Data Privacy Laws in Nigeria
Among African nations, Nigeria was the first to introduce a regulatory policy on data protection. However, the policy objectives were limited to online business transactions, restricting individual data protection[1]. Presently, the Nigerian legislature has enacted laws to serve as shields protecting the data of Nigerians. Nonetheless, the low level of awareness of these laws among citizens is discouraging to both the drafters of these statutes and the judicial system, which serves as an armour of justice. In this article, we shall examine the legal frameworks, their objectives, and their practical role in protecting Nigerians' data.
NIGERIA DATA PROTECTION ACT 2023
The Nigeria Data Protection Act, 2023 (“NDPA” or “Act”) was enacted into law by President Bola Ahmed Tinubu, GCFR, on 12th June 2023. The Act serves as the primary law regulating the privacy of personal data in Nigeria. Upon enactment, the NDPA repealed the Nigeria Data Protection Regulation, which had served a similar role in regulating personal data in Nigeria. Under the Act, individuals or organisations who give out their personal data upon consent are regarded as Data Subjects, while data controllers/processors are individuals or organisations who process the data of the data subjects upon obtaining consent[2]. For example, the users of WhatsApp are regarded as Data Subjects, while WhatsApp as an organisation is a Data Controller, which processes their data.
Given the daily use of technology, the personal data of data subjects is processed daily by data controllers/processors. The main objective of the Nigeria Data Protection Act is to protect Data Subjects in their dealings with data controllers/processors during the processing of data. This protection is meant to avoid potential risk or detriment arising from the processed data. The essence of this objective is to protect the fundamental right to privacy of Nigerians.
The roles performed by the NDPA are evident in the rights of data subjects provided in the Act. The deficient awareness of these rights renders the NDPA ineffective to an extent. We shall examine the rights in a “Do you know?” format for a better understanding.
Rights of Data Subjects (Do you know?)
We shall examine the rights of a data subject, to increase
- Do you know that as a Data Subject, you have the right to request from a data processor or data controller the purpose of processing your data, and to restrict the use of your data?[3]
- Do you know that, as a Data Subject, any person who obtains your data without your consent has breached your privacy, and that this is punishable under the NDPA with payable fines?[4]
- Do you know that, as a Data Subject, you have the right to withdraw your consent to the processing of your data?[5]
- Do you know that, as a Data Subject, you have the right to object to the use of your data?[6]
- Do you know that, as a Data Subject, a data controller must seek your consent before transferring your data to a third party?
1999 CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA
The regulation of data protection is not complete without mentioning the importance of the 1999 Constitution of the Federal Republic of Nigeria (“the Constitution”). The Constitution plays an important role in introducing the need to protect the privacy of Nigerians. The Constitution, being the supreme law of the state, guarantees the protection of personal data through a supervisory role of safeguarding the fundamental rights of citizens of Nigeria, which include the right to privacy. Section 37 of the Constitution provides that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” This provision explicitly guarantees the right to privacy.
In addition, the Constitution serves as an enabler for the enactment of other statutes regulating data protection in Nigeria, including the Nigeria Data Protection Act mentioned earlier.
THE CYBERCRIME (PROHIBITION, PREVENTION, ETC.) ACT, 2015
The Cybercrime (Prohibition, Prevention, etc.) Act, 2015 (the “Act”) was enacted to provide a unified legal, regulatory and institutional framework for the prohibition, prevention, detection, investigation, and prosecution of cybercrimes in Nigeria. As it pertains to data protection, the primary purpose of the Act is to penalize individuals who unlawfully access the personal data of a data subject. Section 6 of the Cybercrime Act 2015 provides that any person who, without authorization, intentionally accesses in whole or in part a computer system or network for fraudulent purposes and obtains data that are vital to national security commits an offence and shall be liable on conviction to imprisonment for a term of not more than 5 years or to a fine of not more than N5,000,000.00 or to both fine and imprisonment.
Other regulations are as follows:
- National Information Technology Development Agency (NITDA) Act 2007
- Freedom of Information Act (2011)
- Electronic Transaction Act (2007)
CONCLUSION
In conclusion, Nigeria has made significant strides in data privacy legislation with the Data Protection Act of 2018 and other relevant laws. However, there is still room for improvement. It is crucial to effectively implement and enforce these laws to protect individuals' privacy rights. Additionally, the laws may need updates to address emerging data privacy challenges and align with international best practices. By strengthening its data privacy framework, Nigeria can foster a more secure and trustworthy digital environment for its citizens and businesses.
[1] From Bytes to Rights: The Journey to a Comprehensive Data Protection Law in Nigeria, TechHive Advisory, https://www.linkedin.com/pulse/adapting-change-aligning-your-privacy-programme (accessed August 29, 2024)
[2] Section 65 of NDPA 2023
[3] Nigeria Data Protection Act 2023, s34(1)
[4] Nigeria Data Protection Act 2023, s26
[5] Nigeria Data Protection Act 2023, s35
[6] Nigeria Data Protection Act 2023, s36