Since the introduction of the General Data Protection Regulation (GDPR), the law on data protection and privacy in the EU and the European Economic Area, Data Protection has become a hot topic that keeps on getting hotter. Hence it is not a surprise that the Nigerian National Assembly would extend its tentacles to ensure the enactment of a law to cover the topic, particularly to be seen as proactive within the space and a forerunner of proactive legislation within Africa. With the increasing reliance on technology and data-driven services, it has become imperative to establish a robust legal framework to protect user privacy and ensure data security.
The Nigeria Data Protection Act
This article will explore the key provisions and objectives of the Nigerian Data Protection Act, discuss compliance requirements for technology companies operating in Nigeria, and finally examine enforcement mechanisms and penalties for non-compliance.
The Nigeria Data Protection Bill was signed into law on the 14th of June, 2023 now referred to as the Nigerian Data Protection Act (NDPA) (“the Act”). The Act provides the legal framework for the protection of personal information and the practice of Data protection in Nigeria. The Act begins with a primary objective1, which is “to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999” in essence to safeguard the privacy rights of individuals and ensure responsible data management practices.
The act is in essence a codification of the earlier Nigeria Data Protection Regulation issued by National Information Technology Development Agency (NITDA) but takes it further by establishing a statutory body called the Nigerian Data Protection Commission2(the “Commission”) charged with a number of functions ranging from the enhancement of personal data protection measures, promoting of global data protection best practices, registering data controllers or processors to promoting public awareness on the importance of security of personal information3.
Data Controllers and Processors
The Act has significant implications for tech companies and startups operating in Nigeria. Data-driven sectors, such as e-commerce, fintech, and digital marketing, heavily rely on the collection and processing of personal data. The Data Protection Act introduces guidelines and limitations on how these industries can handle personal data.
Personal Data refers to any information relating to a person (data subject) who can be identified or is identifiable, directly or indirectly, by reference to such information, e.g name, address, email address, BVN, phone number etc. any information in a company’s custody sufficient enough to identify a person is subject to the act.
Data controllers are companies/entities that determine the purpose and means of processing personal data. They have the primary responsibility for ensuring compliance with the Act and must implement appropriate security measures to protect personal data. Data controllers are required to conduct regular data protection impact assessments and appoint a data protection officer to oversee compliance.
Data processors are entities that process personal data on behalf of data controllers. They have specific obligations under the Act, including ensuring the security and confidentiality of the data, assisting data controllers in fulfilling individuals’ data privacy rights, and not subcontracting data processing activities without the data controller’s authorization.
The Act recognizes joint controllership when multiple entities jointly determine the purpose and means of processing personal data. In such cases, joint controllers share responsibilities and liabilities. The Act also addresses the relationships between data controllers and third-party processors, outlining the obligations and requirements for these relationships to ensure proper data handling practices.
The Commission may designate a certain threshold of processing activity such that where a company surpasses that threshold, it would be tagged “of major importance” and its processing activity would be deemed to be of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. This status comes with increased regulatory requirements such as compulsory registration with the commission and an increased minimum penalty sum of N10,000,000 (Ten Million Naira).
Data Subjects Under the Act
The Act grants data subjects various rights to protect their personal data. These include the right to be informed about data processing activities in a clear and simple language and an accessible format, the right to access and rectify their data, the right to restrict or object to certain types of processing, and the very important “right to be forgotten”4. These rights empower data subjects to have greater control over their personal information.5
Data controllers or data processors must ensure that processing is lawful and that personal data is collected for an explicit purpose and not retained for longer than necessary to achieve the purpose for which it was collected.6
Consent must be obtained and the burden of proof that the consent was validly obtained rests on the company.7 Silence or inactivity is not consent furthermore consent may be withdrawn at any time.8 Also, the consent of a parent or legal guardian is required before processing the personal data of a child or other persons lacking the legal capacity to consent.
Furthermore, data portability, gives a data subject the right to receive, without undue delay from a data controller, personal data concerning the data subject in a structured, commonly used, and machine-readable format.9
Data Subject’s Right to seek redress
Data Subjects who are aggrieved by a decision, action or inaction of a data controller or data processor in violation of this act, may lodge a complaint with the Commission10. Upon the conclusion of an investigation, if the data controller or data processor is found to be at fault, the Commission may impose sanctions as it deems appropriate11. The penalty for non-compliance may amount to the greater of N2,000.000 and 2% of its annual gross revenue in the preceding financial year and possible imprisonment for one year or less.
Data Breach Notification
Where a personal data breach occurs, the data controller or data processor must immediately notify the person, body or entity that engaged them, describing the nature of the breach. The companies must also have a robust incident response plan in place to effectively manage and respond to data breaches, ensuring the protection of individuals’ personal information. Within 72 hours of being aware of the breach that is likely to put individuals at risk, the company must notify the Commission of the breach and possibly the nature of the breach. Where the breach will affect or potentially affect a data subject, that data subject must be notified immediately in clear and plain language, the notification should also include advice on possible ways of mitigating potential adverse effects of the breach on the data subject.12
Actions Against The Commission
While the primary purpose of the act is to protect the data subject, it also establishes that the commission is not infallible, that is why companies aggrieved by the actions of the commission can also seek redress against the commission.
However, individuals and companies must be mindful of the restriction on such actions, particularly the statute of limitation.13 Actions in Court can only be commenced within three months after the act, neglect or default complained of occurred; or In the case of continued damage or injury, within three months after the ceasing of such act, neglect or default.
Furthermore, in line with the provision above the commission must be served with one month’s written notice of intention to commence an action in court. In seeking redress, an aggrieved party must act proactively otherwise you may be shut out by the courts.
The Commission’s Enforcement Powers
The Commission is the regulatory authority responsible for enforcing the Act. The commission has the power to investigate companies suspected of non-compliance, conduct audits, and impose sanctions for violations. The commission also has the authority to issue guidelines and regulations to further support the implementation of the Act.
The commission may by ex-parte application to a judge in chambers, obtain a warrant for the purpose of obtaining evidence in relation to an investigation. This warrant may empower the commission in the company of any law enforcement agency, to enter any premises, without notice, effect a search on said premises and all its occupants, and seize, remove or detain anything which contains evidence of an offence under the act.
The challenges this may present for companies acting as data controllers and/or processors are limitless. A very pertinent one is evident in a situation where the investigation is malicious. Due to the requisite, one-month preaction notice, the aggrieved party is robbed of an equal opportunity of “swift” action14. This may ground the business and make it impossible to return to the status quo.
Cross-Border Transfer Of Personal Data
The general rule here is that data processors or controllers shall not transfer or permit the transfer of personal data from Nigeria to another country15. Personal data can however be transferred from Nigeria to another country if the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms that afford an adequate level of protection with respect to the personal data in accordance with this act.
Data Protection Compliance in the Tech Ecosystem
While data protection compliance can offer benefits, it also comes with some financial and operational challenges for tech startups. Implementing all necessary security measures and ensuring regulatory compliance can strain already limited resources, especially for cash-strapped startups.
To address these challenges, startups may prioritize resource allocation and plan their budget accordingly. They can explore cost-effective solutions such as outsourcing certain compliance tasks to specialized providers. It’s essential to strike a balance between compliance and financial sustainability, ensuring that compliance efforts don’t hamper the overall growth of the startup.
Data protection compliance may seem like a difficult undertaking for tech startups, but it also presents some unique benefits from a marketing viewpoint. By prioritizing data protection, startups can gain a competitive edge. Startups should see it as a chance to differentiate themselves from the competition and win over customers by allaying the data breaches and privacy concerns of their customers and building trust and loyalty.
It is important to mention that data protection is not solely the responsibility of IT departments or management. It requires a collective effort from all employees. Startups must invest in employee training programs on data protection best practices, including how to handle customer data, security and internal procedures. This approach may help minimize the risk of breaches caused by human error or negligence.
CONCLUSION
While there are similarities between the Act and international data protection standards like the General Data Protection Regulation (GDPR), The Act is specifically tailored to the Nigerian context, taking into account the specific needs and challenges of data protection in the country.
Non-compliance with the Act can result in significant penalties, including fines, sanctions, and potential imprisonment for individuals involved in data breaches or violations. The specific penalties will depend on the nature and severity of the non-compliance, as determined by the Commission.
The Act is a step in the right direction and an answer to the clamour by stakeholders for a clear statutory provision or enabling Act. The Act has firmly established the legal framework for data protection in Nigeria.
Startups should closely monitor legislative developments to ensure they remain compliant with any new requirements. They should also adopt a proactive approach, by adopting best practices and implementing robust data protection measures. Startups should also seek guidance from data protection specialists to understand the implications of the newly signed Act. This understanding will help them assess how it may impact their business operations and day-to-day activities. Ensuring full compliance with the Act is crucial to avoid potential liabilities associated with non-compliance. By proactively seeking expert advice, businesses can safeguard themselves and maintain adherence to the data protection regulations in Nigeria. 1
