In today’s digital era, where huge amounts of data are continuously created, stored, and processed online, the importance of privacy and data protection has risen to the forefront for countries, businesses, and individuals alike. Recognizing the need to safeguard Nigerian citizens’ data and privacy rights, the Nigeria Data Protection Act 2023 was established. The Act upholds the fundamental rights, freedoms, and interests of data subjects as enshrined in the Constitution of the Federal Republic of Nigeria.
Its objectives include protecting personal information, creating the Nigeria Data Protection Commission to oversee the regulation of personal data processing, fostering data processing practices that ensure the security and privacy of personal information, safeguarding the rights of data subjects, and providing remedies in cases of rights violations.
This article outlines the objectives of the Data Protection Act and provides an overview of its key provisions, focusing on aspects relevant to individual data subjects and corporate entities or organizations involved in processing personal data as part of their operations. But first, what data is to be protected?
Understanding Personal Data
According to the Nigeria Data Protection Act, personal data refers to any information that relates, either directly or indirectly, to an identified or identifiable individual. This includes details such as a person’s name, identification number, location data, online identifier, or any other factor that is specific to the individual’s physical, physiological, genetic, psychological, cultural, social, or economic identity.
Personal data can be used to trace, recognize, or link back to an individual, either by itself or in combination with other information. The Act also defines “sensitive personal data” as a subset of personal data that is more closely tied to an individual’s privacy and requires higher protection due to its sensitive nature. This includes personal data relating to an individual’s:
- Genetic and biometric data used for uniquely identifying a person.
- Race or ethnic origin.
- Religious beliefs or similar convictions, including philosophical or conscience-based beliefs.
- Health status, including physical or mental health information.
- Sex life, including details about sexual orientation or behavior.
- Political opinions or affiliations, including party membership or political views.
- Trade union membership, which includes information about a person’s involvement in unions or labor organizations.
The primary lawful basis for processing personal data is the consent of the data subject, which must be given freely and intentionally, must not have been withdrawn, and must cover the specific purposes for which the personal data is being processed. The data controller holds the responsibility of proving that consent was obtained.
Silence or lack of action from the data subject does not equate to consent. However, data processing can be deemed lawful without consent in certain circumstances, such as when the processing is necessary for the following reasons:
- To perform a contract with the data subject or take steps before entering into a contract, provided it does not override the data subject’s fundamental rights or expectations.
- To comply with a legal obligation to which the data controller or processor is subject.
- To protect the vital interests of the data subject or another person, especially when the data subject cannot give consent.
- To carry out a task in the public interest or exercise official authority vested in the data controller or processor.
- To pursue the legitimate interests of the data controller, processor, or a third party, provided these interests are not overridden by the data subject’s rights.
- To establish, exercise, or defend a legal claim or obtain legal advice.
- For reasons of substantial public interest, as permitted by law, with appropriate measures to protect the data subject’s rights and freedoms.
Overview of Data Protection and Privacy in Nigeria
Data protection refers to the processes, laws, and practices that ensure the security of personal information, safeguarding it from unauthorized access, use, or disclosure. On the other hand, data privacy focuses on an individual’s right to control how their personal information is collected, processed, and shared.
Data protection is often used interchangeably with “data security,” and these measures are essential for organizations that collect, process, or store sensitive data, aiming to prevent its corruption, loss, or damage. In today’s era of rapidly increasing data generation and storage, having a robust data protection strategy is more critical than ever. The core objective of data protection is not only to secure sensitive information but also to ensure its accessibility and reliability, thereby fostering trust and maintaining compliance in data-driven operations.
Data privacy concerns apply to all sensitive information managed by organizations, including data related to customers, shareholders, and employees. This information is often integral to business operations, growth, and financial management.
Data privacy ensures that sensitive information is accessible only to authorized parties. It protects against malicious misuse by criminals and helps organizations comply with regulatory requirements.
Overview of the Nigerian Data Protection Regulation
The cornerstone of Nigeria’s data protection regime is the Nigeria Data Protection Regulation (NDPR) 2019, which was introduced by the National Information Technology Development Agency (NITDA) in January 2019. The NDPR aims to regulate the use of data in Nigeria, with the primary objectives of protecting individuals’ right to data privacy, ensuring secure transactions involving personal data, and preventing the misuse or manipulation of personal data.
The Regulation defines a Data Subject as an identifiable person, someone who can be identified directly or indirectly, particularly through an identification number or other factors specific to their physical, physiological, mental, economic, cultural, or social identity. Under the NDPR, a Data Subject has the right to take legal action if their privacy is violated by either natural or legal persons with access to their data.
On June 12, 2023, President Bola Ahmed Tinubu signed the Nigeria Data Protection Bill, 2023 into law, creating the Nigeria Data Protection Act, 2023 (“the Act” or “NDPA”). The Act establishes a legal framework for regulating personal data in Nigeria and replaces the Nigeria Data Protection Regulation (NDPR) 2019 and the NDPR Implementation Framework 2019, which were issued under the National Information Technology Development Agency (NITDA) Act.
A key provision of the Act is the establishment of the Nigeria Data Protection Commission (NDPC or “the Commission”) and its Governing Council (“the Council”). The Commission will oversee the implementation and enforcement of the Act’s rules and regulations, regulate the processing of personal data, and address related issues. The Council is responsible for formulating and providing overall policy direction for the NDPC’s operations.
The Nigeria Data Protection Act was enacted to uphold the fundamental rights, freedoms, and interests of data subjects as guaranteed by the Constitution of the Federal Republic of Nigeria. The Act supersedes any other law or regulation related, directly or indirectly, to the processing of personal data in Nigeria. Its provisions will override any conflicting provisions in other laws or enactments concerning personal data processing.
Its objectives include:
- Protecting personal information.
- Establishing the Nigeria Data Protection Commission to regulate personal data processing.
- Promoting secure data processing practices that safeguard personal data and ensure the privacy of data subjects.
- Protecting the rights of data subjects and providing recourse and remedies in case of rights violations.
- Strengthening the legal framework of Nigeria’s digital economy and enabling the country’s active participation in regional and global economies through the trusted use of personal data.
The Act applies to companies and entities incorporated or established under Nigerian law conducting business in Nigeria, as well as foreign entities whose operations extensively involve the use of personal data belonging to Nigerian residents and citizens.
Notably, the Act excludes the processing of personal data conducted solely for personal or household purposes. However, this exemption is limited to instances where such processing does not infringe upon a data subject’s fundamental right to privacy.
Legal Framework for Data Protection and Privacy in Nigeria
In addition to the principal legislation discussed above, the Constitution of the Federal Republic of Nigeria and several sector-specific laws contain various provisions related to privacy and data protection. These laws collectively aim to ensure the confidentiality, security, and lawful processing of personal data across various sectors in Nigeria. They include the following:
- Constitution of the Federal Republic of Nigeria (1999, as Amended):
  Section 37 guarantees citizens’ right to privacy in their homes, correspondence, and communications. However, the Constitution does not define “privacy” or provide detailed provisions.
- Child Rights Act (2003):
  Section 8 extends the constitutional right to privacy to children while allowing parental or guardian supervision. It defines a child as anyone under 18 years.
- NCC Consumer Code of Practice Regulations (2007):
  Requires licensees to protect customer information from unauthorized disclosure and securely store it. Information transfer is restricted unless agreed upon by the customer or required by law.
- Consumer Protection Framework (2016):
  Enacted under the Central Bank of Nigeria Act, it mandates financial institutions to safeguard customer data, train staff, and obtain written consent before sharing personal data with third parties.
- Credit Reporting Act (2017):
  Establishes rules for credit data retention and confidentiality. Data must be stored for six years, archived for 10 years, and protected under strict disclosure conditions.
- Cybercrimes Act (2015):
  Criminalizes unauthorized electronic communication interception and mandates financial institutions to protect retained data.
- Freedom of Information Act (2011):
  Protects personal privacy by denying access to personal information without consent or public availability. Professional privileges (e.g., lawyer-client confidentiality) are also upheld.
- National Identity Management Commission Act (2007):
  Establishes the NIMC to manage identity data and restricts database access without NIMC authorization, except for national security purposes.
- National Health Act (2014):
  Ensures confidentiality of patient health records and restricts unauthorized disclosure. Applies to all health-related information and DNA samples.
Conclusion
The Nigeria Data Protection Act is a welcome development as Nigeria moves towards building a digital economy. Since the digital economy relies heavily on data, any country aiming to join this space must invest in digital technologies and have a strong data protection law in place.
This Act is expected to increase the trust of Nigerian citizens and residents, encouraging them to support the country’s digital economy goals. When fully implemented, it will improve the business environment by providing clear rules for companies on how to handle personal data. It will also help improve Nigeria’s image as a safe place for business, attracting more foreign investment and supporting economic growth. For more information on Data Protection Regulations, please reach out to Resolution Law Firm.