, it does not provide enough detail on what terms should be included, and this in my view may encourage an entire data protection arrangement to be a shoehorned clause in a main agreement, as opposed to being a standalone agreement with the amount of detail that it deserves. Also, section 29(e) simply provides that the data processor or sub-processor may simply notify the controller when a new data processor is engaged. This in my view should not be the case, as it would be more apropos for the data controller to have to consent to the engagement of another processor (ensuring compliance).


Conclusion

There is no gainsaying that the Act is much welcomed and will go a long way in strengthening the legal roots of data protection in Nigeria. One hopes that it also has a knock-on effect of addressing Nigeria’s culture of unnecessarily collecting every piece of information possible for every cause, and indiscriminately treating such data with very little care (which is not in keeping with basic data protection principles such as privacy by default).

The Act’s broad scope, establishment of essential principles for processing, and enshrinement of rights for data subjects, is a game changer. However, it is ultimately just another step on a journey that has more twists and turns on the way, especially as people and technology continue to evolve.


Oluwatobi Olowokure

Boluwatife (‘Tife) Ekundayo

LLM candidate - Tilburg University | Orange Knowledge Programme Scholar, 2023 - 2024 | Law and Technology (Privacy and Security)

11 months

This is a fantastic review. Like you have rightly indicated in your analysis, there are a lot of gray areas in the law that the NDPC should clarify. In my own opinion, the Data Protection Act needs an enforcement mechanism. The provisions are quite laudable, but what is the plan for enforcement? Another point I see is that Nigeria needs a separate data protection regulation for the purpose of law enforcement, and I hope the NDPC rises to the occasion in this regard.

Olayinka O Salu, Esq

GDPR Officer - Deputy DPO at National Education Union and Founder of Oakshire Academy

11 months

Thank you for posting. I wonder how individuals as controllers would be able to comply with the Act.

Joel Adeyemi Adefidipe

Future BIGWIG| Writer | BIGWIG Ambassador | Tech, Law and Finance Enthusiast | Startup Advisory | Data Protection Enthusiast

11 months

Absolutely agree with you that the Act is a welcome development. Nonetheless, the NDPC has a lot on their plate. There are many open provisions begging to be filled by the NDPC. For example, data controllers or processors of major importance are meant to register within six months of the commencement of the Act. However, five months down the line, we still cannot pinpoint which organisations fall under that category. It is paramount that the NDPC brings clarity to some of these provisions as they carry significant penalties. This will also ensure stakeholders carry on their operations with clarity. Thank you for sharing, Oluwatobi Olowokure.
