Nigeria’s President Muhammadu Buhari has enjoined the Senate to approve the Nigerian Data Protection Bill in a letter…
Nigeria’s President Muhammadu Buhari has enjoined the Senate to approve the Nigerian Data Protection Bill in a letter addressed to the Senate President, Alhaji Ahmad Lawan, read at Tuesday’s plenary.
The Bill seeks to provide a legal framework for protecting personal information sent to the government and establishing the Nigerian Data Protection Commission to regulate laws on personal information.
The Nigeria data protection bill seeks to give Nigerians full legal backing in protecting their data and will replace the current Nigeria Data Protection Regulation (NDPR). President Muhammadu Buhari approved the establishment of the Nigeria Data Protection Bureau on the 4th of February 2022.
Section 33 of the Bill establishes specific provisions for lawfully obtaining consent from children. Importantly, the Bill provides that the data controller must obtain the consent of a parent or other appropriate legal guardian of the child and apply appropriate mechanisms, including the presentation of government-approved identification documents, to verify age and consent.
The Bill also requires the controllers and processors of major importance to appoint a data protection officer (DPO) with expert knowledge of data protection law and practices and the ability to execute tasks.
The international transfer of personal data is regulated in Part IX of the Bill, which is similar to the GDPR. Precisely, the Bill establishes the concept of an adequacy decision for countries and appropriate safeguards for controllers and processors.
Section 47 of the Bill states that a data subject aggrieved by the decision, action or inaction of a data controller or data processor in violation of the Act, subsidiary legislation or orders may complain to the commission.
Read More; Nigeria Data Protection Bill: What it means for Nigerians
“Pursuant to Section 58, sub section 2 of the 1999 Constitution as amended, I forward herewith the Nigerian Data Protection Bill for consideration and approval of by the Senate,’’ the letter read.
What we know about the data protection bill
The draft of the bill was first introduced and presented to the Minister of Communication and Digital Economy, prof. Isa Pantami in October last year by the National Data Protection Bureau.
Before the bill was introduced, Nigeria had the Nigeria Data Protection Regulation (NDPR), which the Data Protection Bureau enforces. The regulation has faced several criticisms from experts who have questioned the lack of the law’s compelling power to ensure data protection in the government’s care.
Hence, the clamour for a substantive law that will guide data handling across all levels in the country.
Specific provisions of the data protection bill and implication
According to the statement contained in the document, signed by the Head of Legal, Enforcement & Regulations, NDPB, Barr Babatunde Bamigboye, “The central objective of the Bill is to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, by providing for the regulation of the processing of personal data;
“Promoting data processing practices that safeguard the security of personal data and privacy of data subjects; ensuring that personal data is processed in a fair, lawful and accountable manner.” This is a welcome development as the bill provides the power for the Commission to licence a body to carry out data protection compliance services and to impose sanctions on data processing bodies.
“Protecting data subjects’ rights as well as providing means of recourse and remedies in the event of the breaches; ensuring that data controllers and data processors fulfil their obligations to data subjects;
While the bill aims to safeguard the fundamental rights, freedom, and interests of data subjects, it does not explain the rights of data subjects, how they can be exercised, the process of exercising the rights, and the limitations to the exercise of the rights. According to this appraisal, the Bill provides a more comprehensive approach to the rights of the data subjects (compared to the NDPR), but it is still not encompassing compared to the EU GDPR.
Also, it is great that the Bill provides a detailed data breach management procedure. The data controller may extend the known seventy-two-hour reporting period to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach,
The data controller and data processor are also mandated to keep a record of all personal data breaches.
Establishing an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues and supervise data controllers and data processors.”
Finally, “Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial trusted use of personal data.”
Establishment of a Data Protection Commission
Although a Bureau created by NITDA presently oversees data protection, the law calls for creating a substantive agency, the Nigeria Data Protection Commission (NDPC). According to section 7 of the bill, the functions of the commission are:
- Ensuring the deployment of technological and organizational measures to enhance personal data protection.
- Promoting public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under the Act.
- Promoting awareness of data controllers and processors’ obligations under the Act.
- Fostering the development of personal data protection technologies in accordance with recognized international good practices and applicable international law.
An independent and effective regulatory commission to oversee data protection and privacy issues and supervise data controllers and data processors within the private and public sectors is a major win for Nigeria.
However, a review of the composition of the governing council of the Commission shows a heavy reliance on the executive arm of government as the appointment and removal of the members lie on the President’s prerogative.
Also, the commission has to submit legislative proposals to the Minister of Communication and Digital Economy, including amending existing laws, to strengthen personal data protection in Nigeria. It can make regulations on any matter that the Minister considers necessary. This implies that the Minister (and the executive arm of government ) greatly influences the commission, throwing the commission’s independence in doubt.
Permission for processing sensitive data
The Bill introduces specific guidelines for the processing of sensitive personal data. In particular, the bill forbids data controllers or processors from processing sensitive personal data themselves or allowing a processor to handle it on their behalf unless one of the exceptions in Section 32(1) applies. The exceptions are:
- The data subject has given and not withdrawn their consent to the processing for the specific purpose or purposes for which it will be processed.
- The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject to underemployment or social security laws or any other similar laws.
- The processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent.
The new rules for processing personal data are an improvement on the NDPR. The new bill also states the lawful basis for processing sensitive personal data. The commission can also consider if a data set can be categorized as sensitive personal data, further grounds for processing such personal data, and safeguards that may apply.
Protection for Minors
Section 33 of the bill outlines guidelines for legally acquiring children’s permission. The Bill specifically states that the data controller must obtain the consent of the child’s parent or other appropriate legal guardian and use appropriate mechanisms, such as the presentation of government-approved identification documents, to verify the child’s age and consent.
However, the bill does not require approval or consent from the minor’s parents where “Processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent, or the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.”