The Nigeria Data Protection Act, signed into law by President Tinubu, is touted as a game-changer for data protection in the country. But lawyers aren’t particularly convinced.
Last week, President Bola Tinubu signed the Nigeria Data Protection Bill 2023 into law. The new law—which repeals the Nigeria Data Protection Regulation (NDPR)—provides a legal framework for protecting and regulating personal data in the country. The Act also establishes the Nigeria Data Protection Commission. While this is good news, lawyers who spoke TechCabal said there are still grey areas in the law that its drafters should reconsider.
Unclear provisions
But despite being touted as a game-changer, the Act has some unclear provisions. Though the law establishes that no data can be processed without the consent of the data subject—a person whose information is being collected, Section 43 (1) (c) however allows the cross-border transfer of personal data without consent.
Samuel Ngwu, a lawyer and privacy professional, told TechCabal that the implication of this clause is that it gives the data controllers or processors the freedom to misuse personal data, thereby jeopardizing the rights of the data subject. “Since the exemption will be seen as an option instead of an alternative when adequate decision and appropriate safeguards become impossible,” he explained.
Section 32 of the Act provides that the data controller of major importance—defined as one that is domiciled in Nigeria—must have a Data Protection Officer (DPO) who can either be an employee or engaged by a service contract. However, the independence of the DPO is under question as such an individual is expected to report to the data controller in question, despite being a contact point for the Commission.
Oyindolapo Olusesi, a lawyer and Data Protection Officer at Kora, a fintech startup, told TechCabal, “The provisions on DPO could have been better since the DPO is at the helm of ensuring internal compliance within an organisation. Safeguards like approval by the Commission, of the appointment of a DPO; ensuring that a DPO can only be fired with notice to the Commission would better help to ensure that the companies take the role more seriously.”
Is the Commission truly independent?
Another brewing concern with the Act hinges on the independence of the Nigeria Data Protection Commission. First, the appointment of the National Commissioner by the President is upon the recommendation of the Minister of Communications and Digital Economy. The Act also establishes a Governing Council whose Chairman and the non-ex-officio members of the Council will also be appointed by the President on the recommendation of the Minister.
The underlying question is the extent of the powers of the Minister which include the appointment of council members, remuneration, and removal. This brings to mind the last-minute amendment of the Nigeria Startup Act by the former Minister, Prof. Isa Pantanmi, a move that was met with a torrent of criticism from stakeholders.
Olumide Babalola, a lawyer and author of “Privacy and data protection law in Nigeria”, said that it is safe to say that the Commission does not have any assurance of independence. “What makes it worse is the provision that empowers the minister to give directive to the Commission on ‘matters of policy’,” he told TechCabal.
What’s different with the Act?
According to stakeholders, the NDPR was laden with inconsistencies, hence the Act is presumed as a significant improvement from the defunct law. Babalola told TechCabal that the Act settles the legitimacy issue hovering around the establishment of NDPB.
“With the Act, data protection can now be principally enforced as another cause of action. The Act and the little noise around it will drive awareness and increase regulatory compliance with data processing obligations from a business perspective,” he said.
For Olusesi, the Act has ensured some harmonisation around the legality of data protection in the country. He said, “The issue of whether “legitimate interest” was a valid lawful basis because it was not in the NDPR but in the Implementation Framework has now been laid to rest. The Act now clearly includes legitimate interest as a lawful basis. And, that clears any previous confusion.”
While the Nigeria Data Protection Act provides a comprehensive framework for data protection in the country, it is however imperative for its drafters to address the aforementioned concerns as they raise serious questions about the genuine intention behind the creation of the Act.
What do you think about our stories? Tell us how you feel by taking this quick 3-minute survey.