In a letter read on the floor of the Senate and House of Representatives on Tuesday, 4 April 2023, President Muhammadu Buhari transmitted the Nigeria Data Protection Bill, 2023 to the National Assembly for consideration and passage. The bill provides a legal framework for the protection of personal information, in order to fulfill the fundamental rights and freedoms of individuals guaranteed in the 1999 Nigerian Constitution. <\/p>\n\n\n\n
The bill establishes\nthe Nigeria\nData Protection Commission headed by a National\nCommissioner\nwith the responsibility for regulating the\nprocessing of personal information. To this end, the\nCommission will foster the development of personal data protection\ntechnologies, in accordance with recognised international good practices and\nensure compliance with data protection obligations. Among others, it will also have\nthe powers to register\ndata controllers and data processors of major importance; promote awareness on\nthe obligation of data controllers and data processors, as well as sanction\nthose who violate the provisions of the bill. The Nigeria Data Protection\nBureau established by President Buhari in February 2022 to to regulate data protection and privacy will transition into the Nigeria Data Protection\nCommission, if the bill is passed into law. <\/p>\n\n\n\n
The bill provides for a National Commissioner for the\nCommission, who will be appointed by the President for a term of four years\nwhich is renewable once. He or she will be responsible for its daily\nadministration and execution of policies. The Commission will also have a\nGoverning Council responsible for formulating policy direction for its affairs,\napproving strategic, action and budget plans for the Commission, among others. <\/p>\n\n\n\n
A data controller is required to provide certain\ninformation to a data subject (that is the person whose data is being requested)\nbefore collection. Some of these information include the identity and address\nof business of the collector or processor, specific lawful basis to process the\ndata, recipients of the data, data retention period and the right to lodge a\ncomplaint to the Commission, among others. <\/p>\n\n\n\n
The Commission is expected to have powers to make\ncompliance and enforcement orders against data controllers or processors in the\nevent of the violation of the provisions of the bill or related subsidiary\nlegislation. The orders of the Commission are subject to judicial review within\n30 days from when they are made. The bill also criminalises failure to comply\nwith the orders of the Commission, which is punishable by a fine and or\nimprisonment term. A data subject may also seek damages from a data controller\nthrough civil proceedings, in the event of a violation. <\/p>\n\n\n\n
The bill sets out principles for the processing of\npersonal data, some of which include that it must be done in a fair, lawful and\ntransparent manner, that it is limited to the minimum necessary for the purpose\nit is collected and is not retained for longer than necessary. <\/p>\n\n\n\n
The bill specifically states that the burden of proof\nis on a data controller to establish that he or she received the consent of the\ndata subject before collecting his or her data. Silence or inactivity of the\ndata subject will not be taken to imply consent. A child does not have capacity\nto consent and a person with capacity to consent such as a parent, can do so on\nbehalf of a child. A data subject has the right to withdraw consent to the\nprocessing of his or her personal data. In that situation, the data controller\nis expected to discontinue processing the data of such a person unless the\ncontroller shows public interest or other legitimate grounds, which override\nthe fundamental rights, freedoms and the interests of the data subject.<\/p>\n\n\n\n
A data subject (a person whose information is\ncollected) has the right to obtain information with regard to the processing,\nstorage and other relevant information about his or her data, from a data\ncontroller.<\/p>\n\n\n\n
A data controller is mandated to inform the Commission\nif a data breach occurs. The data controller is also required to inform the\ndata subject of the breach if it is likely to result in high risk to the rights\nand freedoms of the subject. <\/p>\n\n\n\n
The bill is a welcome development to protect the right\nto privacy guaranteed in section 37 of the 1999 Nigerian Constitution. The bill\nprovides some procedural safeguards to protect the rights of those whose\ninformation are to be collected, such as the requirements for a data subject to\nbe provided with necessary information and their consent sought prior to data\ncollection. Another is the requirement for a data controller to carry out a\ndata protection impact assessment where data processing is likely to result in high\nrisk to the rights and freedoms of a data subject. The bill also provides that\nlegitimate interests pursued by a data controller\/processor (which is one of\nthe bases for processing of personal data) will not be considered a lawful\nbasis if those interests violate the\nfundamental rights, freedoms and interests of the data subject. <\/p>\n\n\n\n
The provision that complaints related to data\nprocessing can be lodged with the Nigeria Data Protection Commission, is also\nimportant as a mechanism for redress. <\/p>\n\n\n\n
On the other hand, the bill contains a limitation\nclause on institution of legal proceedings against the Commission and its\npersonnel. It provides that such a suit cannot be commenced three months after\nthe act, default or neglect in question was committed. Three months is a short\nperiod and restricts people\u2019s rights to approach the courts to seek redress on for\ngrievances by the Commission. <\/p>\n\n\n\n
However, the bill contains several cross referencing\nerrors that need to be corrected as it undergoes legislative consideration. <\/p>\n\n\n\n
This bill, if passed will be the first comprehensive Act\nfor data protection in Nigeria. Data protection is presently regulated by the\nNigeria Data Protection Regulation, 2019 issued pursuant to the National\nInformation Technology Development Agency (NITDA) Act, 2007. In 2022, the Nigeria Data Protection Bureau\nwas established to develop a primary legislation on the subject. If passed, the\nbill will provide a legal framework for the establishment and operation of the\nBureau as the Nigeria Data Protection Commission. <\/p>\n\n\n\n
The Nigeria Data Protection Bill was developed by the\nBureau in October 2022 and approved by the Federal Executive Council in\nFebruary 2023. It has now been transmitted to the National Assembly for\nconsideration and passage, with a little over two months until the end of the 9th<\/sup>\nNational Assembly. <\/p>\n","protected":false},"excerpt":{"rendered":" In a letter read on the floor of the Senate and House of Representatives on Tuesday, 4 April 2023, President Muhammadu Buhari transmitted the Nigeria Data Protection Bill, 2023 to the National Assembly for consideration and passage. The bill provides a legal framework for the protection of personal information, in order to fulfill the fundamental […]<\/p>\n","protected":false},"author":2,"featured_media":3219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-3211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/posts\/3211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/comments?post=3211"}],"version-history":[{"count":1,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/posts\/3211\/revisions"}],"predecessor-version":[{"id":3220,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/posts\/3211\/revisions\/3220"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/media\/3219"}],"wp:attachment":[{"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/media?parent=3211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/categories?post=3211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/placng.org\/Legist\/wp-json\/wp\/v2\/tags?post=3211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}