In October last year, the National Data Protection Bureau, a subsidiary of the National Information Technology Development Agency (NITDA), presented the draft National Data Protection Bill to the Minister of Communication and Digital Economy, Isa Pantami. The Minister is to present the bill to the Federal Executive Council (FEC) for approval.
While the FEC's decision on the bill is yet to be announced, the National Assembly has given an assurance that it will pass the bill within 30 days of receiving it from the FEC.
The Chairman of the Senate Committee on Information Communication Technology (ICT), Yakubu Oseni, who gave the assurance during a one-day sensitization workshop on data protection organized for members of the National Assembly, said the bill ought to have become law in 2019. He said the Senate understands the importance of having data protection laws in place.
Although the country already has the Nigeria Data Protection Regulation (NDPR), which is enforced by the Data Protection Bureau, experts have argued that the NDPR lacks the force of law needed to ensure the protection of data in the government's care. Hence the clamour for a substantive law that will govern the handling of data at all levels in the country.
As Nigerians eagerly await the approval of the bill by the FEC and its passage by the National Assembly, below are 10 things to look out for in the bill.
1. Establishment of the Nigeria Data Protection Commission
While data protection is currently being managed by a Bureau created out of NITDA, the bill provides for the establishment of a substantive body, the Nigeria Data Protection Commission (NDPC).
Section 7 of the bill lists the functions of the Commission, which include:
- Ensuring the deployment of technological and organizational measures to enhance personal data protection.
- Promoting awareness of data controllers and data processors of their obligations under the Act.
- Promoting public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under the Act.
- Fostering the development of personal data protection technologies in accordance with recognized international good practices and applicable international law.
2. Sensitive personal data
The Bill introduces specific requirements for the processing of sensitive personal data. Specifically, the bill prohibits a data controller or data processor from processing, or permitting a data processor to process on its behalf, sensitive personal data unless one of the exceptions in Section 32(1) applies. Such exceptions include where:
- The data subject has given and not withdrawn their consent to the processing for the specific purpose or purposes for which it will be processed.
- The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject under employment or social security laws or any other similar laws.
- The processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent.
3. Minors’ protection
Section 33 of the Bill establishes specific provisions for lawfully obtaining consent from children. In particular, the Bill provides that the data controller must obtain the consent of a parent or other appropriate legal guardian of the child and must apply appropriate mechanisms, including the presentation of government-approved identification documents, to verify age and consent.
Importantly, the Bill does not require parental consent where:
- “Processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent, or the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.”
4. Rights of data subjects
According to Section 35 of the bill, a data subject has the right to obtain from a data controller, without constraint or unreasonable delay, confirmation as to whether or not the data controller, or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject. Where that is the case, the data subject has the right to know the following:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.
- Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.
- The existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
- The right to complain.
5. Data protection officer and compliance services
Section 33 of the bill requires both controllers and processors of major importance to appoint a data protection officer (‘DPO’) with expert knowledge of data protection law and practices and the ability to carry out the tasks as outlined in the Bill.
Specifically, the Bill establishes that the DPO's tasks include advising the data controller, the data processor and the employees who carry out processing of their obligations under the Bill; monitoring compliance with the Bill and with the related policies of the data controller or data processor; and acting as the contact point for the Commission on issues relating to data processing. In addition, the Bill clarifies that the DPO may be an employee or may be engaged under a service contract.
6. International data transfers
The international transfer of personal data is regulated in Part IX of the Bill, which is similar to the GDPR. Specifically, the Bill establishes the concept of an adequacy decision for countries and appropriate safeguards for controllers and processors. In this context, Section 43(1)(a) of the Bill establishes that:
- “A data controller or data processor shall not transfer personal data from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data, or one of the permitted conditions outlined in Section 45 of the Bill applies”.
7. Complaints and investigation
Section 47 of the bill states that a data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of the Act, subsidiary legislation or orders may lodge a complaint with the Commission.
- “The Commission shall investigate any complaint referred to it where it appears to the Commission that— (a) the complainant has an interest in the matter to which the complaint relates; and (b) the complaint is not frivolous or vexatious. (3) The Commission may initiate an investigation of its own accord where it has reason to believe a data controller or data processor has violated or is likely to violate this Act or any regulations, rules, or other subsidiary legislation or orders.”
8. Enforcement order
Section 49 provides that, notwithstanding any criminal sanctions under the Act, if the Commission, after completing an investigation under Section 47, is satisfied that a data controller or data processor has violated the Act, it may impose a sanction on the data controller or data processor.
It shall also inform the data controller or data processor, and if applicable, any data subject who lodged the complaint leading to the investigation, in writing of its decision.
9. Penalties for breach
Section 49(4) spells out the penalties that the Commission may impose on any organization that breaches the data protection law. In the case of a data controller or data processor of major importance, the maximum penalty shall be the greater of NGN 10 million and 2% of its annual gross revenue derived from Nigeria in the preceding financial year.
In the case of a data controller or data processor that is not of major importance, the standard maximum amount shall be the greater of NGN 2 million and 2% of its annual gross revenue derived from Nigeria in the preceding financial year.
- “In determining the sanctions, the Commission shall take into consideration the following factors: (a) the nature, gravity, and duration of the infringement; (b) the purpose of the processing; (c) the number of data subjects involved; (d) the level of damage and damage mitigation measures implemented; (e) intent or negligence; (f) degree of cooperation with the Commission; and (g) types of personal data involved.”
10. Civil remedies
Section 52 of the bill states that a data subject who suffers injury, loss or harm as a result of a violation of the Act by a data controller or data processor, or a recognized consumer organization acting on behalf of such a data subject, may recover damages from that data controller or data processor by way of civil proceedings in the appropriate court.