What you must know about the Data Protection Act, 2023

10 months ago

Ogechi Obasi

On 12 June 2023, the President signed the Data Protection Act into law. The Data Protection Act is an Act to provide a legal framework for the protection of personal information, to establish the Nigeria Data Protection Commission for the regulation of the processing of personal information, and for related matters. The Act covers key areas such as data protection principles, lawful bases for the processing of personal data, requirements for the processing of sensitive personal data and the conduct of data protection impact assessments, rights of data subjects, appointment of Data Protection Officers ("DPOs") and licensing of data protection compliance organisations ("DPCOs"), rules relating to cross-border transfer of personal data, etc. Key provisions of the Act are as follows:

1.      Applicability: Part I of the Act provides for its objectives and applicability. The Act will only apply where:

a.       the processing of personal data is carried out by a data controller or data processor domiciled, ordinarily resident or ordinarily operating in Nigeria;

b.       the processing of personal data occurs within Nigeria; or

c.        the processing of the personal data of the data subject occurs in Nigeria without the data controller or the data processor being domiciled, ordinarily resident or ordinarily operating in Nigeria.

The Act does not apply to the processing of personal data for personal or household purposes as well as in cases of criminal investigation and prosecution, national public health emergency, national security, public interest or the establishment or defense of legal claims.

2.      Establishment of the Nigeria Data Protection Commission and its Governing Council: Part II of the Act provides for the establishment of the Nigeria Data Protection Commission, to be headed by the National Commissioner, with the Governing Council assuming a supervisory role over the Commission. The Commission is responsible for the enforcement of the rules and regulations set out in the Act. The Commission replaces the NDPB established by former President Buhari in February 2022. The Commission is expected to be independent in the discharge of its responsibilities (Section 7).

3.      Appointment of the National Commissioner and Other Staff of the Commission: Part III of the Act provides for the appointment of a National Commissioner. A National Commissioner is to head the Commission, overseeing the protection of personal data and ensuring organizations adhere to the new legal framework.

4.      Principles and Lawful Basis Governing Processing of Personal Data: Part V of the Act makes provisions for the processing of personal data. A data controller or processor is a company or individual that determines the purpose of collecting data and how that data is processed. They can be entities that reside in Nigeria, that process data within Nigeria, or that are not domiciled in Nigeria but process the data of Nigerians. The crux of the Act is the protection of individuals' personal data. It legally mandates organisations and individuals to respect and protect an individual's privacy by securing their personal data.

5.      Legal Proceedings: Part XI of the Act makes provisions for legal proceedings under the Act. Section 57 in particular provides for the powers of arrest. The Act confers enormous enforcement powers on the Commission, including the powers to arrest, search and seize during the course of an investigation.

6.      Rights of a Data Subject: Part VI of the Act provides for the rights of a Data Subject. It gives a person the right to:

a.      Demand what type of data is being collected, where it's being stored, and who else will be using that data apart from the company that collected it.

b.      Demand that the company erases or rectifies the data in use at any time.

c.       Object to the use of data for marketing purposes.

 

7.      Consent: Part V (Section 20) provides for consent by the Data Subject. Consent obtained from the subject must be affirmative, and not through pre-selected means. It must be given in writing, orally or through electronic means. Companies must make sure you give consent before using and processing your data. Silence or inaction will not be taken as consent. Even after giving consent, you can still withdraw it from the company at any time you choose. Children do not have the right to give consent, so companies must take steps to verify the age of whoever they want to collect data from.

8.      Cross-Border Transfers of Personal Data: Part VIII provides for data transfer across borders. Companies can no longer transfer data outside Nigeria unless there's valid legal backing. That is, the company that is receiving your data outside the country has a valid data protection law and procedures in place to ensure the safety of your data. The company will also be subject to sanctions under Nigeria's data protection law if there's any violation.

9.      Data Breaches: Section 35 of the Act provides for action to be taken in the event of a data breach. The Act institutes several provisions for data breaches under which the company has to report to its partners and the data protection commission. When a breach that's likely to harm your rights and freedom happens, the Act mandates companies to notify you immediately, either directly or through public media.

10.  Sanctions: Section 43 of the Act provides for enforcement orders and sanctions under the Act. Companies or individuals found in violation could be sanctioned in various ways. Some include:

a.      Giving a part of the profits realised from the violation to a data subject

b.      Paying a fine of ₦10 million for data controllers of major importance and ₦2 million for data controllers not of major importance.

In conclusion, the Data Protection Act 2023 is a significant step towards safeguarding personal information in Nigeria. The Act outlines principles and lawful bases for processing personal data, grants rights to data subjects, and sets guidelines for consent and cross-border data transfers. The Act also addresses legal proceedings and data breaches, and imposes sanctions for non-compliance. Overall, this legislation aims to ensure the protection of individuals' privacy and enhance data security within the country.

Ogechi is an Analyst with NASSBER. Reach her on ogechi.obasi@nesgroup.org