Information Technology

Navigating Data Privacy in Nigeria: Legal Frameworks and the Role of the Nigeria Data Protection Commission (NDPC)

Abdulganiu Alao Akinsola
| August 29th, 2024

Introduction

In today's interconnected world, data is critical for molding decisions and driving actions. Because of the high possibility that information would contain personal data, governments and authorities have prioritized information security to guarantee that it is not misused. As a result, many countries, including Nigeria, have established legislation ensuring data protection as a fundamental human right. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as modified) ("the 1999 Constitution") expressly ensures citizens' right to privacy. This lays the groundwork for Nigeria's legal framework on data privacy and protection.

 

Relevant Legislation Impacting Data Privacy Under Nigerian Law

Based on the Governing Board's powers, the National Information Technology Development Agency (NITDA) appears to be Nigeria's primary regulator of data privacy and protection. However, this does not limit the authority of the regulators named in the individual legislations that contain data privacy and protection measures to enforce those laws in the way specified in the legislations that created them. The terms of the NITDA Regulation have no effect on the existing rights of natural people or Nigerians under any other law, regulation, policy, or contract.

Other laws and regulations impact data protection in Nigeria includes:

  1. The Constitution of the Federal Republic of Nigeria 1999 (as amended).
  2. The Nigeria Data Protection Regulation 2019 (“NDPR”).
  3. The NDPR Implementation Framework 2020, issued by the National Information Technology Development Agency - NITDA (“NDPR Implementation Framework”).
  4. The Child Rights Act 2003.
  5. The Cybercrimes (Prohibition, Prevention etc.) (Amendment) Act 2024 (“Cybercrimes Act”).
  6. The Freedom of Information Act 2011.
  7. The National Health Act 2014.
  8. The HIV and AIDS (Anti-Discrimination) Act 2014.
  9. The National Information Technology Development Agency Act 2007.

However, The Nigeria Data Protection Commission (“NDPC”) is the primary data protection authority and is responsible for enforcing the NDPA in Nigeria. The NDPA establishes the NDPC. The NDPC is the agency responsible for enforcing the provisions of the NDPA and the administration of all data protection matters in Nigeria. The NDPA retained and did not repeal the existing NDPR and its Implementation Framework. These documents are now to be read in conjunction with the NDPA; however, where there is any conflict in their provisions, the provisions of the NDPA are to prevail. 

Sector-specific regulatory authorities like the CBN, the NCC and the Federal Competition and Consumers Protection Commission (“FCCPC”) may also enforce the various regulations that touch on data protection within the sectors that they regulate. 

It is pertinent to establish that the Nigeria Data Protection Commission objectives includes: 

  • Safeguarding the fundamental rights and freedoms, and the interests of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria; 
  • Providing for the regulation of processing of personal data; 
  • Promoting data processing practices that safeguard the security of personal data and privacy of data subjects; 
  • Ensuring that personal data is processed in a fair, lawful and accountable manner; 
  • Protecting data subjects’ rights and providing means of recourse and remedies, in the event of the breach of the data subjects’ rights; 
  • Ensuring that data controllers and data processors fulfill their obligations to data subjects; 
  • Establishing an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and 
  • Strengthening the legal foundations of the national digital economy and guaranteeing the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data. 

The Act sets out its scope, the lawful basis for processing personal data and prescribes penalties for non-compliance with its provisions. In the subsequent pages, we have highlighted provisions that may be of interest to data controllers and processors or third parties engaged by them and our comments.

 

Conclusion

Nigeria's data privacy regulations, particularly the NDPA 2023, provide a comprehensive approach to protecting personal information. The formation of the NDPC and the harmonization of data protection principles with worldwide standards demonstrate Nigeria's commitment to protecting its citizens' privacy rights. Continuous efforts to raise knowledge and compliance with these rules are critical for effectively protecting personal data in Nigeria's digital world.


Abdulganiu Alao Akinsola
Author

Sign up for our Newsletter

Join our newsletter and get resources, curated content, and design inspiration delivered straight to your inbox.

Related Post