The Nigerian President Bola Tinubu has signed the Nigeria Data Protection Bill, 2023 into law.
The Nigeria Data Protection Act, 2023 provides a legal framework for the protection of personal information, and the practice of data protection in Nigeria.
This was disclosed by the, National Commissioner, Nigeria Data Protection Commission, (NDPC), Dr. Vincent Olatunji at the Nigeria Data Protection Bureau Strategic Roadmap and Action Plan(SRAP) validation workshop in Abuja, Nigeria’s capital.
The bill was introduced to the Senate and House of Representatives for consideration and passage on Tuesday, 4 April 2023 via a letter from former President Muhammadu Buhari.
Now an Act, the new law establishes the Nigeria Data Protection Commission and replaces the Nigeria Data Protection Bureau (NDPB) established by former President Buhari in February 2022.
The Commission will be led by a National Commissioner with the responsibility for regulating the processing of personal information.
Part of the mandates of the Commission include to foster the development of personal data protection technologies, in accordance with recognised international good practices and ensure compliance with data protection obligations.
Dr Olatunji expressed delight over the growth of Nigeria’s data protection ecosystem.
“That the Nigeria Data Protection Bureau is now a commission by law. Nigeria now has its Data Protection Act signed by President Bola Ahmed Tinubu on 12th of June 2023,” he announced.
He appreciated the efforts of the former administration led by President Muhammadu Buhari who started this journey under the former Minister Isa Pantami.
The National Commissioner stressed the need for effective partnership and stakeholder engagement especially in the areas of awareness and sensitization.
“We agree that Nigeria is well positioned to move data protection ahead in Africa. We agree that Nigeria is well positioned to move. The whole of Africa waiting for us,” he stated.
He disclosed that “in Nigeria, we have identified over 500,000 job opportunities in the Data Protection and Privacy ecosystem which is in line with one of the campaign mantra of the current administration to create million jobs in the digital economy sector in 12 months.”
The Permanent Secretary, Ministry of Communications and Digital Economy, Mr. Williams Alo, reaffirmed government’s commitment to fostering a culture of trust and accountability in the digital sphere.
“We can create an ecosystem that protects the rights of individuals while fostering a vibrant and innovative digital economy.
“Together, let us embark on this validation workshop with a shared vision—a vision of a Nigeria where personal data is treated with the utmost respect, where individuals have control over their own information and where innovation thrives in an environment of trust,” he admonished.
In his remarks, the Director General of National Information Technology Development, Mr. Kashifu Inuwa, while stressing the importance of data as the currency of digital economy, urged the committee to look at the key principles for data protection.
“Firstly, we need to prioritize freedoms and rights of our citizens. Secondly, we need to promote transparency and accountability. And thirdly, we need to foster an enabling environment for innovation and economic growth.
“We can only create jobs create when we are innovative and look at how we can create prosperity in our Country,” he said.
In his presentation, the Committee Chairman, Nigeria Data Protection Bureau Strategic Roadmap and Action Plan, Dr. Abdul-Hakeem Ajijola said the roadmap “is intended to help identify some of those things we need to do to build the ecosystem so that we empower people to be able to have some kind of say and management over their own private data.”
Ajijola emphasised the need for more awareness and sensitization to build a robust data protection and privacy ecosystem which is inclusive and viable.
More About The Nigeria Data Protection Act
Among others, it will also have the powers to register data controllers and data processors of major importance; promote awareness on the obligation of data controllers and data processors, as well as sanction those who violate the provisions of the Act.
Under the Act, a National Commissioner for the Commission will be appointed by the President for a term of four years which is renewable once.
The National Commissioner will be responsible for its daily administration and execution of policies. The Commission will also have a Governing Council responsible for formulating policy direction for its affairs, approving strategic, action and budget plans for the Commission, among others.
A data controller is required to provide certain information to a data subject (that is the person whose data is being requested) before collection.
Some of these information include the identity and address of business of the collector or processor, specific lawful basis to process the data, recipients of the data, data retention period and the right to lodge a complaint to the Commission, among others.
“The Commission is expected to have powers to make compliance and enforcement orders against data controllers or processors in the event of the violation of the provisions of the bill or related subsidiary legislation. The orders of the Commission are subject to judicial review within 30 days from when they are made.
“The Act also criminalises failure to comply with the orders of the Commission, which is punishable by a fine and or imprisonment term. A data subject may also seek damages from a data controller through civil proceedings, in the event of a violation.”
The new law sets out principles for the processing of personal data, some of which include that it must be done in a fair, lawful and transparent manner, that it is limited to the minimum necessary for the purpose it is collected and is not retained for longer than necessary.”
The law specifically states that the burden of proof is on a data controller to establish that he or she received the consent of the data subject before collecting his or her data. Silence or inactivity of the data subject will not be taken to imply consent. A child does not have capacity to consent and a person with capacity to consent such as a parent, can do so on behalf of a child.
A data subject has the right to withdraw consent to the processing of his or her personal data. In that situation, the data controller is expected to discontinue processing the data of such a person unless the controller shows public interest or other legitimate grounds, which override the fundamental rights, freedoms and the interests of the data subject.
A data subject (a person whose information is collected) has the right to obtain information with regard to the processing, storage and other relevant information about his or her data, from a data controller.
A data controller is mandated to inform the Commission if a data breach occurs. The data controller is also required to inform the data subject of the breach if it is likely to result in high risk to the rights and freedoms of the subject.
The Nigerian Data Protection Act represents a significant step toward safeguarding privacy rights, fostering trust, and promoting responsible data-driven innovation.