In a letter read on the floor of the Senate and House of Representatives on Tuesday, 4 April 2023, President Muhammadu Buhari transmitted the Nigeria Data Protection Bill, 2023 to the National Assembly for consideration and passage. The bill provides a legal framework for the protection of personal information, in order to fulfill the fundamental rights and freedoms of individuals guaranteed in the 1999 Nigerian Constitution.
The bill establishes the Nigeria Data Protection Commission headed by a National Commissioner with the responsibility for regulating the processing of personal information. To this end, the Commission will foster the development of personal data protection technologies, in accordance with recognised international good practices and ensure compliance with data protection obligations. Among others, it will also have the powers to register data controllers and data processors of major importance; promote awareness on the obligation of data controllers and data processors, as well as sanction those who violate the provisions of the bill. The Nigeria Data Protection Bureau established by President Buhari in February 2022 to to regulate data protection and privacy will transition into the Nigeria Data Protection Commission, if the bill is passed into law.
The bill provides for a National Commissioner for the Commission, who will be appointed by the President for a term of four years which is renewable once. He or she will be responsible for its daily administration and execution of policies. The Commission will also have a Governing Council responsible for formulating policy direction for its affairs, approving strategic, action and budget plans for the Commission, among others.
A data controller is required to provide certain information to a data subject (that is the person whose data is being requested) before collection. Some of these information include the identity and address of business of the collector or processor, specific lawful basis to process the data, recipients of the data, data retention period and the right to lodge a complaint to the Commission, among others.
The Commission is expected to have powers to make compliance and enforcement orders against data controllers or processors in the event of the violation of the provisions of the bill or related subsidiary legislation. The orders of the Commission are subject to judicial review within 30 days from when they are made. The bill also criminalises failure to comply with the orders of the Commission, which is punishable by a fine and or imprisonment term. A data subject may also seek damages from a data controller through civil proceedings, in the event of a violation.
The bill sets out principles for the processing of personal data, some of which include that it must be done in a fair, lawful and transparent manner, that it is limited to the minimum necessary for the purpose it is collected and is not retained for longer than necessary.
The bill specifically states that the burden of proof is on a data controller to establish that he or she received the consent of the data subject before collecting his or her data. Silence or inactivity of the data subject will not be taken to imply consent. A child does not have capacity to consent and a person with capacity to consent such as a parent, can do so on behalf of a child. A data subject has the right to withdraw consent to the processing of his or her personal data. In that situation, the data controller is expected to discontinue processing the data of such a person unless the controller shows public interest or other legitimate grounds, which override the fundamental rights, freedoms and the interests of the data subject.
A data subject (a person whose information is collected) has the right to obtain information with regard to the processing, storage and other relevant information about his or her data, from a data controller.
A data controller is mandated to inform the Commission if a data breach occurs. The data controller is also required to inform the data subject of the breach if it is likely to result in high risk to the rights and freedoms of the subject.
The bill is a welcome development to protect the right to privacy guaranteed in section 37 of the 1999 Nigerian Constitution. The bill provides some procedural safeguards to protect the rights of those whose information are to be collected, such as the requirements for a data subject to be provided with necessary information and their consent sought prior to data collection. Another is the requirement for a data controller to carry out a data protection impact assessment where data processing is likely to result in high risk to the rights and freedoms of a data subject. The bill also provides that legitimate interests pursued by a data controller/processor (which is one of the bases for processing of personal data) will not be considered a lawful basis if those interests violate the fundamental rights, freedoms and interests of the data subject.
The provision that complaints related to data processing can be lodged with the Nigeria Data Protection Commission, is also important as a mechanism for redress.
On the other hand, the bill contains a limitation clause on institution of legal proceedings against the Commission and its personnel. It provides that such a suit cannot be commenced three months after the act, default or neglect in question was committed. Three months is a short period and restricts people’s rights to approach the courts to seek redress on for grievances by the Commission.
However, the bill contains several cross referencing errors that need to be corrected as it undergoes legislative consideration.
This bill, if passed will be the first comprehensive Act for data protection in Nigeria. Data protection is presently regulated by the Nigeria Data Protection Regulation, 2019 issued pursuant to the National Information Technology Development Agency (NITDA) Act, 2007. In 2022, the Nigeria Data Protection Bureau was established to develop a primary legislation on the subject. If passed, the bill will provide a legal framework for the establishment and operation of the Bureau as the Nigeria Data Protection Commission.
The Nigeria Data Protection Bill was developed by the Bureau in October 2022 and approved by the Federal Executive Council in February 2023. It has now been transmitted to the National Assembly for consideration and passage, with a little over two months until the end of the 9th National Assembly.