A new law signed by President Tinubu provides for the establishment of a new data protection body as well as a regulatory framework for data protection in the country.
On Wednesday, President Bola Tinubu signed the Nigeria Data Protection Bill 2023 into law. The new law provides a legal framework for protecting and regulating personal information in the country. Data protection is a contentious issue in Nigeria where personal data is collected with no assurance of protection. The problem is compounded by the surge in incidents of data breaches. In January 2022, for instance, a hacker claimed to have accessed the NIN database in January 2022, but the National Identity Management Commission (NIMC) denied the breach. There have been many other reported breaches like this, with the organisations involved often denying them. The new law will put a better framework around protecting personal information and ensuring they won’t fall into the wrong hands.
A new data protection body
The key provision of the new law is the establishment of the Nigeria Data Protection Commission, which replaces the Nigeria Data Protection Bureau (NDPB) established by immediate past President Muhammadu Buhari in February 2022. The new body will be headed by a National Commissioner appointed by the President for a term of four years which is renewable once.
According to Section 8 of the Act, the powers of the Commission include issuing regulations, rules, directives, and guidance under the Act; engaging consultants for assistance in the discharge of its functions; imposing penalties; prescribing fees payable by data controllers and data processors in accordance with data processing activities, and prescribe the manner and frequency of filing, and content, of compliance returns by data controllers and data processors of major importance to the Commission.
The Act also provides for creating a Governing Council to be chaired by a retired judge of a superior court of record. The members of the Council—who the President will appoint—will be part-time members other than the National Commissioner.
Framework for processing data
Section 25 of the Act outlines the principles of the processing of personal data, stating that the data controller or data processor must ensure that data is collected legitimately and “processed in a manner that ensures appropriate security”. While Section 26 provides the lawful basis for personal data processing anchored on the consent of the subject data for the specific purpose or purposes for which the data will be processed. Similarly, section 35-38 establishes the rights of a data subject—a person whose information is being collected.
The law also prohibits the cross-border transfer of personal data, except if there is legal backing for it. It equally states that all data controllers and processors of significant importance must be registered with the Commission within six months after the commencement of the Act.
The timeline of the bill
October 2022: The bill was developed by the Nigeria Data Protection Bureau (NDPB).
January 2023: The Federal Executive Council (FEC) approved the bill for further ratification and endorsement by the National Assembly.
April 2023: President Muhammadu Buhari transmitted the bill to the National Assembly for consideration and passage
May 2023: The Nigerian Senate announced that the bill had passed its third reading and sent to the House of Representatives for consideration.