Nigeria has enacted the Data Protection Act to safeguard citizens’ personal information and data. In the same period as the Act came into effect, the Central Bank of Nigeria (CBN), in a move that appears to be unrelated to banking services, is asking banks to collect social media handle information from their customers. The CBN claims that this is part of the Know Your Customer (KYC) information needed from account holders.
The Nigeria Data Protection Act 2023 is among the first laws that President Bola Tinubu assented to after assuming the office of President of Nigeria on May 29, 2023. It was passed by the Senate on May 3 and the House of Representatives on May 23 in the 9th National Assembly and eventually gained presidential assent on June 12, 2023. The Act is the legal framework for the protection and processing of personal information, in order to safeguard the fundamental rights, freedoms and interests of individuals guaranteed in the 1999 Nigerian Constitution. It establishes the Nigeria Data Protection Commission headed by a National Commissioner with the responsibility for regulating the processing of personal information in line with the provisions of the Act.
In the exercise of its functions, the Commission is empowered to carry out investigations into complaints of violation of the provisions of the Act, issue compliance orders, make enforcement orders or impose sanctions on a party found to be in breach of the provisions of the Act. In the course of investigation, the Commission must apply for and obtain a warrant to, among other things, enter and search any premises, stop and search any person on such premises, and seize, seal, remove or detain anything, in the company of a law enforcement officer, for the purpose of obtaining evidence. Compliance orders issued by the Commission are subject to judicial review, and failure to comply with an order amounts to an offence punishable by a fine or imprisonment for a maximum of one year or both.
The Act stipulates that data collection must be for a specific purpose which must be legitimate, and that data must be processed in a fair, lawful and transparent manner and not retained for longer than necessary. To this end, it requires data controllers and processors of major importance to be registered with the Nigeria Data Protection Commission. It also stipulates that a data controller or processor must engage the services of a Data Protection Officer who will be responsible for advising these data controlling entities and their employees on data processing, as well as monitoring compliance with the provisions of the Act and other related internal policies. A Data Protection Officer will be the point of contact for the Data Protection Commission on matters of data processing. Data controllers and processors of major importance are defined by the Act as those domiciled, resident in or operating in Nigeria that process or intend to process personal data of a specified number of data subjects who are within Nigeria, or those processing personal data of particular value or significance to the economy, society or security of Nigeria. The Act also stipulates conditions for transfer of data outside Nigeria.
The Nigeria Data Protection Act provides safeguards to individuals with respect to data collection and processing. It makes it compulsory for an individual’s consent to be sought and received for the processing of his or her data. The individual also reserves the right to withdraw this consent. A person whose data is being collected and processed, also called a data subject, has the right to request from a data controller information relating to their data, including category of data, purpose of processing and period of storage. Also, a data subject has the right to request erasure of data, correction or deletion of inaccurate, incomplete or misleading data, and has the right to lodge a complaint with the Commission. A data subject who suffers injury, loss or harm as a result of a violation of the provisions of the Act is entitled to seek damages from the defaulting data controller or processor in civil legal proceedings.
Other procedural safeguards include that a data collector and processor is obliged to apply measures to ensure the security, integrity and confidentiality of data in its control or possession. A data collector or processor is also under obligation to report to the Data Protection Commission any breach with respect to personal data that is likely to result in a risk to the rights and freedoms of individuals.
The Act is a welcome development as it provides further protection for the rights of individuals to privacy, guaranteed by section 37 of the 1999 Nigerian Constitution. It is also the first comprehensive legislation for data protection in Nigeria. Data protection was formerly regulated by the Nigeria Data Protection Regulation, 2019 issued pursuant to the National Information Technology Development Agency (NITDA) Act, 2007. With the enactment of the Nigeria Data Protection Act, the Nigeria Data Protection Bureau formed in 2022 is expected to transition into the Nigeria Data Protection Commission established by the Act.
In the light of the Act, it is unclear why the CBN is asking banks to request social media handle information from customers. Critics worry that the CBN’s directive to banks may be politically motivated and lacking in legal basis.
PLAC had earlier provided some analysis into the Nigeria Data Protection Bill, 2023 transmitted to the National Assembly in April 2023 by immediate past President, Muhammadu Buhari. Read here – https://tinyurl.com/4y2jseh4 . See the Act here: https://shorturl.at/hlqLT