The world’s most valuable asset is no longer oil, but data. With the fast pace at which the world is digitalizing, the demand for and processing of data have increased. There is hardly any social media or online activity that does not require the request and sharing of sensitive data. Every such data request carries the risk of data breach and infringement of privacy. Consequently, there is need for legal regulation of this modern area of human existence. In the international community, there are several conventions that provide for rights generally and include the right to privacy. For example, the Universal Declaration of Human Rights provides in article 12 for the right to privacy. However, these international instruments do not extensively provide for the collection and exploitation of data. The Constitution of the Federal Republic of Nigeria 1999 clearly provides, as a fundamental right, the right to privacy and private life in section 37, where it states that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. This is one of the few fundamental rights provided for in a single, short sentence. Since the amendment of the constitution in 1999 and the influx of technologies in the early 2000s, the inadequacy of the law in controlling the use and transmission of data persisted for over twenty years in Nigeria, until the making of the Nigeria Data Protection Regulation in 2019.
This regulation was made pursuant to the powers conferred by section 32 of the National Information Technology Development Agency Act of 2007 on the Governing Board in charge of the National Information Development Agency. This is also contained in section 6(a & c) of the Act. The regulation was made on a similar pattern to the General Data Protection Regulation of the European Union, which was made in May 2018. The Nigerian Data Protection Regulation contained key provisions such as the governing principles of data processing, what is considered lawful processing and how consent is to be procured, among other matters. This Regulation has come under heavy criticism from several data privacy scholars. For example, Olumide Babalola, a co-founder of the Digital Rights Lawyers Initiative, criticized the objectives of the Regulation and stated that the Regulation ought to have also provided for the rights of artificial persons, as the data of artificial persons also need to be protected. However, this criticism appears too sweeping. This is because the need to protect the data privacy rights of natural persons appears to stem from the constitution, which provides for the fundamental right of privacy for Nigerians. Artificial persons, not being entitled to the fundamental rights provided in section 37 of the constitution, may not be entitled to the right to data privacy either. He also criticized the Regulation’s unjustifiable fixation on “personal data”, which appears to betray the regulation’s wide title, as the title contemplates “Data” simpliciter. Since the regulation’s main focus is to protect data, its restriction to personal data may be counterproductive in the near future and, in addition, may give rise to agitation for another, broader regulation protecting other kinds of data, especially non-personal and non-electronic data.
The regulation was equally criticised for providing penalties for the default of data controllers without providing remedies for data subjects whose data has been breached.
Be that as it may, on the 14th day of June 2023, President Tinubu signed the Nigeria Data Protection Act 2023. This is a laudable step, as it means that Nigeria now has a law that comprehensively provides for data protection and privacy. There are several key provisions of the Act that are worthy of review.
The Act begins by stating its objectives in section 1, which are to safeguard the fundamental rights and freedoms, and the interests, of data subjects as guaranteed under the constitution. In ensuring this safeguard, the Act is to provide for the regulation of personal data; promote data processing services that safeguard the security of data subjects and their personal data; ensure that personal data are processed on a lawful basis; provide remedies to data subjects in the event of breach; and ensure that data controllers fulfil their duties, among others.
Section 2 of the Act provides that the Act applies to the processing of personal data, whether or not by automated means, provided the data controller is domiciled in Nigeria, or the processing occurs in Nigeria, or the data subject is domiciled in Nigeria. This provision is laudable, as it attempts to cover all possible situations in which a data controller may want to escape liability for a data breach. Currently, there are several data controllers that are not domiciled in Nigeria but control the data of Nigerians. This provision ensures that they are held liable if there is a data breach. However, section 3 provides that the Act shall not apply to personal data processed solely for personal or household use. The reason for this is respect for the privacy of persons and families/homes, which the constitution has already guaranteed. It is further provided that, subject to the rights and freedoms under the constitution and their limitations, a data controller will be exempted from the obligations imposed under the Act where the processing of data is carried out for any purpose involving crime, for national security, for publications made in the national interest, etc. A very important provision is that the Nigeria Data Protection Commission may make regulations to prescribe the types of personal data that may be exempted from the application of the Act. It is suggested that the exercise of this power donated to the Commission should be carefully observed, so that the Commission does not act arbitrarily.
Section 4 of the Act creates the Nigeria Data Protection Commission as a corporate body with its main office in the FCT. Section 5 states the functions of the Commission, which include fostering the development and ensuring the deployment of technological and organizational measures to enhance personal data protection; licensing and accrediting suitable bodies to provide data compliance services; registering data controllers and promoting awareness of their obligations; receiving complaints about violations of the Act; and advising government on policy issues relating to data protection and privacy, etc. The powers of the Commission are stated in section 6 and include ensuring the implementation of the Act; prescribing fees payable by data controllers and data processors; conducting investigations into violations of the Act; etc. Section 7 states that the Commission shall be independent in the discharge of its functions. Section 8 establishes a governing council for the Commission, which shall be headed by a retired judge of Nigeria together with several other members, mostly appointed by the President on the recommendation of the Minister of Communications. The Council shall be responsible for directing the affairs of the Commission, approving annual and financial reports as well as staff regulations and terms of appointment, providing advice to the National Commissioner, etc. The Act provides that personal interests shall not conflict with the duties of employees, and any employee who accepts bribes or undue advantage contravenes the Act. The Act establishes the office of the National Commissioner, who shall be the chief executive and accounting officer of the Commission and is to be appointed by the President on the recommendation of the Minister of Communications. The National Commissioner is to act as secretary to the Council. With the creation of the Nigerian Data Protection Commission, the Nigerian Information Technology Agency no longer deals with matters involving personal data.
Section 24 provides the principles by which data controllers are to be guided in data processing. They include processing data in a fair, lawful and transparent manner; collecting data for specified legitimate processes and not using them for any other incompatible process; keeping records for no longer than the periods required; and processing data in a manner that ensures data security and confidentiality.
Sections 25 and 26 of the Act provide the lawful bases for processing personal data. They include where the consent of the data subject has been given; where processing is necessary for the performance of a contract to which the data subject is a party; for compliance with a legal obligation to which the data controller or processor is subject; for the protection of the vital interests of the data subject or another person; for the performance of tasks carried out in the public interest; and for the purposes of a legitimate interest which does not override the fundamental rights of the data subject and is not inconsistent with the other lawful bases of processing.
The burden of proving consent is on the data controller, who has to show that consent was actively and expressly given. The data controller has to lay essential information before the data subject before collecting the data. Such information includes the identity and contact information of the controller; the lawful basis for which the personal data is required; the recipients and retention period of the data; the rights of the data subject; etc. These pieces of information are required to be contained in a clear, concise and easily accessible privacy policy.
Section 28 of the Act provides that where data processing is likely to result in a high risk to the rights of the data subject, a data protection impact assessment is to be carried out by the data controller, which involves identifying the risks and impacts of the envisaged processing of personal data. Section 30 provides the grounds upon which sensitive personal data may be processed. These grounds include the grounds upon which ordinary personal data may be processed and, in addition, processing relating to the members of an entity which has regular contact with it, and the processing of data which, although considered sensitive, has been manifestly made known to the public by the data subject. Section 31 of the Act provides that the consent of the guardian is required for processing the personal information of children or of any other person lacking the legal capacity to consent. It is submitted that this may include a lunatic and a drunk.
Section 34 of the Act provides for the rights of the data subject, which include the right to demand to know why and how his or her data is processed, who the recipient of the data is, and the period for which the data is to be stored. He or she also has a right to demand the erasure of the data and even to lodge complaints with the Commission. Section 35 of the Act gives the data subject the right to withdraw consent to the processing of personal data at any time. The data controller is to ensure that the personal data of the data subject is properly secured and kept confidential. Where there is a data breach likely to affect the rights of the data subject, the data processor is to communicate this to the data controller, who is then to communicate it to the Commission and then to the data subject.
Where a data subject is aggrieved by a data controller’s action or inaction, he or she shall lodge a complaint with the Commission, which shall commence an investigation into the act or omission complained of. Where the Commission is satisfied that the data controller has defaulted in its duties, the Commission may make an appropriate compliance order. A person not satisfied with an order of the Commission may apply for judicial review within thirty days after the order has been given. A data subject has a right against the data controller to recover damages in a civil action where he or she has suffered harm as a result of a violation of the Act.
This is an improvement on the Nigeria Data Protection Regulation, which did not provide for any right to a civil remedy for the data subject.
Section 61 of the Act gives the Commission the power to make regulations necessary for carrying out its objectives.
Section 65 of the Act provides the definitions of certain essential terms used in the Act. Of importance is the definition of a data subject, which refers to an individual to whom personal data relates. Personal data is defined as any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual. Sensitive personal data is defined as data relating to an individual’s genetic or biometric data, race or ethnic origin, religious or similar beliefs, health status, sex life, political affiliations, trade union membership and other information prescribed by the Commission. It is worthy of note that the Act replaced the term ‘sexual orientation’, as used in the Regulation, with ‘sex life’ in the list of items considered to be sensitive personal data.
Conclusion
The real value of data in this information age cannot be overemphasized. The world, spurred by major data breaches and security concerns, has woken up to the need to enact regulations and laws for data privacy protection, and Nigeria is not left out. This Act has further solidified awareness of data protection and statutorily protects the privacy of personal data. It is submitted that it will be a big boost to the trust and integrity of the Nigerian digital economy and ecosystem.