The Nigeria Data Protection Bill, as released on 6th of October, 2022 by the Nigeria Data Protection Bureau, is a step towards the enactment of conclusive legislation on the subject of data protection. There have been several unsuccessful attempts in the last decade to enact a Data Protection Bill in Nigeria. However, the Data Protection Bill, 2022 seems to be a worthy platform for the actualization of this goal. In this article, we consider some of the key highlights contained in the provisions of the Bill.
2.0 Key Highlights of Nigeria Data Protection Bill, 2022
- Objectives and Application
The objective of the Bill is to safeguard the fundamental rights, freedoms and interests of data subjects under the Constitution of the Federal Republic of Nigeria, 1999. This includes, but is not limited to: (i) provision for regulation with respect to the processing of personal data, (ii) promotion of data processing practices which protect the privacy of personal data subjects and the security of personal data, (iii) ensuring that personal data is processed in a fair, lawful and accountable manner, (iv) minimization of the harmful effect of misuse or abuse of personal data on data subjects and other victims, (v) establishment of an independent regulatory Commission which will superintend data protection and supervise data controllers and data processors, (vi) contributing to the legal foundations of the digital economy of Nigeria.
- Application of the Bill
The application of the Bill is in respect of the processing of personal data, whether by automated means or not. The scope of the application includes (i) where the data controller or processor is domiciled, resident or operating in Nigeria, (ii) where the personal data processing takes place in Nigeria, and (iii) where the data controller or the data processor is not domiciled or resident in Nigeria, but processes personal data of a data subject in Nigeria.
There are, however, exemptions to the application of the Bill. The Bill does not apply to the processing of personal data where the data processing is carried out by one or more individuals solely for personal or household purposes. The Commission is also empowered to prescribe types of personal data and processing that shall be exempted from the Bill or any of its provisions.
- Establishment of the Nigeria Data Protection Commission
The Bill establishes the Nigeria Data Protection Commission which shall be independent in the discharge of its functions as stipulated by the Bill, and which may develop, adopt, and as appropriate from time to time amend or revoke appropriate regulations, codes and guidelines to regulate its operations with respect to discharging its functions.
- Functions of the Nigeria Data Protection Commission
The functions of the Nigeria Data Protection Commission include (i) ensuring the deployment of technological and organizational measures for the enhancement of personal data protection, (ii) promoting awareness among data controllers and processors of their obligations under the Bill, (iii) promoting public awareness and understanding of data protection and the risks to personal data, including the rights and obligations provided for under the Bill, (iv) registering data controllers and data processors of major importance, (v) licensing and registering bodies to provide data compliance services, (vi) ensuring compliance with national and international personal data protection good practice and obligations as laid down by international agreements and treaties to which Nigeria is a party.
- Powers of the Nigeria Data Protection Commission
The Nigeria Data Protection Commission is empowered to (i) issue regulations, rules and directives under the Bill, (ii) hire consultants, and license or accredit consultants, who would assist the Commission in the discharge of its functions where necessary, (iii) impose penalties where any provision of the Bill or other subsidiary legislation made pursuant to the Bill is violated, (iv) prescribe the manner and frequency of filing compliance returns to the Commission by data controllers and data processors of major importance.
- Principles of Personal Data Processing
It is the duty of a data controller or data processor to ensure that: (i) it processes personal data fairly, lawfully, and in a transparent manner, (ii) personal data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, (iii) personal data is adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected, (iv) personal data is retained no longer than is necessary to achieve the lawful basis for which the data was collected or further processed, (v) personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access, and against loss, destruction or damage, and the data controller or data processor shall use appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of the personal data.
It is pertinent to note that a data controller or data processor owes a duty of care in respect of data processing and shall demonstrate accountability with respect to the principles contained in the Bill.
- Lawful Basis for Personal Data Processing
The lawfulness of data processing rests on the application of the following: (i) if the data subject has given and not withdrawn his consent for the specific purpose(s) for which the data will be processed, (ii) if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, (iii) if the processing is necessary to protect the vital interest of the data subject or another individual, (iv) if the processing is necessary for compliance with a legal obligation to which the data controller or data processor is subject, (v) if the processing is necessary for the purposes of the legitimate interests pursued by the data controller or data processor or by a third party to whom the data is disclosed. However, the interests shall not be considered legitimate if they are overridden by the fundamental rights, freedoms and interests of the data subject, or if the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
- Conditions of Consent
Section 27 of the Bill stipulates the conditions of consent with respect to data processing. The burden of proof for establishing a data subject’s consent is on the data controller. Silence or inactivity by the data subject shall not constitute consent. Where consent is intended to be given for data processing, such consent may be provided in writing, orally or through electronic means. The data subject also has the right to withdraw his consent at any time. However, such withdrawal of consent will not affect the lawfulness of data processing that occurred before the withdrawal.
- Sensitive Personal Data
Generally, a data controller is not permitted to process, or permit a data processor to process on its behalf, sensitive personal data. However, sensitive data can be processed by a data processor where: (i) the data subject has given and not withdrawn his consent to the processing for the specific purpose(s) for which it will be processed, (ii) the processing is necessary for the purposes of exercising or performing rights or obligations of the data controller or the data subject under employment or other social security laws, (iii) the processing is necessary to protect the vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving consent, (iv) the processing relates to personal data which are manifestly made public by the data subject, (v) the processing is necessary for reasons of substantial public interest, on the basis of a law which shall be proportionate to the aim pursued and which provides for suitable measures to safeguard the fundamental rights and the interests of the data subject, (vi) the processing is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding.
- Children and Individuals Lacking Legal Capacity to Consent
Where a data subject is a child or an individual who lacks legal capacity to consent, a data controller is expected to obtain the consent of the parent or other appropriate legal guardian of the child or other individual, as applicable. A data controller is mandated to apply appropriate mechanisms, where feasible, to verify age and consent, taking into consideration the available technology.
- Civil Remedies
A data subject who suffers injury, loss or harm as a result of a violation of the Bill by a data controller or data processor, or a recognized consumer organisation acting on behalf of such data subject, may recover damages from such data controller or data processor by way of civil proceedings in the appropriate court.
The Nigeria Data Protection Bill, 2022 would adequately contribute to the legal foundations of the digital economy in the country. A consideration of the provisions of the Nigeria Data Protection Bill, 2022, as published by the Nigeria Data Protection Bureau, also reveals that, if passed into law, it would be a great advancement for data protection in Nigeria: it would address data privacy by efficiently helping to mitigate data leakage issues, give data controllers and data processors clarity on the regulatory framework for their duties, and also ensure efficient data flow.