Sir: In a significant stride towards safeguarding individual privacy, the Nigerian Data Protection Act (2023), was signed into law by President Bola Tinubu on June 12. This legislation builds upon the foundation laid by the Nigerian Data Protection Regulation of 2019 (“NDPR”), addressing shortcomings and bringing the nation more in line with international data protection standards, including the General Data Protection Regulation (GDPR).
The Act was born out of a series of concerns arising from the limitations of the preceding regulation. While the NDPR aimed to create a data protection framework, it fell short in addressing evolving digital challenges. The absence of comprehensive provisions on processing of children’s personal data, inadequate guidelines on cross-border data transfers, and the omission of the legitimate interest as a lawful basis for data processing were among the primary concerns.
The Act establishes a comprehensive framework for processing children’s personal data, acknowledging the unique vulnerabilities of this demographic in the digital realm. Under the Act, children and persons lacking the legal capacity to consent, such as a lunatic, cannot grant consent for the processing of their personal data. In these cases, the Act directs the Data Controller to obtain consent from their parents or guardians instead. The Act also mandates the Data Controller to utilize available technology to verify the consent and age of the Data Subject, which includes the presentation of any government-approved identification documents.
The Act’s stance on cross-border data transfers is another significant advancement. It outlines guidelines to ensure that personal data leaving Nigeria is protected in foreign jurisdictions. Prior to the enactment of the Act, the NDPR permitted such transfer subject to the supervision of the Attorney General of the Federation. Under the Act, cross-border transfers of personal data may be permissible if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses or code of conduct that affords an adequate level of protection with respect to the personal data.
One of the core components of the Act is that it prioritizes data security by setting out guidelines for data protection and security measures. It mandates data controllers and processors to implement necessary organizational safeguards to prevent unauthorized access, loss, or damage to personal data. Furthermore, the Act establishes stringent requirements for reporting and managing data breaches. It further went ahead to provide that in the event of a breach, the data processor is to notify the data controller, who shall in turn notify the Commission within 72 hours.
The Act is however not without shortcomings as it fails to recognize the legitimate interests (“LI”) of the data controller as a lawful basis for processing personal data. The Act has now rectified this by recognizing LI as a lawful basis. Under the Act, for a data controller to rely on LI as its lawful basis, it must show that: (i) The interest does not override the fundamental rights, freedoms, and interests of data subjects; (ii) The interest is not incompatible with other lawful bases of processing under the Act; (iii) The data subject has a reasonable expectation that personal data would be processed in the manner envisaged.
Perhaps, the pivotal feature of the Act, which is the establishment of the Nigerian Data Protection Commission which replaces the Nigerian Data Protection Bureau as the primary regulator for data protection in Nigeria, will cure the shortcomings through policy interventions, pending further amendments of the Act. This institution is tasked with enforcing compliance, conducting investigations, overseeing the accreditation, and licensing of entities to provide data protection compliance services, and imposing penalties for violations. This regulatory reinforcement underscores Nigeria’s commitment to effective data governance.
The Act heralds a new era of data protection in Nigeria, rectifying past shortcomings and embracing global best practices. However, for successful implementation, collaboration between regulators, businesses, and citizens is essential. Stakeholders must engage in rigorous training, awareness campaigns, and continuous compliance efforts to ensure seamless integration of the Act’s provisions.
Generally, the Act signifies a significant step toward data privacy, showcasing Nigeria’s commitment to upholding individual rights in the digital age. As the Act takes effect, its impact will resonate across industries, society, and governance, fostering a culture of privacy, security, and respect for personal data.
- Eluyera Oladipupo Mutiu, Abuja.
