News
Unveiling some salient features of Nigeria’s novel Nigeria Data Protection Act (NDPA) 2023.
For a period, the Nigeria Data Protection regulation (NDPR) 2019 was the reference point for data privacy and protection compliance in Nigeria. The enactment of the Nigeria Data Protection Act (“NDPA”) on June 12 2023 launched a new era in data privacy and protection regime. The Act laid to rest several controversial provisions, brought clarity to uncertainties, and contained several brand new provisions which shall form the crux of this article.
As earlier noted, the NDPA resolved several controversies stemming from the NDPR 2019, and contained several new provisions. In this article, the most notable salient provisions in the NDPA shall be examined.
a) Creation of a Data Protection Protection Authority
The National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) 2019, and was the supervising authority for the NDPR from 2019 until 2022. Any breach of the NDPR was construed as a breach of the National Information Technology Development Agency (NITDA) Act 2007. The Federal Government of Nigeria in February 2022 approved the establishment of the Nigeria Data Protection Bureau (NDPB), and the NDPB acted as the data protection authority until the Nigeria Data Protection Act was enacted in June 2023. The NDPB was widely regarded as lacking the statutory backing to legitimately enforce the NDPR while it existed. This issue has been laid to rest by section 4 of the NDPA which establishes the Nigeria Data Protection Commission (NDPC), and clothes it with independence by virtue of section 7 of the NDPA. The NDPC is responsible for the implementation of the NDPA and has powers to issue fines, and carry out searches and seizures among others, upon obtaining a warrant from a Judge.
b) Alteration of the categories of Sensitive Personal Data
The categories of personal information that constituted sensitive personal data under Article 1.3 of the NDPR was expanded by section 65 of the NDPA to include genetic and biometric data. This was a significant introduction as the processing of biometric data in Nigeria is a key activity that allows individuals gain access to critical financial and social services with financial institutions. It was also a requirement to exercise several civic rights such as the right to vote, and also access to public tertiary education. It is worth noting that the NDPA excluded criminal records from the sensitive personal data category, but the NDPC by virtue of section 30(2) of the NDPA reserves the right to expand the categories of personal data that will constitute sensitive personal date.
c) Legitimate Interest Provision
Legitimate Interest as a legal basis for processing personal data was introduced into the Nigeria data privacy and protection regime by virtue of section 25(1)(v) of the NDPA to the relief of data controllers. This basis was absent under the NDPR 2019 and data controllers could only rely on consent, the performance of contract, compliance with a legal obligation, vital interests and public interest as the basis for processing personal data. It must be noted that processing on the basis of legitimate interest will only be considered valid if such processing does not override the fundamental rights, freedoms and the interests of the data subject; is not incompatible with other lawful basis of processing under; or the data subject has a reasonable expectation that the personal data would be processed in the manner envisaged.
d) Data Privacy Impact Assessment (DPIA)
In view of the large amounts of personal data processing that goes on in Nigeria in the private and public sectors, and against the backdrop of being the most populous black nation in the world, this introduction was a necessary innovation in the NDPA. Section 28(1) of the NDPA compels data controllers to conduct data privacy impact assessments (DPIA) when the scope, nature, context, and purpose of an envisaged processing will constitute high risk to the rights and freedoms of data subjects. A DPIA must contain a systemic description of the envisaged processing, purpose, legal basis, and proportionality of the processing in relation to the purposes for processing such data. A DPIA must also contain an assessment of what risks that the envisaged processing may pose to the rights and freedoms of the data subject, as well as the measures and safeguards proposed to mitigate and address the identified risks. If it remains the case that high risk will be posed to the rights and freedoms of data subjects irrespective of the mitigating measures and safeguards envisaged by the data controller, the data controller must consult the NDPC prior to commencement of the processing. The NDPC is empowered by section 28(3) of the NDPA to make further regulation in regards of this provision when necessary
e) Cross Border Personal Data Transfer
The NDPA modified the obligations of the data controller and data processor from its previous position under the NDPR. Under the NDPR the Attorney General of the Federation was mandated to supervise cross border data transfer among others. This provision has been eliminated, and section 41 of the NDPA prohibits cross border personal data transfer unless there is an adequate level of protection of personal data within the jurisdiction where the would-be recipient is located, or any of the derogations under section 43 of the NDPA are present.
The adequate level of protection listed as an exception to the prohibition on personal data transfer can be afforded in the available laws of the recipient’s jurisdiction, binding corporate rules, codes of conduct, contractual clauses or certification mechanisms. The derogations listed in section 43 of the NDPA include consent of the data subject; performance of contract; sole benefit of the data subject where the data subject is unavailable to give consent and it is reasonable that the data subject would likely have given consent; public interest, establishment, exercise and defence legal claims, and vital interest of data subject. Data controllers and processors are required by the NDPA to record the basis for any cross border transfer.
The provisions of sections 42(4) and 42(5) of the NDPA empower the NDPC to make adequacy of protection decisions, approve corporate rules, codes of conduct or similar instruments, and issue guidelines regarding the assessment of adequacy of protection.
CONCLUSION
It is beyond peradventure that the introduction of the Nigeria Data Privacy Act 2023 represents a significant stride toward addressing the ever-evolving challenges present in data processing activities in the digital age. However, it is crucial to emphasize that the pace of technological advancement will demand ongoing innovation within the legal framework to ensure that data privacy remains robust and adaptable to emerging technologies. It is within this context that the powers of the NDPC to issue regulations further to the NDPA is appreciated. Irrespective of the above, and to avoid further controversies in future, the NDPA will require continuous monitoring and potential amendments to keep pace with the dynamic landscape of data privacy, always with due regard for existing laws, regulations, and the pursuit of innovative solutions when required.
Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010