By Esther Odunze & Beverley Agbakoba-Onyejianya
In an era where personal data has become the new oil, the need for robust data protection measures has never been more critical. In Nigeria, the journey towards comprehensive data protection regulation has been marked by significant milestones and persistent efforts. The issuance of the Nigeria Data Protection Regulation (NDPR) of 2019 followed by the establishment of the Nigeria Data Protection Bureau (NDPB) in 2022 were crucial steps in this direction. However, stakeholders have long anticipated more robust and enforceable legislation to regulate and address the challenges of the emerging data protection and privacy
On the 14th of June 2023, President Bola Tinubu signed into law, the Data Protection Act, 2023. The objective of the Act, amongst others, is to safeguard the fundamental rights and freedoms and the interests of data subjects as guaranteed under the 1999 Constitution of Nigeria. The Act establishes the Nigeria Data Protection Commission (the Commission) and replaces the Nigeria Data Protection Bureau (NDPB) established by former President Buhari. The Act focuses on crucial aspects such as the processing of personal data, protection of data subjects’ rights, the establishment of a Data Protection Commission, data security, cross-border data transfers and data breach management. This article critically analyses the key provisions of the Act and its potential impact on data controllers, processors, and subjects.
APPLICATION OF THE NIGERIA DATA PROTECTION ACT, 2023
The Act applies to data controllers or data processors domiciled, ordinarily resident or ordinarily operating in Nigeria or where the processing of personal data occurs within Nigeria. The Act also applies to data controllers or data processors not domiciled, ordinarily resident or ordinarily operating in Nigeria, so far they are processing personal data of data subjects in Nigeria. This is unlike the NDPR which focuses on natural persons residing in Nigeria or Nigerians residing outside Nigeria. It should be noted that the Act does not apply to the processing of personal data carried out by one or more individuals solely for personal or household purposes. The Act also exempts activities carried out by competent authorities from the rights and obligations specified, and for the purpose of investigation and prosecution of crimes, national public health emergency, national security and publication in the public interest for journalism, educational, artistic and literary purposes. The Act goes further to empower the Commission to create further exemptions by Regulation.
As opposed to the NDPR, it appears that the applicability of the Act is more focused on data controllers and processors and not data subjects. This may be a beneficial approach as it places a higher burden on data controllers and processors to safeguard privacy rights. The applicability of the Act also seemingly excludes Nigerians living abroad.
ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSION AND ITS GOVERNING COUNCIL
The Act establishes the Nigeria Data Protection Commission (“the Commission”) as an “independent” body which is to be a body corporate with perpetual succession and a common seal. The Act makes transitional provisions to empower the Commission to take over all the powers and duties of the existing NDPB. The Commission is tasked with the functions of promoting awareness to data controllers and data processors on their obligations under the Bill and supervising the implementation of the provisions of the Act. Some other functions of the Commission include advising the government on policy issues relating to data protection and privacy, licence, accrediting and registering bodies to provide data protection compliance services like Olisa Agbakoba Legal and submitting legislative proposals to the Minister, including amending existing laws amongst others.
The Act also sets up a Governing Council. The members of the council are all citizens of Nigeria and part-time members except for the National Commissioner. The National Commissioner shall have 10 years of cognate experience and proficiency in law, data protection, cybersecurity management, information and communication technology, consumer protection, management science or other relevant disciplines at a senior management level.
On a closer look into the composition of the Governing Council, there is concern as to the true independent status of the commission being that reliance is placed on the executive arm of government. The President is empowered to oversee the appointment and removal of the National Commissioner who is the only permanent member of the council as well as other members. Furthermore, the Governing Council has to submit legislative proposals to the Minister of Communications and Digital Economy (“the Minister”). This supervisory power of the Minister, in a way, questions the independent status of the Commission.
PRINCIPLES AND LAWFUL BASIS GOVERNING PROCESSING OF PERSONAL DATA
Section 25 provides for the principles governing the processing of personal data and they include lawfulness, fairness, and transparency, data minimisation, data minimisation, accuracy, purpose limitation, storage limitation, integrity and confidentiality. The Act goes further to place a higher burden on a data controller or data processor by emphasising a duty of care in respect of data processing and that they shall demonstrate accountability in respect of the principles contained in the Act.
A notable provision of the Act is the inclusion of legitimate interest as a basis for processing personal data. Legitimate interest comes up in an instance where an organisation needs to process personal data in order to discharge responsibilities related to the business that may not necessarily be justified by a legal or contractual obligation but such processing of personal data can be justified on grounds of legitimate interest. This implies that data controllers and processors can justify the processing on grounds of legitimate interest. e.g. data processing for the prevention of fraud, and employee-employer relationships.
It is important to note that Legitimate interest will not be a basis for processing personal data in instances where the fundamental rights and freedom of a data subject override such interest, where the interest is incompatible with the other lawful bases or where the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
As laudable as the inclusion of legitimate interest is, its definition and scope lack clarity and do not sufficiently give broad protection on both sides. Firstly this may pose a challenge to its interpretation secondly This comes with a potential risk to data controllers and processors hiding under the ground of legitimate interests to circumvent their obligations.
DATA PRIVACY IMPACT ASSESSMENT
The Act highlights the need for a data protection impact assessment (DPIA) where the processing of personal data appears likely to result in a high risk to the rights and freedoms of data subjects by virtue of its nature. It goes further to mandate the data controller to consult the Commission prior to the processing if the DPIA indicates that the processing of the data would result in a high risk to the rights and freedoms of data subjects. The Act defines a DPIA and also empowers the Commission to issue guidelines and directives on DPIA, including the categories of processing subject to the requirement for a DPIA.
This is a significant improvement to the NDPR as it provides more detailed information on a DPIA than the NDPR. It also reflects the attitude of the Act towards safeguarding privacy rights.
SENSITIVE PERSONAL DATA AND CHILD RIGHTS
The Act sets a higher standard of care for sensitive personal data. Sensitive personal data means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information. Generally, a data controller or processor cannot process sensitive personal data except where the data subject has given explicit consent, necessary for vital interests, legitimate interest but with safeguards, the performance of rights and obligations under employment law amongst other lawful bases. The Act goes further to state that the Commission may prescribe in rules, further categories of personal data that may be classified as sensitive personal data, further grounds on which such personal data may be processed, and safeguards that may apply.
On the rights of a child, the Act states that, where a data subject is a child or another individual lacking the legal capacity to consent, a data controller shall obtain the consent of a parent or other appropriate legal guardian of the child or other individual, as applicable. Data controllers are also expected to apply appropriate mechanisms in order to verify the age and consent.
This is an upgrade from the NDPR which barely spoke about sensitive personal data and child rights. This is a relief to data subjects as this infers that there is a higher burden on data controllers and protectors to safeguard their rights.
RIGHTS OF A DATA SUBJECT AND CONDITIONS OF CONSENT
In line with Section 27 of the Act, the burden of proof for establishing a data subject’s consent is on the data controller. It should be noted that the silence or inactivity by the data subject shall not constitute consent. The consent may be granted in writing, orally or through electronic means. The data subject can also withdraw his consent at any time. It is important to note that the withdrawal will not affect the lawfulness of prior data processing.
In comparison to the NDPR, the Act provides for more rights of data subjects. It emphasises data subject access rights like obtaining confirmation of the personal data being processed and details regarding its purpose and retention periods, the right to request rectification or erasure, lodge complaints with the Commission and request a copy of the personal data in electronic format without undue delay. It also grants data subjects the right to object to the processing of personal data and to not be subjected to a decision based solely on the automated processing of personal data.
It is commendable how comprehensive the Act is in respect of the rights of data subjects. However, it does not stipulate a clear timeline for responding to rights requests. There is a need to answer the question of what amounts to unreasonable delay. The Commission may also need to consider coming up with an implementation framework that addresses how the rights can be exercised, and the limitations to the exercise of those rights.
DATA SECURITY AND DATA BREACH MANAGEMENT
The Act mandates data controllers and data processors to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its care. It also provides for certain measures that may be implemented to ensure data security like pseudonymization and de-identification of personal data, encryption etc.
Another notable addition to the Act is the provision of detailed steps to be taken in the event of a data breach of the personal data stored or processed by a data processor. The data processor is mandated to notify the data controller or data processor that engaged it of the nature of the breach and respond to all information requests from the data controller or data processor without delay. Where the breach is likely to result in a risk to the rights of individuals, the data controller is to notify the Commission within 72 hours of becoming aware. The timeline may be extended where it is reasonably necessary to implement measures required to determine the scope of the breach. The data controller and data processor are also mandated to keep a record of all personal data breaches.
CROSS-BORDER DATA TRANSFERS
This simply means the transfer of personal data to another country or jurisdiction. Generally, a data controller or data processor is not permitted to transfer personal data from Nigeria to another country under the Act. Under the Act, personal data can only be transferred from Nigeria to another country if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms that afford an adequate level of protection with respect to the personal data. Section 43 of the Act provides that a level of protection is adequate if it upholds principles that are substantially similar to the conditions for the processing of the personal data provided for in the Act. The Act goes further in Section 44 to enumerate other bases for the transfer of personal data outside Nigeria contained in the Act. Furthermore, the Act empowers the Commission to create a blacklist of some sort from time to time. It is a list of countries, regions, specific sectors within a country, or standard contractual clauses which the Commission deems as not providing adequate protection for the international transfer of data.
The Data Protection Act deviates from the requirement of the NDPR to obtain an Adequacy Decision from the attorney general for cross-border data transfer. Instead, the Act empowers the Commission to make decisions on what level of protection is adequate. In discharging this function, the commission should put into consideration organisations with sister companies outside the country who share similar internal controls. The bureaucracy involving the Commission may hinder the flow of business activities.
DATA CONTROLLERS AND DATA PROCESSORS OF MAJOR IMPORTANCE
The Act requires Data controllers and data processors of major importance to register with the Commission within six months of the commencement of the Act. The Act defines them as one domiciled, ordinarily resident, or ordinarily operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria as the Commission may prescribe, or such other class of data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. The Commission is also empowered to exempt a class of data controllers and processors from registration.
The Act fails to prescribe the quantum of data processed by a data controller or data processor to qualify as a data controller or processor of major importance. This responsibility shifts to the Commission. The commission should consider including this to an implementation framework to aid understanding and execution.
The Nigeria Data Protection Act is indeed welcome legislation regardless of any flaw or uncertainty it might have. From the examination of the Act, data controllers and data processors are given a higher responsibility to match the high level of accountability that is expected of any organisation entrusted with the personal data of data subjects. An important question that comes to mind is whether the Act repeals the Nigeria Data Protection Regulation 2019 (NDPR). There is no specific provision that mentions the repeal of the NDPR. However, on a careful reading of the transitional provisions in Section 64 of the Act that mandates all orders and regulations made or issued by NITDA and the NDPB to continue to be in force until they expire or are repealed, it can be rightfully assumed that the NDPR is not repealed by the Act.
 Section 4
 Section 64
 Section 9(4)
 Section 9(2)
 Section 26(1)(b)(v)
 Section 29
 Section 31
 Sections 35, 36, 37 and 38
 Section 65 (Interpretation Clause)