By Lukman Bolaji Tairu
ABSTRACT
The enactment of the Nigeria Data Protection Act by Nigeria in June 2023 finally puts in place principal legislation securing the protection of data and privacy of data subjects. The Act complements and gives more force to the existing Nigeria Data Protection Regulation, 2019 which is a subsidiary legislation intended to safeguard the rights of natural persons to data privacy and ensure that Nigerian businesses remain competitive in international trade. In line with best practices and as the main legal framework on data protection, the Act recognises the key principles underpinning the processing of personal data, protects the rights of data subjects, and imposed obligations on data controllers and data processors of individuals’ personal data. The Nigeria Data Protection Commission is created as the regulatory body on data protection to oversee the implementation of the provisions of the Act, and issue regulations, rules, directives, and guidelines among other powers. This article undertakes an in-depth review of the major provisions of the Act. The roles and responsibilities of stakeholders towards ensuring compliance with the provisions of the Act including cross-border transfer of data, penal and enforcement regime are also considered. It is concluded that the application of the Public Officers Protection Act to the provisions of the Act is not necessary given the already existing requirement for pre-action notice and limitation provisions which are in themselves needless.
Introduction As the amount of data being processed and stored in different forms across all platforms continues to increase at an unprecedented rate, there are emerging data protection laws and regulations within the international community.[2] These laws are geared towards the security of lives and property and fostering the integrity of commerce and industry in the volatile data economy. In line with this development, the Nigeria Data Protection Act, 2023 (“NDPA or the Act”) was enacted. Before its enactment, there was no comprehensive data privacy and protection legislation in Nigeria but various sector-specific laws with privacy and data protection provisions.
The country’s first attempt to harmonise data which is considered to be the new oil and the world’s most valuable asset[3] was through the Nigerian Data Protection Regulations (“NDPR”) 2019[4], a subsidiary legislation made by the National Information Technology Development Agency (“NITDA”) pursuant to the agency’s establishment law. The objective of the Act is to among others safeguard the fundamental rights and freedom of data subjects as guaranteed by the Constitution of the Federal Republic of Nigeria, 1999, regulate the processing of personal data, promote data processing practices that safeguard the security of personal data and privacy of data subjects and ensure that personal data is processed in a fair, lawful and accountable manner.[5]
Applicability of the Act The personal data of an individual is protected by the Act whether or not the process or processing of the data is carried out by the process of automation through the use of machines or electronic devices or by non-automated means involving human intervention. In addition, concerning its territorial scope, the Act is applicable where the data controller or data processor is domiciled or resident in Nigeria. Where the data controller or data processor is outside the country, the Act is also applicable insofar as the data that is being processed by the data controller or data processor is that of a data subject in Nigeria.[6]
Establishment of the NDPC, National Commissioner, and its Secretary The NDPC[7] and its Governing Council are established by the Act to among other functionsensure the deployment of technological and organisational measures to enhance personal data protection, foster the development of personal data protection technologies in accordance with recognized international good practices and applicable international law, promote awareness on the obligation of data controllers and data processors and public awareness and understanding of personal dataprotection, rights and obligations imposed under the Act including the risks topersonal data. The Commission is to also accredit, licence, and register suitable bodies to provide data protection compliance services where necessary and register data controllers and data processors of major importance.
The Governing Council of the Commission established under the Act is constituted of part-time members (with the exclusion of the National Commissioner) consisting of a representative each not below the rank of a director or its equivalent from the Federal Ministry of Justice, Federal Ministry responsible for communication and digital economy, Central Bank of Nigeria, a law enforcement agency and the private sector.[8] The National Commissioner is the only full-time member of the council and doubles as the secretary who is responsible for the keeping of records and conduct of the Council’s correspondence.[9]
Cognizant of the enormous duties of the National Commissioner and in a bid to insulate him/her from unnecessary distractions while carrying out the responsibilities of executing the policies and the administrationof the daily affairs of the Commission, the National Commissioner is barred from holding any other management position in a Ministry, Department, or Agency of Government, corporation, company, or any other business establishment.[10] It is submitted that this prohibition is commendable having regard to the enormous duties and responsibilities of the office of the National Commissioner. However, it is opined that notwithstanding the prohibition, the National Commissioner may still likely be overwhelmed by the responsibilities sincehe doubles as the Chief Executive and Accounting Officer of the Commission.[11]It is contended that the arrangement would have been better if these offices were separated and occupied by different persons because of the peculiarities of the tasks involved or expected of the offices.
Principles of Personal Data Processing In line with provisions of leading laws and regulations governingpersonal data protection and global best practices, the Act imposes important obligations on data controllers and data processors to ensure that their activities accord with the key principles underpinning data protection.[12] By Section 24 of the Act, a data controller or data processor shall ensure that the processing of the personal data of data subjects isconducted in accordance with fundamental principles of data protection which are as follows:
Lawfulness, Fairness, and Transparency[13]: It is incumbent on a data controller or data processor to act under the law, be fair, and transparent while dealing with the personal data of data subjects. Processing of data will be lawful where it is based on the legal grounds stipulated under Section 25 of the Act, the most prominent of which is consent. While there is no definition of what constitutes “fairness” under the Act, it should be interpreted as referring to the general concept of equity and justice. Processing will not be fair if it is carried out in a way that might be misleading for the data subject irrespective of whether the subject has granted consent.[14] Also, regardless of the ground upon which the processing is based, a data subject should be provided with information about the processing of his/her data. The information should be provided in clear and plain language with relevant details and easily accessible.[15] Purpose Limitation:[16]It is the responsibility of the data controller or data processor to ensure that personal data is processed for “specified, explicit and legitimate purposes”. Specifically, the purpose of the processing shall be specified at the onset of the process and respected throughout the whole personal data lifecycle. In addition, a data controller or data processor shall ensure that data is not processed for a purpose that is incompatible with the defined purpose.[17] Data Minimisation:[18] The principle of data minimization recognized under the Act is to the effect that personal data shall be “adequate, relevant and limited to what is necessary for ration to the purpose for which they are processed”. Meaning that data that are not necessary to achieve the intended purpose cannot be lawfully collected, stored, or otherwise processed. Retention:[19] A data controller or data processor is obliged to ensure that personal data shall be retained for no longer than is necessary to achieve the lawfulbases for which the personal data was collected or further processed. Factors that will determine storage limitation include agreement between parties and limitation period specified by statutes.[20] Accuracy:[21] Personal data of data subjects shall also be kept “accurate, complete, not misleading, and, where necessary, kept up to date” by data controllers or data processors having regard to the purposes for which the personal data is collected or is further processed. Integrity and confidentiality:[22]Under the Act, appropriate security measures must be put in place whenever the personal data of data subjects are being processed. The measures to be takenwill include protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of a data breach. Rights of Data Subjects and Personal Data Processing Obligations under the Act. In addition to the responsibilities of data controllers and processors to always uphold the foregoing principles, the Act makes provisions for some important inalienable personal data rights of data subjects and imposes some obligations which must be fulfilled by data processors and controllers while processing data of subjects. Some of the rights and obligations are explained hereunder.
Rights of Data Subjects. Consent Except it is carried out in accordance with one of the grounds enumerated under Section 25 of the Act, processing of the personal data of a data subject must be with his/her consent. Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing”.[23] Consent may be express or implied but silence or inaction of the data subject cannot be interpreted as consent.[24] Under Section 35 of the Act, it is the right of a data subject to at any time withdraw his/her consent to the processing of his/her data and it is incumbent on the data controller or data processor to ensure that it is easy for the data subject to grant consent or exercise the right of withdrawal of consent.[25]
Right to Information[26] Where a data controller or a data processor operating on its behalf is storing or otherwise processing personal data relating to a data subject, the data subject is entitled to the following information without any constraint or unreasonable delay:
purposes of the processing; categories of personal data concerned; the recipients or those to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organisations; duration of storage. Right to Rectification, Correction or Deletion[27] The Act guarantees the existence of the personal data subject’s right to request from the data controller, the rectification of his/her data. In addition, the data subject is entitled to obtain the correction of his/her data from the data controller without any constraint or unreasonable delay. Where correction of the data is not feasible or suitable, the data controller is to delete the data that is inaccurate, out of date, incomplete, or misleading.
Right to Erasure[28] The data subject has the right to obtain the erasure of his/her data from the data controller without any undue delay. The data controller is under a bounding duty to comply with this right even without the request of the data subject particularly, in the following circumstances:
Where the personal data is no longer necessary, in relation to the purposesfor which it was collected or processed, Where the data controller has no other lawful basis to retain the personaldata. Right to Access[29] In addition to the right to information, a data subject is entitled without undue delay to a copy of his/her data in a commonly used electronic format. Where providing access to such data would impose unreasonable costs on the data controller, the data subject may be required by the data controller to bear some or all of such costs.
Right to Restriction of Processing[30] A data subject has the right to restrict a data controller from processing or further processing his/her data. Circumstances that may warrant such restriction include where the resolution of a request is pending, the processing is unlawful, and where the controller needs more time to verify the accuracy of data or seek an alternative ground for processing. Where this right is invoked, the restricted data becomes “blocked for use” and can be stored by the data controller, but can only be processed with the consent of the data subject.[31]
Right to Object It is the right of a data subject to object to the processing of his/her data and where there is such objection the data controller or data processor shall discontinue the processing of the data unless it can demonstrate that the processing is for public interest or other legitimate grounds overriding the fundamental rights and freedom of the data subject. However, where the object is in respect of personal data processed for direct marketing purposes, the data controller or data subject shall desist from further processing the data of the subject[32].
Right of Data Portability The Act provides data subjects with the right of data portability[33] which is the ability to move data from one platform or service to another. This includes the right of data subject to where technically possible, receive personal data from a data controller without undue delay and transmit the same to another data controller without any hindrance.[34]
Right to sue for damages A data subject who suffers injury, loss, or harm as a result of a violation of the Act by a data controller or data processor may file an action for the recovery of damages from such data controller or data processor in a civil proceeding.
Sensitive Personal Data In addition to theforegoing personal data rights, the Actprotects the sensitive personal data ofdata subjects from beingprocessed by a data controller or dataprocessor.[35] Sensitive personal data is defined as personal data relating to an individual’s genetic and biometric data, to uniquely identify a natural person, race or ethnic origin, religious or similar beliefs, such as those reflecting conscience or philosophy, health status, sex life, political opinions or affiliations, trade union memberships, and other information prescribed by the Commission[36]. These sensitive personal data may however be processed in circumstances such as where the data subject has given and not withdrawn consent, where the processing is necessary for the purposes of performing the obligations of the data controller or exercising rights of the data subject underemployment or social security laws or any other similar laws, to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent, the processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other not-for-profit body with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes[37], the processing relates to personal data, which are manifestly made public by the data subject, necessary for the establishment, exercise, or defence of a legal claim, obtaining legal advice, or conduct of a legal proceeding amongst others
Data Security and Personal Data Breaches An obligation is imposed on data controllers and data processors to implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of the personal data of data subjects in their possession or under their control. This obligation includes providing protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access, taking into account the factors specified under Section 39 of the Act. Where there is any breach of personal data, it is incumbent on a data processor to notify the data controller or data processor that engaged it with relevant information of any data breach upon becoming aware of such breach and to respond to all requests for information describing the nature of the personal data breach involved.[38] In the same vein, the data controller shall notify the commission within 72 hours of becoming aware of a data breach that is likely to result in a risk to the rights and freedom of individuals with relevant information including numbers of data subjects and personal data records concerned. But where the breach is likely to result in a high risk to the rights and freedoms of a data subject, the breach shall be immediately communicated to the data subject in plain and clear language including any measure that can mitigate the breach. It is also provided that the communication may be done publicly in one or more widely used social media sources in appropriate circumstances. The commission may also at any time make a publication about a data breach where it considers the steps taken by the data controller to be inadequate.[39]
Cross-Border Transfer of Data In respect of cross-jurisdictional transfer of data, the personal data of a data subject shall not be transferred from Nigeria to another country except in circumstances where the recipient of the data is subject to a law binding corporate rules, contractual clauses, code of conduct or certification mechanisms that are in line with an adequate level of protection. What constitutes adequacy of protection is to be determined by the Commission having considered factors such as enforceability of data subject right in the destination of the data or recipient of the data, access to the data by public authority, the existence of effective personal data laws, functional and competent data protection authority with enforcement powers amongst other factors.[40]
Other circumstances where personal data may be transferred from Nigeria to another country are contained in Section 43 of the Act and they include where the data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections, the transfer is necessary for the performance of a contract to which a data subject is a party or to take steps at the request of a data subject, before entering into a contract, the transfer is for the benefit of the data subject or necessary for the public interest. It is important that as with other internationalinstruments,specific international,multi-national cross-border data transfer codes, rules or certification mechanisms can only be adopted as national standards for the protection of data subjects or data sovereignty subject to the approval of the National Assembly.[41]
Enforcement and Penal Provisions under the Act To give teeth to the provisions contained therein, the Act gives the Commission enforcement powers and provides for some penal provisions including the powers of investigation[42], to make enforcement orders, compliance orders and sanctions. Where any decision, action or inaction of a data controller or data processor constitutes the violation of the Act or subsidiary legislation made thereto an aggrieved data subject may lodge a complaint with the Commission for investigation. The Commission may investigate such a complaint if it appears not frivolous or vexatious. Also, where it has reason to believe that there is a violation or any likelihood, the Commission may of its own accord investigate any violation by a data controller or data processor.[43] To aid its investigation, the commission is empowered to order a person to attend a place at a set time for an oral examination, produce a document, article, or furnish a statement in writing setting out the information under oath or affirmation as may be relevant to the investigation.[44] Furthermore, where the Commission is satisfied that there is a violation or likely violation of any requirements under the Act or its subsidiary legislation or orders, it may make appropriate compliance orders or impose sanctions on the erring data controller or processor. To ensure that data subjects receive prompt and appropriate redress for any breach of their data, it is recommended that the unit of the Commission referenced under the Act to receive, follow up and conduct investigations of complaints from data subjects should adopt the same twenty-eight (28) working daysor similar period or duration prescribed for the Administrative Redress Tribunal under the NDPR for the investigation and determination of appropriate redress of allegations of any breach of the provisions of the Act.
Compliance Order is an order in writing made against a data controller or data processor for any decision, action or inaction of the data controller which constitutes the violation or likely violation of any requirement under the Act or subsidiary legislation made pursuant thereto.[45] This may include: Warning: A compliance order in the form of a warning is to be issued before the occurrence or likelihood of any violation under the Act, subsidiary legislation or orders issued under it. Requisition: By this type of compliance order the Commission will require the data controller or data processor to comply with a specific provision of the Act including the request of a data subject in the exercise of any right under the Act. Cease and Desist Order: The purpose of this form of compliance order is to direct the data controller or data processor to stop and refrain from doing any act which constitutes a violation of the Act, including stopping or refraining from processing personal data which is the subject of the order. An Enforcement Order or Sanction is an order directed to a data controller or data processor requiring it to remedy any violation of the Act or subsidiary legislation and ordering the payment of compensation to a data subject, who has suffered injury, loss, or harm as a result of the violation with an order for an account of the profits realised from the violation or payment of penalty or remedial fee.[46] Differences between Compliance Order and Enforcement Order It is noteworthy that the significant difference between a compliance order and an enforcement order or sanction is that while the former applies to circumstances where there is already a violation or likely violation of the Act or subsidiary legislation made under it, the latter is strictly applicable to circumstances where the violation has already occurred. In effect, on the one hand, a compliance order is appropriate where there is a violation or imminent violation of principles of personal data protection by a data controller or data processor. This non-compliance constitutes an offence punishable with a fine up to a ‘higher maximum amount’ or ‘standard maximum amount’ depending on the status of the data controller or data processor involved or imprisonment for a term not exceeding one year or both imprisonment and fine.[47] On the other hand, an enforcement order is made against or imposed on the data controller or data processor as a penalty or remedial sanction to address the occurrence of violation up to the ‘higher maximum amount’ or ‘standard maximum amount’ based on the status of the data controller or data processor.[48]
The above penal provisions and remedies notwithstanding, the Court may make an order of forfeiture against a convicted data controller, data processor, or individual in accordance with the Proceeds of Crime (Recovery and Management) Act.[49]Where a body corporate or firm commits an offence under the Act, the body corporate or firm, as well as principals officers of the body corporate or firm are deemed culpable, unless the principal officers establish that the offence was committed without their consent or connivance; and that they exercised diligence to prevent the commission of the offence. However, a data controller and data processor are vicariously liable for the acts or omissions of their agents or employees as long as the acts or omissions relate to their business.[50]
It is submitted that the meaning of ‘order’ as used in Section 50 of the Act establishing the right to apply for judicial review of the order of the Commission within 30 applies to a complianceorder and an enforcement order. Also, with regards to the Court with jurisdiction to entertain a suit under the Act, one can safely conclude that the High Court of a State and the Federal High Court have concurrent jurisdiction to hear and determine such actions.[51] Further, such actions must be commenced within three months after the act, neglect or default complained of or in the case of continued damage or injury, within three months after the ceasing of such act, neglect or default complained of.[52] Moreover, the intending plaintiff or his agent shall wait for one month after serving on the Commission, its member or staff, awritten notice of his intention to commence the suit.[53]
One wonders why in addition to the above provisions on the requirement of notice and period of limitation which are in themselves needless, the provisions of the Public Officers Protection Act (POPA)[54]which has been aptly described as an ‘anachronistic legislation’[55]is made applicable to any suit instituted against an official or employee of the Commission under the Act.[56] To put it mildly, this is an unnecessary limitation within limitations. As can be decipheredfrom various cases[57], it has been established that the POPA has ‘occasioned injustices to litigants with genuine causes of action, leaving them without remedies, even in cases where the delay was not deliberate’.[58]Therefore, there is no sound justification for subjecting the protection of data subjects’ rights to the special limitation rules for public offices and public institutions, particularly, the POPA that has been widely agreed requires an urgent repeal.[59]
Exceptions to the application of the Act Generally, the Act will not be applicable where the processing of the data is carried out by one or more persons solely for personal consumption or household purposes to the extent that such processing is not done in violation of the fundamental rights to privacy guaranteed and protected under Section 37 of the Constitution, 1999 as amended. Also, the obligations of data controllers or data processors specified under Part V of the Act except those provided under sections 24, 25, 32, and 40 are excluded if personal data is processed as follows:[60]
by a competent authority for the prevention, investigation, detection, prosecution, or adjudication of a criminal offence or the execution of a criminal penalty, in accordance with any applicable law; by a competent authority for prevention or control of a national public health emergency; by a competent authority, as is necessary for national security[61]; in respect of publication in the public interest, for journalism, and educational, academic, artistic, and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or necessary for the establishment, exercise, or defence of legal claims, whether incourt proceedings or an administrative or out-of-court procedure. The implication of the foregoing is that a data subject cannot rely on or take the benefit of or enforce the obligations of the data controller or data processor in those circumstances. It is however important that notwithstanding this exclusion the Commission is empowered to issue a guidance notice containing legal safeguards and best practices to a data controller or processor, where in its opinion such processing violates or is likely to violate Sections 24 and 25 of the Act.
Concluding Remarks The Nigeria Data Protection Act contains extensive provisions which guarantee the protection of the personal data of individuals including their rights to know when, how, and why their data is being processed. In line with global laws and trends regulating the privacy and personal data of individuals, the Act also makes provisions for effective administrative and judicial remedy where the personal data of a data subject is not processed in accordance with the law.
From the foregoing analysis, it is obvious that the importance of this enactment aimed at protecting the personal data of citizens as data subjects in this technological age cannot be overemphasised. The eventual passage of the Act as the specific principal legislation giving force to the NDPR on the important issues of data protection is commendable. However, the inclusion of special limitation rules for public offices and public institutions, particularly, the POPA in the provisions of the Act is considered needless and unjustifiable.
This article has established the key principles of personal data protection, rights of data subjects and enforcement mechanisms enshrined in the Act. It is hoped that the NDPC as an independent supervisory authority and major stakeholder empowered to enforce and implement the provisions of the Act will effectively use its mandate towards the achievement of the objective of the Act which is mainly to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution. To achieve this, the NDPC is expected to effectively utilise its powers to make regulations, guidelines, directives, and codes of conduct under the Act.
Hopefully, other stakeholders such as data controllers, data processors and data protection officers will equally ensure compliance with the provisions of the Act.
References
CLARIN ‘Principles of Data Processing’ <https://www.clarin.eu/content/principles-data processing#:~:text=This%20section%20presents%20the%20seven,confidentiality%3B%20(7)%20accountability> accessed 27 July, 2023. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide https://ndpb.gov.ng/Home/about Nigeria Data Protection Regulation 2019. Nigeria Data Protection (Establishment, etc.) Bill, 2023. Published in the National Assembly Journal No. 4, Vol. 20, 4th April 2023. Nigeria Data Protection Act, 2023. OdusoteAbiodun ‘The Nigerian Public Officers Protection Act: An Anachronistic Legislation Yearning for Reforms’ Journal of Public Administration and Governance, 2019, Vol. 9, No. https://www.macrothink.org/journal/index.php/jpag/article/view/14404 accessed 6 August 2023. *Lukman Bolaji Tairu, Esq is a Partner in the law offices of Fiducia LP. He can be reached on lbolaji@fiducia.com.ng
[2] According to the United Nation Conference on Trade and Development (UNCTAD), 137 out of 194 countries had put in place legislation to secure the protection of data and privacy. Africa and Asia show different level of adoption with 61 and 57 per cent of countries having adopted such legislations. The share in the least developed countries in only 48 per cent. See: <https://unctad.org/page/data-protection-and-privacy-legislation-worldwide> Assessed on 6th June, 2023.
[3]The Economics, “The world’s most valuable resource is no longer oil, but data” (2017) <https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data>assessed on 6th June, 2023.
[4]The NDPR repealed the Date Protection Guidelines 2013 was issued by NITDA in January 2019 under Section 32 of the NITDA Act which empowered its Board to make such regulations as in its opinion are necessary or expedient for giving full effect to the provisions of the Act.
[5] Section 1 of the Act.
[6] Section 2(1) and (2) of the Act.
[7] The establishment of the NDPC is in line with the Article 14 of the Economic Community of West Africa (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection. The Commission replaced the Nigeria Data Protection Bureau which was established in February, 2022 and mandated to collaborate with stakeholders in achieving the objectives of the NDPR. See: https://ndpb.gov.ng/Home/about.
[8] The private sector representative shall be a Nigerian who possess not less than five years cognate experience and proficiency in data protection and privacy. See Sections 8 and 9 of the Act.
[9] Section 10(1) and 15 of the Act.
[10] Section 14(3) of the Act. This provision is in consonant with the Code of conduct of public officers as contained in paragraph 2(a) of the Fifth Schedule to the 1999 Constitution of the Federal Republic of Nigeria which prohibits double employment by any public officer.
[11] Section 14(1) (b).
[12] See Article 5 of the European Union General Data Protection Regulation (EU) 2016/679 and the United Kingdom’s General Data Protection Regulation (“UK GDPR”) for the principles governing the processing of personal data in these jurisdictions. Respectively available at <https://www.clarin.eu/content/principles-data processing#:~:text=This%20section%20presents%20the%20seven,confidentiality%3B%20(7)%20accountability><https://iclg.com/practice-areas/data-protection-laws-and-regulations/united-kingdom> accessed 27July, 2023.
[13] Section 24(1)(a).
[14]CLARIN, “Principles of Data Processing” <https://www.clarin.eu/content/principles-data processing#:~:text=This%20section%20presents%20the%20seven,confidentiality%3B%20(7)%20accountability> accessed 27 July, 2023.
[15] Ibid.
[16] Section 24(1)(b).
[17]CLARIN. Ibid.
[18] Section 24(1)(c).
[19] Section 24(1)(d).
[20] See for instance, Article 9 of NDPR Implementation Framework 2020 which prescribes a default guideline for retention period for data controllers and processors.
[21] Section 24(1)(e).
[22] Section 24(1)(f).
[23]CLARIN. Ibid.
[24]Where the data subject is a child or a person lacking the legal capacity to consent, the consent of the parent or legal guardian shall be obtained by the data controller. However, consent will not be required where the processing is to protect the vital interest of the child or person lacking the legal capacity to consent or carried out for the purpose of education, medical, or social care, ad undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality or necessary for proceedings before a court relating to the individual. See Section 31.
[25] Section 35.
[26] Section 34(1)(a).
[27] Section 34(1)(a)(v) and 34(1)(c).
[28] Section 34(1)(d) and 34(2). It is fundamental to note that erasure is not the same thing as deletion. See: BitRaser, “What is the Difference between Deletion and Data Erasure?” (2020) <https://www.bitraser.com/blog/what-is-the-difference-between-deletion-and-data-erasure/> accessed 17July, 2023.
[29] Section 34(1)(b).
[30] Section 34(1)(a).
[31]CLARIN. Ibid.
[32] Section 36.
[33] Section 38. According to Wikipedia Data portability is a concept to protect users from having their data stored in “silos” or “walled gardens” that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in and making the creation of data backups or moving accounts between services difficult. https://en.wikipedia.org/wiki/Data_portability accessed on 7 July, 2023.
[34] Section 38(2)(b) and (c).
[35] Section 30.
[36] See Section 65.
[37]In this circumstance, the processing must also relate solely to the members or formermembers of the entity, or to persons, who have regular contact with it in connection with its purposes, and the sensitive personal data must not be disclosed outside of the entity without the explicit consent of the data subject. See Section 30(1)(d).
[38]Section 40.
[39]Section 40 (5).
[40]Section 42.
[41]See: Section 12(1) of the 1999 Constitution and the case of Abacha &Ors v. Fawehinmi (2000) LPELR-14(SC).
[42]The investigative powers of the Commission under the Act include power of arrest, search and seize in furtherance of the enforcement of the provisions of the Act. See: Section 58 thereof.
[43]See Section 46(1), (2) and (3).
[44]Section 46(4).
[45]Section 47(1).
[46]Section 48(1) and (2).
[47] Section 49.
[48]See in particular Sections 47(1), 47(2)(c) and 48(1), 48(2)(d). “Higher maximum amount” is the greater of N10,000,000 and 25% of the annual gross revenue in the preceding financial year applicable to a data controller or data processor of major importance. Whereas, it connotes an order or a fine within the meaning of Compliance Order, it means a penalty or remedial fee with regards to an Enforcement Order. ‘Standard maximum amount’ means is the greater of N2,000,000 and 2% of the annual gross revenue in the preceding financial year of a data controller or data processor that is not of major importance. See Sections 48(4) and (5), 49(1).
[49] Section 52.
[50] Section 53 (1) and (2).
[51] “Court” is defined as any court of competent jurisdiction. See Section 65 of the Act.
[52]Section 54(1),
[53] Section 54(2).
[54] Cap. P41, LFN, 2004
[55]Abiodun Odusote, “The Nigerian Public Officers Protection Act: An Anachronistic Legislation Yearning for Reforms” Journal of Public Administration and Governance, [2019] Vol. 9, No. 1 https://www.macrothink.org/journal/index.php/jpag/article/view/14404 accessed 6 August, 2023.
[56]Section 54(4).
[57]Michael Obiefunav. Alexander Okoye (1961) All NLR 357 at 360 and 362;Ekeogav. Aliri(1991) 3 NWLR (Pt.179) 258; Adigun v. Ayinde (1993) 8 NWLR (Pt.313) 516; Olugbenga Jay Oguntuwasev University of Lagos, Unreported Suit No. NICN/LA/449/2017.
[58]Ibid, 222 – 224.
[59]It is interesting that to note that as far back as 2015,the Nigeria Law Reform Committee had called for the repeal of POPA. The Commission submitted to the National Assembly a Proposed Bill for the Repeal of the Public Officer Protection Act through the Committee for the Review and Reform of the Laws of the Federal Republic of Nigeria. Ibid 227.
[60] By the provisions of Section 3(2) a data controller or data processor is not obliged to follow the provisions of Part V for the Act other than Sections 25, 25, 32 and 40.
[61] See: Dokubo-Asari v. FRN (2007) LPELR-958(SC).
In this article