A Guide to Nigeria's Data Protection Bill: Current Draft and Potential Changes
Nigeria is expected to join the community of nations with comprehensive data protection laws sometime in 2022, according to Dr. Vincent Olatunji, the National Commissioner of the Nigeria Data Protection Bureau (NDPB). The Nigeria Data Protection Regulation (NDPR) has been in effect since 2019, but a comprehensive bill has been held up since then. As the strongest economy in Africa, Nigeria needs a robust data protection system. The bill has faced some roadblocks in development, however, and the version that passes in 2022 may not be the same as the currently available draft.
Highlights of the 2020 Bill
The currently available draft of the bill is the version first put forward in 2020. This draft sets out a number of data management principles and data subjects' rights. It also establishes an independent regulatory authority to manage data privacy under the law.
The bill protects personal data collected from Nigerian citizens and residents. It covers data subjects who are citizens or residents of Nigeria, Nigerian corporations, unincorporated entities operating in Nigeria, any other entity that maintains a branch doing business in Nigeria, and foreign entities targeting persons resident in Nigeria. The bill covers a wide variety of organizations and unlike some laws, is not limited in its application based on the organization's revenue.
Data Subject Rights
The bill grants Nigerians a number of rights over their personal data, similar to other countries' data protection laws:
- Right to notification of a data breach within 48 hours of initial reporting.
- Right to request information on whether and why data has been processed.
- Right to not be subject to automated decision-making without personal input (unless authorized by law that safeguards subject rights and freedom).
- Right to correct or delete inaccurate, false, or unlawfully processed data.
- Right to object to processing (including profiling or direct marketing without consent).
- Right to have processing suspended (unless processor can prove a legitimate interest and grounds for processing sufficient to overcome the right).
- Right to data portability (subject may receive a machine-readable form of their own data from a data controller).
Sensitive Data
In addition to protecting personal information, the bill also creates very strict restrictions on the processing of sensitive data (data of children or an individual's religious beliefs, ethnicity, race, political opinions, health, sexual conduct or behavior). Such data cannot be processed unless it comes under one of the specific exceptions in the bill:
- The subject (or child subject’s parent) consents.
- Processing is necessary for a legal right or obligation of an employer.
- Processing is for the legitimate activities of a non-profit political, philosophical, religious, or trade union organization regarding its members and associates, and is not disclosed.
- Processing is performed as part of a legal proceeding.
- Processing is done for medical purposes by a health professional and is subject to the duty of patient confidentiality.
- Processing of racial or ethnic data is necessary to identify and eliminate discriminatory practices and is done with safeguards for the subject’s rights.
- Processing of data on religion is done by a religious or spiritual organization about its members or employees, and is consistent with and necessary to the organization’s principles.
Duties of Data Controllers and Processors
In addition to protecting the privacy rights of data subjects, the 2020 bill also imposes duties on data collectors and processors. Data controllers, including government organizations, must:
- Take all necessary measures (including technical and managerial) to comply with the Act and demonstrate that processing of personal data is compliant with the Act.
- Ensure that the processing is proportionate to the legitimate process pursued and the data subject’s interests, rights and freedoms.
- Consider the risks arising from the subjects’ interests, rights, and freedoms according to the nature, volume, and scope of processing.
- Appoint a Data Protection Officer responsible for compliance with the Act
- Examine the likely impact of the intended processing on the rights and freedoms of data subjects before starting processing.
- Design data processing in a manner, including technical and organizational measures, to prevent or minimize the risk of interference with those rights and freedoms.
The data collector is legally liable for any processing carried out on its behalf by a data processor and must take measures to ensure that the processor it chooses guarantees to follow the collector's legal obligations. The processor has its own legal obligations; it must:
- Process personal data on a data controller’s behalf only on the controller’s written instructions.
- Not engage with another data processor without written authorization by the controller.
- Inform the controller about the addition or replacement of data processors.
- Inform the data controller of any legal requirements that might endanger the subjects’ rights and freedoms, unless such notice is prohibited by law.
- Take appropriate technical and managerial security measures as required by the Act.
- Enact measures to fulfill the data controller’s obligations to respond to subject rights.
- Assist the data controller in complying with its security breach obligations under the Act.
- Delete or return all personal data to the controller at the end of processing, unless prohibited by law.
- Provide the controller with all information necessary for the controller to demonstrate compliance with the Act and facilitate audits.
The controller and processor must take the optimal technical and managerial measures to protect the data against dangers like accidental or unauthorized access, destruction, loss, use, modification, or disclosure of data. These "optimal measures" must take into account the current state-of-the-art in data security technology proportionate to the seriousness and likelihood of the risk, as well as factors such as the nature and volume of personal data, as well as the potential harm to the subject in the event of a breach.
Difficulties with the Bill
At this point in time, it is unclear what part of the Nigerian government would manage data privacy law. The 2020 Bill would establish the Data Protection Commission, a new agency with the duty and authority to regulate, enforce, and interpret data protection rules. However, in February of 2022, Nigeria established the Data Protection Bureau. The NDPB is subordinate to the Nigerian Information Technology Development Agency, while the Commission would be independent. Since the NDPB is so new, it is not entirely clear what its duties and authority are. If the NDPB is given enforcement power of the Bill, it would be a break from the many other privacy laws that are enforced and managed by an independent agency.
There have also been some recent concerns as to whether the 2020 draft is still being considered. In 2021, the Nigerian government began seeking World Bank funding to hire consultants to draft a new Bill. This upset some Nigerian digital experts since it came as something of a surprise. The 2020 draft was already complete and had been developed with input from Nigerian stakeholders to an international standard. By seeking World Bank funding and outside support, some stakeholders are worried about unwarranted foreign influence in internal security matters.
In an interview expressing his optimism about the bill, Dr. Olatunji seems to have confirmed that a new version of the bill is being worked on. "In 2019, there was a law passed by the National Assembly but it was not assented to by Mr. President," he said. "Now, we are working with the World Bank, European Investment Bank, and French Development Agency to have a principal legislation."
It remains to be seen what this possible new bill will say and how much it will resemble the current draft, but either way, Nigeria is likely to have a new comprehensive data law in the near future.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with PDPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/ and find more resources here.
Note: Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.