Regulatory Update: Nigeria Data Protection Act, 2023
Let’s start off today by celebrating the growth of our nation, Nigeria, and the indomitable spirit and resilience of its people. From diverse cultures to vibrant traditions, Nigeria is a tapestry of strength, unity, and endless possibilities. To the land of boundless potential and the people who light up its path to a brighter future. Happy Independence Day, Nigeria! 🇳🇬🎉
Now, over to the juicy (or should I say, geeky 🫣) stuff!
Remember that one time that Facebook allegedly sold the private data of tens of millions of users to a UK and a Russian firm? Yeah, the whole world went agog with speculation about what this data could be used for; some said the data was sold to the enemy forces in Russia (whatever that meant), while some others said the data was being used for classified criminal intent that could be very harmful to the populace at large.
Anyways, although the protection of personal data was operational before the Facebook incident, this landmark case acted as a cosmic kick to the backside of many nations of the world by highlighting the need to tighten the reins of personal data protection.
Our dear Nigeria is not left out of this regulatory upgrade or of the need to ensure the privacy of personal and sensitive data. President Bola Tinubu took a significant step in upholding individual privacy rights and promoting secure data practices when he signed the Nigerian Data Protection Act, 2023 (the "Act") into law on June 12, 2023. This legislation builds upon the existing Nigerian Data Protection Regulation ("NDPR"). The Act is the first major federal legislative instrument for the processing and protection of personal data of natural persons residing or doing business in Nigeria and supersedes any other law or enactment that relates directly or indirectly to the processing of personal data.
The journey to this milestone began when the National Data Protection Bureau ("NDPB") introduced the draft Data Protection Bill on October 4, 2022, which was subsequently approved by the Federal Executive Council in February 2023. This bill was passed into law and officially transformed into the Nigeria Data Protection Act 2023 on Tuesday 12th of June 2023, by President Bola Ahmed Tinubu.
In this article, we have highlighted key changes introduced by the new Act.
Scope
- The Act applies to both automated and non-automated data processing in Nigeria, regardless of the location of the data controller or processor.
- This includes cases where personal data is processed within Nigeria or involves a data subject in Nigeria. It applies to entities incorporated under Nigerian law, as well as those not incorporated in Nigeria but extensively using personal data of Nigerian residents.
- It does not cover personal data processing for purely personal or household purposes, unless it infringes on a data subject's privacy rights.
Key Highlights
- Personal Data & Sensitive Personal Data: The Act prohibits unauthorized handling of personal and sensitive personal data. It defines personal data as information identifying individuals directly or indirectly. Sensitive personal data includes genetic and biometric data, health, religious, and political data, among others.
- New Data Controller Categories: The Act introduces Data Controllers and Data Processors of Major Importance (DCPMI), mandating registration with the Nigeria Data Protection Commission.
- Nigeria Data Protection Commission: The Act establishes a new commission known as the Nigeria Data Protection Commission. The Commission will replace the Nigeria Data Protection Bureau as the apex regulator saddled with the responsibility of overseeing compliance with data protection laws in Nigeria. Acting within its authority under the Act, the Commission has recently made it known that it will now impose sanctions on executives of Ministries, Agencies, and Departments.
- Cross-Border Data Transfer: The Act prohibits the transfer of personal data from Nigeria to another country unless the recipient is subject to adequate data protection measures like laws, corporate rules, contracts, codes of conduct, or certifications, or where the transfer aligns with accepted data processing criteria specified in the Act. However, the Act does provide for exceptions under which personal data may be transferred abroad even in the absence of adequate protection. These exceptions include cases where the data subject has given informed consent for the transfer, understanding the potential risks involved; situations where the transfer is necessary for compelling public interests; and instances where the transfer is essential for initiating, exercising, or defending a legal claim, among other circumstances.
- Legal Basis for Data Processing: The Act now explicitly incorporates "legitimate interest" as an additional lawful basis for processing personal data, alongside existing lawful bases like vital interest, consent, contract, legal obligation, and public task.
- Third-Party Data Processing & Notification: The Act emphasizes the pre-existing mandate for a data processing agreement between a data processor and any third party involved in data processing according to the NDPR Implementation Framework.
- Consent for Minors and Incapacitated Individuals: Consent from parents or legal guardians is required when processing data of minors or those lacking legal capacity under the new Act. Exceptions to this requirement apply in particular instances for the well-being of the child, to foster the child’s education, for medical purposes, with respect to legal proceedings, etc.
Our Thoughts
In today’s fast-paced digital era, where vast amounts of data are constantly generated, stored, and processed online, safeguarding privacy and data protection has become a top priority for many countries, businesses, and individuals. It goes without saying that the introduction of the Nigeria Data Protection Act is a significant milestone, especially given Nigeria's concerted efforts to advance towards a fully realized digital economy. It is crucial to recognize that the digital economy thrives on data, making robust data protection measures imperative for any nation aspiring to embrace this paradigm. Beyond just investing in digital technologies, a nation must establish a dependable national database, supported by a robust and effective data protection framework. The enactment of this Act is anticipated to instill greater confidence in both Nigerian citizens and residents, thereby fostering wholehearted support for the country's digital economy aspirations.