KNOW THE LAW 19/09/2023
Understanding The Nigeria Data Protection Act
On Tuesday 12th of June 2023, President Bola Ahmed Tinubu assented to the passage of the Nigeria Data Protection Bill into law. The draft Data Protection Bill was introduced by the National Data Protection Bureau (“NDPB”) on the 4th of October 2022 and was approved by the Federal Executive Council in February 2023. The Nigeria Data Protection Act 2023 (“NDPA”) is the first major federal legislative instrument for the processing and protection of personal data in Nigeria.
The NDPA provides a comprehensive approach to the protection of personal data and its regulatory framework in Nigeria. The NDPA mirrors the European Union (“EU”) General Data Protection Regulation (“GDPR”) to a very large extent, with a number of new legal principles, some of which include:
- The new regulator: The establishment of the Nigeria Data Protection Commission (the “Commission” or “NDPC”): The Commission replaces the NDPB as the apex regulator for data protection-related matters in Nigeria. The NDPC is an “Independent Commission” tasked with the responsibility of licensing, accrediting and registering bodies to provide data protection compliance services. The Commission also has the power to prescribe fees payable by data controllers and data processors in accordance with data processing activities.
- Additional legal basis for processing: The recognition of legitimate purpose as a legal basis for the processing of personal data amongst others.
- Introduction of new categories of data controller/processor: A new classification of data controllers and processors, i.e., “Data Controllers and Data Processors of major importance”, and compulsory registration obligations with the Commission where they meet the threshold for such registration.
- New penalty regime: The above classification of data controller/processor has led to the introduction of two types of fines that are applicable to breaches of data protection law and regulations. There is now (a) a higher maximum amount, applicable to a data controller/processor of major importance, and (b) a standard maximum amount, applicable to a data controller/processor not of major importance.
- Digital age of consent: There is now a more elaborate provision in respect of the processing of children’s data, particularly the adoption of the EU digital age of consent consideration for children aged 13 years and above. The NDPA also makes provisions for persons lacking the legal capacity to give consent.
The primary objective of the NDPA is to safeguard the fundamental rights and freedom of privacy as guaranteed under the Constitution of the Federal Republic of Nigeria. The NDPA will usher in a new era for privacy and data protection in Nigeria. We recommend that business owners and data dealers pay attention to the NDPA and their ensuing compliance obligations.