Exploring The Nigerian Data Protection Act

In an era where data privacy is more important than ever, Nigeria has taken a significant step forward by enacting the Nigerian Data Protection Act 2023. This new legislation builds on the foundation laid by the Nigerian Data Protection Regulation (NDPR) 2019, its Implementation Framework, and various sector-specific laws. By introducing a more comprehensive legal framework, the Act aims to enhance data security and strengthen the protection of personal information. This blog explores some of the key provisions of the Nigerian Data Protection Act 2023 and its implications for individuals and organizations.

What is the Nigerian Data Protection Act 2023?

The Nigerian Data Protection Act 2023 is a piece of legislation aimed at safeguarding the personal data of Nigerian citizens. It establishes a legal framework for collecting, processing, storing, and transferring personal data in Nigeria. The Act is designed to ensure that individuals have control over their personal information while also setting clear guidelines for organisations and businesses on how they should handle personal data.

This law applies to all entities, both within and outside Nigeria, that process the personal data of Nigerian citizens. This means that if a company in another country collects or processes the data of Nigerians, it is also required to comply with the NDPA.

Key Provisions of the Act

Establishment of a Regulatory Agency:

Nigeria previously lacked a dedicated regulatory authority for data privacy and protection, leading to concerns among stakeholders. The National Information Technology Development Agency (NITDA) had broad oversight over IT-related matters, including data privacy, but without a specific focus on data protection. The later establishment of the Nigeria Data Protection Bureau (NDPB) also raised legal concerns, as it was created based on presidential authority rather than a legislative framework, potentially overstepping the National Assembly’s role. However, the recent enactment of a new law resolves these issues by formally establishing the Nigeria Data Protection Commission (NDPC) as an independent regulatory body with clear powers and responsibilities for overseeing data protection in the country.

Data Controllers and Data Processors:

The new Act expands on the definitions of data controllers and processors under the Nigeria Data Protection Regulation (NDPR) by introducing the category of “data controllers and processors of major importance.” These entities operate in Nigeria and handle personal data exceeding a threshold set by the Nigeria Data Protection Commission (NDPC) or process data of significant economic, social, or security value. However, the Act does not specify the exact volume of data required for this classification, leaving the determination to the NDPC.

Entities designated as “data controllers or processors of major importance” must comply with specific obligations, including:

  1. Mandatory Registration: They must register with the NDPC within six months of the Act’s commencement or upon attaining the classification. The NDPC has the authority to exempt certain entities from this requirement if deemed unnecessary.
  2. Appointment of a Data Protection Officer (DPO): They must appoint a qualified DPO with expertise in data protection laws and practices.

Additionally, the NDPC is authorized to impose registration fees or levies on these entities. While the classification criteria remain somewhat ambiguous, the NDPC has urged controllers and processors to register in alignment with the new regulations.

Enhanced Protection for Children’s Data:

The Nigeria Data Protection Regulation (NDPR) and its Implementation Framework define a child as anyone under the age of 13. They require that Data Controllers and Processors targeting children ensure their privacy policies are presented in a child-friendly manner, allowing both children and their guardians to understand the data processing activities before giving consent.

Section 31 of the new Act reinforces children’s rights by mandating that when a data subject is a child or lacks legal capacity, Data Controllers must obtain consent from a parent or legal guardian. Additionally, the Act requires Data Controllers to implement appropriate measures to verify age and consent.

Sensitive Data:

The Act defines sensitive personal data as information related to religious beliefs, sexual orientation, health, race, ethnicity, political views, trade union membership, criminal records, or any other classified sensitive data. Unlike the NDPR, the Act introduces specific conditions for processing such data.

A Data Controller or Processor may only process sensitive personal data if:

  1. The data subject has given explicit consent, which has not been withdrawn.
  2. The processing is necessary to fulfill obligations under employment, social security, or similar laws.

Additionally, the Nigeria Data Protection Commission (NDPC) has the authority to define further categories of personal data as sensitive.

Cross-Border Data Transfers:

The new Act establishes detailed guidelines for cross-border transfers of personal data between Nigeria and other countries. It outlines key considerations, including:

  1. Adequacy of Protection: The recipient country must have laws, corporate rules, contractual clauses, or other mechanisms ensuring an adequate level of data protection, in line with the Act.
  2. Compliance with Section 43: The transfer must meet at least one of the conditions specified in Section 43 of the Act.

Unlike the NDPR, the new Act removes the requirement for supervision by the Attorney General of Nigeria in cross-border data transfers, focusing solely on protection adequacy and compliance with Section 43. However, the whitelist of countries with adequate privacy laws, as provided in the NDPR Implementation Framework, remains valid since the new Act does not repeal the NDPR.

Data Protection Impact Assessments (DPIAs):

Certain businesses, particularly those engaging in high-risk data processing activities, are required to conduct Data Protection Impact Assessments (DPIAs). These assessments help organizations identify and mitigate potential risks to individuals’ privacy and data security.

Data Security:

The NDPR highlights the critical role of Data Controllers and Data Processors in safeguarding personal data. While the Regulation suggests some overarching measures for data protection, the Act takes it further by specifying additional strategies to bolster data security (Section 39(2)). These strategies include ensuring timely data recovery in case of incidents, conducting periodic risk assessments of systems and services, and regularly testing and evaluating the effectiveness of security measures against both present and evolving risks.

Non-Compliance Penalties:

The Act grants the NDPC the authority to issue written compliance orders to data controllers or processors who fail to meet their obligations. These orders can include warnings, demands, and cease-and-desist directives. They will outline the necessary steps to correct or prevent the violation, the timeframe for compliance, and the right to seek judicial review. Additionally, the NDPC can investigate complaints from data subjects regarding the actions or inactions of data controllers or processors. Beyond any criminal penalties that may apply, the NDPC can also issue enforcement orders against those who are non-compliant. These enforcement orders may impose a remedial fee of either (i) the greater of NGN 10,000,000 (approximately $13,200) or 2% of the annual gross revenue from the previous financial year for major data controllers or processors, or (ii) the greater of NGN 2,000,000 (approximately $2,640) or 2% of the annual gross revenue from the previous financial year for those not classified as major.

Conclusion

The Nigerian Data Protection Act 2023 is an important step in creating a more secure and privacy-conscious digital environment for Nigerians. With stronger protections for personal data and clear guidelines for organizations, the law aims to build trust in Nigeria’s digital economy and ensure that citizens’ rights are respected in an increasingly connected world.

As we move forward, both individuals and businesses must understand the provisions of the Act and work together to create a safer online environment. By doing so, Nigeria can continue to grow as a digital powerhouse while ensuring that the privacy and security of its citizens remain a top priority. For more information, contact us.
