President Bola Tinubu has signed the Nigerian Data Protection Bill into law.
The new Act is the first law enacted to provide a legal framework for the protection of personal information and the practice of data protection in Nigeria. Prior to its passage, the NDPR, a subsidiary regulation issued by NITDA, was the regulation guiding the protection of personal information in Nigeria.
The bill was introduced to the Senate and House of Representatives for consideration and passage on Tuesday, 4 April 2023 via a letter from former President Muhammadu Buhari.
Now an Act, the new law establishes the Nigeria Data Protection Commission and replaces the Nigeria Data Protection Bureau (NDPB) established by President Buhari in February 2022. The Commission will be led by a National Commissioner with the responsibility for regulating the processing of personal information.
The Commission's mandates include fostering the development of personal data protection technologies in accordance with recognised international good practices and ensuring compliance with data protection obligations.
Among others, it will also have the powers to register data controllers and data processors of major importance, promote awareness of the obligations of data controllers and data processors, and sanction those who violate the provisions of the Act.
Under the Act, a National Commissioner for the Commission will be appointed by the President for a term of four years, which is renewable once. The National Commissioner will be responsible for its daily administration and execution of policies. The Commission will also have a Governing Council responsible for formulating policy direction for its affairs and approving strategic, action and budget plans for the Commission, among others.
A data controller is required to provide certain information to a data subject (that is, the person whose data is being requested) before collection. This information includes the identity and business address of the collector or processor, the specific lawful basis to process the data, the recipients of the data, the data retention period and the right to lodge a complaint with the Commission, among others.
“The Commission is expected to have powers to make compliance and enforcement orders against data controllers or processors in the event of the violation of the provisions of the bill or related subsidiary legislation. The orders of the Commission are subject to judicial review within 30 days from when they are made.
“The Act also criminalises failure to comply with the orders of the Commission, which is punishable by a fine and/or imprisonment term. A data subject may also seek damages from a data controller through civil proceedings, in the event of a violation.”
The new law “sets out principles for the processing of personal data, some of which include that it must be done in a fair, lawful and transparent manner, that it is limited to the minimum necessary for the purpose it is collected and is not retained for longer than necessary.”
“The law specifically states that the burden of proof is on a data controller to establish that he or she received the consent of the data subject before collecting his or her data. Silence or inactivity of the data subject will not be taken to imply consent. A child does not have capacity to consent, and a person with capacity to consent, such as a parent, can do so on behalf of a child. A data subject has the right to withdraw consent to the processing of his or her personal data. In that situation, the data controller is expected to discontinue processing the data of such a person unless the controller shows public interest or other legitimate grounds, which override the fundamental rights, freedoms and the interests of the data subject.
“A data subject (a person whose information is collected) has the right to obtain information with regard to the processing, storage and other relevant information about his or her data, from a data controller.
“A data controller is mandated to inform the Commission if a data breach occurs. The data controller is also required to inform the data subject of the breach if it is likely to result in high risk to the rights and freedoms of the subject.”
The Nigerian Data Protection Act represents a significant step toward safeguarding privacy rights, fostering trust, and promoting responsible data-driven innovation. ITEDGE