Professional Documents
Culture Documents
Data Protection Law in Nigeria
Data Protection Law in Nigeria
The world’s most valuable asset is no longer oil, but data. Data has
been described as individual units of information, which may be
measured; collected and reported; stored and analysed. In computing,
data is information that has been translated into a form that is
efficient for movement or processing.
Data is considered to be the ‘oil’ of the digital era. The world’s most
valuable companies include tech giants such as Google, Apple,
Facebook and Amazon (GAFA) whose subscribers are routinely required
to provide their data to facilitate access. The internet and smartphones
have contributed significantly to making data more valuable, available
and abundant. Almost every human activity generates a digital trace.
For example, our heart beat, our pulse, a running event, navigating
through traffic are all activities which produce data when connected to
the internet. The more cars, watches and phones that are connected to
the internet the more data that can be generated. Artificial Intelligence
through algorithms has become so smart today that they can now
review contracts, conduct legal research and mediation, predict
exposure to disease and determine when a machine needs servicing.
The data industry has demonstrated such exponential growth that
certain multinationals now position themselves as data purveyors and
merchants.
The General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the
2018 reform of the GDPR are regulations under EU law concerning data
protection and privacy for all individual citizens of the European Union
(EU) and the European Economic Area (EEA). It also deals with the
export of personal data outside of the EU and EEA. In Nigeria, while
there are several legislations containing ancillary provisions which seek
to protect data privacy, the most comprehensive statutory instrument
for this purpose is a subsidiary legislation made pursuant to the
National Information Technology Development Agency Act, 2007
(‘NITDA Act’). The NITDA Act empowers the National Information
Technology Agency (NITDA) to inter alia develop guidelines/regulations
for electronic governance and monitor the use of electronic data
interchange in both the private and public sectors of the economy6.
Deriving from this provision, NITDA then developed and issued the
2013 Guidelines for Data protection and thereafter, the Nigeria Data
Protection Regulation 2019 (‘NITDA Regulation’), which is the extant
body of rules regulating the subject in Nigeria. A significant feature that
distinguishes the NITDA Regulation from other legislation in Nigeria is
the element of it being a data protection-specific body of rules as
opposed to it being an ancillary provision in a legislation which is not
primarily concerned with data privacy protection.
Nigeria adopted the Child Rights Act (CRA) in 2003 to domesticate the
United Nations Convention on the Rights of the Child, which is a human
rights treaty designed to guarantee the civil, economic, political, social,
health and cultural rights of children. The CRA is a legislation to provide
for and protect the rights of a Nigerian Child, who is defined as a person
under the age of 18 years. Section 3 of Part II CRA incorporates by
reference the provisions of Chapter IV of the Constitution, which deal
with the fundamental rights of citizens. Also, section 8 of the CRA which
covers a child’s rights to private and family life states that a child is
entitled to his privacy, family life, home, correspondence, telephone
conversations and telegraphic communication.
The purpose of the FOIA is to make public records and information held
by Government agencies more freely accessible by the public. However,
it specifically makes an exception with respect to personal records and
information and matters concerning personal privacy. In this regard,
section 14 of the FOIA limits Government agencies from disclosing the
personal information of citizens unless the individual’s consent is
obtained, or the information is publicly available.
The CRPA was enacted for the purpose of improving access to credit
information and standardising risk management in credit transactions.
It provides the framework for credit reporting, licensing and credit
bureaux. Section 9 of the CRPA is to the effect that Data Subjects i.e.
persons whose data are maintained by credit bureaux, shall be entitled
to the privacy, confidentiality and protection of their credit information
subject to certain exceptions listed under section 9(2) to 9(6) of the
CRPA.
All media through which Personal Data is being collected must display
in a simple, conspicuous and understandable manner, their applicable
privacy policy. The minimum requirements for such a privacy policy are
as set out below:
remedies:
Breach of the privacy rights of any Data Subject under the NITDA
Regulation shall, apart from other criminal liability, attract, with respect
to Data Controllers dealing with more than 10,000 Data Subjects,
payment of a fine of 2% of annual gross revenue of the preceding year
or payment of N10 million, whichever is greater; and with respect to
Data Controllers dealing with less than 10,000 Data Subjects, a fine of
1% of the annual gross revenue of the preceding year or payment of ₦2
million, whichever is greater.
3.7 TRANSFER OF PERSONAL DATA TO A FOREIGN COUNTRY AND
EXCEPTIONS
The NITDA Regulation has established rules which govern the manner in
which the provisions of the Regulation should be implemented. The
major planks on which implementation rests are discussed below.
5. CONCLUSION