Introduction
With the rapid expansion of digital technology in Nigeria, data protection has become a crucial issue. The increasing reliance on digital platforms for financial transactions, social interactions, and business operations has led to concerns about data privacy, security breaches, and misuse of personal information. Despite Nigeria’s growing digital economy, legal protection of data remains a developing area. This article examines the legal framework for data protection in Nigeria, key challenges, and recommendations for strengthening data privacy and security.
Legal Framework for Data Protection in Nigeria
Laws and regulatory frameworks that govern data protection in Nigeria include:
1.1. The Nigeria Data Protection Act (NDPA)
The Nigeria Data Protection Act (NDPA) 2023 is the landmark and primary legislation that brings Nigeria in line with global data protection standards. The NDPA, signed into law on June 12, 2023, marks a significant milestone in the country’s data protection landscape.
By strengthening regulatory oversight, enhancing individuals’ rights, and imposing strict penalties for non-compliance, the Act fosters a more accountable data protection ecosystem than the subsidiary regulations which Nigeria’s data space formerly relied on. The Act replaces the Nigeria Data Protection Regulation (NDPR) 2019 and establishes a robust legal framework for data protection, ensuring compliance with global standards. It introduces stricter obligations for data controllers and processors, enhances individuals’ rights, and strengthens enforcement mechanisms through the Nigeria Data Protection Commission (NDPC).[1]
1.1.2. The objectives of the NDPA 2023 include:
- safeguarding data subjects’ fundamental and constitutional rights, freedoms and interests, and establishing an impartial, independent and effective regulatory body to supervise data controllers and data processors and superintend data protection and privacy issues;[2]
- ensuring the security of personal information;
- regulating the processing of personal data and protecting data subjects;
- providing means of recourse and remedies in the event of infringement of the rights of data subjects; and
- strengthening the legal foundations of the national digital economy and guaranteeing the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data, etc.[3]
1.1.3. Key Provisions of the Nigeria Data Protection Act
Scope and Application
The NDPA 2023 applies to:
- All personal data processing carried out within Nigeria.
- Data processing of individuals residing in Nigeria, even if the processing entity is located outside Nigeria.
- Public and private sector entities, including government institutions, businesses, and non-profits.
However, Section 3(1) of the Act exempts data processing related to national security, crime prevention, and some journalistic purposes, subject to certain safeguards.[4] Section 3(1) of the NDPA excludes processing of personal data solely for personal or household purposes from the material scope of the NDPA provided such processing does not constitute a violation of the fundamental right to privacy of a Data Subject.[5]
Establishment of the Nigeria Data Protection Commission (NDPC)
The NDPA establishes the Nigeria Data Protection Commission (NDPC) as the principal regulator for data protection in Nigeria. The Commission is empowered to:
- Monitor and enforce compliance with data protection laws.
- Investigate data breaches and impose sanctions.
- Promote public awareness on data protection rights and obligations.
- Issue regulations, guidelines, and sector-specific codes of practice.
- Oversee the appointment and functions of Data Protection Officers (DPOs).[6]
Rights of Data Subjects
Sections 32–39 of the Act grant individuals significant rights over their personal data, including:
- Right to access – Individuals can request copies of their personal data.
- Right to rectification – Data subjects can request correction of inaccurate data.
- Right to erasure (‘right to be forgotten’) – Individuals can request deletion of their data under specific conditions.
- Right to data portability – Individuals can request their data in a structured, commonly used format.
- Right to object – Individuals can object to certain types of data processing, including direct marketing.
- Right to restrict processing – Data subjects can request temporary suspension of processing.
- Right to lodge complaints – Individuals can file complaints with the NDPC regarding data misuse.
Principles of Data Processing
The Act outlines fundamental principles guiding the processing of personal data:
- Lawfulness, fairness, and transparency: Data must be processed lawfully and fairly, with transparency to the data subject.
- Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes.
- Data minimization: Only necessary data should be collected and processed.
- Accuracy: Data must be kept accurate and up to date.
- Storage limitation: Personal data should not be retained longer than necessary.
- Integrity and confidentiality: Data must be processed securely to prevent unauthorized access, loss, or damage.[7]
Legal Basis for Data Processing
Section 25 of the NDPA 2023 provides six lawful grounds for processing personal data:
- Consent: Data subjects must give clear, affirmative consent.
- Contractual necessity: Processing is necessary for the performance of a contract.
- Legal obligation: Processing is required to comply with a legal duty.
- Vital interests: Processing is necessary to protect life or safety.
- Public interest: Processing is essential for a task carried out in the public interest.
- Legitimate interests: Processing is necessary for the legitimate interests of the controller, except where overridden by data subject rights.
Data Protection Impact Assessment (DPIA)
Organizations engaging in high-risk data processing must conduct Data Protection Impact Assessments (DPIAs). This applies to activities such as large-scale processing of sensitive personal data, automated decision-making, and processing of children’s data.[8]
Data Breach Notification
Section 48 of the NDPA 2023 provides that organizations must notify the NDPC within 72 hours of becoming aware of a data breach that may result in harm to individuals. Affected data subjects must also be informed if there is a high risk to their rights and freedoms.
Cross-Border Data Transfers
The NDPA 2023 regulates international data transfers to ensure adequate protection. Transfers are permitted if:
- The receiving country has adequate data protection laws.
- The data controller adopts appropriate safeguards, such as contractual clauses.
- The transfer falls under specific exemptions, such as consent or public interest.[9]
1.1.4. Enforcement Mechanisms
Powers of the Nigeria Data Protection Commission (NDPC)
The NDPC has extensive enforcement powers, including:
- Conducting investigations and audits of organizations.
- Issuing compliance and enforcement notices.
- Imposing administrative fines and sanctions.
- Ordering suspension of data processing activities.
- Referring serious cases for criminal prosecution.[10]
Penalties for Non-Compliance
The NDPA prescribes strict penalties for violations:
- For large organizations: Up to ₦10 million or 2% of annual turnover, whichever is higher.
- For small and medium enterprises (SMEs): Up to ₦2 million or 1% of annual turnover.
- Criminal liability: In severe cases, individuals responsible for breaches can face criminal prosecution, including imprisonment (NDPA, Section 61).
Role of Data Protection Compliance Organizations (DPCOs)
The NDPC accredits Data Protection Compliance Organizations (DPCOs) to assist businesses in meeting regulatory requirements. DPCOs conduct audits, offer compliance training, and submit reports to the NDPC (NDPA, Section 26).
1.1.5. Implications for Businesses and Individuals
For Businesses
- Organizations must review their data protection policies to align with NDPA requirements.
- Mandatory DPIAs and DPO appointments for high-risk data processing.
- Enhanced security measures to prevent breaches and avoid hefty fines.
- Stricter compliance requirements for international data transfers.
For Individuals
- Increased awareness and control over personal data.
- Stronger legal recourse in case of data misuse.
- Clear channels to file complaints and seek redress.
1.2. The Nigerian Constitution (1999, as amended)
Section 37 of the Nigerian Constitution guarantees the right to privacy, stating that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected” (Constitution of Nigeria, 1999). However, this provision does not explicitly address digital data, necessitating specific legislation on data protection.
1.3. The Cybercrimes (Prohibition, Prevention, Etc.) Act, 2015
The Cybercrimes Act addresses cyber-related offenses, including identity theft, hacking, and unauthorized data interception (Cybercrimes Act, 2015). While it enhances digital security, its provisions do not comprehensively address data protection concerns.
1.4. The Freedom of Information Act, 2011
While primarily aimed at government transparency, the Freedom of Information Act (FOIA) contains provisions on access to public data and exceptions for personal data privacy (FOIA, 2011). However, it does not provide detailed rules on private sector data protection.
1.5. The Central Bank of Nigeria (CBN) Consumer Protection Framework, 2016
For the financial sector, the CBN’s Consumer Protection Framework imposes data protection obligations on financial institutions to prevent misuse of customer data (CBN, 2016). However, enforcement remains a challenge.
2.0. CHALLENGES IN DATA PROTECTION ENFORCEMENT
Despite these laws, data protection enforcement in Nigeria faces several challenges:
- Poor Compliance and Awareness
Many businesses, particularly small and medium-sized enterprises (SMEs), are unaware of their obligations under the NDPA. Additionally, enforcement mechanisms such as fines and audits are inconsistently applied.
- Inadequate Cybersecurity Infrastructure
Nigeria faces significant cybersecurity threats, including data breaches and cyberattacks. Without strong cybersecurity infrastructure, enforcing data protection laws becomes difficult.
- Cross-Border Data Transfer Issues
Nigeria lacks clear legal provisions on cross-border data transfers. While the NDPR mandates compliance with global standards, enforcement mechanisms are unclear, making it difficult to regulate multinational companies handling Nigerian data.
3.0. RECOMMENDATIONS FOR STRENGTHENING DATA PROTECTION
To enhance data protection in Nigeria, the following measures should be implemented:
- Enhancing Public Awareness and Compliance
Government agencies and private organizations should launch public awareness campaigns on data protection rights and obligations. Training programs for businesses on NDPA compliance should also be encouraged.
- Improving Cybersecurity Measures
Stronger cybersecurity frameworks should be implemented, including investment in digital infrastructure and enhanced collaboration between government and private sector stakeholders to prevent data breaches.
- Clearer Rules on Cross-Border Data Transfers
Nigeria should adopt clear legal provisions on cross-border data transfers to protect citizens’ data when handled by foreign companies. The law should require that data transfers comply with international privacy standards.
Conclusion
Data protection is essential for Nigeria’s digital economy and national security. While existing frameworks such as the NDPA make reasonable provision for data protection, weak enforcement of these laws is counterproductive. Improving cybersecurity measures and regulatory enforcement, and enhancing public awareness, are necessary steps toward ensuring robust data privacy in Nigeria.
FOOTNOTES:
[1] https://kpmg.com/ng/en/home/insights/2023/09/the-nigeria-data-protection-act–2023.html
[2] https://banwo-ighodalo.com/grey-matter/nigeria-data-protection-act-what-individuals-businesses-and-organizations-should-know
[3] https://www.dlapiperdataprotection.com/index.html?t=law&c=NG#:~:text=The%20Constitution%20provides%20Nigerian%20citizens,telephone%20conversations%20and%20telegraphic%20communications
[4] Section 3 of the NDPA
[5] https://iclg.com/practice-areas/data-protection-laws-and-regulations/nigeria
[6] Sections 5, 6 and 7 of the NDPA
[7] Section 24 of the NDPA
[8] Section 45 of the NDPA
[9] Section 51 of the NDPA
[10] Sections 58-60 of the NDPA