Your Rights And Obligations Under The Nigeria Data Protection Act, 2023
On 12th June 2023, the President of the Federal Republic of Nigeria signed the Nigeria Data Protection Act, 2023 (“the Act” or the “NDPA”) (previously the Nigeria Data Protection Bill, 2023) into law. The Act provides the much-awaited legal framework for the protection of personal information. One of the principal objectives of the Act is to safeguard the fundamental rights and freedoms of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999. The overall legislative intendment and goal of the Act are to ensure that personal data is processed in a fair, lawful and accountable manner that protects data subjects’ rights and provides means of recourse and remedies in the event of a breach of those rights. The Act also seeks to strengthen the legal foundations of the nation’s digital economy through the beneficial and trusted use of personal data.
The provisions of the Act are superior to the provisions of any other law or enactment, in so far as they relate directly or indirectly to the processing of personal data.
The Act provides detailed transitioning and saving provisions for the previous “data protection regime” under the Nigeria Data Protection Regulation (NDPR) 2019 and NDPR Implementation Framework 2020. The Nigeria Data Protection Bureau (“the Bureau”) will essentially be transitioned into the Nigeria Data Protection Commission (the “Commission”) which is established under the Act. All documents issued in the name of the Bureau are deemed under the Act to have been issued by the Commission. Officers and employees of the Bureau are deemed to be officers of the Commission. Also, all orders, rules, regulations, decisions, directions, licences, authorisations, certificates, consents, approvals, declarations, permits, registrations, rates or other documents issued by the Bureau and the National Information Technology Development Agency will remain valid and effective as if they were made or issued by the Commission.
Furthermore, the Act draws a distinction between “ordinary” data controllers or data processors and data controllers or data processors “of major importance”. The latter are subject to a stricter regulatory regime under the Act and are required to register with the Commission within six months after the commencement of the Act or on attaining the status of a data controller or data processor “of major importance” (unless they are within the class of organisations exempted from registration by the Commission). The Act empowers the Commission to specify the category of data controller or data processor that may be regarded as a data controller or data processor “of major importance”. Such organisations are now required to pay fees as may be prescribed by the Commission.
In this article, we have identified the key provisions of the NDPA and discussed some of the changes introduced under the Act, as well as the impact of such changes on businesses and other relevant organisations.