BARELY three weeks in office, President Bola Tinubu signed the Nigerian Data Protection Bill into law to provide a legal framework for the protection of personal data collected by organisations.
The bill, proposed by former president, Muhammadu Buhari, aimed at regulating data processing, safeguarding personal data and improving the fundamental right to privacy. This means that companies that process data are mandated to protect the information collected from their subjects.
Also, the new law provides for a Nigeria Data Protection Commission (NDPC) which will be saddled with the responsibility to enforce rules and regulations set out in the Act.
The Head, Legal Enforcement and Regulations, NDPC, Babatunde Bamigboye, said that about 500,000 jobs would be created through the new commission, which would ease the 33.3 per cent rate of unemployed people in the country.
The new law also aims at solidifying Sections 39 (Freedom of Expression) and 37 (Rights to Privacy) of the 1999 constitution (as amended).
This report intends to capture how the Data Protection law has consolidated these laws.
Data Protection Act 2023
The bill was signed into law on June 14, 2023. This was five months after the Federal Executive Council approved and transmitted it to the National Assembly for review.
The law is subdivided into 12 parts, with 66 sections that capture regulations for organisations that collect data, the duties of the commission, how data should be managed, its limitations, and fines for violators.
Part VIII of the Act provides that if all conditions are fulfilled, personal data can be transferred outside of Nigeria. These conditions require that the recipient must be subject to a law, contractual clauses, or code of conduct that affords an adequate level of data protection.
Section 26 provides for companies to get consent before processing the subject’s data. It further provides that silence or inaction should not be taken as consent and even after obtaining the consent, the subject can choose to withdraw it while children do not have the right to give consent.
Also, Section 2 of the Act provides that data controllers or data processors resident in, operating in or processing personal data in Nigeria are bound by the provisions of the Act. This also applies to data controllers or data processors who do not fulfill the previous conditions but are processing the personal data of data subjects in Nigeria.
However, if the data processing is carried out just for personal/household purposes without violating the right to privacy of the data subject then the Act will not apply to it. Data processing carried out by competent authorities for the prevention or detection of crime, control of national public health emergencies, national security, the exercise of legal claims and publication in the public interest for journalistic, educational, artistic and literary purposes is also exempt from its applicability.
The Act establishes the Nigeria Data Protection Commission to replace the Nigeria Data Protection Bureau (NDPB) established by the former president.
The commission, headed by a commissioner, will enforce the provision of the Act in the country.
What the new law offers
Before the signing of the Act, Nigerians have always relied on the fundamental rights provision obtained in Sections 39 and 37 of the 1999 constitution.
While Section 39 provides an individual with the entitlement to the freedom of expression, Section 37 provides that “the privacy of citizens, their homes, correspondence, phone conversations and telegraphic communications is hereby guaranteed and protected.”
Despite this, a study by Surfshark’s Global this year said Nigeria had 82,000 leaked accounts in the first quarter of 2023 alone. Also, The ICIR captured, in several reports, how loan applications had posed a threat to financial cyber security.
For instance, this report, here, investigated how money lending institutions violated the Central Bank of Nigeria’s regulations of owning a licence before operations. This report, here, documented accounts of the victims creating a group to seek retribution.
Last year, the Federal government directed payment system operators and telecommunications companies to stop providing access to illegal digital money lenders. As a follow-up development, in April 2023, the government also prohibited loan apps from accessing contacts and images of their customers.
The signing of the Data Protection Act has now amplified the rights of the subject(s) providing the data.
Institutions are now obligated to seek the consent of subjects before data can be collected or processed. It further grants limits as to how the data can be used. The subject is obligated to request how the data will be stored and who will access it.
Also, the subject can demand the data provided to be erased and can object to using data for other purposes like marketing. If these rights are violated, part of the insulation’s profits are paid to the subject, among other clauses provided.
The law sends the right signal
An assurance and data protection expert, John Eromosele, told The ICIR that while the law is not peculiar to Nigeria, it would ensure that companies operate within global best practices and have a competitive advantage to do business.
Eromosele said, “Data subjects will also be able to do business in a secure environment knowing that their data is being controlled within the confines of the law. The law will also increase credibility in data provision and gathering by data controllers.”
Eromosele expects, with the law and commitment from data collectors, revenue from the ICT sector to increase and further drive the economy.