Nigeria - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
The following laws and regulations contain provisions on data protection:
- Constitution of the Federal Republic of Nigeria 1999 (as amended) ('the Constitution');
- Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 ('the Cybercrimes Act');
- National Identity Management Commission Act, 2007 ('the NIMC Act'); and
- Nigerian Data Protection Regulation, 2019 ('NDPR').
In addition, the Draft Data Protection Bill, 2020 ('the Bill') is currently going through the legislative process. The following frameworks and guidelines are also relevant:
- Consumer Protection Framework 2016
- Framework and Guidelines for Public Internet Access 2019
- Guidelines for the Provision of Internet Service
1.3. Case Law
There has been minimal case law thus far in the field of data protection and privacy.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
Generally, these laws and regulations apply to any person or entity that collects, stores, uses or shares the data of individuals or consumers.
The NDPR applies to all transactions intended for the processing of personal data, and to the processing of personal data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria. The NDPR also applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.
The Bill would apply to the collection, storage, processing and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means.
2.2. What types of processing are covered/exempted?
The above laws and regulations generally apply to the processing of data. However, Section 35 of the Bill would provide certain exemptions.
Section 35(1) of the Bill provides that the privacy of personal data is exempt from the provisions of this Act for the purposes of:
- public order;
- public safety;
- public morality;
- national security;
- public interest;
- the prevention or detection of crime;
- the apprehension or prosecution of an offender;
- the assessment or collection of a tax or duty or of an imposition of a similar nature; or
- publication of a literary or artistic material.
Section 35(3) of the Bill stipulates that the Bill would not apply to the processing of personal data for the protection of members of the public:
- against loss or malpractice as it relates to:
  - other financial services; or
  - management of a body corporate;
- against dishonesty or malpractice in the provision of professional services;
- against the misconduct or mismanagement in the administration of a non-profit making entity;
- to secure the health, safety and welfare of persons at work; or
- to protect non-working persons against the risk to health or safety arising out of or in connection with the action of persons at work.
Section 35(6) of the Bill provides that 'the processing of personal data shall be exempt from the provisions on nondisclosure where the disclosure is required by law or by the order of a court.'
Section 35(8) of the Bill provides that personal data is exempt from the data protection principles if it consists of a reference given in confidence by the data controller for the purposes of:
- education, training or employment of the data subject;
- the appointment to an office of the data subject; or
- the provision of any service for the data subject.
Section 35(9) of the Bill states that personal data is exempt from the subject information provisions where the application of the provisions is likely to prejudice the combat effectiveness of the Armed Forces of the Federal Republic of Nigeria.
Section 35(10) of the Bill provides that the Data Protection Commission - the national authority for data protection which the Bill seeks to establish - may make regulations and guidelines to prescribe exemptions for the processing of personal data to assess a person's suitability for employment by government or appointment to a public office.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
At the moment there is no specific regulator for data protection in Nigeria. Thus, the regulatory body for each sector has been responsible for protecting data. For instance, the Central Bank of Nigeria ('CBN') oversees matters relating to protecting financial data; the Nigerian Communications Commission ('NCC') regulates data collected or processed by internet service providers and telecommunications companies.
Moreover, under the NDPR, the National Information Technology Development Agency ('NITDA') can set up an administrative redress panel to investigate breach of the NDPR and issue administrative orders.
As mentioned above, the Bill seeks to establish the Data Protection Commission ('the Commission'), which would be responsible for data protection in Nigeria.
3.2. Main powers, duties and responsibilities
If the Bill is passed into law, the Commission will exercise regulatory powers.
Section 9 of the Bill provides that the functions of the Commission are to:
- protect the personal data and privacy of data subjects by regulating the processing of personal information;
- provide the process to obtain, store, process, use or disclose personal information;
- ensure that data controllers and data processors adhere to the data protection principles as provided for by the Bill in order to protect the fundamental rights and freedoms, particularly privacy of natural persons in relation to the processing of their personal data;
- assist the facilitation of the free flow of personal data through consultation and cooperation with other relevant agencies in compliance with established data security best practices;
- act as the supervisory authority and exercise regulatory powers to:
  - advise on and approve risk management processes and systems for data controllers and data processors in order to ensure compliance with the provisions of the Bill;
  - issue directives in the event that their operations are likely to infringe the provisions of the Bill;
  - receive and process complaints from data subjects whose rights have been infringed;
  - order the rectification, completion or deletion of personal data and impose a temporary or definitive limitation, including a ban, on processing operations; and
  - impose administrative fines or sanctions where data controllers and data processors infringe any provision of the Bill;
- act with complete independence and impartiality in performing its functions and exercising its powers;
- promote public awareness of the rights of data subjects and the exercise of those rights, inform data controllers and data processors of their duties and responsibilities, and share best practices in order to ensure the free flow of personal data;
- be consulted on proposals for any legislative or administrative measures which relate to the processing of personal data;
- provide relevant regulations, guidelines, and policies relating to transfers of personal data provided for under the Bill, or any other legislation;
- make regulations for the licensing and certification of data protection compliance officers and organisations;
- muster the resources necessary for the effective performance of its functions and the exercise of its powers; and
- prepare and publish annual reports outlining its activities, which shall be submitted to the President.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM and others (Section 1.3(xix) of the NDPR).
Sensitive Data: Means the following (Section 66 of the Bill):
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person's sex life;
- personal data concerning the data of a child who is under the age of 16 years; or
- such other personal data that may be designated as sensitive data by guidelines made by the Commission.
Data Controller: A person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed (Section 1.3(x) of the NDPR).
Data Processor: The natural or legal person, public authority, service, commission or any other body which, alone or jointly with others processes personal data on behalf of the data controller (Section 66 of the Bill).
Data Subject: An identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Section 1.3(xiv) of the NDPR).
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
Data controllers are required to submit a data protection audit to NITDA if they process the data of more than 1,000 data subjects (in six months) or more than 2,000 data subjects (in 12 months).
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Under the NDPR, a data controller must:
- designate a data protection officer ('DPO') for the purpose of ensuring adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller - the data controller may outsource data protection to a verifiably competent firm or person (Section 4.1(2) of the NDPR);
- ensure continuous capacity building for its DPOs and the generality of its personnel involved in any form of data processing (Section 4.1(3) of the NDPR);
- ensure that consent of a data subject has been obtained without fraud, coercion or undue influence (Section 2.3(2) of the NDPR);
- send a soft copy of the summary of the audit containing information about processed data to NITDA where it processes the personal data of more than 1,000 data subjects in a period of six months (Section 4.1(6) of the NDPR); and
- submit a summary of its data protection audit to NITDA where it processes the personal data of more than 2,000 data subjects within 12 months by 15 March of the following year (Section 4.1(7) of the NDPR).
In addition, the Bill, if enacted, would require data controllers to (Sections 30 and 31 of the Bill):
- take all necessary measures, including technical and managerial measures to comply with, and be able to demonstrate, in particular to the Commission, that the processing of personal data is performed in accordance with the Bill;
- ensure the processing of personal data is proportionate to the legitimate purpose pursued, having regard to the interests, rights and freedoms of the data subject or the public interest;
- take into consideration the risks arising from the interests, rights and fundamental freedoms of data subjects, according to the nature, volume, scope and purpose of processing the data;
- subject to Regulations made by the Commission, appoint a DPO responsible for compliance with the obligations under the Bill;
- examine the likely impact of the intended processing of personal data on the rights and fundamental freedoms of data subjects prior to the commencement of such processing;
- design the data processing in such a manner, and integrate appropriate technical and organisational measures, as to prevent or minimise the risk of interference with those rights and fundamental freedoms;
- perform such other duties as may be required by the Bill; and
- be liable for the processing of personal data carried out on its behalf by a data processor.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Section 32(1) of the Bill provides that the duties of a data processor include to:
- process personal data on behalf of a data controller only on the written instructions of the data controller;
- not engage another data processor without the prior written authorisation of the data controller;
- inform the data controller of changes concerning the addition or replacement of data processors;
- inform the data controller of any legal requirement that may create risks to the rights and fundamental freedoms of data subjects, unless the law prohibits such notice;
- take appropriate technical and managerial security measures pursuant to Section 34 of the Bill;
- assist the data controller by putting in place the appropriate technical and managerial measures for the fulfilment of the data controller's obligations to respond to the rights under the Bill;
- assist the data controller in ensuring compliance with its security obligations, including security breach notification;
- at the request of the data controller, delete or return all personal data to the data controller at the end of the provision of services, and delete any copies of personal data unless prohibited by law; and
- make available to the data controller all information necessary to assist the data controller to demonstrate compliance with its obligations under the Bill and facilitate audits conducted by the data controller or a third-party auditor determined by the data controller.
Section 4.1(3) of the NDPR provides that a data processor has to ensure continuous capacity building for its data protection officers and the generality of its personnel involved in any form of data processing.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
Section 2.4(b) of the NDPR provides that a data controller and processor have a duty to take reasonable measures to ensure that a party to a data processing contract (other than the data subject) does not have a record of violating the rights of a data subject.
Moreover, every data controller and processor shall be liable for the actions or inactions of third parties which handle the personal data of data subjects under the NDPR.
9. DATA SUBJECT RIGHTS
Under the NDPR (Part 3) and the Bill (Part V), data subjects have the following rights:
- right to be informed of the processing of data;
- right to complain or send a request to the data controller;
- right to obtain information about his/her data from the data controller free of charge except as otherwise provided by regulation or public policy;
- right to know the details of the data controller;
- right to withdraw consent;
- right to access his/her personal data;
- right to data portability;
- right to data rectification;
- right to restrict or object to the processing of his/her data;
- right to be informed where his/her data is being processed for additional purposes;
- right to be informed about the transfer of his/her data to another country;
- right to complain to the relevant authority; and
- right to data deletion.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
Yes. Both data controller and processor are required to appoint a DPO. A data controller or processor can also outsource to a verifiably competent firm or person.
There are no specific requirements in this regard. However, a data controller or processor has to ensure continuous capacity building for its DPO and its personnel involved in any form of data processing.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
Section 21(1) of the Cybercrimes Act provides that any person or institution who operates a computer system or a network, whether public or private, must immediately inform the Nigeria Computer Emergency Response Team ('ngCERT') of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network, so that ngCERT can take the necessary measures to tackle the issues.
Section 21(3) of the Cybercrimes Act provides that any person or institution who fails to report any such incident to ngCERT within seven days of its occurrence commits an offence and shall be liable to denial of internet services. Such a person or institution shall, in addition, pay a mandatory fine of NGN 2 million (approx. €4,430) into the National Cyber Security Fund.
Section 17(3) of the Bill states that a data subject has the right to be notified of a data breach affecting him or her within 48 hours after notification to the Commission.
11.2. Sectoral obligations
Banks and other financial institutions have an obligation to report such breaches to the CBN, while telecommunication companies and internet service providers are required to report to the NCC.
Section 2.10 of the NDPR provides that any person subject to the NDPR who is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to the following:
- in the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. €22,130), whichever is greater; or
- in the case of a data controller dealing with less than 10,000 data subjects, payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. €4,430), whichever is greater.
The Bill provides for various offences and sanctions under Part XI, including fines of potentially NGN 10 million (approx. €22,130) or imprisonment for up to 2 years.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
Pursuant to Section 2.11 of the NDPR, the transfer of data to a foreign country falls under the supervision of the Honourable Attorney General of the Federation ('HAGF'). For data to be transferable, that foreign country or the international organisation must ensure an adequate level of protection, as determined by NITDA and the HAGF. In determining the adequacy of a third country or organisation, the following considerations will be borne in mind:
- the legal system of the foreign country notably as it relates to human rights protection, rule of law and relevant legislation;
- implementation of such legislation;
- the existence and effectiveness of an independent supervisory authority in the foreign country, or to which an international organisation is subject, responsible for compliance with data protection, assisting and advising the data subjects in exercising their rights and for cooperation with the relevant authorities in Nigeria; and
- the commitments of the foreign country or international organisation to data protection through conventions, instruments and participation in multilateral or regional systems.
Under Section 2.12 of the NDPR, the exceptions to the above requirements are:
- where the data subject consents after being informed of the risk;
- where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- where the transfer is necessary for important reasons of public interest;
- where the transfer is necessary for the establishment, exercise or defence of legal claims; and
- where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
The data subject has to be aware of possible violation of his rights in the foreign country.
Part X of the Bill sets out conditions for the transfer of personal data abroad, including mechanisms such as an adequacy assessment, ad-hoc or standardised safeguards, explicit data subject consent, prevailing data subject interests, and legitimate interests. The Commission would also have the authority to request information on transfers and that organisations evidence appropriate safeguards, as well as to prohibit transfers and to regulate onward data transfers beyond the initial recipient.
The NDPR also applies to employers. Thus, they also have a duty to ensure that the data of employees is kept safe.
13.3. Data Retention
Section 38(1) of the Cybercrimes Act provides that a service provider shall keep all traffic data and subscriber information as may be prescribed by the relevant authority (responsible for the regulation of communication services in Nigeria), for the time being for a period of 2 years.
Non-compliance is an offence, punishable upon conviction with imprisonment for a term of not more than 3 years or a fine of not more than NGN 7 million (approx. €15,470) (Section 38(6) of the Cybercrimes Act).
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The Nigerian Cloud Computing Policy classifies data into the following categories:
- Official, Public or Non-Confidential Data: Refers to data publicly available and non-sensitive.
- Confidential, Routine Government Business Data: Includes health and financial information of natural persons and is regarded as data of moderate sensitivity.
- Secret, Sensitive Government and Citizen Data: Applies to data of both natural and juridical persons. This data is classified as sensitive because its loss may be serious and have material effects on the data subject or related entities.
- Classified or National Security Information: This data is considered sensitive to national security and thus requires additional safeguards.