Nigeria New Data Protection Act, 2023: An In-depth Look into Key Provisions

The Nigeria Data Protection Act of 2023 has finally been signed into law. Among other things, the Act aims to provide a legal framework for the protection of personal information and establish the Nigeria Data Protection Commission to regulate the processing of personal data. The Act seeks to safeguard the fundamental rights and freedoms of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999. This article provides a detailed analysis of the Act under the most important headings.

Application of the Act:

The Act specifies the scope of its application:

• Processing of Personal Data: The Act applies to the processing of personal data, whether by automated means or not.
• Territorial Application: The Act applies when the data controller or data processor is domiciled in, resident in, or operating in Nigeria.
• Data Processing within Nigeria: The Act applies if the processing of personal data occurs within Nigeria.
• Processing of Nigerian Data Subjects’ Data: The Act applies even if the data controller or data processor is not based in Nigeria but processes personal data of data subjects located within Nigeria.
  

Exemptions from Application

The Act provides exemptions from its application under certain circumstances:

• Personal or Household Purposes: The Act does not apply to the processing of personal data carried out solely for personal or household purposes.
• Competent Authorities: Certain obligations under the Act do not apply if the processing of personal data is carried out by a competent authority for specific purposes, such as prevention, investigation, detection, prosecution, or adjudication of a criminal offense, execution of a criminal penalty, prevention or control of a national public health emergency, national security, public interest, journalism, or for the establishment, exercise, or defense of legal claims.
• Commission’s Discretion: The Nigeria Data Protection Commission has the authority to prescribe exemptions for specific types of personal data and processing through regulations.
• Guidance Notices: The Commission may issue Guidance Notices to data controllers or processors, providing legal safeguards and best practices for exempted data processing activities if such activities violate or are likely to violate certain sections of the Act.
  

Establishment of the Nigeria Data Protection Commission:

 The Act establishes the Nigeria Data Protection Commission as a body corporate with perpetual succession and a common seal. It grants the Commission the authority to sue or be sued in its corporate name and to hold, acquire, and dispose of its property. The Commission is required to have its head office in the Federal Capital Territory and may maintain other offices across Nigeria.

The provision outlines the functions of the Commission, which is responsible for overseeing personal data protection in Nigeria. The key functions include:

The provision outlines the functions of the Commission responsible for personal data protection in Nigeria. Its functions include:

1. Deployment of measures to enhance data protection.
2. Development of data protection technologies.
3. Accreditation, licensing, and registration of compliance services.
4. Registration of important data controllers and processors.
5. Promotion of awareness and understanding.
6. Handling complaints and collaborating with relevant entities.
7. Ensuring compliance with data protection obligations.
8. International cooperation and adequacy determination.
9. Collection and publication of information on data protection.
10. Advisory role and legislative proposals.
11. Legal actions as necessary.
    

Powers of the Commission: 

The Commission is vested with several powers, including:

a. Implementation Oversight: The Commission oversees the implementation of the provisions of the Act.

b. Prescribing Fees: The Commission has the authority to prescribe fees payable by data controllers and data processors based on their data processing activities.

c. Issuing Regulations, Rules, Directives, and Guidance: Subject to Council approval, the Commission can issue regulations, rules, directives, and guidance to support the implementation of the Act.

d. Compliance Returns: The Commission can prescribe the manner, frequency, and content of compliance returns filed by data controllers and processors of major importance.

e. Information Gathering: The Commission can call for information and inspect documents related to activities under the Act.

f. Conducting Investigations: The Commission can investigate violations of the Act or subsidiary legislation by data controllers or processors.

Staff Regulations and Pensions: 

According to the Commission Staff Regulations, the Council has the authority to determine the duties of the staff. The Commission can recruit staff directly or through secondment from the Public Service of the Federation. The terms and conditions of employment, including remunerations, allowances, and benefits, are subject to approval by the Council. The Commission may establish staff regulations concerning appointment, promotion, disciplinary control, and appeals by staff. The regulations require approval from the Council to be enforceable. Staff members are entitled to pensions and other retirement benefits as prescribed by the Pension Reform Act. However, specific office appointments may preclude the grant of pension and retirement benefits. The Council holds the power to exercise any authority under the Pension Reform Act, except for the power to make regulations.

Principles of Personal Data Processing: 

The Act outlines the principles and lawful basis for processing personal data. Personal data must be processed in a fair, lawful, and transparent manner. It should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes. The processing should be limited to the minimum necessary data and retained for a duration aligned with the lawful bases for processing. Accuracy, completeness, and relevance of personal data must be maintained, and appropriate security measures should be implemented to protect against unauthorized or unlawful processing, access, loss, destruction, or data breaches.

Lawful Basis of Personal Data Processing: 

The Act provides various lawful bases for processing personal data. These include the data subject’s consent, necessity for the performance of a contract, compliance with a legal obligation, protection of vital interests, performance of tasks carried out in the public interest or official authority, legitimate interests pursued by the data controller or processor, or by a third party to whom the data is disclosed. 

However, legitimate interests should not override the fundamental rights and freedoms of the data subject and must be compatible with other lawful bases of processing. Consent must be given freely and intentionally and can be withdrawn at any time. Silence or inactivity cannot be considered as consent.

Information Provision and Data Protection Impact Assessment:

Data controllers are required to provide certain information to data subjects, such as the identity and contact details of the controller, lawful basis for processing, recipients of personal data, retention periods, rights of the data subject, complaint lodgment procedures, and the existence of automated decision-making. A data protection impact assessment (DPIA) is mandatory for high-risk processing activities. It involves a systematic description of the processing, assessment of necessity and proportionality, identification of risks to data subjects’ rights, and measures to address these risks.

Obligations of the Data Controller and Data Processor: 

When engaging the services of a data processor, the data controller or engaging data processor must ensure compliance with data protection principles and obligations. The engaged data processor should assist the data controller in fulfilling obligations, implement security measures, provide necessary information for compliance, and notify the controller of any breaches or incidents.

Processing of Sensitive Personal Data:

1. Consent: Sensitive personal data should not be processed without the explicit and unwithdrawn consent of the data subject. Exceptions include cases where processing is necessary for legal obligations, protection of vital interests, legitimate activities of not-for-profit bodies, public interest, personal data made public by the data subject, legal claims, medical care, community welfare, public health, or archiving purposes.
2. Written Agreement: When engaging a new data processor, data controllers must establish measures, including written agreements, to ensure compliance with data protection regulations.
3. Additional Categories and Grounds: The Commission has the authority to define further categories of personal data that qualify as sensitive and outline additional grounds for their processing. These regulations must consider the risk of harm to data subjects, confidentiality expectations, and overall data protection.
   

Data Subjects lacking Legal Capacity:

1. Consent from Parents or Legal Guardians: In cases where data subjects are children or lack the legal capacity to consent, data controllers must obtain consent from the parent or legal guardian. This applies when relying on consent as the legal basis for processing.
2. Mechanisms for Age Verification: Data controllers should use appropriate mechanisms, considering available technology, to verify the age and consent of data subjects lacking legal capacity. Acceptable mechanisms may include the presentation of government-approved identification documents.
3. Exceptions: Consent from parents or legal guardians is not required when processing is necessary to protect vital interests, for educational, medical, or social care purposes under the responsibility of a professional, or for legal proceedings. Additionally, children aged 13 or older can provide consent for specific information and services requested electronically.
   

Data Protection Officers:

1. Designation: Data controllers of major importance must appoint a Data Protection Officer (DPO) with expert knowledge of data protection laws and practices. The DPO can be an employee or engaged through a service contract.
2. Responsibilities: The DPO advises data controllers, monitors compliance with data protection laws, and acts as the contact point for the Commission on data processing issues.
   

Monitoring and Compliance: The Commission has the authority to license individuals or bodies with expertise in data protection to monitor, audit, and report on compliance by data controllers and processors. This includes assessing compliance with the Nigeria Data Protection Act, regulations, guidelines, directives, and codes of conduct issued by the Commission.

Rights of a Data Subject: 

Data subjects have several rights under the Act, which include:

1. Right to confirmation and information: Data subjects have the right to obtain confirmation from a data controller regarding the storage and processing of their personal data. They are entitled to information about the purposes of processing, categories of personal data, recipients of the data, storage period, and the right to request rectification, erasure, or restriction of processing.
2. Right to access and data portability: Data subjects have the right to obtain a copy of their personal data in a commonly used electronic format. They can also request the transfer of their personal data to another data controller, where technically feasible.
3. Right to rectification and erasure: Data subjects can request the correction or deletion of inaccurate, out-of-date, incomplete, or misleading personal data.
4. Right to restriction of processing: Data subjects can request the limitation of data processing in certain circumstances, such as during the resolution of a request, objection, or legal claims.
5. Right to withdrawal of consent: Data subjects have the right to withdraw their consent to the processing of personal data at any time. Data controllers must ensure that withdrawing consent is as easy as giving consent.
6. Right to object to processing: Data subjects can object to the processing of their personal data, including profiling, based on certain grounds. The data controller must discontinue processing unless there are overriding legitimate grounds.
7. Right to object to automated decision-making: Data subjects have the right not to be subjected to decisions based solely on automated processing, including profiling, if it significantly affects them. Exceptions include contractual necessity, legal authorization, or consent.
   

Data Security: 

The Act emphasizes the importance of data security and imposes obligations on data controllers and processors. Key provisions include:

1. Implementation of appropriate measures: Data controllers and processors must implement suitable technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. These measures should consider the amount and sensitivity of data, potential harm to data subjects, processing extent, data retention period, and available technologies.
2. Measures to be implemented: Examples of security measures include pseudonymization or de-identification of data, encryption, ensuring availability and resilience of processing systems, data restoration processes, risk assessments, regular testing and evaluation, and updating of security measures.
3. Personal data breaches: Data processors must notify the data controller without undue delay if a personal data breach occurs. The data controller, upon awareness of a breach, must notify the Commission and affected data subjects within specific timeframes. Notifications should include information about the breach, its consequences, and measures taken to address it. The Commission may issue regulations regarding breach notifications.
4. Cross-border transfers of personal data: Transfers of personal data from Nigeria to other countries are subject to specific requirements. Data controllers and processors must ensure that adequate data protection measures are in place, such as recipient adherence to protective laws, binding corporate rules, contractual clauses, or certification mechanisms. The Commission may regulate the notification and adequacy assessment of cross-border transfers.
   

Registration and Fees:

Under the Act, data controllers and data processors of significant importance are required to register with the Commission within six months of the Act’s commencement or upon assuming the role of a data controller or data processor of major importance. The registration process entails submitting relevant information, including the name and address of the data controller or data processor, description of personal data, purposes of processing, recipients of personal data, and security measures. It is also mandatory to notify the Commission within sixty days of any significant changes to the registered information. The Commission maintains a register of duly registered data controllers and data processors of major importance. However, the Act empowers the Commission to exempt certain classes of data controllers or data processors from the registration requirements if such registration is deemed unnecessary or disproportionate. Furthermore, the Act grants the Commission the authority to prescribe fees or levies to be paid by data controllers and data processors of major importance.

Complaints and Investigations:

The Act establishes a mechanism for individuals who have been aggrieved by violations of the Act to lodge complaints with the Commission. The Commission is granted the power to investigate complaints that are deemed meritorious and not frivolous or vexatious. Additionally, the Commission can initiate investigations on its own when it suspects that a data controller or data processor has violated or is likely to violate the Act. To facilitate investigations, the Commission may compel individuals to provide relevant documents, records, or statements. Furthermore, access to information stored in documents or electronic devices must be provided in a visible, legible, and machine-readable format. The Act also empowers the Commission to make representations to data controllers or data processors on behalf of complainants, or vice versa. To ensure efficient handling of complaints and investigations, a dedicated unit is established within the Commission.

Compliance Orders:

In cases where the Commission determines that a data controller or data processor has violated or is likely to violate the provisions of the Act, it may issue compliance orders. These orders can take the form of warnings, requirements for compliance, or cease and desist orders. Compliance orders specify the provisions that have been violated, the necessary measures to be undertaken for compliance, implementation deadlines, and the right to seek judicial review.

Enforcement Measures:

In addition to compliance orders, the Commission is authorized to impose sanctions on data controllers or data processors who contravene the Act. These enforcement measures include requiring remedies for violations, compensating affected data subjects, accounting for profits obtained from violations, and the payment of penalties or remedial fees. The penalties or remedial fees vary depending on the status of the data controller or data processor, with higher maximum amounts applicable to those of major importance. When determining sanctions, the Commission takes into consideration factors such as the nature of the infringement, purpose of processing, number of data subjects involved, level of damage caused, intent or negligence, level of cooperation, and the types of personal data involved.

Offences, Judicial Review, and Civil Remedies:

Failure to comply with orders issued by the Commission is deemed an offense under the Act and may result in fines and imprisonment. Parties who are dissatisfied with Commission orders can seek judicial review within thirty days. Additionally, data subjects who suffer harm as a result of violations of the Act have the right to seek damages through civil proceedings. The Act empowers the Court to issue forfeiture orders against convicted data controllers, data processors, or individuals involved in a contravention of the Act.

Legal Proceedings: 

Under Section 49 of the Act, no suit can be instituted against the Commission, members of the Council, or staff of the Commission for acts performed in the execution of the Act or any public duty, unless certain conditions are met. These conditions include commencing the suit within three months of the act or within three months of the cessation of the act in cases of continued damage or injury. Additionally, a written notice of intention to commence the suit must be served upon the Commission, member, or staff at least one month before initiating the suit. The notice should clearly state the cause of action, particulars of the claim, the name and place of abode of the plaintiff, and the relief being sought. The Public Officers Protection Act also applies to suits instituted against officials or employees of the Commission.

Service of Documents: 

Section 50 states that any notice, summons, process, or document required or authorized to be served on the Commission can be delivered to the National Commissioner at the Head Office of the Commission.

Restriction on Execution against Property of the Commission: 

Section 51(1) prohibits the issuance of execution or attachment process against the property of the Commission in relation to any action or suit against the Commission. Furthermore, any sum of money awarded against the Commission by a court should be paid from the Commission’s Fund.

Indemnity of Staff, Members, and Employees of the Commission: 

Section 52 provides indemnification of the National Commissioner, members of the Council, staff of the Commission, or other persons engaged by the Commission. This indemnification covers losses, charges, claims, expenses, and liabilities incurred in the performance of official duties or in defending a criminal or civil proceeding, under specific circumstances outlined in the Act.

Power of Arrest, Search, and Seizure: 

The Act empowers the Commission to apply ex-parte to a Judge in Chambers for the issuance of a warrant to obtain evidence in relation to an investigation. A Judge may issue a warrant upon satisfying certain conditions, such as the likelihood of a person engaging in conduct that contravenes the Act or the need to investigate data security breaches. The warrant grants the Commission powers such as entering and searching premises, stopping and searching individuals, seizing and detaining evidence, using computer technology to access data, and requiring individuals in possession of relevant computers or electronic devices to produce them.

Representation in Civil Proceedings: 

Under Section 54, a legal officer of the Commission or a private legal practitioner engaged by the Commission may represent the Commission in civil proceedings related to its business or operations.

Directive Powers of the Minister and Compliance by the Commission

Under Section 55 of the Act, the Minister is empowered to issue directives of a general nature or relating to matters of policy concerning the objectives and functions of the Nigeria Data Protection Commission (the Commission). It is the duty of the Commission to comply with these directives.

Regulations and Financial Management

Section 56 grants the Commission the authority to make regulations to facilitate the achievement of its objectives. These regulations cover a wide range of aspects, including financial management, protection of personal data and data subjects, exercise of powers and performance of duties, prescribed matters, application forms, complaint procedures, compliance returns, fees, fines, and charges.

Directives, Codes, and Guidelines

The Commission is authorized, as per Section 57, to issue directives, codes, and guidelines on various matters. These include the conduct of the Commission’s business and operations, budgeting and expenditure, governance code, and any other relevant operational aspects. The aim is to ensure transparency, accountability, compliance with international best practices, and adherence to data protection and privacy regulations.

Priority of the Act: 

Section 58 establishes that if any provision of another law or enactment, which directly or indirectly relates to the processing of personal data, contradicts the provisions of this Act, the provisions of the Nigeria Data Protection Act shall prevail.

Transitional Provisions

Section 59 outlines the transitional provisions of the Act. It establishes the Commission as the successor-in-title to the Nigeria Data Protection Bureau, granting the Commission the same rights, powers, and remedies as the Bureau. Existing staff, agreements, records, equipment, properties, and legal proceedings are to be transferred to the Commission accordingly.

Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023 Nigeria Data Protection Act 2023