Section 30(2) of the Act envisions a broad, flexible definition for sensitive personal data by authorizing the Commission to prescribe further categories of sensitive personal data. The Act also prohibits the processing of sensitive personal data unless specified conditions are met. Notable allowances for processing of sensitive personal data include:
While the Act reserves for the Commission the authority to prescribe additional exemptions, it includes a greater number of protections for exempt processing activities than the 2022 Bill. In addition to the above-mentioned provisions that exempt entities must comply with, the Act empowers the Commission to issue a Guidance Note on the legal safeguards and best practices for exempted data controllers and processors where such processing violates or is likely to violate Sections 24 and 25 of the law. Some exemptions have been narrowed relative to the 2022 Bill. Entities that were exempted from complying with provisions under the 2022 Bill must now comply with the above-mentioned provisions for exempt entities under the 2023 Act, as well as those relating to data security and cross-border data transfers.
Another special obligation for controllers and processors of major importance is the requirement to appoint a Data Protection Officer (DPO), which is imposed by Section 32 on such entities only. This requirement substantially differs from the NDPR and the Implementation Framework; under the NDPR, every data controller must appoint a DPO (Article 4.1.2), while the Implementation Framework stipulates conditions for such an appointment (3.4.1).
As discussed in greater detail below, controllers and processors must seek the services of a data protection compliance organization (DPCO) to perform a data protection audit, among other obligations. As the Act does not create new criteria for entities required to conduct such audits, provisions under the NDPR and Implementation Framework remain in force. While the Implementation Framework provides that the authority may carry out scheduled audits or perform spot checks, the common practice is for controllers and processors that process personal data of more than 2000 data subjects in 12 months to engage a DPCO to conduct annual audits on their behalf. This practice is expected to continue.
Where a data breach occurs that affects a data processor, the processor will be required to notify the data controller or processor that engaged it as soon as the breached party becomes aware of the incident, and must respond to information requests regarding the breach (Section 40(1)).
The requirements for communications to the Commission and to affected data subjects also differ. Communication to the Commission should be as detailed as possible and include a description of the nature of the breach, while notice to data subjects should be in plain and clear language and include steps to take to mitigate any adverse effects. Section 40(4) highlights the common information that should be present in both cases, such as the name and contact details of a point of contact for the data controller. Information relating to a breach may be provided in a phased manner, where it is impossible to provide all information in a single communication.
Section 28 of the Act provides the Commission with the power to delegate the duty to monitor, audit, and report on compliance with the law to licensed data protection compliance organizations. This model was introduced under the NDPR and allows the data protection authority to delegate some functions under existing regulations to monitor, audit, and report on compliance by data controllers and data processors. Detailed provisions on the operation of DPCOs can be found under the NDPR and Implementation Framework and shall continue to apply to controllers and processors.
The Commission is expected to develop certain regulations as prescribed under the law and as detailed above, including in relation to designating new categories of sensitive data, adequate steps for data breach notification, conducting DPIAs, or issuing data localization regulations for specific categories of personal data.
Other functions of the Commission include promoting public awareness and understanding of personal data protection, the rights and obligations imposed under the law, and the risks to personal data; receiving complaints alleging violations of the Act or subsidiary legislation; and ensuring compliance with national and international personal data protection obligations and good practice.
In a bid to ensure that the services of the Commission are accessible beyond urban areas, the Commission is allowed to establish its offices in other parts of Nigeria (Section 3(b)). This is important as part of creating awareness of the importance of data protection across the country.
The Act provides a data subject who has suffered injury, loss, or harm arising from a violation of the law with a private right of action that allows recovery of damages in a civil proceeding. Where a controller or processor violates the provisions of the Act or subsidiary legislation, the Commission may issue a compliance order requiring them to take specific measures to remedy the situation within a specified period as well as inform them of their right to a judicial review. The Commission may also impose an enforcement order or a sanction. In issuing an enforcement order or a sanction, the Commission may:
The penalty amount depends on whether the violator is a data controller or processor of major importance or not. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be greater than N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.
As Nigeria continues to make its mark within the global digital economy and rapidly expand its technology ecosystem, this Act represents a continued focus on protecting the personal data of Nigerian citizens, in alignment with common internationally accepted principles of data protection.
In Nigeria, data protection is founded on the constitutional right to privacy under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) ('the Constitution'). The Nigeria Data Protection Act 2023 ('NDPA') is Nigeria's main data protection legislation. The NDPA was enacted on June 12, 2023, and has been in effect since then.
Prior to the NDPA, the Nigerian Data Protection Regulation, 2019 ('NDPR'), which was issued at the time by the National Information Technology Development Agency ('NITDA'), was the go-to regulation on data protection. Although enforceable, it remains subsidiary legislation, and there was no specific commission to oversee data protection. The NDPR was a placeholder until the enactment of the NDPA, and NITDA had to stretch itself to oversee data protection. To temporarily assist with supervision, the Nigerian Government ('the Government') issued an executive order in February 2022 that established the Nigeria Data Protection Bureau ('NDPB') and transferred the data protection role, as well as the existing regulations or guidance issued by NITDA, to the NDPB. In my opinion, the NDPB lacked legislative backing, but with the enactment of the NDPA, the Nigeria Data Protection Commission ('NDPC') was created to oversee data protection in Nigeria, and the 2022 abnormality was corrected. Based on the NDPA, the NDPB has been subsumed into the NDPC (Section 64 of the NDPA). Furthermore, the NDPR, along with regulations or circulars on data protection issued by NITDA or the NDPB, is still applicable to data protection in Nigeria and is now treated as regulations issued by the NDPC (Section 64 of the NDPA). Thus, the NDPR operates side by side with the NDPA, but the NDPA will prevail where there is a conflicting provision in the NDPR (Section 63 of the NDPA). Therefore, in this guidance note, reference will be made mostly to the NDPA. The NDPR will also be covered where there are similar provisions or where there are no applicable provisions in the NDPA.
This suit was instituted in 2020 by the Digital Rights Lawyers Initiative against the National Youth Service Corps ('NYSC'). The claimant asserted that the NYSC published and sold a yearbook containing Corps members' personal details without consent and is seeking a declaration that the processing of the photos and other personal data of the Corps members violates Section 37 of the Constitution and Section 2.1(a) of the NDPR. The suit is currently before the court, and a decision is yet to be made.
The main legislation on data protection in Nigeria is the NDPA while the NDPR and other regulations or circulars supplement. The NDPA applies to the processing of personal data whether or not by automated means (Section 2(1) of the NDPA).
The NDPR applies to Nigerian citizens regardless of where they reside. The NDPR will apply to a data controller so long as the data of a Nigerian citizen is collected. The NDPR will have extra-territorial scope in its application (Section 1.2(b) of the NDPR).
The NDPC is the main supervisory and regulatory authority for data protection in Nigeria. The NDPC oversees the implementation of the NDPA and matters relating to data protection in Nigeria (Section 4 of the NDPA).