NIGERIA DATA PROTECTION (ESTABLISHMENT, ETC.) ACT, 2023: SOME REFLECTIONS

INTRODUCTION

The need for the protection of personal data has been the chief concern of technology users in recent times, due to the risk of data leaks and the unauthorized collection, processing, storage, use and disclosure of the personal data of data subjects by data controllers, data processors and businesses in Nigeria. Gladly, these fears have now been allayed by the enactment of the Nigeria Data Protection (Establishment, etc.) Act, 2023. The Nigeria Data Protection (Establishment, etc.) Act, 2023 (the Act) was signed into law on the 12th of June, 2023, by the President of the Federal Republic of Nigeria. The Act provides a legal framework for safeguarding personal data and for the regulation of data processing and storage in Nigeria. Before the enactment of the Act, the legal framework that attempted to safeguard the rights of data subjects and regulate the processing of personal data in Nigeria, albeit a subsidiary legislation, was the Nigeria Data Protection Regulation, 2019, issued by the National Information Technology Development Agency (NITDA). The Nigeria Data Protection Regulation, 2019, being a subsidiary legislation, did not make elaborate provisions on privacy and data protection, and this is the ground the Act has covered in the sphere of privacy and data protection in Nigeria. Hence, this article discusses the key features of the Act while attempting a comparative analysis with privacy and data protection regulations in other jurisdictions.

ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSION AND ITS GOVERNING COUNCIL

One of the key features of the Act is the establishment of the Nigeria Data Protection Commission (the Commission), as the successor-in-title to the Nigeria Data Protection Bureau, to oversee the implementation of the provisions of the Act. A Governing Council is created for the Commission, which shall be headed by a part-time Chairman, who shall be a retired judge of Nigeria.
The Council also has a National Commissioner, who shall superintend over the daily activities of the Commission. The Act confers an independent status on the Commission in the discharge of its functions under the Act, but provides that the Chairman and non-ex-officio members of the Council shall be appointed by the President, on the recommendation of the Minister of Communications and Digital Economy. It is our take that the independent status of the Commission may be whittled down by subjecting the appointment of the Chairman and the National Commissioner of the Commission to the will of the President of the Federal Republic of Nigeria.

The functions and the powers of the Commission are enumerated in Sections 5 and 6 of the Act respectively. The Commission is required to register data controllers and data processors of major importance and to receive complaints relating to violations of the Act or of subsidiary legislation made pursuant to the Act. Overall, the Commission's mandate is to oversee issues of privacy and data protection and to regulate the processing of personal data by data controllers and data processors.

APPLICABILITY

Going by section 2 of the Act, the Act applies to the processing of personal data, whether by automated means or not. Largely, the provisions of the Act apply to the processing of personal data within the territory of Nigeria, except as otherwise provided in the Act. In effect, the circumstances under which the provisions of the Act will apply to the processing of personal data are:
  1. where the data controller or data processor is domiciled in, resident in, or operating in Nigeria;
  2. where the processing of personal data occurs within Nigeria; and
  3. where the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria.
However, the Act does not apply to the processing of personal data where the processing is solely for personal or household purposes. Nor does it apply where the processing of personal data is carried out by a competent authority of the state for the prevention and investigation of crime, national security or a national public health emergency, or where it is in respect of publication in the public interest. In other words, the provisions of the Act do not apply to competent state authorities in the performance of their lawful duties.

Aside from the exemptions to the applicability of the Act mentioned above, the Act has empowered the Commission to prescribe additional types of personal data and processing that may be exempted from the application of the Act, vide a regulation made pursuant to the Act.

PRINCIPLES OF PERSONAL DATA PROCESSING

The Act, in section 19, enumerates the principles to be reckoned with by data controllers and data processors in processing personal data. Going by the principles of personal data processing highlighted in the Act, a data controller or data processor must ensure that:
  1. the personal data of data subjects are processed in a fair, lawful and transparent manner. Section 20 of the Act provides for instances where data processing will be regarded as lawful, to wit:
     (a) where the data subject has given and not withdrawn consent for the specific purposes for which the personal data is to be processed;
     (b) where the processing of personal data is necessary for the performance of a contract to which the data subject is a party;
     (c) where the processing of personal data is required for compliance with a legal obligation to which the data controller or data processor is subject; and
     (d) where the processing of personal data is necessary for the public interest or the vital interest of the data subject.
By the foregoing, it therefore means that a data controller or data processor, except in exceptional cases, is required to seek and obtain the consent of a data subject before the processing of his/her data. Where the data subject is a child (a person under the age of eighteen years) or a person lacking the legal capacity to consent, a data controller must obtain the consent of the parent or legal guardian of the child, except where the processing is necessary to protect the vital interest of the child or person lacking the legal capacity to consent, or for education, medical or social care, or for proceedings before a court relating to the individual.

Notwithstanding the requirement of the Act for a data controller to obtain the consent of the parent of a child before processing the child's personal data, a data controller may rely on the consent of a child aged 13 or above to provide information or services by electronic means at the specific request of the child.
  2. the personal data of data subjects is collected for specified, explicit, and legitimate purposes, and is not further processed in a way incompatible with these purposes. The Act allows for further processing of personal data by data controllers or data processors. However, the personal data should not be further processed in a manner that would be incompatible with the original purpose for which the personal data was collected or processed.
  3. the personal data is adequate, relevant, and limited to the minimum necessary for the purpose for which the personal data was collected or further processed.
  4. the personal data is retained for no longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed.
  5. the personal data is kept up-to-date, accurate, not misleading and complete.
  6. the personal data is processed in a manner that ensures appropriate security of the personal data.
It is worthy of note that a data controller or data processor owes a duty of care to data subjects in the processing of their data, and shall demonstrate accountability in respect of the principles of data processing contained in the Act. Hence, a data subject can sue a data controller or a data processor for a breach of the duty of care from which he/she has suffered an injury. The injury in this case may be the result of a breach of the duty of privacy or confidentiality, or of the unauthorized use or disclosure of the personal data of the data subject by a data controller or data processor.

RIGHTS OF DATA SUBJECTS

A data subject under the Act is an individual to whom personal data relates. By the Act, data subjects have the right to obtain from a data controller, without constraint or unreasonable delay, confirmation as to whether the data controller, or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject and, where that is the case, to inquire about the purpose of the processing, the categories of personal data being processed, the period of storage and the recipient(s) of the processed data.

A data subject also has the right to request the correction or erasure of his/her personal data, as well as to withdraw his/her consent to the processing of his/her personal data. Likewise, a data subject is entitled to object to the processing of his/her personal data on the grounds that it is sensitive personal data or that the processing may amount to data profiling.

Sensitive personal data under the Act means personal data relating to an individual's genetic or biometric data, race, religious belief, health status, sex life, political opinions or affiliations, and trade union membership.

Aside from the right of data subjects to object to the processing of sensitive personal data relating to them, there is a legal restriction under the Act on the processing of sensitive personal data by data controllers or data processors.
The limited circumstances under which a data controller or a data processor may process sensitive personal data are as follows:
  1. if the data subject has given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed;
  2. if the processing is necessary for performing the obligations of the data controller or exercising the rights of the data subject under employment or social security laws or any other similar laws;
  3. if the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
  4. if the processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other not-for-profit body with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the processing relates solely to the members or former members of the entity;
  5. if the processing is carried out for purposes of medical care, community welfare or public health; and
  6. if the processing is necessary for archiving purposes in the public interest or for historical, statistical, or scientific research.
In addition to the rights of data subjects explicitly chronicled in the Act, section 33 of the Act has authorized the Commission to make regulations establishing a right of personal data portability. The idea of data portability is to enable data subjects to request the transfer of their personal data held by one data controller to another data controller.

Given the extensive rights conferred on data subjects under the Act, it is trite to say that the Act places a premium on the freedom and privacy of data subjects in the processing of personal data by data controllers or data processors. The requirement of the Act mandating data controllers or data processors to obtain the consent of data subjects before processing their personal data is laudable, and will enhance the realization of data freedom and privacy, which is the main objective of the Act. However, as clearly articulated in the Act, the freedom and privacy of data subjects will be set aside where the processing of the personal data is in the interest of the public, public health or security.

DATA SECURITY

A data controller or data processor has a duty under the Act to ensure the security, integrity, and confidentiality of personal data in its possession or under its control, including protection against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access. The Act mandates data controllers and data processors to implement measures for the realization of data security. Some of the measures identified under the Act include pseudonymization or other methods of de-identification of personal data, and encryption of personal data.

Where there is a breach of the duty of data security, a data controller is required to notify the Commission within 72 hours of becoming aware of the breach and, by extension, the data subject, where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject.
In the latter case, the data controller or data processor must advise the data subject on the measures to take to effectively mitigate the possible adverse effects of the data breach.

DATA CONTROLLERS AND DATA PROCESSORS OF MAJOR IMPORTANCE

The Act categorises data controllers and data processors into "data controllers or data processors of major importance" and "data controllers or data processors not of major importance". To reinforce the above statement, section 43(3) of the Act, which provides for the payment of a penalty or remedial fee by a data controller or data processor in the event of a breach, provides:

"A penalty or remedial fee under subsection (2)(d) of this section may be an amount up to the-
  1. higher maximum amount, in the case of a data controller or data processor of major importance; or
  2. standard maximum amount, in the case of a data controller or data processor not of major importance."
By the Act, a data controller or data processor of major importance means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. Going by the definition of a data controller or data processor of major importance under the Act, the indexes for determining whether a data controller or data processor is of major importance are as follows:
  (i) the data controller or data processor must be domiciled, resident in, or operating in Nigeria;
  (ii) the data controller or data processor must be processing, or intend to process, the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe in a regulation (as the case may be);
  (iii) where the data controller or data processor is not processing, or does not intend to process, the personal data of the number of data subjects prescribed by the Commission under (ii) above, then the data controller or data processor must be in the business of processing personal data of particular value to the economy, society or security of Nigeria. Just as in (ii) above, the Commission is also authorized to designate data controllers or data processors that are processing personal data of particular value to the economy, society or security of Nigeria.
Going by the above, it therefore means that a data controller or data processor whose business of data processing does not fall within the purview of (ii) and (iii) above qualifies as a data controller or data processor not of major importance. Both categories of data controllers or data processors are required to register with the Commission. However, data controllers and data processors of major importance are required to register with the Commission within 6 months after the commencement of the Act.

Also, a data controller or data processor of major importance is required under the Act to engage the services of a Data Protection Officer with expert knowledge of data protection law and practices, who will ensure and monitor compliance with the Act and the related policies of the data controller or data processor, as well as act as the contact point for the Commission on issues relating to data processing.

CROSS-BORDER TRANSFERS OF PERSONAL DATA

The Act sanctions cross-border transfers of personal data. However, a data controller or data processor may only transfer, or permit to be transferred, personal data from Nigeria to another country if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection to the personal data. In other words, before engaging in a cross-border transfer of personal data, a data controller or data processor is required to ensure that there is an existing and enforceable legal instrument between it and the recipient of the personal data that affords an adequate level of protection to the personal data transferred.
This requirement of the Act is essential to securing the ability of data subjects to enforce their right to data freedom and privacy in cases of data breach.

Notwithstanding the foregoing requirements of the Act on the cross-border transfer of personal data, a data controller or data processor need not concern itself with the issue of adequacy of data protection where:
  1. a data subject has provided and not withdrawn consent to such transfer after being informed of the possible risks of such transfers due to the absence of adequate protections;
  2. the transfer is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of a data subject prior to the contract;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of a data subject between the data controller and a third party;
  4. the transfer is for the sole benefit of a data subject; or
  5. the transfer is necessary to protect the vital interests of a data subject, or of other persons, where a data subject is physically or legally incapable of giving consent.
ENFORCEMENT

The Commission has the primary duty of ensuring compliance with the provisions of the Act by data controllers and data processors. The Act empowers the Commission to receive complaints from data subjects on issues of personal data breaches, to investigate the complaints and to levy fines on data controllers or data processors that are non-compliant with the provisions of the Act. Aside from the administrative powers of the Commission to answer the complaints of data subjects, a data subject who has suffered an injury consequent on the negligence of a data controller or data processor may file an action at the High Court for remedies.

DATA PROTECTION IN THE EU AND CANADA

The EU is at the forefront of data protection in the world. The Nigeria Data Protection (Establishment, etc.) Act, 2023 mirrors the General Data Protection Regulation (GDPR) applicable in the EU states. The Act and the GDPR are similar in their provisions and application. Like the Act, the GDPR applies to the processing of the personal data of EU citizens. The Regulation affords the nationals of the EU states a wide scope of protection in relation to their personal data across the globe, provided that the said information is within the ambit of the Regulation. It stretches beyond where the controller or processor is situated to cover the jurisdiction in which the data subjects have provided the data.

Two sets of federal laws apply to data protection in Canada. One is the Privacy Act, which applies to the processing of personal data by federal institutions; the other is the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations. Like the Nigerian Data Protection Act 2023 and the GDPR, PIPEDA makes provision for the collection, use and disclosure of personal information. Nevertheless, PIPEDA restrictively covers the collection, use, and disclosure of personal data only in the course of commercial activities in Canada.
Also, PIPEDA is silent on its extraterritorial application. Nevertheless, the state has adopted the use of guidance notes to tie up loose ends.

CONCLUSION

The Nigerian Data Protection Act, 2023, although a laudable addition to the state's legislation, does not entirely cover the field. The Act does not properly define important terms like data subject, cross-border transfer, genetic data, third party, etc. The Act is also flawed by the inconsistency of its provisions, where it undermines its object of safeguarding fundamental rights by providing limitations to actions arising from its provisions. Nevertheless, the enactment of this Act will allow for further restructuring given the socio-economic
About Us

Osborne Law Practice (OSLP) is a leading Nigerian law firm that provides a range of high-quality legal services to corporate and individual clients, with offices in Lagos, FCT Abuja & Port-Hacourt
