Key changes brought by the Nigerian Data Protection Act, 2023

Four years after the adoption of the Nigeria Data Protection Regulation (NDPR), the Nigeria Data Protection Act, 2023 (NDPA) was passed into law in June 2023.

This article reviews the main changes brought by the NDPA in comparison with the NDPR.

Background

The NDPR was issued by the National Information Technology Development Agency (NITDA) on 25 January 2019. The NDPR provides a comprehensive set of rules governing data protection in Nigeria, many of which are GDPR-compatible.

In November 2020, NITDA issued the NDPR implementation framework, which provided further detail and interpretation of the rules set out by the NDPR.

Over the past four years, capacity building and awareness raising, both resulting in compliance efforts by local and foreign data controllers have been significant. In addition, Nigeria has quickly become one of the most active African countries with respect to enforcement, by proactively auditing domestic organisations as well as foreign technology giants with no local presence.

However, Nigeria was facing two main challenges.

The first challenge was the fact that the rules governing data protection had been made by a government agency rather than parliament, even though it was pointed out that NITDA's regulatory power to adopt the NDPR was provided under the NITDA Act, 2007 which gives it mandate to create a framework for the regulation, development and advisory on all matters related to information technology practices, activities and systems. International standards indeed require that, beyond the fundamental right to privacy usually recognised under the constitution and civil law, data protection should be primarily governed by a legislative act. There had been an attempt to legislate on data protection soon after the adoption of the NDPR, but the bill was not passed due, amongst others, to the strict data localisation rule it included, with a requirement to host personal data in Nigeria.

The second challenge was the absence of an independent data protection authority, as NITDA, a government agency, was the initial data protection authority. Again, international standards lean towards having an independent data protection authority.  More specifically, the Economic Community of West African States (ECOWAS), to which Nigeria is a member, requires the establishment of an "independent administrative Authority", in its 2010 Supplementary Act on Personal Data Protection (article 15). With the mounting pressure, the Nigeria Data Protection Bureau was established by presidential assent in February 2022 and became operational a few months later, i.e. a few months before the enactment of the NDPA.

Order of precedence and NDPR residual provisions

The NDPA logically takes precedence over the NDPR. The NDPA does not provide a list of the specific legal/regulatory provisions that it amends or repeals, as the South African Protection of Personal Information Act and the Zimbabwe Data Protection Act do. Instead it provides that, in the event of inconsistency between the NDPA and any other legal provisions related to the processing of personal data, the NDPA provisions prevail.

The NDPA covers most of the NDPR. However, it does not go into the level of detail offered by the NDPR Implementation Framework. Therefore, we understand that (i) where an Implementation Framework provision is in application of a rule that conflicts with the NDPA, such provision will not be applicable and, (ii) where an Implementation Framework provision is in application of a rule that does not contradict the NDPA, such provision will still be applicable in conjunction with the NDPA.

Note that the NDPA regulations are due to be adopted and issued in the coming weeks. Such regulations are expected to repeal and replace the Implementation Framework.

Definitions

"Personal data". The definition of "personal data" under the NDPA is narrower than the NDPR definition as, under the NDPA, "personal data" is data relating an individual who is identifiable by reference to an identifier, whereas, under the NDPR, "reference to an identifier" is preceded with "in particular", which opens the means of identification of the data subject. The NDPA's requirement for the use of an identifier may result in some artificial intelligence data not falling within the scope of the definition of "personal data".

"Data processor". The NDPR and its implementation framework do not provide a definition for "data processor" although this term is used in both documents. The NDPA defines "data processor" as "an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor".

"Sensitive data". The NDPA broadens the scope of sensitive data by including genetic data, biometric data and data related to the data subject's conscience and philosophy.

"Processing". The NDPA definition of "processing" is narrower than the NDPR definition in that it now excludes transient data originating outside Nigeria.

"Personal data breach". The NDPA has broadened the meaning of "personal data breach" by defining it as "a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The NDPR definition (which is identical to the GDPR definition) does not include "likely to lead to". As a consequence controllers and processors  will need to determine in what circumstances a breach of security is likely to lead to the situations listed in the definition. There is a risk that the interpretation of "likely to lead" differs from that of the data protection authority.

"Data controller or data processor of major importance". This category of controllers and processors is a new concept introduced by the NDPA and it is defined as "a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate".  Data controllers and processors of major importance must have a local presence or operate locally. "Operate" is not defined, but it is likely that the Commission will consider that processing personal data in Nigeria will constitute operations in Nigeria. 

Territorial scope 

The NDPA applies (i) to controllers and processors domiciled, resident or operating in Nigeria, (ii) to processing operations taking place in Nigeria or (iii) where the data subjects are located in Nigeria and the controller and processors are not domiciled, resident, or do not operate in Nigeria.

The NDPA has removed the NDPR references to the data subject's nationality or lineage. By doing so, it limits the risks of conflicts of laws and conflicts of jurisdictions as, by being applicable to foreign residents of Nigerian lineage, the law of the data subject's (individual of Nigerian descent) country of residence would have likely applied, in conjunction with the NDPR. In addition, determining an individual's country of ancestry prior to processing their data would have been an insurmountable challenge to most data controllers.

Legal bases for processing

The NDPR does not recognise the controllers' or a third parties' legitimate interest as a lawful basis for processing without consent. Legitimate interest of a data controller was viewed as susceptible to abuse in a jurisdiction where data protection is a nascent concept. The NDPA introduces, as a legal basis to the processing of personal data, " the legitimate interest pursued by the data controller or data processor, or by a third party to whom the data is disclosed".

Data protection authority

The NDPA formally institutes the Data Protection Commission as the independent data protection authority. To ensure continuity, it is specified that the Nigeria Data Protection Bureau, created in 2022, would morph into the Data Protection Commission, with some adjustments to be made in order to comply with the new statutory requirements regarding its composition and organisation.

Data protection officers (DPO)

While the NDPR required "every data controller to designate a data protection officer", the NDPA has limited this obligation to data controllers of major importance. The NDPA is silent with regard to the location of the DPO and the possibility of having a group-wide DPO. However, it appears that the Implementation Framework's provisions on the matter are still in force, specifically the following: "The Nigerian subsidiary of a multinational company shall appoint a data protection officer based in Nigeria and who must be given full access to the management in Nigeria. The data protection officer of the Nigerian subsidiary may report to a global data protection officer, if any."

Self-audits and registration with the data protection authority

The NDPR had innovated by introducing Data Protection Compliance Organisations (DPCOs), which are professional services organisations, such as consulting firms, audit firms, chartered accounting firms or law firms, that have successfully applied to the supervisory authority for a licence to conduct audits, certify self-audit reports, provide training, consulting and remediation services for data controllers and processors. With DPCOs, Nigeria had departed from the requirement, imposed by most African jurisdictions, for all data controllers (and sometimes processors), irrespective of the volume or sensitivity of the data processed, to notify or register with the authority in charge of data protection prior to processing any personal data and to apply to the same authority for an authorisation prior to transferring the personal data to a third country. Being aware of the likely logistical challenges (on the authority's side and on the controllers' side) that such requirements could generate in the most populous country in Africa, the NDPR adopted a less bureaucratic approach by imposing self-audits to data controllers who process the personal data of a minimum of 1,000 data subjects and by imposing that controllers, who process the data of 2,000 or more data subjects file with NITDA their audit report verified by a DPCO, on a yearly basis. This way of decentralising compliance activities for more efficiency has increased the capacity of Nigerians on data protection and allowed DPCOs to train themselves and raise awareness amongst controllers on data protection throughout the country.

Under the NDPA, self-audits and DPCOs are not mentioned as such, but Data Protection Compliance Services are introduced with the role of monitoring, auditing and reporting on compliance by data controllers and data processors. As such, nothing shows that the self-audit obligations and the DPCOs' status, licence and roles have been repealed by the NDPA.

Alongside these NDPR provisions, the NDPA provides that all controllers and processors of major importance must register with the Data Protection Commission within six months from its commencement or upon becoming a data controller or processor of major importance. To find out whether this requirement will be achievable in the Nigerian context, we will have to see the threshold that the Data Protection Commission has fixed for controllers and processors to enter into the category of controllers and processors of major importance.

Portability

The NDPA has removed the right to data portability and has given the Data Protection Commission the option to reintroduce this right (The Commission may make regulations establishing a right of personal data portability.)

International data transfers

Under the NDPR, NITDA had the responsibility to decide which data importing jurisdictions ensured an adequate level of protection, which it did in the Implementation Framework by issuing a "white list" of adequate jurisdictions. The NDPA has kept the adequacy requirement, but has added, as alternative conditions, the adoption of binding corporate rules, contractual clauses, a code of conduct or a certification mechanism. In addition, the Data Protection Commission may impose further restrictions to some categories of personal data.

*******

The NDPA is due to be complemented by implementation regulations. We expect to receive more detailed information on the future of the implementation framework provisions.

 

Authored by Aissatou Sylla and Olufemi Daniel. 

Olufemi Daniel, CIPP/E, CIPM, is a Solicitor-Barrister admitted in Nigeria and a former IT Regulatory Adviser at NITDA.

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.