President Bola Tinubu, on Wednesday, signed the Data Protection Bill into law. This was contained in a statement signed by the Head of Legal Enforcement and Regulations of Nigeria Data Protection Bureau, Babatunde Bamigboye.
The legislation allows for the establishment of the Nigeria Data Protection Commission (NDPC), which replaces the Nigeria Data Protection Bureau (NDPB) established by immediate past President Muhammadu Buhari in February 2022.
The new body will be headed by a National Commissioner appointed by the President for a term of four years which is renewable once. The commission is expected to protect citizens’ private information and be independent.
According to Section 8 of the Act, the powers of the Commission include issuing regulations, rules, directives, and guidance under the Act, and engaging consultants for assistance in the discharge of its functions.
The new piece of legislation also has the power to impose penalties and prescribe fees payable by data controllers and data processors in accordance with data processing activities; prescribe the manner and frequency of filing, and content, of compliance returns by data controllers and data processors of major importance to the Commission.
The legislation also allows Nigerians to seek redress for any form of data breach. The law stipulates that citizens’ personal data is “processed in a fair, lawful and accountable manner”.
The Data Protection Bill becomes the fourth bill that President Tinubu has signed into law since assuming office, after previously assenting to the Judicial Officers Law, Electricity Act and Student Loan Act.
How this benefits the Digital Economy
Nigeria’s digital economy has experienced significant growth in recent years, fueled by increased internet penetration, mobile technology adoption, and the rise of tech startups. The country has a large population of tech-savvy youths who are actively engaging in various digital activities such as e-commerce, mobile payments, and online services.
However, Nigeria, like many other nations, has had issues with cybersecurity attacks and data breaches. Financial loss, reputational harm, and invasions of privacy are just a few of the serious repercussions that data breaches can cause.
Sensitive personal information about individuals, such as names, addresses, and financial information, has recently been made public due to data breaches in some Nigerian institutions. These occurrences show how vulnerable security systems are and how easily personal information could become public in the digital age. This buttresses how essential strong data protection measures are.
In January 2022, for instance, a hacker claimed to have accessed the NIN database. But the National Identity Management Commission (NIMC) denied the breach. There have been many other reported breaches like this, with the organisations involved often denying them. These all explain why the new data bill is very much what Nigeria needs for its digital economy at this point.
Enhanced Consumer Trust
The current wave of privacy violations and data breaches by big tech companies and loan apps has caused customers to lose faith in the ecosystem of the continent. With more people reporting incidents involving theft and privacy concerns, customers’ trust in businesses when it comes to their funds has grown even more precarious.
A data protection law will help establish trust between individuals and businesses by ensuring that their personal information is handled securely. When consumers trust that their data will be protected, they are more likely to engage in online activities, such as e-commerce, digital transactions, and online services, which can boost the digital economy.
Strengthened Cybersecurity Measures
Africa’s digital transformation has come with a dark side: the rise of digital fraud. Cybersecurity is a major concern across the continent. A recent report by the Global Cybersecurity Index showed that only 29 of 54 African countries assessed have introduced cybersecurity legislation.
The Nigeria data protection law will typically require organizations to implement adequate cybersecurity measures to safeguard personal information. Enforcing such measures can reduce the risk of data breaches and cyber-attacks. A secure digital environment promotes business continuity and protects sensitive information, fostering a thriving digital economy.
Empowering Data Subjects
Data subjects are individuals or users who are required to disclose sensitive information or data in order to use some of the services offered by businesses, organisations, and firms, whether they are public or private. There are situations when the subject has no option because this information and data were obtained without following the proper procedures or even the law.
In this case, a data protection law by the FG would typically grant individuals certain rights regarding their personal data. These rights may include the right to access, correct, and delete their data, as well as the right to give or withhold consent for data processing. By empowering individuals with control over their personal information, the Data Protection Bill can enhance user confidence, leading to increased digital participation and economic activity.
What you should know about the Data Protection Law
The Data Bill, which has been signed into law by the president, offers a framework for the protection of people’s privacy and personal data.
The newly established Nigeria Data Protection Commission is in charge of ensuring that personal data about Nigerians is protected within its borders and that information shared with institutions or businesses—both public and private—that operate to attract Nigerians remains private and secure based on legitimate interest rather than just consent.
As an example, prior to now, certain processing activities, including employer-employee relationships, which should typically be covered by legitimate interest (with safeguards), were left to be covered by consent under the NDPR signed by former president Buhari. Recognition of legitimate interest as a legal basis for processing personal data marks a considerable improvement over the NDPR, which has been incorporated into the Bill.
Transparency and Informed Decision-Making
Another thing to note about the bill is that it enhances transparency and informed decision-making by data subjects. Section 25 of the Act outlines the principles of the processing of personal data, stating that the data controller or data processor must ensure that data is collected legitimately and “processed in a manner that ensures appropriate security”.
Section 26, meanwhile, provides the lawful basis for personal data processing, anchored on the consent of the data subject for the specific purpose or purposes for which the data will be processed.
This implies that data processors, such as businesses, corporations or fintechs, may need to specify the need for such data or at the very least establish a lawful process that provides for the data subject’s consent. Such a data subject should, in essence, be immediately informed of the acquisition of such data.
The Bill states that when a data subject is a child or another individual lacking the legal capacity to consent, a data controller shall obtain the consent of a parent or other appropriate legal guardian of the child or other individual, as applicable, to rely on consent under section 26(1)(a) or 32(1)(a) of the Bill.
Cross-Border Transfer of Personal Data
The Bill provides that personal data shall not be transferred from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the Bill, and upon the application of one of the laid down conditions in the Bill.
Previously, big tech companies have been involved in the cross-border transfer of personal data of individuals who use their platforms. A recent and typical example is the record $1.3 billion fine slapped on Meta by the EU which ordered it to stop transferring users’ personal information from Europe to the US where it is headquartered by October.
The new law by the FG now prohibits the cross-border transfer of personal data, except if there is legal backing for it. It equally states that all data controllers and processors of significant importance must be registered with the Commission within six months after the commencement of the Act.