Introduction
Data is a central component of managing and conducting business activities. Individuals and businesses depend on data processing to execute their activities. In response, governments and institutions have over time enacted various laws to establish guidelines for the use of personal data, while having regard to the freedom and personal rights of subjects. On the 12th of June, 2023, the President of Nigeria officially signed the Nigeria Data Protection Bill into law. The Data Protection Act 2023 is the first Act primarily focused on data protection in Nigeria.
The Data Protection Act, 2023 (the “DPA”) was enacted against the backdrop of several attempts by various administrations to legislate on data protection in Nigeria. Before the passage of the 2023 Act, data protection was primarily governed by the Nigeria Data Protection Regulation 2019, given that there was no substantive legislation by the country’s National Assembly. The Act establishes a legal framework for the protection of personal data and the implementation of data reforms in Nigeria.
In light of the recent enactment, it becomes critical to evaluate the innovations it introduces. It is also vital for businesses and individuals to acquaint themselves with the various changes introduced by the legislation, to ensure they do not fall short of compliance. In this client alert, we shall be exploring the innovations and changes the Act heralds.
Key Innovations of the Data Protection Act
One of the primary innovations of the Data Protection Act, 2023 is the establishment of the Nigeria Data Protection Commission (NDPC). The Commission replaces the Nigeria Data Protection Bureau (NDPB), which was originally established in February 2022 to replace the National Information Technology Development Agency (NITDA) as the main regulator of data processing in Nigeria.
A close examination of the DPA discloses that the NDPC retains the legal claims and actions, records, properties, agreements, employees, regulations, and certifications of the NITDA and NDPB as they relate to data protection. However, for the purpose of record keeping, nomenclature, regulatory documentation, and filings, it is important for data processors and controllers to note that the primary regulator of data protection in Nigeria remains the NDPC. Therefore, all compliance and communication obligations should be conducted bearing this in mind.
The NDPC is to be superintended by a National Commissioner. The Commission will oversee the safe practice of data protection in Nigeria, including conducting campaigns to boost public awareness of data protection, registering data processors and controllers, entertaining compliance complaints, accrediting data protection compliance services, and doing all that is necessary to achieve the objectives of the Act.
2. Data Controllers and Processors
The DPA introduced a new class of data controllers and processors called Data Controllers and Data Processors of Major Importance (DCMI/DPMI). Such data controllers and processors are entities engaged in the processing of personal data beyond the number provided by the NDPC and/or involved in processing personal data of significant value to the security and economy of Nigeria.
Examples of data controllers and processors of significant importance are banks. The Act imposes a registration obligation on these entities and requires them to register with the NDPC within six months after the signing of the Act and also to nominate Data Protection Officers (DPO) with professional and deep knowledge of data protection laws and practices. DCMIs/DPMIs are subjected to higher fines than other data controllers and data processors in the event of a breach of the provisions of the Act.
3. Data Transfer
The Data Protection Act introduces a mechanism for cross-border data transfer. This is similar to (but more exhaustive than) the cross-border data transfer mechanism under the defunct Nigeria Data Protection Regulation, which was largely based on inferences drawn from the implementation framework.
The DPA establishes two main premises for international data transfers, namely the “adequacy protection” rule and any of the conditions enumerated under Section 43 of the DPA. The adequacy rule provides for binding corporate rules, a code of conduct, contractual clauses, a certification mechanism, and the recipient’s law. Both grounds differ slightly from the General Data Protection Regulation (GDPR), which establishes three main premises for cross-border data transfers including specific derogations with distinct parameters, adequacy decisions, and appropriate safeguards.
The Act provides that for there to be an effective data transfer, there has to be an instrument between the NDPC and a supervisory and competent authority in the recipient country. Such authority shall possess sufficient enforcement powers.
4. Powers of a Data Subject
The rights of data subjects are enshrined under Part VI of the DPA. These include the right to access, erase, restrict, correct, and object to a request to process their data. They also have the right to be informed before any action can be taken on their personal data. Data subjects have the power to request the transfer of their data in machine-readable format to any organization of choice.
Subjects reserve the right to withdraw their consent at any time and can file a complaint with the Commission in the event of any breach of their rights. However, these rights are not absolute, as the DPA allows for derogation from them in the instances provided in Section 3 of the Act.
5. Legitimate Interest as Basis for Data Processing
One of the key shortcomings of the Nigeria Data Protection Regulation was the failure to provide for the legitimate interests of data controllers as a ground for processing personal data. This is no longer the case, as the Data Protection Act now provides for legitimate interest as a lawful basis. However, for legitimate interest to apply, the data controller must establish the following:
- The interest does not affect the fundamental interests, rights, and freedom of the data subject.
- The data subject believes that the personal data will be processed in the manner provided.
- The legitimate interest does not conflict with other lawful grounds provided under the Act for data processing.
The data controller must establish a valid reason for data processing and ensure that the reason is necessary for attaining such a purpose. The controller shall also ensure that the fundamental freedoms and rights of the data subject are not affected by the controller’s interest. Companies operating in jurisdictions outside Nigeria but reliant on Nigerian personal data, especially businesses within the European Union, should note that the basis for relying on legitimate interest in Nigeria significantly differs from that provided under the General Data Protection Regulation applicable in such jurisdictions.
6. Novel Safeguards for Children’s Personal Data
One of the positive innovations introduced by the DPA is the introduction of new guidelines for dealing with children’s data. Under the Act, the consent of a child, who is a person below the age of 18, is to be obtained from a parent or legal guardian before processing their personal data. As such, data controllers must execute consent verification using valid government-issued identification like national identity number, driver’s license, and international passport.
Conclusion
The Data Protection Act signifies a remarkable milestone in the regulation of data processing in Nigeria. The Act introduces fresh and innovative changes that meet the demands of modern data protection standards. Therefore, stakeholders relying on data processing must ensure they familiarize themselves with the provisions of the Act to avoid facing the sanctions of the law.