Safeguarding Privacy in the Digital Age: Understanding Nigeria’s Data Protection Bill, Now an Act
In an era where personal data has become a valuable commodity and digital interactions permeate every aspect of our lives, safeguarding privacy has never been more pressing. Recognising this urgency, Nigeria took a significant stride in fortifying data protection by introducing the Data Protection Regulation as subsidiary legislation in January 2019. This groundbreaking legislation, now an Act signed by the Nigerian president in June 2023, holds immense significance as it not only underscores the importance of individual privacy but also promises to be a pivotal force in bolstering data privacy and security across diverse sectors within the country. By delving into the essence of the Data Protection Act and its potential role, we embark on a journey to unravel how Nigeria is poised to empower its citizens in the digital age while strengthening the foundation of data protection and privacy in the ever-evolving landscape of technology.
To begin with, the primary objective of this Act is to establish and provide an efficient regulatory framework for the protection of personal data; promote data processing practices that protect the security of personal data and the privacy of data subjects; ensure that personal data is processed in a fair, lawful and accountable manner; safeguard data subjects’ rights, and provide remedies and means of recourse in case of breach of those rights; ensure that data controllers and data processors fulfil their obligations to data subjects; and to minimize the harmful effect of personal data misuse or abuse on data subjects and other victims.
For context, “Personal Data” in the Act refers to personal and biometric data revealing a data subject’s identity, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership. It also includes personal banking and accounting records, personal data revealing a person’s flight reservation or itinerary, students’ academic transcript records, personal medical and health records, telephone calls, call data records, messages, websites and other information stored on any electronic device. A “Data Subject” is the person whose data is collected or being processed. A “Data Controller” is an entity or organization that determines the purposes and means of processing personal data. Data controllers are typically responsible for making decisions about what data to collect, why it is being collected, and how it will be used. The data controller is also accountable for ensuring compliance with applicable data protection laws and regulations. A “Data Processor” is an entity or organization that processes personal data on behalf of the data controller. Data processors act according to the instructions provided by the data controller and handle the data processing activities, such as storage, analysis, or transmission. They are required to maintain the security and confidentiality of the personal data they handle and comply with the terms outlined in a data processing agreement with the data controller.
Deep dive into some key provisions in the Act.
The Act establishes the Nigeria Data Protection Commission, formerly the Nigeria Data Protection Bureau (NDPB) established by the past government. Some of the functions of the Commission include ensuring the deployment of technological and organizational measures to enhance personal data protection; promoting awareness among data controllers and data processors of their obligations under this Act; promoting public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under the Act; receiving complaints relating to violations of the Act or regulations issued according to the Act; conducting investigations of potential violations by a data controller or a data processor of any requirement under this Act or other subsidiary legislation made under this Act; and generally implementing the provisions of this Act and doing such other things as are necessary to the carrying out of the functions of the Commission.
The Act also provides for the principle and lawful basis governing the processing of personal data. This principle provides that data controllers shall ensure that personal data is: processed, by such data controller or any data processor processing personal data on its behalf, fairly, lawfully and in a transparent manner; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed; and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access, and against loss, destruction or damage. The data controller and data processor shall use appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of the personal data.
The Act also states the conditions for consent and the rights of data subjects. Some of the conditions are: a data controller shall bear the burden of proof for establishing a data subject’s consent; silence or inactivity by the data subject shall not constitute consent; where the processing of personal data is based on the consent of the data subject, the data subject shall have the right to withdraw consent at any time; and consent may be provided in writing, orally, or through electronic means.
Interestingly, the Act also requires data controllers to provide some information to the data subject before collecting their personal data. This information, as stated in the Act, includes the identity, residence or place of establishment of, and means of communication with, the data controller; the specific lawful basis of processing and the purposes of the processing for which the personal data are intended; the recipients or categories of recipients of the personal data, if any; the existence of the rights of the data subject; the right to lodge a complaint with the Commission; and the existence of automated decision-making, including profiling, the significance and envisaged consequence of such processing for the data subject, and the right to object to and challenge such processing. Where processing appears likely to result in a high risk to the rights and freedoms of data subjects by virtue of its nature, scope, context and purposes, a data controller shall, prior to the processing, carry out a data protection impact assessment.
The Act also addresses one of the most pressing data protection and security threats, which is data breach. It provides that when a personal data breach has occurred with respect to personal data being stored or otherwise processed by a data processor, the data processor shall notify the data controller or data processor that engaged it without undue delay after becoming aware thereof, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned; and respond without undue delay to all information requests from the data controller or data processor that engaged it as they may require to comply with their obligations under this section. When such a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller shall communicate the personal data breach to the data subject without undue delay in plain and clear language, including advice about measures the data subject could take to mitigate the possible adverse effects of the data breach effectively; and if a direct communication to the data subject would involve disproportionate effort or expense or is otherwise not feasible, the data controller may instead make public communication in one or more widely-used media sources such that data subjects are likely to be informed.
The Act empowers individuals by giving them more control over their personal data and ensuring its secure handling by organizations. This includes the right to access their data, request its deletion and be informed about its collection, usage, transfer and processing, among other rights stated in the Act. This is not often the reality, though, and we hope that with the signing of this bill, organizations will become more responsible in doing their own part of the bargain.
In addition, while this Act has the potential to address data protection issues in Nigeria, organizations, including data controllers and processors, must commit to the obligations imposed on them by implementing robust security measures, obtaining informed consent for data use and transfers, conducting impact assessments and maintaining records of data processing activities, among other obligations in the Act.
To ensure compliance, the Act also puts in place some enforcement mechanisms to encourage organizations to comply with the provisions of the Act and deter any misuse or mishandling of personal data. Some of these include:
- A data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Act, subsidiary legislation or orders may lodge a complaint with the commission.
- Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any requirement under this Act or any regulations, rules, or other subsidiary legislation or orders issued thereunder, the Commission may make an appropriate compliance order against that data controller or data processor.
- A data controller or data processor who fails to comply with orders made commits an offence for which such data controller or data processor is liable on conviction to: a fine of up to (i) in the case of a data controller or data processor of major importance, the higher maximum amount, and (ii) in the case of a data controller or data processor other than a data controller or data processor of major importance, the standard maximum amount.
By effectively implementing the Data Protection Act, Nigeria has embarked on a transformative path towards fostering trust and confidence among consumers. The introduction of robust data protection measures instils a sense of security and reassurance, assuring individuals that their personal data will be handled with utmost care and respect. As trust becomes the bedrock of digital interactions, consumers are empowered to engage more freely in online and offline activities that involve sharing personal data. Whether it’s conducting financial transactions, participating in e-commerce, or interacting on social media platforms, the knowledge that their privacy is protected encourages individuals to embrace the digital landscape and take advantage of its vast opportunities. This newfound trust not only benefits consumers but also enhances the overall growth and vitality of the digital economy, paving the way for increased innovation and collaboration.
As we conclude this exploration into Nigeria’s Data Protection Act, it becomes evident that the dawn of the digital age necessitates a robust framework for safeguarding privacy. The implementation of this groundbreaking legislation marks a significant stride in fortifying data protection and privacy rights in the country. By fostering trust, instilling confidence, and empowering individuals to engage more freely in online and offline activities involving personal data, Nigeria’s Data Protection Act stands as a beacon of progress and a testament to the nation’s commitment to digital security. As we navigate the ever-evolving landscape of technology, this comprehensive framework serves as a solid foundation for ensuring privacy, enhancing consumer rights, and inspiring innovation. With the Data Protection Act at the helm, Nigeria embarks on a journey towards a more privacy-conscious and secure future, where the digital realm can be embraced with confidence and individuals can exercise control over their personal information. The time has come to usher in a new era where privacy and technology harmoniously coexist, and Nigeria leads the charge as a pioneer in the protection of individual privacy in the digital age.
By: Yazid Salahudeen Mikail, firstname.lastname@example.org and Muhammed Bayero Yayandi, email@example.com