Examining Nigerian Data Protection Act

By Eluyera Mutiu

In a significant stride towards safeguarding individual privacy in the digital age, Nigeria has taken a resolute step by enacting the Nigerian Data Protection Act (2023), which was signed into law by President Bola Tinubu on June 12, 2023. This legislation builds upon the foundation laid by the Nigerian Data Protection Regulation 2019, addressing shortcomings and bringing the nation more in line with international data protection standards, including the General Data Protection Regulation.

The Act was born out of a series of concerns arising from the limitations of the preceding regulation. While the NDPR aimed to create a data protection framework, it fell short in addressing evolving digital challenges. The absence of comprehensive provisions on processing of children’s personal data, inadequate guidelines on cross-border data transfers, and the omission of the legitimate interest as a lawful basis for data processing were among the primary concerns.

One of the pivotal differences between the NDPR and the GDPR is the lack of alignment with international standards. The GDPR, which serves as a global benchmark for data privacy, emphasises consent and stringent data protection measures. The Act aims to bridge this gap by incorporating vital GDPR principles into its framework.

The NDPA establishes a comprehensive framework for processing children’s personal data, acknowledging the unique vulnerabilities of this demographic in the digital realm. Under the Act, children and persons lacking the legal capacity to consent, such as a lunatic, cannot grant consent for the processing of their personal data. In these cases, the Act directs the data controller to obtain consent from their parents or guardians instead. The Act also mandates the Data Controller to utilise available technology to verify the consent and age of the data subject, which includes the presentation of any government-approved identification documents.

The Act’s stance on cross-border data transfers is another significant advancement. It outlines guidelines to ensure that personal data leaving Nigeria is protected in foreign jurisdictions. Prior to the enactment of the Act, the NDPR permitted such transfer subject to the supervision of the Attorney General of the Federation. Under the Act, cross-border transfers of personal data may be permissible if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses or code of conduct that affords an adequate level of protection with respect to the personal data.

One of the core components of the Act is that it prioritises data security by setting out guidelines for data protection and security measures. It mandates data controllers and processors to implement necessary organisational safeguards to prevent unauthorised access, loss, or damage to personal data. Furthermore, the Act establishes stringent requirements for reporting and managing data breaches. It provides that, in the event of a breach, the data processor is to notify the data controller, who shall in turn notify the commission within 72 hours.

The Act is however without shortcomings as it fails to recognise the legitimate interests of the data controller as a lawful basis for processing personal data. The Act has now rectified this by recognising legitimate interests as a lawful basis. Under the Act, for a data controller to rely on legitimate interest as its lawful basis, it must show that the interest does not override the fundamental rights, freedoms, and interests of data subjects. It must also show that the interest is not incompatible with other lawful bases of processing under the Act. Finally, it must also show that the data subject has a reasonable expectation that personal data would be processed in the manner envisaged.

Perhaps the pivotal feature of the Act, the establishment of the Nigerian Data Protection Commission, which replaces the Nigerian Data Protection Bureau as the primary regulator for data protection in Nigeria, will cure the shortcomings through policy interventions pending further amendments of the Act. This institution is tasked with enforcing compliance, conducting investigations, overseeing the accreditation and licensing of entities to provide data protection compliance services, and imposing penalties for violations. This regulatory reinforcement underscores Nigeria’s commitment to effective data governance.

The Act heralds a new era of data protection in Nigeria, rectifying past shortcomings and embracing global best practices. However, for successful implementation, collaboration between regulators, businesses, and citizens is essential. Stakeholders must engage in rigorous training, awareness campaigns, and continuous compliance efforts to ensure the seamless integration of the Act’s provisions.

Generally, the Act signifies a significant step toward data privacy, showcasing Nigeria’s commitment to upholding individual rights in the digital age. As the Act takes effect, its impact will resonate across industries, society, and governance. It will foster a culture of privacy, security, and respect for personal data.

Eluyera Mutiu writes via oladipupoeluyera96@gmail.com
