President Bola Ahmed Tinubu has signed the Nigeria Data Protection Bill, 2023 into law, marking a significant milestone in the country’s data protection and privacy landscape. The bill, which was sent to the National Assembly by former President Muhammadu Buhari in April 2023, establishes a robust legal framework that safeguards personal information and regulates data processing practices within the country.
The bill also creates the Nigeria Data Protection Commission (NDPC), which replaces the Nigeria Data Protection Bureau (NDPB) that was set up by Buhari in February 2022. The NDPC will be headed by a National Commissioner who will be responsible for overseeing the implementation and enforcement of the law.
The main objectives of the bill are to protect the fundamental rights, freedoms, and interests of data subjects, as enshrined in the Constitution of the Federal Republic of Nigeria; to promote data processing practices that prioritize the security and privacy of data subjects; to enforce fair, lawful, and accountable handling of personal data; to provide recourse and remedies for data breaches; and to foster a culture of data protection and compliance among data controllers and processors.
The bill also aims to bolster the legal foundations of the national digital economy by ensuring the trusted and beneficial use of personal data and enabling Nigeria to actively participate in regional and global data markets.
The bill is expected to have far-reaching implications for various sectors and stakeholders, such as government agencies, private organizations, civil society groups, media outlets, and individuals. Some of the key provisions of the bill include:
– The definition of personal data as any information relating to an identified or identifiable natural person, such as name, address, phone number, email address, biometric data, etc.
– The requirement for data controllers and processors to obtain consent from data subjects before collecting, using, or disclosing their personal data, except in certain circumstances such as legal obligations, public interest, vital interest, etc.
– The obligation for data controllers and processors to implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.
– The right for data subjects to access, rectify, erase, restrict, object to, or port their personal data from one service provider to another.
– The duty for data controllers and processors to notify the NDPC and affected data subjects of any personal data breach within 72 hours of becoming aware of it.
– The power for the NDPC to investigate any violation of the law and impose sanctions such as warnings, fines, suspension or revocation of licenses, etc.
– The establishment of a Data Protection Tribunal to adjudicate disputes arising from the application or interpretation of the law.
The Nigeria Data Protection Act, 2023 is seen as a landmark legislation that aligns with international best practices and standards such as the General Data Protection Regulation (GDPR) of the European Union. It also fulfills one of the campaign promises of President Tinubu to create one million jobs in the digital economy sector by providing opportunities for training and licensing of data protection professionals and service providers.
The NDPC has announced that it will soon issue regulations, guidelines, and codes of conduct to operationalize the law and provide clarity on its implementation. It has also urged all stakeholders to familiarize themselves with the provisions of the law and comply with its requirements.
